Re: Squid with Skype


Janco,

Your solution made me think about an alternative...

Why don't you try this: set up an extra SOCKS proxy that listens
to port 1080 only and configure this proxy to
do authentication.

Then configure Skype to use the SOCKS proxy and
you as sysadmin type the username/password, hence users
are not able to use the SOCKS proxy with a browser since
they don't know the password.

Then you can configure the normal proxy to block Skype
with ufdbGuard and block internet for 36-6 PCs.

-Marcus

PS: never underestimate users, most of them are able
to type "I am blocked" in Google.


janco@xxxxxxxxxxxxxxxxxxx wrote:
Hi,

I know what I'm about to tell you might raise a couple of eyebrows but I
had no choice in this matter.

What I did was keep port 80 open on the firewall to allow skype to do what
it wants because in this case the client was at a no negotiation stage
where skype was concerned so looking for an alternative was out of the
question.

Next I forced all client PC to use Squid as the proxy, got to love GPO,
where there are a couple of acls determining who can access the Internet
and who can't and it works.....it's not the right way of doing it I know
but under the circumstances there was no alternative, luckily the users
are quite stupid and they will not know how to change the proxy but if I
get that 1 user who has a little savvy I'm going to have my hands full.

I tested the skype through trying to force it to go through a certain port
but had so many comebacks it wasn't funny so the above was the solution.

If anyone can give me an alternative to the above mentioned I would be
very grateful but keep in mind that looking for a skype alternative is not
an option because that is dictated to me.

With regards



Janco,

In theory it can be done with ufdbGuard, a URL filter for Squid.

Skype uses direct/NAT, HTTP and HTTPS access to get to the outside world.
If you configure Skype to use HTTPS, ufdbGuard can sort of detect
Skype traffic because Skype uses the HTTPS port (443) but not the HTTPS
protocol and this is what ufdbGuard detects.

Skype also can use the HTTP protocol on port 80 but since it
does not use the HTTP protocol (only the port number) Squid will
not understand Skype's intentions and effectively block it.

To open the firewall to allow Skype to go out direct/NAT is asking
for trouble.  So we can "safely" implement a mechanism that supports
Skype over HTTPS.
ufdbGuard is a filter and it is easy to configure to block the rest of
the internet for a number of PCs.

However, there is a major security issue, since allowing Skype means
that you allow all applications that use port 443 to go to the internet,
including proxy tunnels (e.g. proxytunnel uses SSH).

I consider Skype unsafe to use because it uses an undisclosed
("black box") protocol that is waiting for another virus/worm
to (ab)use and there is no antivirus vendor that can scan
the content of HTTPS.
My advice would be to look for an alternative to Skype.

-Marcus


Janco van der Merwe wrote:
Hi,

I need to set up Squid with the following:

The network has 36 PCs all with Skype - Business needs
Skype.....why.....I don't know.

Only 6 of the 36 PCs are allowed to use the internet the rest are not but
they must be able to access skype. Currently they have a Squid
configuration with a transparent proxy with no passwords /
authentication. They do not want authentication brought in because they
don't want to type passwords.

Can anyone assist me on how to set up Squid with the correct ACLs for
the above because this is a little bit out of my league and I don't know
how I am going to allow Skype but no other http traffic.

I'm fine with the setup of the ACL to allow certain computers to the
Internet but to block all other Internet traffic but Skype that is where
my bug falls off its cork.
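
Marcus's observation in this thread, that Skype uses the HTTPS port (443) but not the HTTPS protocol, is something a filter can test on the first client bytes of a CONNECT tunnel. The Python below is an added example, not part of the original thread and not ufdbGuard's code; the function names, client addresses and byte samples are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
MAX_PLAINTEXT = 2**14  # largest length an unencrypted TLS record may declare
MIN_HELLO_BODY = 35    # version (2) + random (32) + session-id length byte (1)

def classify_first_bytes(data: bytes) -> str:
    """Classify the first client bytes inside a CONNECT tunnel to port 443.

    Returns 'tls', 'not-tls' or 'need-more-data'.
    """
    if data and data[0] != TLS_HANDSHAKE:
        return "not-tls"              # an HTTPS client opens with a handshake record
    if len(data) < 9:
        return "need-more-data"       # record header (5) + handshake header (4)
    _, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if major != 3 or minor > 4:
        return "not-tls"              # accept SSL 3.0 through TLS 1.3 version bytes
    if not 4 <= rec_len <= MAX_PLAINTEXT:
        return "not-tls"
    if data[5] != CLIENT_HELLO:
        return "not-tls"
    hello_len = int.from_bytes(data[6:9], "big")
    return "tls" if hello_len >= MIN_HELLO_BODY else "not-tls"

def make_client_hello() -> bytes:
    """Build a minimal, constructed ClientHello record for the demo."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(handshake).to_bytes(2, "big") + handshake

def flag_non_tls(tunnels: dict) -> list:
    """Return the clients whose tunnel opened with something other than TLS."""
    return sorted(ip for ip, first in tunnels.items()
                  if classify_first_bytes(first) == "not-tls")

# Constructed samples: documentation addresses, made-up payloads.
SAMPLES = {
    "192.0.2.10": make_client_hello(),                  # browser-style HTTPS
    "192.0.2.11": bytes.fromhex("8f215c07aa13990244"),  # opaque binary protocol
    "192.0.2.12": b"SSH-2.0-example\r\n",               # SSH banner on port 443
    "192.0.2.13": b"\x16\x03",                          # too short to judge yet
}

if __name__ == "__main__":
    for ip, first in SAMPLES.items():
        print(ip, classify_first_bytes(first))
    print("flag:", flag_non_tls(SAMPLES))
```

The check only inspects handshake framing, so any application that wraps its traffic in genuine TLS still passes, which is the residual risk of opening port 443 that Marcus describes.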





