Bell the Skype

NetFlow Analyzer | November 7, 2006 | 2 min read
Quote:
…….I want to disable skype on my network. The boss is mad because employees are eating all of the bandwidth. Please help…..

goes a post in Skype’s blog. Perhaps, Skype makes you share the same feelings too.

As an IT/Network administrator your biggest challenge, as with many others in this profession, could be Belling the S-k-y-p-e. You probably have no idea of number of skype clients in your setting and the kind of bandwidth they are hogging. According to this blog, Skype sessions use an asymmetric key exchange to distribute the 256 bit symmetric key employed by the AES cipher for session encryption. Skype’s outbound connection can use any dynamic combination of TCP and UDP ports, including outbound ports 80 and 443 which are typically open for HTTP and HTTPS access making port blocking filters completely ineffective.

So the only way of identifying and blocking Skype is through deep-packet inspection looking out for the Skype Signature.

Just a quick brief as to how you could use NetFlow Analyzer beyond bandwidth monitoring to accomplish activities like dropping Skype packets.

Enable NBAR discovery by the following command

Quote:
ip nbar protocol-discovery

Now you can identify the top applications consuming bandwidth by this command :

Quote:
show ip nbar protocol-discovery stats bit-rate top-n 10

which will list the top-10 bandwidth consuming applications.

You can also use ip nbar port-map command to look for the protocol or protocol name, using a port number or numbers : –

Quote:
ip nbar port-map protocol-name [tcp | udp] port-number

Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535

If you find Skype to be one among the top applications consuming bandwidth, use the following command to drop Skype packets:

Quote:
class-map match?any p2pmatch protocol skypepolicy?map block?p2p

class p2p

drop

int FastEthernet0

description PIX?facing interface

service?policy input block?p2p

All said, should you still need skype for your business be sure to read this . Other informative articles on Skype are avilable here, here, here & here

Cheers

Sankar

NFA