Janco,
In theory it can be done with ufdbGuard, a URL filter for Squid.
Skype uses direct/NAT, HTTP and HTTPS access to get to the outside world.
If you configure Skype to use HTTPS, ufdbGuard can sort of detect
Skype traffic because Skype uses the HTTPS port (443) but not the HTTPS
protocol and this is what ufdbGuard detects.
Skype also can use the HTTP protocol on port 80 but since it
does not use the HTTP protocol (only the port number) Squid will
not understand Skype's intentions and effectively block it.
To open the firewall to allow Skype to go out direct/NAT is asking
for trouble. So we can "safely" implement a mechanism that supports
Skype over HTTPS.
ufdbGuard is a filter and it is easy to configure to block the rest of
the internet for a number of PCs.
However, there is a major security issue, since allowing Skype means
that you allow all applications that use port 443 to go the the internet,
including proxy tunnels (e.g. proxytunnel uses SSH).
I consider Skype unsafe to use because it uses a undisclosed
("black box") protocol that is waiting for another virus/worm
to (ab)use and there is no antivirus vendor that can scan
the content of HTTPS.
My advise would be to look for an alternative of Skype.
-Marcus
Janco van der Merwe wrote:
> Hi,
>
> I need to set up Squid with the following:
>
> The network has 36 PCs all with Skype - Business needs
> Skype.....why.....I dont know.
>
> Only 6 of the 36 PCs is allowed to use the internet the rest is not but
> they must be able to access skype. Currently they have a Squid
> configuration with a transparent proxy with no passwords /
> authentication. They do not want authentication brought in because they
> don't want to type passwords.
>
> Can anyone assist me on how to set up Squid with the correct ACLs for
> the above because this is a little bit out of my league and I don't know
> how I am going to allow Skype but no other http traffic.
>
> I'm fine with the setup of the ACL to allow certain computers to the
> Internet but to block all other Internet traffic but Skype that is where
> my bug falls of its cork.
>
Received on Tue Oct 30 2007 - 02:57:55 MDT
This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:02 MDT