CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: Skype

  1. #1
    Join Date
    2012-08-06
    Posts
    63
    Rep Power
    8

    Default Skype

    The goal is to allow Skype and only Skype (voice, chat and all) (the consumer version). Naive as I am, I thought this would be no problem with our new, bright and shiny firewalls.

    So I created an accept rule and specified "Skype" in the application column. Does it work? Nah, of course not. While some initial traffic to Microsoft servers seems to go through, the traffic (peer-to-peer I guess) on random TCP and UDP ports gets denied.

    I tried with and without HTTPS inspection, not that it would matter because Skype apparently uses something proprietary anyway.

    So how do I make this work and what is this "Skype" application that I can use as an application filter anyway since it's not doing what it should?

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Skype

    What does your policy look like to allow the traffic?
    If pre-R80.10, what's the Firewall policy in addition to the App Control policy?
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2012-08-06
    Posts
    63
    Rep Power
    8

    Default Re: Skype

    Quote Originally Posted by PhoneBoy:
    What does your policy look like to allow the traffic?
    If pre-R80.10, what's the Firewall policy in addition to the App Control policy?

    This is the policy:
    [Attachment: skype1.jpg]

    And this is what the resulting log looks like:
    [Attachment: skype2.jpg]

    As you can see, the "high port" connections, clearly related to Skype, don't seem to be caught by the rule supposed to let Skype through...

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Skype

    Something doesn't look right with your Skype service.
    On my system, the Skype service shows with the Skype logo.
    Also notice the ports it matches as part of the application definition:

    [Attachment: Screen Shot 2018-02-17 at 8.55.16 PM.png]

    Which are different from what your logs show as being dropped.
    Which means the Skype application definition will not allow the traffic, because this is not one of the default ports matched by the application.
    This can be changed in the Match Settings part of the Application definition.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2012-08-06
    Posts
    63
    Rep Power
    8

    Default Re: Skype

    To be safe I carried out a manual update of the APCL database.

    The logo is still missing and the match rules show in a different order; however, they are the same as you show in your screenshot.

    Well, if they don't correctly match traffic I don't think I should go fiddle in there, but rather report it to Checkpoint for everyone to benefit from it, no?

    Oh, and maybe you can enlighten me on what these application profiles actually say. I guess if all these port ranges are being matched, that doesn't mean that any traffic on those ports will be let through blindly, will it? How will it know that everything that happens on those ports is indeed Skype traffic? What if someone brings, say, an SSH server up on one of those ports (and, say, concurrently starts Skype to make those ports available)? How can I be sure nothing like that happens?

    I guess IP-wise every destination IP will potentially have to go through since this is peer-to-peer and also Skype traffic apparently can't be inspected, so I am wondering how it would be possible to filter this at all.

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Skype

    The ports we list in our application definition are exactly the same as Skype specifies on their website: https://support.skype.com/en/faq/FA1...indows-desktop
    You can also configure Skype to use a specific port, which I imagine is what this particular user has done.
    In that case, the standard Skype definition won't work and you either need to correct the application definition OR the user configuration.

    On the larger issue, our application definition allows these ports as a first pass at layer 3/4.
    This is required because it's not possible to know what application is using those ports without first seeing some Layer 7 traffic.
    You can only see Layer 7 traffic if you allow the TCP/UDP session to pass.
    This is pretty much how every vendor has to do it.
    See also: http://phoneboy.org/2016/12/14/which...pplication-id/
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7
    Join Date
    2012-08-06
    Posts
    63
    Rep Power
    8

    Default Re: Skype

    Thanks for the explanations.

    It's not about a user who has configured something strange. It's users demanding to use Skype so I was testing myself beforehand. I didn't have Skype installed so I downloaded Skype-8.15.0.4.exe from skype.com.

    The high port is a random port (usually outside the range defined in the application signature). There is not much that you can configure in that app anyway.

    Clearly, the Microsoft documentation you reference is either wrong or targets another version of Skype. I could find some complaints in MS forums about this, but obviously the expected answer was "did you reinstall Skype already?" Next, they will probably be asked to reboot their PC, so we shouldn't count on help from there.

    I've contacted Checkpoint support in order to sort this one out. I'll let you know about my findings.

  8. #8
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    327
    Rep Power
    14

    Default Re: Skype

    49152 through 65535 is the default port range for MSRPC. Has that been changed from the default in this environment? It would normally be changed through group policy on the DC. Given Microsoft owns Skype, I wouldn't be at all surprised if they had it just piggyback on the configured RPC port range.
    Zimmie

  9. #9
    Join Date
    2012-08-06
    Posts
    63
    Rep Power
    8

    Default Re: Skype

    So I contacted support and they suggested including a whole bunch of apps, Microsoft Office, Outlook and what not, to solve this.

    Is this how application control is supposed to work? I.e. if I want to use application X for which there exists a specific profile, I nevertheless have to also add Y and Z and ... to make it work?? That seems a little awkward.

    Especially since you can't define anything like "only allow Microsoft Office if related to Skype" (which should be contained in the application signature I guess).

    It turns out what's really required here is STUN.

  10. #10
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Skype

    Quote Originally Posted by jeronimo:
    So I contacted support and they suggested including a whole bunch of apps, Microsoft Office, Outlook and what not, to solve this.

    Is this how application control is supposed to work? I.e. if I want to use application X for which there exists a specific profile, I nevertheless have to also add Y and Z and ... to make it work?? That seems a little awkward.

    That should not be required for Skype (the consumer version).
    You can change the application definition to allow different ports, like I suggested earlier.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  11. #11
    Join Date
    2012-08-06
    Posts
    63
    Rep Power
    8

    Default Re: Skype

    Quote Originally Posted by PhoneBoy:
    That should not be required for Skype (the consumer version).
    You can change the application definition to allow different ports, like I suggested earlier.

    Well, yes I can but it doesn't help. I tested the following:
    I cloned the Skype service and since you can't customize the existing rules, I just used "Any" service for detection in the cloned Skype object.
    Without the "STUN protocol" explicitly added to that rule, VoIP is not connecting.

  12. #12
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Skype

    I've flagged this to the folks who work on the various App Control signatures.
    Adding STUN to the Skype service doesn't seem unreasonable.
    Meanwhile, manually adding STUN to the same rule that allows Skype doesn't seem unreasonable either...
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  13. #13
    Join Date
    2012-08-06
    Posts
    63
    Rep Power
    8

    Default Re: Skype

    Quote Originally Posted by PhoneBoy:
    Adding STUN to the Skype service doesn't seem unreasonable.

    I agree that only having to add STUN manually to the rule is not a disaster.

    From a security point of view, I was however wondering if that would not mean that STUN would be allowed for every other connection too, since the relationship between several services in the same rule usually is an OR-relationship.

    However, support claims that would only be the case "if the source and the destinations are the same". Now I'll have to find out what that means.

    In cases like this one I am actually wondering if anyone has ever used these features. And at the same moment I am wondering who would not be using these features, since everyone seems to be using Skype etc.

  14. #14
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Default Re: Skype

    Yes, theoretically, STUN could be used outside of the Skype context in this situation.
    That said, if you're not allowing other VoIP applications, then allowing STUN won't really do much since the actual VoIP traffic should be blocked.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
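Added example, not code from the thread or from Check Point: a small Python model of the two-stage match PhoneBoy describes in post #6 (ports checked first at layer 3/4, application identified only once layer 7 payload is visible) and of the STUN question raised in posts #13 and #14 (services in one rule are OR-ed, so STUN added to the Skype rule is accepted on any port it is identified on). The port ranges, the "SKYPE-TEST" marker and the sample packets are constructed stand-ins; only the STUN header check follows RFC 5389.

```python
import struct
from typing import Callable, Dict, NamedTuple

STUN_MAGIC_COOKIE = 0x2112A442  # fixed value in every RFC 5389 STUN header


class Flow(NamedTuple):
    proto: str            # "tcp" or "udp"
    dst_port: int
    first_payload: bytes  # first bytes seen on the session


def looks_like_stun(payload: bytes) -> bool:
    """Layer 7 check a STUN signature can apply on any UDP port: 20-byte header,
    top two bits of the type zero, length field equal to the body, magic cookie."""
    if len(payload) < 20:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    return (msg_type & 0xC000) == 0 and cookie == STUN_MAGIC_COOKIE and msg_len == len(payload) - 20


class AppDef(NamedTuple):
    ports: Dict[str, range]              # layer 3/4 first pass ("Match Settings")
    signature: Callable[[bytes], bool]   # layer 7 identification


# Constructed definitions (assumption): the Skype signature is a stand-in marker because
# the real protocol is proprietary; the STUN object may match on any UDP port.
APPS = {
    "Skype": AppDef({"tcp": range(443, 444), "udp": range(3478, 3482)},
                    lambda p: p.startswith(b"SKYPE-TEST")),
    "STUN": AppDef({"udp": range(1, 65536)}, looks_like_stun),
}


def classify(flow: Flow, rule_apps) -> str:
    """Two-stage match: only flows whose port passes the first pass of some application
    in the rule are inspected at layer 7; applications in one rule are OR-ed."""
    candidates = [a for a in rule_apps
                  if flow.dst_port in APPS[a].ports.get(flow.proto, range(0))]
    if not candidates:
        return "drop: port not in any application definition"
    for app in candidates:
        if APPS[app].signature(flow.first_payload):
            return f"accept: {app}"
    return "drop: layer 7 did not identify an allowed application"


def stun_binding_request(transaction_id: bytes = b"\x01" * 12) -> bytes:
    """Constructed STUN Binding Request (type 0x0001, empty body)."""
    return struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + transaction_id
```

Running `classify(Flow("udp", 60000, b"SKYPE-TEST"), ["Skype"])` reproduces the drop from post #3: the high port never reaches the layer 7 stage, whatever the payload is.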
