How to block Skype

Hi experts,

I have an issue here... I need to block Skype ports because all the people at the firm spend hours in Skype... My boss of course doesn't understand that they save our company money, so he wants to play Deputy Dog, so the order is given to block Skype... but how can I block it since it is using port 80? We are using Websense web filter and ASA 5580 (for FW).
Should I use a GPO and kill the skype.exe process?

Please help... why do people create software that runs on the most common port??? What happened to the rest of the gazillion ports?

Please help... (I am already checking Monster.com for another job)
c_hockland Asked:
 
Chris Staunton Commented:
You can create a hash to kill the exe if launched.  Only problem is that you'll have to keep updating it when Skype releases updates.

Shooter
0
 
Chris Staunton Commented:
This might also help you out and is a much better solution.

Shooter



# Cisco equipment running IOS version 12.4(4)T - This is the "free" option, provided your network uses Cisco gear and you have a service contract to get the latest IOS.

Cisco introduced in mid-2006 a Skype classification in NBAR.

To block Skype you do the following NBAR configuration (Source: Cisco Tips), which will drop Skype packets and in fact any p2p application you want (limewire, kazaa, etc.):

class-map match-any p2p
 match protocol skype

policy-map block-p2p
 class p2p
  drop

int FastEthernet0
 description PIX-facing interface
 service-policy input block-p2p

If you are unsure which bandwidth-eating applications are being used in your organization, you can access the interface connected to the Internet and configure the following command:
ip nbar protocol-discovery
This will enable NBAR discovery on your router.
Use the following command:
show ip nbar protocol-discovery stats bit-rate top-n 10
It will show you the top 10 bandwidth-eating applications being used by the users. Now you will be able to block/restrict traffic with an appropriate QoS policy.

We can also use the ip nbar port-map command to look for the protocol or protocol name using a port number or numbers other than the well-known Internet Assigned Numbers Authority (IANA)-assigned port numbers.

Usage as per Cisco:
ip nbar port-map protocol-name [tcp | udp] port-number

Up to 16 ports can be specified with this command. Port number values can range from 0 to 65535.

- Block Skype using Group Policy (corporate environments)
0
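Added example, not part of the thread or of Cisco's documentation: the discovery-then-policy step from the comment above, parsing the top-n output and emitting the thread's class-map only for P2P protocols actually observed. The output layout, the sample figures and the P2P protocol-name list are assumptions; the interface defaults to the thread's FastEthernet0.

```python
import re

# Constructed sample of `show ip nbar protocol-discovery stats bit-rate top-n 10`
# output (simplified layout, made-up figures; real output varies by IOS release).
SAMPLE = """\
 FastEthernet0
                          Input                    Output
                          -----                    ------
 Protocol                 30sec Bit Rate (bps)     30sec Bit Rate (bps)
 ------------------------ ------------------------ ------------------------
 http                     2450000                  310000
 skype                    880000                   910000
 gnutella                 120000                   450000
 secure-http              95000                    40000
 unknown                  640000                   55000
 Total                    4185000                  1765000
"""

# Assumed NBAR protocol names for P2P applications; the names available
# depend on the IOS release (check with `match protocol ?`).
P2P_NAMES = {"skype", "kazaa2", "gnutella", "bittorrent", "edonkey"}
ROW = re.compile(r"^\s*([A-Za-z][\w-]*)\s+(\d+)\s+(\d+)\s*$")

def parse_rates(text):
    """Return {protocol: (input_bps, output_bps)} from the stats table."""
    rates = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(1).lower() != "total":
            rates[m.group(1).lower()] = (int(m.group(2)), int(m.group(3)))
    return rates

def p2p_seen(rates):
    """P2P protocols actually observed, busiest (in+out) first."""
    hits = [p for p in rates if p in P2P_NAMES and sum(rates[p]) > 0]
    return sorted(hits, key=lambda p: sum(rates[p]), reverse=True)

def build_policy(protocols, interface="FastEthernet0"):
    """Emit the thread's class-map/policy-map for the observed protocols."""
    if not protocols:
        return ""  # nothing observed: do not attach an empty drop policy
    lines = ["class-map match-any p2p"]
    lines += [f" match protocol {p}" for p in protocols]
    lines += ["policy-map block-p2p", " class p2p", "  drop",
              f"interface {interface}", " service-policy input block-p2p"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_policy(p2p_seen(parse_rates(SAMPLE))))
```

Traffic that NBAR cannot classify shows up in the "unknown" row and is not matched by this class-map.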
 
c_hockland Author Commented:
OK, the first part... got it...

The second... int FastEthernet0

.
.
service-policy input block-p2p


The above commands go to the external or interface???
0

 
Chris Staunton Commented:
FastEthernet0 should be your internal interface.  It will block any attempt by employees to use p2p applications.


Shooter
0
 
Ehab Salem, IT Manager Commented:
If you want Websense to block Skype, you have to block the "uncategorized" category. Otherwise you will have to track all IPs that users connect to and add them to a block list, and do that on a daily basis.
Do you have any application control installed, like Symantec SEP 11 or ESM? If so, you can also use these to stop Skype from launching.
0
 
c_hocklandAuthor Commented:
thanks
0
Question has a verified solution.
