[j-nsp] Block Skype and Ultrasurf using ScreenOS

Pavel Lunin plunin at senetsy.ru
Wed Nov 3 16:37:26 EDT 2010


Hi Giuliano,

I haven't really tried such things myself for ages but AFAIK it's not even
possible with IDP since at least skype goes into encrypted mode when it
detects itself blocked and simulates something https quite well. Please
correct me, if someone knows I'm not right. In this case some overly
clever gear might detect it using fancy heuristic methods but it's not
Juniper. Sort of a workaround approach (has been introduced by Juniper a few
years ago for standalone IDP) is to use DiffServ marking (don't know whether
SRX IDP also supports it) to mark detected packets (signature-based), then
an upstream router is used to police marked packets to something like 64k in
order to give the illusion of reachability but make it unusable.

Pretty sure any plain stateful firewall like SSG can't do it.

2010/11/3 Giuliano Cardozo Medalha <giulianocm at uol.com.br>

> People,
>
> Does anyone know how to block ultrasurf and skype applications using only
> an SSG140 Box with DI license ?
>
> Or it is only possible to block it using SRX650 with IDP license ?
>
>
> Is it possible to configure ?
>
> Where can I find the detailed signatures of both these applications ?
>
> Thanks a lot,
>
> Giuliano
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
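
The mark-then-police workaround described in the reply above, sketched as an added example that is not part of the original thread and not Juniper's own configuration: a Junos firewall filter on the upstream router that rate-limits traffic the IDP has already tagged. Assumptions: the upstream router runs Junos, the IDP marks detected packets with DSCP cs1, and the policer, filter and interface names are hypothetical.

```junos
firewall {
    /* Policer: anything above 64 kbit/s is dropped (names are hypothetical) */
    policer POLICE-64K {
        if-exceeding {
            bandwidth-limit 64k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter POLICE-IDP-MARKED {
            /* Packets the IDP tagged (DSCP cs1 is an assumed marking value) */
            term idp-marked {
                from {
                    dscp cs1;
                }
                then {
                    policer POLICE-64K;
                    count idp-marked-pkts;
                    accept;
                }
            }
            /* Everything else passes unpoliced */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Interface facing the IDP; ge-0/0/0 is a placeholder */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input POLICE-IDP-MARKED;
                }
            }
        }
    }
}
```

The counter makes it possible to confirm that marked packets are actually arriving at the upstream router before relying on the policer; the chosen DSCP value must not be in use by any legitimate traffic class on that path.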

