This Blog reflects my thoughts about some topics in the field of security management and infrastructure security.

Tuesday, November 01, 2005

Want to block Skype file transfers?

Since one of my colleagues published a report about the security considerations of Skype in a corporate environment and acknowledged my input for the report, I receive questions from around the world on this topic. People are attracted to the tool for use as a convenient and cheap communication channel over the internet, but are worried about the consequences of corporate use.

One of the questions I received lately is about blocking the file transfer function in Skype. It is possible to send and receive files using the communication channel set up by Skype. For corporate security officers this is a worry, since the transfers are encrypted end-to-end and no central gateway can scan the files for viruses or confidential information.

Blocking Skype file transfers is a tough job. It is not as easy as closing a specific port on your firewall, since Skype can use the same channel for file transfer as for voice. So if you allow the use of Skype for VoIP, you implicitly create a channel for file transfer and for the propagation of malware. When no direct connection between peers can be made, the bandwidth used for file transfer is very small (about 4k bits per sec), but malware often does not need more than that. Combined with the poor user authentication (is the user on the other side really who you expect?), this makes it very easy to trick a user into accepting a file and running it.

This leaves you only one option to block file transfers with Skype: block Skype. There are several ways to block Skype:
  • Use a managed personal firewall with a policy to block Skype's access to the network, e.g. Symantec's Client Security

  • Block traffic to IP addresses 80.160.91.5 and 80.160.91.13, to block Skype authentication (I haven't tried this)

  • Block the use of https (port 443). This is very drastic.

  • Use a gateway security scanner that filters traffic that is not proper HTML, like Bluecoat

  • Prevent installing Skype in the first place: lock down the workstation, so that users are not able to install software.

It depends on your situation which option suits you best. Of course all workstations should run up-to-date antivirus tools. In case you want to use Skype, this is your single layer of protection against malware using the Skype file transfer function. And train your users!
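Before blocking the two authentication addresses from the list above, it helps to know which workstations already contact them. The following is an added example, not part of the original post: it assumes firewall logs in iptables LOG style and an internal range of 10.0.0.0/8, and the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Addresses the post lists for Skype authentication (the author did not test blocking them).
SKYPE_AUTH_IPS = {ipaddress.ip_address("80.160.91.5"),
                  ipaddress.ip_address("80.160.91.13")}
# Assumption: internal workstation range; adjust to your network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# iptables LOG lines carry KEY=value pairs (SRC=, DST=, DPT=, ...).
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Nov  1 10:02:11 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.0.23 DST=80.160.91.5 PROTO=TCP SPT=3345 DPT=443
Nov  1 10:02:12 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.0.23 DST=80.160.91.13 PROTO=TCP SPT=3346 DPT=80
Nov  1 10:05:40 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.0.41 DST=80.160.91.5 PROTO=TCP SPT=4100 DPT=443
Nov  1 10:05:41 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.0.41 DST=192.0.2.10 PROTO=TCP SPT=4101 DPT=443
Nov  1 10:06:02 fw kernel: IN=eth0 OUT=eth1 SRC=10.0.0.7 DST=80.160
Nov  1 10:07:15 fw kernel: IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=80.160.91.5 PROTO=TCP SPT=5000 DPT=443
"""

def parse_line(line):
    """Return (src, dst, dport), or None for truncated or non-TCP/UDP lines."""
    fields = dict(KV.findall(line))
    try:
        return (ipaddress.ip_address(fields["SRC"]),
                ipaddress.ip_address(fields["DST"]), int(fields["DPT"]))
    except (KeyError, ValueError):
        return None

def skype_login_hosts(log_text):
    """Map each internal source IP to its hit count and destination ports."""
    hits = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if src in INTERNAL_NET and dst in SKYPE_AUTH_IPS:
            hits[str(src)]["count"] += 1
            hits[str(src)]["ports"].add(dport)
    return dict(hits)

if __name__ == "__main__":
    for host, info in sorted(skype_login_hosts(SAMPLE_LOG).items()):
        print(host, info["count"], sorted(info["ports"]))
```

The resulting host list is an inventory of likely Skype installations, which can also guide the workstation lock-down option.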

3 Comments:

Anonymous said...

This comment has been removed by a blog administrator.

11:47 AM

 
Anonymous said...

http://www.skype.com/security/Skype-v1.7.adm

It's a way to block Skype file transfer on the win domain

3:00 PM

 
Anonymous said...

I am using a Sonic Wall firewall; how do I block Skype file transfer in that?

1:10 PM

 
