ASA 5520 and Blocking LogMeIn and GoToMyPC

Unanswered Question
Sep 2nd, 2010

Anyone know how to block LogMeIn and GoToMyPC? We are using an ASA 5520. We mainly want to prevent people coming into our network using those applications. Also, our helpdesk uses LogMeIn Rescue and would need to allow that for them.

rmavila Thu, 09/02/2010 - 07:38

Hi Danielle,

Using an access-list would be a good way to prevent anyone from outside coming into your network using GoToMyPC and LogMeIn. An access-list can be applied on the outside interface, which is facing the internet. GoToMyPC uses port number 8900 and LogMeIn uses 12975 and 32976. Also, it will attempt to use port 443 if it fails to connect on the other two ports.

access-list block_traffic extended deny tcp any any eq 8900
access-list block_traffic extended deny tcp any any eq 12975
access-list block_traffic extended deny tcp any any eq 32976
access-list block_traffic extended deny tcp any any eq 443
access-list block_traffic extended permit ip any any
access-group block_traffic in interface outside

Since we are blocking traffic on 443 in case you have https server on the inside it will cause problems. This access-list should be applied on the outside interface.

ellievermits Thu, 09/02/2010 - 07:41

Thank you for the advice! So if applied on the outside interface only, the help desk will still be able to use LogMeIn Rescue from inside?

rmavila Thu, 09/02/2010 - 07:53

Ya it should work. I am assuming that logmein does not use the same port to connect back to help desk pc.

sachinga.hcl Thu, 09/02/2010 - 08:19

Hi Danielle,

The ASA has built-in regexes for GoToMyPC, and there was a way to do this also for LogMeIn.


class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2


!
asa5520# sh run all regex
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_GoToMyPC-tunnel "machinekey"


These kinds of applications have grown to hundreds (or used to grow) quite fast, faster than we're able to adjust regexes on the ASA, since they are supposed to be static by nature. Don't expect a one-command wonder.


I'm not intimately familiar with those apps... since GoToMyPC works on HTTP, potentially CSC would be a nice way to prohibit it.


Note that IPS seems to be familiar with Hamachi:

http://www.cisco.com/web/software/282773979/34047/Readme-IPS-sig-S387.txt

15454.0   LogMeIn Hamachi Activity                 


Blocking LogMeIn & GoToMyPC

LogMeIn uses HTTPS, which is not covered by the HTTP inspection, so the regex method may not be useful for that. You could try blocking a couple of LogMeIn ports (TCP 12975 and 32976, see http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers) to see if that helps.

The LogMeIn application connects to an intermediate server (bibi.hamachi.cc) to establish communication. You can block that IP from communicating with your network. Hope this helps.

I just added two routes into my core router:

ip route 66.151.158.177 255.255.255.255 Null0

ip route 216.115.217.45 255.255.255.255 Null0


This kills the constant polls that gotomypc uses in order to come back through your firewall.


If you want to find out who is using it you can build an access list around those two.


access-list 101 deny ip any host 66.151.158.177 log
access-list 101 deny ip any host 216.115.217.45 log
access-list 101 permit ip any any


Check your log files and it will tell you the internal IP addresses that tried to access those sites.

You can also check the Cisco IPS S387 signature update details, under "New Signatures":

SIGID     SIGNAME                       ENGINE      SEVERITY       ENABLED
15454.0   LogMeIn Hamachi Activity      atomic-ip   informational  false
15455.0   LogMeIn Product Activity      atomic-ip   low            false

You could block access to poll.gotomypc.com to keep GoToMyPC from working.

You'll need to block port 8200. GoToMyPC generates only outgoing HTTP/TCP to ports 80, 443 and/or port 8200, and you can also stop 'poll.gotomypc.com'. Sorry, I don't have the IP address, but try doing an nslookup for 'poll.gotomypc.com' to get the relevant IP address.


Read the following PDF document on this matter as well.


https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Personal_Security_White_Paper.pdf


---------

GoToMyPC server [service installed] always sends an outgoing HTTP "ping" to the GoToMyPC broker (poll.gotomypc.com) at regular intervals checking to see if any connect requests have been received.


So the way to prevent the GoToMyPC broker from accessing our company's computers is by blocking access to the GoToMyPC broker host.


This will prevent anyone from starting a connection to access any computer inside our firewall [The protected LAN].


Name:  poll.gotomypc.com

Address: 66.151.158.177


Using a simple outbound ACL will do the job. If you don't need any access to that site, you can just deny ip for that IP:


access-list 100 deny ip 192.168.0.0 255.255.255.0 host 66.151.158.177

access-list 100 permit ip any any


This will deny both TCP and UDP connections to that IP.


If you have a proxy server, you can use URL based filtering in that, if you need to block many more such websites.

Also, GoToMyPC will help us to block our Internet-visible IPs [Real IPs].

They already have a policy for companies who do not currently have GoToMyPC accounts but wish to block access using their Authorization Management Service; we simply have to send a request to the following email address: [email protected].

---------------
Another easy way to block any of these services without content filtering is by URL, since you need to log in to www.logmein.com, www.gotomypc.com, etc.

Set up a local DNS zone on your DNS server:
127.0.0.0 logmein.com gotomypc.com

If they can't resolve logmein or gotomypc, they can't connect.


------------------------

Another way of doing this is to block installation of the executable, such as logmein, via group policy or through your anti-virus software.


Port 2002 needs to be open for TCP inbound and outbound traffic.


---------------------------
Hope this helps and let me know how you get on.

Sachin Garg
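The post above suggests denying the broker addresses with the "log" keyword and then reading the logs to find which internal hosts are polling them. The following is an added example, not code from the thread or from Cisco: a small Python parser that pulls source/destination pairs out of ASA "%ASA-4-106023" deny messages and IOS "%SEC-6-IPACCESSLOGP" lines and counts attempts per internal host toward the two broker IPs named in the thread. The log lines are constructed samples in the usual syslog shape, not captured device output, and the host labels are taken from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not real device output): ASA 106023 deny
# messages plus IOS IPACCESSLOGP lines produced by a numbered ACL with "log".
SAMPLE_LOG = """\
Sep  2 07:41:12 asa5520 %ASA-4-106023: Deny tcp src inside:192.168.0.23/51234 dst outside:66.151.158.177/8200 by access-group "INSIDE_OUT" [0x0, 0x0]
Sep  2 07:41:15 asa5520 %ASA-4-106023: Deny tcp src inside:192.168.0.23/51240 dst outside:66.151.158.177/8200 by access-group "INSIDE_OUT" [0x0, 0x0]
Sep  2 07:42:03 asa5520 %ASA-4-106023: Deny tcp src inside:192.168.0.41/60001 dst outside:216.115.217.45/443 by access-group "INSIDE_OUT" [0x0, 0x0]
Sep  2 07:42:30 core-rtr 1234: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.57(49152) -> 66.151.158.177(80), 3 packets
Sep  2 07:43:00 core-rtr 1235: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.0.23(51301) -> 216.115.217.45(8200), 1 packet
Sep  2 07:43:10 asa5520 %ASA-4-106023: Deny tcp src inside:192.168.0.99/40000 dst outside:93.184.216.34/443 by access-group "INSIDE_OUT" [0x0, 0x0]
"""

# Broker / relay addresses named in the thread; the ACLs deny traffic to them.
WATCHED_HOSTS = {
    "66.151.158.177": "poll.gotomypc.com",
    "216.115.217.45": "GoToMyPC relay (second route in the thread)",
}

ASA_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
IOS_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_deny(line):
    """Return (src, dst, dport, packet_count) for a recognised deny line, else None.

    ASA 106023 is emitted per denied packet, so its count is 1; IOS aggregates
    and reports the packet count at the end of the line.
    """
    m = ASA_RE.search(line)
    if m:
        return m["src"], m["dst"], int(m["dport"]), 1
    m = IOS_RE.search(line)
    if m:
        return m["src"], m["dst"], int(m["dport"]), int(m["count"])
    return None


def find_remote_access_clients(log_text):
    """Map internal source IP -> {broker IP: denied packets} for the watched hosts.

    Lines that do not parse, or whose destination is not a watched broker,
    are ignored, so ordinary denied traffic does not show up in the report.
    """
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_deny(line)
        if parsed is None:
            continue
        src, dst, _dport, count = parsed
        if dst in WATCHED_HOSTS:
            hits[src][dst] += count
    return {src: dict(counter) for src, counter in hits.items()}


if __name__ == "__main__":
    for src, brokers in sorted(find_remote_access_clients(SAMPLE_LOG).items()):
        for dst, packets in brokers.items():
            print(f"{src} -> {dst} ({WATCHED_HOSTS[dst]}): {packets} denied packet(s)")
```

The report lists only hosts that tried the broker addresses, which is the list the poster says to look for in the log files; feed it the syslog export from the ASA or the core router instead of SAMPLE_LOG.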

Hi Danielle,

A little late here, and maybe my approach is a sledgehammer, but it works for me ATM with our ASA and our PIX. Since the LogMeIn traffic originates from the inside by the client to one of the MANY secure.logmein.com servers, you will need to block outbound TCP 80 and 443 traffic to those specific IPs related to secure.logmein.com. The method I chose was to create the group of LogMeIn IPs (it changes as they add more) and then I applied the rules to the inside interface.

ASA Example:

object-group network LOGMEIN
description Hosts allowing use of logmein remote session software to local IPs
network-object 64.94.18.0 255.255.255.0
network-object 69.25.20.0 255.255.255.0
network-object 69.25.21.0 255.255.255.0
network-object 74.201.74.0 255.255.255.0
network-object 74.201.75.0 255.255.255.0
network-object 77.242.192.0 255.255.255.0
network-object 77.242.193.0 255.255.255.0
network-object 216.52.233.0 255.255.255.0
network-object 212.118.234.0 255.255.255.0
network-object 64.74.103.0 255.255.255.0

Example of outbound rules used:

access-list INSIDE_OUT extended deny tcp any object-group LOGMEIN

although you could block just TCP 80 and 443

access-list INSIDE_OUT extended deny tcp any object-group LOGMEIN eq http

access-list INSIDE_OUT extended deny tcp any object-group LOGMEIN eq https

For good measure any inbound traffic:

access-list OUTSIDE_IN extended deny tcp object-group LOGMEIN any

On the PIX side the same action was taken:

object-group network LOGMEIN
  description Hosts allowing use of logmein remote session software to local IPs
  network-object 64.94.18.0 255.255.255.0
  network-object 69.25.20.0 255.255.255.0
  network-object 69.25.21.0 255.255.255.0
  network-object 74.201.74.0 255.255.255.0
  network-object 74.201.75.0 255.255.255.0
  network-object 77.242.192.0 255.255.255.0
  network-object 77.242.193.0 255.255.255.0
  network-object 216.52.233.0 255.255.255.0
  network-object 212.118.234.0 255.255.255.0
  network-object 64.74.103.0 255.255.255.0

access-list outside_access_in deny tcp object-group LOGMEIN any

access-list inside_access_out deny tcp any object-group LOGMEIN

Blocking all TCP may be heavy handed but it works against a moving target.
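Two rule sets in this thread are worth testing before they go on a production firewall: the first reply's port-based list (which, as that reply notes, also catches HTTPS to any internal server) and the object-group list above (which blocks all TCP to the LOGMEIN networks). The following is an added example, not code from the thread or from Cisco: a Python first-match ACL evaluator with an implicit deny at the end, the way ASA and PIX access-lists behave, loaded with the LOGMEIN /24s from the post above and the first reply's list written as destination-port matches (`any any eq PORT`). The flows checked are constructed; the evaluator models only the list itself, not which interface and direction it is bound to.

```python
import ipaddress

# The LOGMEIN object-group from the post above (constructed copy of its /24s).
OBJECT_GROUPS = {
    "LOGMEIN": [ipaddress.ip_network(n) for n in (
        "64.94.18.0/24", "69.25.20.0/24", "69.25.21.0/24", "74.201.74.0/24",
        "74.201.75.0/24", "77.242.192.0/24", "77.242.193.0/24",
        "216.52.233.0/24", "212.118.234.0/24", "64.74.103.0/24",
    )],
}

# Each ACE: (action, protocol, source spec, destination spec, destination port or None).
# The first reply's list, as applied on the outside interface.
BLOCK_TRAFFIC = [
    ("deny", "tcp", "any", "any", 8900),
    ("deny", "tcp", "any", "any", 12975),
    ("deny", "tcp", "any", "any", 32976),
    ("deny", "tcp", "any", "any", 443),
    ("permit", "ip", "any", "any", None),
]
# The object-group list from the post above, applied on the inside interface.
INSIDE_OUT = [
    ("deny", "tcp", "any", "object-group LOGMEIN", None),
    ("permit", "ip", "any", "any", None),
]


def _match_addr(spec, addr):
    """Address spec: 'any', 'host A.B.C.D', 'object-group NAME', or 'NET MASK'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(spec.split()[1]) == addr
    if spec.startswith("object-group "):
        return any(addr in net for net in OBJECT_GROUPS[spec.split()[1]])
    net, mask = spec.split()
    return addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def evaluate(acl, proto, src, dst, dport):
    """Return 'permit' or 'deny' for the flow using first-match semantics.

    An ACE whose protocol is 'ip' matches any protocol; a port of None matches
    any destination port. No match at all falls through to the implicit deny.
    """
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, ace_proto, s_spec, d_spec, port in acl:
        if ace_proto not in ("ip", proto):
            continue
        if _match_addr(s_spec, src_a) and _match_addr(d_spec, dst_a) \
                and (port is None or port == dport):
            return action
    return "deny"


def check_flows(acl, flows):
    """Evaluate a list of (proto, src, dst, dport) flows; returns list of results."""
    return [evaluate(acl, *flow) for flow in flows]


if __name__ == "__main__":
    # Constructed flows: an outside client reaching an internal HTTPS server
    # (the caveat from the first reply), a client hitting a LOGMEIN /24, and
    # ordinary outbound HTTPS to an unrelated address.
    flows = [
        ("tcp", "203.0.113.5", "198.51.100.10", 443),
        ("tcp", "192.168.0.23", "64.94.18.77", 443),
        ("tcp", "192.168.0.23", "93.184.216.34", 443),
    ]
    print("block_traffic:", check_flows(BLOCK_TRAFFIC, flows))
    print("INSIDE_OUT:   ", check_flows(INSIDE_OUT, flows))
```

The first reply's list denies the inbound HTTPS flow to the internal server exactly as that reply warns, while the object-group list leaves unrelated HTTPS alone and only stops TCP toward the listed networks; adding a flow for the help desk's own traffic to the `flows` list is a quick way to confirm a rule set before binding it with `access-group`.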
