cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
68376
Views
0
Helpful
12
Replies

How to block Teamviewer,Logmein,GotoMyPC etc?

Sundeep Dsouza
Level 1
Level 1

Hello Everyone,

I am trying to block Teamviewer in our network using Cisco ASA. I blocked port 5938 but it dynamically connected to on port 443 which is https. I even tried blocking via the regex way but could not stop the connection.

My conclusion, since it falls back to https blocking it from the firewall becomes all the more difficult as it wont do https inspection. I guess IPS also will fail to inspect https.

Other option would be through Microsoft GPO, but this would be my last option. Is there an alternate solution to accomplish this task?

Regards

1 Accepted Solution

Accepted Solutions

mirober2
Cisco Employee
Cisco Employee

Hi Sundeep,

As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.

The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).

Hope that helps.

-Mike

View solution in original post

12 Replies 12

mirober2
Cisco Employee
Cisco Employee

Hi Sundeep,

As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.

The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).

Hope that helps.

-Mike

I have just the same topic to solve.

For now, I am using a squid proxy to filter specific dstdomains, such as  .teamviewer.com or by means of RegEx acls

But I am expecting to solve it across ASA with IDS/IPS signatures

Do you jnow if it is possible ?

Thanks

Alain

Kind of an old thread but if your hardware allows it you might wan to consider installing a CSC module on your ASA, the CSC will allow you to block a particular category that involves all these remote controll programs:

Category Group: Internet Security

Category Type: Remote Access Program

Definition: Sites that provide tools for remotely monitoring and controlling computers

http://www.cisco.com/en/US/products/ps6823/index.html

http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc4.html#wp1065979

HTH.

Raga

Hi Luis,

I dont think CSC can inspect HTTPS traffic, I did a little bit of reading on it and came across that CSC cant inspect https. However as Marvin pointed out, Ironport WSA can. I have also tried it with Microsofts TMG and it is very effective.

Hi Sundeep,

The CSC module can filter HTTPS traffic in the latest version (6.6.1125.0).

-Mike

The Cisco Ironport WSA (web proxy device) can do this also.

anyway, my purpose would be to detect any resident exe which could connect by itself and open a backdoor from inside to outside

Since port 80 is widely available for internet access, does IDS (AIM-SSM) able to get this info ?

Alain,

If you are looking for a way to block the actual .exe on the user's machine what you really need is a Host IPS.

Regards.

Hi Guys,

i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...

is there any update ...any solution?.

Regards

Sher

Hi Guys,

i have the same problem with my cisco ASA-5585 i want to block the teamviewer ,Logmein and GotoMyPc...

is there any update ...any solution?.

Regards

Sher

Hello, 

Actually I blocked the TeamViewer on WSA by blocking the applications for presentation/conferencing also the 5938 port is blocked on firewall but the application still able to connect. 

Hi Bro

TeamViewer (TV) is application that used to create remote access connection to PC anywhere. Even if the PC located behind the firewall. TV client using port 80 for the outbound connection, it is difficult to block using port basis. So, because TV client must be connected first to the TV server, we can use another aproach, that is blocking every dns request for the *.teamviewer.com and/or *.dyngate.com.

So, these are the configuration if we use Cisco ASA Firewall (i am using OS ver 8.x):

regex TV-RGX “\.teamviewer\.com”

regex DG-RGX “\.dyngate\.com”

class-map type regex match-any TV-CLS

match regex DG-RGX

match regex TV-RGX

policy-map type inspect dns TV-PLC

parameters

message-length maximum 512

match domain-name regex class TV-CLS

drop

policy-map global_policy

class inspection_default

inspect dns TV-PLC

service-policy global_policy global

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: