topic Re: Block 3rd Party RDP Apps in Network Security

Block 3rd Party RDP Apps

sabinj — Fri, 21 Feb 2020 16:28:19 GMT

I have a request from management to block 3rd party remote desktop applications at the firewall. I'm wondering if this can be done on an ASA, possibly through the Service Policy Rules...

ASA-5545 version 9.2(4)27

Any advice would be appreciated.

Re: Block 3rd Party RDP Apps

balaji.bandi — Wed, 14 Nov 2018 20:47:00 GMT

If you are referring RDP then it will be port 3389 to block.

if not you need to capture the logs in FW what is the application port using, then start building the access rules to block that port.

Do you have any example of 3rd Party RDP Apps ?

Re: Block 3rd Party RDP Apps

Martin Carr — Wed, 14 Nov 2018 21:21:39 GMT

Yes, you can a primitive way is to block RDP (3389) as mentioned, in practice this should be the case anyway, as only the required traffic should be permitted.

Also be aware, other ports can be used. RDS can tunnel over HTTPS, for example.

A better solution is to use FirePower, as this has the ability to do application fingerprinting.

Martin

Re: Block 3rd Party RDP Apps

sabinj — Thu, 15 Nov 2018 02:53:36 GMT

Thanks for the responses. I should have worded my question a little better.

So the goal is to block any third party application used to obtain a remote desktop session. Things like Teamviewer, ScreenConnect, PC Anywhere (is that still around), GoToMyPC and do so at the edge. We have already blocked 3389, but those applications don't use that port and some use random port or tunnel over https as pointed out.

I wasn't sure if ASA had the ability to do this native or not. I wanted to make sure it cannot before I recommend a new product like Firepower or another security appliance / software.

Re: Block 3rd Party RDP Apps

Martin Carr — Sat, 17 Nov 2018 23:27:51 GMT

I guess your ASA is not next generation? Firepower is included with newer models. This has to ability to do L7 application filtering (i.e. AVC).

Martin

Re: Block 3rd Party RDP Apps

Abheesh Kumar — Sun, 18 Nov 2018 10:27:23 GMT

Hi,

With the native ASA you cannot identity the L7 application to block. or else you need to identify the ports which the application is using and block it. If your ASA have firepower service then you can block the L7 applications, or else you need to go with ASA with firepower or FTD.

HTH

Abheesh

Re: Block 3rd Party RDP Apps

venkat_n7 — Mon, 19 Nov 2018 01:21:28 GMT

You need to write application/service access-rules, you cant do that on asa. best option would be - if you have firepower then use firepower or else you have to use internal SEIM device to block such traffic. i recommend to use SEIM to do that.