11-14-2018 12:09 PM - edited 02-21-2020 08:28 AM
I have a request from management to block 3rd party remote desktop applications at the firewall. I'm wondering if this can be done on an ASA, possibly through the Service Policy Rules...
ASA-5545 version 9.2(4)27
Any advice would be appreciated.
11-14-2018 12:47 PM
If you are referring to RDP, then it will be port 3389 to block.
If not, you need to capture the logs in the FW to see what port the application is using, then start building the access rules to block that port.
Do you have any examples of 3rd party RDP apps?
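The procedure in the reply above (capture the firewall logs, work out which destination port the remote-desktop application is using, then write an access rule for it) can be scripted against ASA syslog. The following is an added example, not code from the original thread or from Cisco: it parses the ASA connection-built messages (syslog IDs 302013 for TCP and 302015 for UDP), tallies outbound destination ports that are not on an allow-list of expected services, and emits candidate deny ACEs. The log lines are constructed sample input; the ACL name INSIDE_IN, the allow-list of "known" ports and the connection threshold are assumptions for the example. Port 5938 is used in the sample because it is TeamViewer's documented primary port, but the script makes no assumption about which product owns which port.

```python
import re

# ASA syslog 302013 (TCP) / 302015 (UDP): "Built <dir> <proto> connection <id>
# for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)".
# For an outbound connection the "for" side is the lower-security interface,
# i.e. the remote server, and the "to" side is the inside host that initiated it.
CONN_RE = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) "
    r"connection \d+ for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)"
)

# Constructed sample log (documentation address ranges), not real firewall output.
SAMPLE_LOG = """\
Nov 14 2018 12:01:05 fw1 %ASA-6-302013: Built outbound TCP connection 100 for outside:203.0.113.10/5938 (203.0.113.10/5938) to inside:192.168.10.25/50123 (198.51.100.2/50123)
Nov 14 2018 12:01:09 fw1 %ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.11/5938 (203.0.113.11/5938) to inside:192.168.10.25/50124 (198.51.100.2/50124)
Nov 14 2018 12:02:31 fw1 %ASA-6-302013: Built outbound TCP connection 102 for outside:203.0.113.10/5938 (203.0.113.10/5938) to inside:192.168.10.40/51877 (198.51.100.2/51877)
Nov 14 2018 12:02:40 fw1 %ASA-6-302013: Built outbound TCP connection 103 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:192.168.10.25/50130 (198.51.100.2/50130)
Nov 14 2018 12:02:41 fw1 %ASA-6-302015: Built outbound UDP connection 104 for outside:192.0.2.53/53 (192.0.2.53/53) to inside:192.168.10.25/60001 (198.51.100.2/60001)
Nov 14 2018 12:03:02 fw1 %ASA-6-302013: Built outbound TCP connection 105 for outside:203.0.113.51/443 (203.0.113.51/443) to inside:192.168.10.40/51880 (198.51.100.2/51880)
Nov 14 2018 12:03:15 fw1 %ASA-6-302013: Built inbound TCP connection 106 for outside:198.51.100.7/33333 (198.51.100.7/33333) to inside:192.168.10.5/443 (203.0.113.200/443)
"""

# Ports we expect inside hosts to reach and therefore do not want to flag
# (assumed allow-list for the example; adjust to your environment).
KNOWN_PORTS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}


def parse_outbound(log_text):
    """Return one record per outbound connection-built message.

    Inbound connections are skipped: they are initiated from outside and are
    already governed by the outside interface's ACL, not by what inside hosts do.
    """
    records = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m or m.group("dir") != "outbound":
            continue
        records.append({
            "proto": m.group("proto").lower(),
            "inside_host": m.group("ip2"),
            "remote_ip": m.group("ip1"),
            "remote_port": int(m.group("port1")),
        })
    return records


def port_summary(records, ignore=KNOWN_PORTS):
    """Tally unexpected (proto, port) pairs with the hosts involved on each side."""
    summary = {}
    for r in records:
        key = (r["proto"], r["remote_port"])
        if key in ignore:
            continue
        entry = summary.setdefault(
            key, {"connections": 0, "inside_hosts": set(), "remote_ips": set()}
        )
        entry["connections"] += 1
        entry["inside_hosts"].add(r["inside_host"])
        entry["remote_ips"].add(r["remote_ip"])
    return summary


def acl_lines(summary, acl_name="INSIDE_IN", min_connections=2):
    """Emit candidate deny ACEs for ports seen at least min_connections times.

    acl_name is a hypothetical inside-interface ACL; the ACEs must be placed
    before the permit that currently lets the traffic out, or they do nothing.
    """
    lines = []
    for (proto, port), entry in sorted(summary.items()):
        if entry["connections"] >= min_connections:
            lines.append(f"access-list {acl_name} extended deny {proto} any any eq {port}")
    return lines


if __name__ == "__main__":
    summary = port_summary(parse_outbound(SAMPLE_LOG))
    for (proto, port), entry in sorted(summary.items()):
        print(f"{proto}/{port}: {entry['connections']} connections, "
              f"inside hosts {sorted(entry['inside_hosts'])}, "
              f"remote IPs {sorted(entry['remote_ips'])}")
    for ace in acl_lines(summary):
        print(ace)
```

Two caveats a practitioner should keep in mind. First, the tally only surfaces applications that use a distinctive port; a product that falls back to 443 (as later replies in this thread point out) blends into ordinary HTTPS in these logs, and no port-based ACE will separate it, which is the gap that application-aware inspection (Firepower/AVC) fills. Second, a deny by port alone is easy for the remote-desktop client to route around, so the remote_ips set collected per port is worth keeping: a deny by destination address or network object for the vendor's relay infrastructure is a stronger companion rule than the port ACE, at the cost of maintaining that address list.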
11-14-2018 01:21 PM
Yes, you can. A primitive way is to block RDP (3389) as mentioned; in practice this should be the case anyway, as only the required traffic should be permitted.
Also be aware, other ports can be used. RDS can tunnel over HTTPS, for example.
A better solution is to use Firepower, as this has the ability to do application fingerprinting.
Martin
11-14-2018 06:53 PM
Thanks for the responses. I should have worded my question a little better.
So the goal is to block any third party application used to obtain a remote desktop session. Things like TeamViewer, ScreenConnect, PC Anywhere (is that still around?), GoToMyPC, and do so at the edge. We have already blocked 3389, but those applications don't use that port, and some use random ports or tunnel over HTTPS as pointed out.
I wasn't sure if the ASA had the ability to do this natively or not. I wanted to make sure it cannot before I recommend a new product like Firepower or another security appliance / software.
11-17-2018 03:27 PM
I guess your ASA is not next generation? Firepower is included with newer models. This has the ability to do L7 application filtering (i.e. AVC).
Martin
11-18-2018 02:27 AM
Hi,
With the native ASA you cannot identify the L7 application to block; instead you need to identify the ports which the application is using and block them. If your ASA has the Firepower service module then you can block L7 applications; otherwise you need to go with ASA with Firepower or FTD.
HTH
Abheesh
11-18-2018 05:21 PM
You need to write application/service access rules, and you can't do that on the ASA. The best option would be: if you have Firepower then use Firepower, or else you have to use an internal SIEM device to block such traffic. I recommend using a SIEM to do that.