cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1704
Views
10
Helpful
6
Replies

Block 3rd Party RDP Apps

sabinj
Level 1
Level 1

I have a request from management to block 3rd party remote desktop applications at the firewall.  I'm wondering if this can be done on an ASA, possibly through the Service Policy Rules...  

 

ASA-5545 version 9.2(4)27

 

Any advice would be appreciated.  

 

 

6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

If you are referring RDP then it will be port 3389 to block.

 

if not you need to capture the logs in FW what is the application port using, then start building the access rules to block that port.

 

Do you have any example  of 3rd Party RDP Apps ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Martin Carr
Level 4
Level 4

Yes, you can a primitive way is to block RDP (3389) as mentioned, in practice this should be the case anyway, as only the required traffic should be permitted.

 

Also be aware, other ports can be used. RDS can tunnel over HTTPS, for example.

 

A better solution is to use FirePower, as this has the ability to do application fingerprinting.

 

Martin

Thanks for the responses.  I should have worded my question a little better.  

 

So the goal is to block any third party application used to obtain a remote desktop session.  Things like Teamviewer, ScreenConnect, PC Anywhere (is that still around), GoToMyPC and do so at the edge.  We have already blocked 3389, but those applications don't use that port and some use random port or tunnel over https as pointed out.

 

I wasn't sure if ASA had the ability to do this native or not.  I wanted to make sure it cannot before I recommend a new product like Firepower or another security appliance / software. 

I guess your ASA is not next generation? Firepower is included with newer models. This has to ability to do L7 application filtering (i.e. AVC).

 

Martin

Hi,

With the native ASA you cannot identity the L7 application to block. or else you need to identify the ports which the application is using and block it. If your ASA have firepower service then you can block the L7 applications, or else you need to go with ASA with firepower or FTD.

 

HTH

Abheesh

venkat_n7
Level 1
Level 1

You need to write application/service access-rules, you cant do that on asa. best option would be - if you have firepower then use firepower or else you have to use internal SEIM device to block such traffic. i recommend to use SEIM to do that.

Please rate comments and support
with regards,
Venkat
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: