11-14-2018 12:09 PM - edited 02-21-2020 08:28 AM
I have a request from management to block 3rd party remote desktop applications at the firewall. I'm wondering if this can be done on an ASA, possibly through the Service Policy Rules...
ASA-5545 version 9.2(4)27
Any advice would be appreciated.
11-14-2018 12:47 PM
If you are referring RDP then it will be port 3389 to block.
if not you need to capture the logs in FW what is the application port using, then start building the access rules to block that port.
Do you have any example of 3rd Party RDP Apps ?
***** Rate All Helpful Responses *****
11-14-2018 01:21 PM
Yes, you can a primitive way is to block RDP (3389) as mentioned, in practice this should be the case anyway, as only the required traffic should be permitted.
Also be aware, other ports can be used. RDS can tunnel over HTTPS, for example.
A better solution is to use FirePower, as this has the ability to do application fingerprinting.
11-14-2018 06:53 PM
Thanks for the responses. I should have worded my question a little better.
So the goal is to block any third party application used to obtain a remote desktop session. Things like Teamviewer, ScreenConnect, PC Anywhere (is that still around), GoToMyPC and do so at the edge. We have already blocked 3389, but those applications don't use that port and some use random port or tunnel over https as pointed out.
I wasn't sure if ASA had the ability to do this native or not. I wanted to make sure it cannot before I recommend a new product like Firepower or another security appliance / software.
11-17-2018 03:27 PM
I guess your ASA is not next generation? Firepower is included with newer models. This has to ability to do L7 application filtering (i.e. AVC).
11-18-2018 02:27 AM
With the native ASA you cannot identity the L7 application to block. or else you need to identify the ports which the application is using and block it. If your ASA have firepower service then you can block the L7 applications, or else you need to go with ASA with firepower or FTD.
11-18-2018 05:21 PM
You need to write application/service access-rules, you cant do that on asa. best option would be - if you have firepower then use firepower or else you have to use internal SEIM device to block such traffic. i recommend to use SEIM to do that.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: