11-15-2011 04:21 AM - edited 03-11-2019 02:50 PM
Hello Everyone,
I am trying to block Teamviewer in our network using Cisco ASA. I blocked port 5938, but it dynamically connected on port 443, which is HTTPS. I even tried blocking via the regex way but could not stop the connection.
My conclusion: since it falls back to HTTPS, blocking it from the firewall becomes all the more difficult, as it won't do HTTPS inspection. I guess IPS will also fail to inspect HTTPS.
Other option would be through Microsoft GPO, but this would be my last option. Is there an alternate solution to accomplish this task?
Regards
11-17-2011 07:55 AM
Hi Sundeep,
As you noticed, these applications are very resilient in a firewalled environment and can often connect on multiple different ports and protocols. This makes it easy for users to connect without the need for any network configuration, but difficult to stop with a firewall.
The ASA won't be able to inspect the HTTPS traffic as you already mentioned. You could try blocking the DNS lookups for the servers, but the application might then try a hard-coded IP address. You could use a 3rd party device to act as an HTTPS proxy and block the connection that way. However, even with that it's possible that the application would just choose some other port to use. This is why blocking the application itself is the best choice (either through GPO or some other host-based application).
Hope that helps.
-Mike
12-20-2011 05:39 AM
I have just the same topic to solve.
For now, I am using a squid proxy to filter specific dstdomains, such as .teamviewer.com, or by means of RegEx acls.
But I am expecting to solve it across ASA with IDS/IPS signatures.
Do you know if it is possible?
Thanks
Alain
12-20-2011 12:29 PM
Kind of an old thread, but if your hardware allows it you might want to consider installing a CSC module on your ASA. The CSC will allow you to block a particular category that involves all these remote control programs:
Category Group: Internet Security
Category Type: Remote Access Program
Definition: Sites that provide tools for remotely monitoring and controlling computers
http://www.cisco.com/en/US/products/ps6823/index.html
http://www.cisco.com/en/US/docs/security/csc/csc63/administration/guide/csc4.html#wp1065979
HTH.
Raga
12-21-2011 10:05 PM
Hi Luis,
I don't think CSC can inspect HTTPS traffic. I did a little bit of reading on it and came across that CSC can't inspect HTTPS. However, as Marvin pointed out, Ironport WSA can. I have also tried it with Microsoft's TMG and it is very effective.
12-22-2011 06:05 AM
Hi Sundeep,
The CSC module can filter HTTPS traffic in the latest version (6.6.1125.0).
-Mike
12-20-2011 12:39 PM
The Cisco Ironport WSA (web proxy device) can do this also.
12-22-2011 09:25 AM
Anyway, my purpose would be to detect any resident exe which could connect by itself and open a backdoor from inside to outside.
Since port 80 is widely available for internet access, is IDS (AIM-SSM) able to get this info?
12-22-2011 09:29 AM
Alain,
If you are looking for a way to block the actual .exe on the user's machine what you really need is a Host IPS.
Regards.
01-03-2012 04:26 AM
Hi Guys,
I have the same problem with my Cisco ASA-5585. I want to block TeamViewer, LogMeIn and GoToMyPC...
Is there any update... any solution?
Regards
Sher
01-03-2012 04:28 AM
Hi Guys,
I have the same problem with my Cisco ASA-5585. I want to block TeamViewer, LogMeIn and GoToMyPC...
Is there any update... any solution?
Regards
Sher
11-30-2016 04:30 AM
Hello,
Actually, I blocked TeamViewer on the WSA by blocking the applications for presentation/conferencing. The 5938 port is also blocked on the firewall, but the application is still able to connect.
07-28-2012 01:00 PM
Hi Bro
TeamViewer (TV) is an application that is used to create a remote access connection to a PC anywhere, even if the PC is located behind the firewall. The TV client uses port 80 for the outbound connection, so it is difficult to block on a port basis. So, because the TV client must first connect to the TV server, we can use another approach, that is, blocking every DNS request for *.teamviewer.com and/or *.dyngate.com.
So, this is the configuration if we use a Cisco ASA Firewall (I am using OS ver 8.x):
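! Patterns for the two domains to block
regex TV-RGX "\.teamviewer\.com"
regex DG-RGX "\.dyngate\.com"
! Group both patterns in one regex class
class-map type regex match-any TV-CLS
 match regex DG-RGX
 match regex TV-RGX
! DNS inspection policy: drop queries whose domain name matches the class
policy-map type inspect dns TV-PLC
 parameters
  message-length maximum 512
 match domain-name regex class TV-CLS
  drop
! Apply the DNS inspection policy globally
policy-map global_policy
 class inspection_default
  inspect dns TV-PLC
service-policy global_policy global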
P/S: If you think this comment is useful, please do rate them nicely :-)
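Added example, not part of the original post and not Cisco code: a Python check that applies the two regexes from the configuration above to a DNS query log, listing which internal clients attempt these lookups and where the unanchored patterns differ from a strict zone match. The log format, addresses and host names are constructed, and Python's `re.search` is used as an approximation of the ASA's regex matching (an assumption).

```python
import re
from collections import defaultdict

# Same patterns as the "regex TV-RGX" / "regex DG-RGX" lines in the post above.
PATTERNS = [re.compile(r"\.teamviewer\.com"), re.compile(r"\.dyngate\.com")]
ZONES = ("teamviewer.com", "dyngate.com")
# Constructed sample log; the format (time, client IP, queried name) is assumed.
SAMPLE_LOG = """\
13:00:01 10.1.1.20 host1.teamviewer.com
13:00:02 10.1.1.20 www.example.org
13:00:05 10.1.1.31 ping3.dyngate.com
13:00:07 10.1.1.31 Router7.TeamViewer.com.
13:00:09 10.1.1.44 teamviewer.com
13:00:11 10.1.1.44 cdn.teamviewer.com.example.net
"""

def normalize(name):
    return name.rstrip(".").lower()  # this script's choice: drop root dot, lower-case

def regex_hit(name):
    """Unanchored search, as an approximation of the policy's regex match."""
    return any(p.search(normalize(name)) for p in PATTERNS)

def in_zone(name):
    """Stricter test: the name is a zone apex or a real subdomain of it."""
    n = normalize(name)
    return any(n == z or n.endswith("." + z) for z in ZONES)

def queries(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:  # skip malformed lines
            yield parts[1], parts[2]

def scan(log_text):
    """Clients whose lookups the regexes would match: {client: [names]}."""
    hits = defaultdict(list)
    for client, name in queries(log_text):
        if regex_hit(name):
            hits[client].append(normalize(name))
    return dict(hits)

def pattern_gaps(log_text):
    """Names on which the regexes and the strict zone test disagree."""
    return sorted(normalize(n) for _, n in queries(log_text)
                  if regex_hit(n) != in_zone(n))

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), pattern_gaps(SAMPLE_LOG))
```

On the sample, the bare name teamviewer.com is not matched because the pattern requires a leading dot, while a name under example.net is matched because the pattern is not anchored at the end.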