01-24-2015 03:18 AM - edited 03-11-2019 10:23 PM
I use ASA Firewalls within my organization. I need help on how we can completely block TeamViewer connections in and out of my organization's network.
Thank you.
01-24-2015 12:28 PM
Hello Salawu,
There has been a lot of discussions about these and what I can tell you from that is Team-Viewer is an application that is really difficult to block as it jumps from port to port to be able to reach their servers to the point they can use Port TCP/80 and I am quite sure you do not want to block that.
Some people have talked about instead of filtering the traffic to their IPs (as there are many many) to use DNS inspection with regex and then block their domain instead.
Note: Check this post for that
https://supportforums.cisco.com/discussion/11536791/block-teamviwer-cisco-asa-5520-82
I have even seen that it can jump to port TCP/443 (HTTPS), where the traffic goes encrypted, so the firewall will not be able to filter this as the traffic will not go in clear text.
The only way you could make this happen is if you have a Next-Generation Firewall and implement the CX module to be fully application aware and filter the Team-Viewer application (you might even enable SSL decryption in case it uses port 443).
I hope this answer helps you and remember to rate my answers :)
Regards,
Jcarvaja
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For immediate assistance contact us at http://i-networks.us
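As an added illustration of the DNS-inspection approach mentioned above (this is not configuration from the thread or from the linked post), the fragment below drops DNS queries for the TeamViewer domain as they transit the ASA. The object names (tv-domain, TV-DNS-CLASS, tv-dns-policy) are made up for the example, and the regex is an assumption about which names the client looks up; it is unanchored, so it also catches subdomains, and the dot is escaped so it matches a literal dot only.

```cisco
! Added example, not from the thread: block resolution of teamviewer.com
! via ASA DNS application inspection. All object names are hypothetical.
regex tv-domain "teamviewer\.com"
!
! Classify DNS messages whose queried name matches the regex
class-map type inspect dns match-any TV-DNS-CLASS
 match domain-name regex tv-domain
!
! DNS inspection policy: keep the usual length checks, drop matching queries
policy-map type inspect dns tv-dns-policy
 parameters
  message-length maximum client auto
  message-length maximum 512
 class TV-DNS-CLASS
  drop log
!
! Swap the default preset_dns_map for the new policy on the global class
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns tv-dns-policy
```

Two things to check before relying on this: the ASA only sees DNS that actually passes through it, so clients that resolve against an internal server with a warm cache, or that resolve names by some path that bypasses the firewall, are not affected; and the `log` keyword gives you syslog evidence of which hosts are attempting the lookups, which is useful for following up on endpoints even where the block itself is incomplete.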
01-25-2015 07:45 AM
While that solution using CX would work in theory, I have yet to see anyone do CX SSL decryption in production.
Number 1 it makes a huge hit in firewall throughput performance.
Number 2 it requires a PKI in which you issue a special certificate type to the CX that is both trusted by all your clients as well as able to issue child certificates.
I've done it in the lab but that was only to learn the concept.
For apps that don't use SSL then, yes - the AVC feature of the NGFW (either CX or FirePOWER module) can block applications independent of tcp or udp port.
01-25-2015 07:51 AM
Hey Marvin,
Wow Long time no see!
I have used it in production, and the things that I can share are:
1) Of course performance is affected, but at least in our case I was expecting worse performance. It was actually really good.
2) For inbound SSL traffic, decryption is just not useful, as none of the third-party certificate vendors will give you a certificate with the capability of creating child certificates. That would break the chain of trust. And if you use a cert from your domain, having your users trust that on the internet is just a pain in the ...
3) For outbound SSL, inspection is good enough, as you can ask the local users to install the certificate from the ASA itself or from your local CA.
Anyway, glad to see you, sir.
01-25-2015 08:50 PM
Hi Julio - good to see you around again.
Did you have any metrics on performance? I am very hesitant in a large enterprise. I have one customer running a 5585 with CX on SSP-20, and even without SSL decryption I have been seeing the hardware card running out of resources at only 300-400 Mbps sustained throughput. We turned off CX-based IPS and are only running WSE and AVC there.
Asking users to install a certificate doesn't scale well when we have several thousand users, many of them on guest devices and not even eligible to get a GPO pushed to them, if the customer even had an established PKI (which they don't in most cases).
With more and more sites defaulting to https (Facebook etc.) this is a growing problem.