How to prevent LogMeIn users thru PIX

kev_jacob · ‎12-28-2005

Hi,

I have a PIX version 6.3(1). I have noticed that some users are using LogMeIn remote desktop services without the knowledge of the administrator. I tried to block the port and noticed that it uses Internet ports HTTP. All users are permitted to access the Internet and so HTTP cannot be blocked. So how can i block this LogMeIn application on the PIX 6.3. Do you think I will need to upgrade to an IPS or PIX 7.0 or does 6.3 itself support some method of blocking this kind of application?

logmein.com will describe how it works.

Can anyone provide me with the right solution?

Thanks

Kevin

baudhayan · ‎12-29-2005

I guess LogMeIn runs on TCP Port 2002. Try blocking this Port & let me know.

b_learoyd · ‎12-29-2005

Kev,

forcing users to use a proxy seems to break it quite well and brings lots of other benefits too !

Barry.

prasadrp · ‎12-30-2005

Hi Kevin

Logmein tries to connect to secure.logmein.com and tries to go through https. So the only way to block it is through blocking the ip for secure.logmein.com, which is 63.209.251.90. Again it won't be a full proof solution since mirrored sites might pop in with different IPs and IPs can change.

Regarding upgrade to version 7.0. With pix 7.0, yes we do have deep packet inspection (called map, for ex. http-map, gtp-map, ftp-map) available for http, ftp, gtp and so on, but for secure protocols, we cannot do much. We can block logmein effectively using ASA with IPS or IPS appliance.

But you will find such applications which depends on secure communications increasing a lot. I would prefer to have a deep packet inspection feature for DNS in PIX next version, which could allow us to permit or drop packet on the basis on dns queries, which can make life a bit better for us.