01-02-2009 12:32 AM - edited 02-20-2020 09:41 PM
We are blocking Remote Admin using the access list, but we have found that users are changing the port number (default 4899). How can we block Remote Admin completely on routers using an access list?
01-02-2009 06:20 AM
Use restrictive rather than permissive rules. Block all ports by default and only allow ports that are required for business.
Hope that helps.
01-04-2009 08:06 PM
Hi Colling,
It will be very difficult, as our organisation has 15,000 users and every user has different applications.
01-05-2009 12:37 AM
It is expected that a system/network administrator will at least try a technical solution to a problem he/she is facing at work, but in the end, as a system/network admin, you're not supposed to fight with users. If your equipment simply isn't the correct technology to solve your problem, solve it by making it company policy (obviously a policy is no good if you don't state the consequences of failing to follow it) that they aren't supposed to RDP to their home servers (I suppose by RADMIN that's what you mean). If you've blocked the default port, and you know people are still doing it, then obviously you have some way of finding out.
Another way to look at it: it really shouldn't be that difficult a task to find out which outgoing ports need to be opened. If you're really unsure, then coordinate with team leads or heads of departments (this should get you the information on 99% of what needs to be opened, and the rest can be opened/approved on a case-by-case basis).
An easy way I've learned to quickly figure things out is to block all outgoing connections, allow those that you know are needed and wait for the phone to ring :) Or, another solution would be to allow outgoing what you already know you need, then at the end of the chain of rules add a rule which will log anything else (since the connection didn't match any of the permit rules, it will generate a log entry) and review the logs every so often during the day.
I also know you can create a class-map and use regex to match information found within the traffic that goes back and forth; however, I don't know enough about the RDP protocol (again, I'm assuming you're talking about RDP) to assure you this would work. I guess first and foremost the traffic would need to not be encrypted, and then you'd have to identify some kind of commonality in the connection negotiation traffic for a session being established.
I've read your last post about the organization having 15000 users and such, and I do realize the answers I'm proposing are somewhat similar to the previous answer you got, but the truth is, as a business, what falls under "business related activities" should already be well defined to begin with. If it isn't, perhaps the problem is partly with the employees, but mostly with management for not making clear what's expected of their employees.
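The "log anything else and review the logs" approach above produces a stream of syslog lines that nobody wants to read by hand, so here is an added example (not part of the original thread) of the review step. It assumes a Cisco IOS extended access list applied outbound whose final entry is `deny ip any any log`, so that every connection not matched by an explicit permit produces a `%SEC-6-IPACCESSLOGP` message; the sample log lines are constructed for illustration, and the access list name `OUTBOUND`, the addresses and the function names are all assumptions. It tallies denied destination ports, lists ports that several hosts are reaching for (candidates for a business-need review), and picks out hosts that were denied on the default Radmin port and then moved to another port, which is exactly the behaviour the original question describes.

```python
"""Summarise Cisco IOS ACL deny logs to see which ports users are actually reaching for.

Added example, not from the thread. Assumes an extended access list whose last
entry is 'deny ip any any log', so that every unmatched connection is logged as
a %SEC-6-IPACCESSLOGP syslog line. The sample log below is constructed.
"""
import re
from collections import defaultdict

# %SEC-6-IPACCESSLOGP is the IOS message for TCP/UDP ACL matches; it carries both ports.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Constructed sample syslog output (addresses and hosts are made up).
SAMPLE_LOG = """\
Jan  5 08:01:12.301: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.20.1.15(52310) -> 203.0.113.7(4899), 1 packet
Jan  5 08:01:40.118: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.20.1.15(52311) -> 203.0.113.7(4900), 3 packets
Jan  5 08:02:05.770: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.20.3.44(49152) -> 198.51.100.9(4900), 2 packets
Jan  5 08:02:31.004: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.20.0.2)
Jan  5 08:03:17.552: %SEC-6-IPACCESSLOGP: list OUTBOUND permitted tcp 10.20.5.2(50012) -> 192.0.2.10(443), 5 packets
Jan  5 08:04:02.913: %SEC-6-IPACCESSLOGP: list OUTBOUND denied tcp 10.20.7.8(51000) -> 198.51.100.22(4900), 1 packet
Jan  5 08:05:48.226: %SEC-6-IPACCESSLOGP: list OUTBOUND denied udp 10.20.9.9(40001) -> 192.0.2.33(8080), 1 packet
"""


def parse_acl_log(lines):
    """Return one dict per IPACCESSLOGP line; unrelated syslog lines are skipped."""
    records = []
    for line in lines:
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "packets"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def denied_sources_by_port(records):
    """Map destination port -> set of internal hosts that were denied reaching it."""
    by_port = defaultdict(set)
    for rec in records:
        if rec["action"] == "denied":
            by_port[rec["dport"]].add(rec["src"])
    return by_port


def denied_packets_by_port(records):
    """Map destination port -> total denied packets reported for it."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "denied":
            totals[rec["dport"]] += rec["packets"]
    return dict(totals)


def widely_used_ports(records, min_sources=2):
    """Ports that at least min_sources distinct hosts tried: review these with the business."""
    by_port = denied_sources_by_port(records)
    return sorted(p for p, srcs in by_port.items() if len(srcs) >= min_sources)


def port_hoppers(records, default_port=4899):
    """Hosts denied on default_port that also tried other ports.

    Returns {source address: sorted list of the other denied destination ports}.
    """
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "denied":
            ports_by_src[rec["src"]].add(rec["dport"])
    return {
        src: sorted(ports - {default_port})
        for src, ports in ports_by_src.items()
        if default_port in ports and len(ports) > 1
    }


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG.splitlines())
    print("denied packets per port:", denied_packets_by_port(recs))
    print("ports tried by 2+ hosts:", widely_used_ports(recs))
    print("hosts that moved off 4899:", port_hoppers(recs))
```

Feed it the router's syslog rather than the sample (for example `parse_acl_log(open("router.log"))`). One caveat when relying on these counts: IOS rate-limits ACL logging and reports subsequent matches of a flow as periodic summaries, so the packet totals are indicative, not exact; the set of hosts and ports is the useful part.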
01-05-2009 02:38 AM
Sorry, I went off-base when I suggested inspecting session info for some commonalities. Not sure what you're using, but my 5505 is a layer 2/3 device, so obviously I don't have access to session info.
Also, on another note, even if you do find a technical solution to deal with the problem, this restriction should still be made part of your corporate policy.
AND
I'm no big fan of instituting policies you don't have a way to monitor/enforce (i.e. having such a policy without having a way to monitor people for compliance is lame); however, if it's all you have left, then it's all you have left.
That being said, if none of the solutions above are suitable for you, I'm sure that either someone with more advanced knowledge could make another suggestion, or the answer will be for you to be ready to open your wallet for a deep excavation (there has to be a solution, hardware or software, that can do this).
01-05-2009 03:16 AM
Thanks,
I have read about NBAR, which filters not on a port basis but on an application basis. Can this work?
01-05-2009 03:48 AM
Hi,
Quite possibly. I've seen another thread where someone was trying to block Yahoo Messenger and he made a reference to NBAR; however, I'm not sure what NBAR is capable of or what its limitations are. The device I get to play with is quite cheap / on the low-end scale, an ASA 5505.
01-05-2009 05:46 AM
I originally thought about NBAR, but you stated that the users are changing ports on you, and although NBAR can look inside packets, it would have difficulty catching all those port changes.
01-05-2009 06:48 AM
Hi Erik,
Thanks for the reminder that some of our problems can only be solved by employees being honest and/or via policy set down and enforced by management. A +5 from NYC for your answer.
Best,
Paul