Is it possible to block Teamviewer and Logmein?



  • Hello, I have been trying to figure out a way to block out Teamviewer and Logmein networks, but I can't seem to find a way. I have searched on the forums and I haven't found a comprehensive solution yet.

    Thanks in advance, this is for a school assignment and I am still quite new to firewalling.


  • LAYER 8 Global Moderator

    What exactly are you trying to stop.. So you want to stop users from using teamviewer to connect to stuff outbound, or stop users from accessing their machines remotely with teamviewer installed?

    Teamviewer and logmein, etc. are actually designed to work through your typical soho router/firewall without the users having to do anything - client behind your firewall makes a connection to the servers, the other user then connects to these servers and goes through that tunnel to get to the remote machine.  They will work outbound on 80/443 etc.. your typical web ports.

    To block them the best thing would be to block all the networks of teamviewer/other such service.  You would need to find all the netblocks the teamviewer servers are on for example.



  • @johnpoz:

    What exactly are you trying to stop.. So you want to stop users from using teamviewer to connect to stuff outbound, or stop users from accessing their machines remotely with teamviewer installed?

    Teamviewer and logmein, etc. are actually designed to work through your typical soho router/firewall without the users having to do anything - client behind your firewall makes a connection to the servers, the other user then connects to these servers and goes through that tunnel to get to the remote machine.  They will work outbound on 80/443 etc.. your typical web ports.

    To block them the best thing would be to block all the networks of teamviewer/other such service.  You would need to find all the netblocks the teamviewer servers are on for example.

    I am trying to block it both ways, will a DNS resolver domain override work? Also, if I were to block it by IP, how could I get a list of all the IPs (sorry if it's a dumb question) used by these services?

    Thanks a lot for the answer in advance.


  • LAYER 8 Global Moderator

    If you know the domains, then sure you could block it by stopping the DNS query.  But I think as a last ditch it goes for IP directly.  The tool is really designed to circumvent firewalls.  If not it would run on port X and be done with it.  You would just block port X and there you go..  But if port X doesn't work then it tries 80 and 443..



  • You can google teamviewer subnets and logmein subnets, it will give you the address ranges.  Create Alias objects for these network objects, and create a block rule using the aliases.
    That should take care of the problem.



  • Don't forget Chrome Remote Desktop if you're trying to block people from using VNC services.


  • LAYER 8 Global Moderator

    Also doesn't stop them from using it via a proxy ;)



  • You could install Snort and write a custom rule using OpenAppID to drop identified traffic I think.



  • @gerby123:

    You could install Snort and write a custom rule using OpenAppID to drop identified traffic I think.

    app-detect.rules might already have it

    # alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 17 24 47 50 00|"; within:6; distance:2; replace:"|00 00 00 00 00 00|"; metadata:service teamview; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24098; rev:2;)
    # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_server,established; content:"|11 30 39|"; depth:3; replace:"|00 00 00|"; metadata:service teamview; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24097; rev:1;)
    # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT Teamviewer remote connection attempt"; flow:to_client,established; content:"|11 30 39|"; depth:3; replace:"|00 00 00|"; metadata:service teamview; reference:url,en.wikipedia.org/wiki/TeamViewer; classtype:policy-violation; sid:24096; rev:1;)
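
An added example, not part of the original post or of the Snort ruleset: a simplified Python model of the content checks in the three rules quoted above, showing which payload offsets `depth`, `distance` and `within` pin each match to, and what the TCP rules' `replace` does to a matching packet. The function names are hypothetical, the sample payloads are constructed, and flow direction is not modelled.

```python
"""Simplified model of the content options in sid 24096, 24097 and 24098."""

def find_content(payload, pattern, start, window):
    """Return the index just past `pattern` if it lies fully inside
    payload[start:start+window], otherwise None."""
    idx = payload.find(pattern, start, start + window)
    return None if idx < 0 else idx + len(pattern)

def match_tcp(payload):
    # sid 24096 / 24097: content:"|11 30 39|"; depth:3;
    # A 3-byte pattern with depth:3 can only match at offset 0.
    return find_content(payload, b"\x11\x30\x39", 0, 3) is not None

def match_udp(payload):
    # sid 24098, first content: eight zero bytes with depth:8 (offset 0 only).
    cursor = find_content(payload, bytes(8), 0, 8)
    if cursor is None:
        return False
    # Second content: distance:2 skips two bytes past the first match and
    # within:6 limits the search to the next six bytes (offset 10 only).
    second = b"\x00\x17\x24\x47\x50\x00"
    return find_content(payload, second, cursor + 2, 6) is not None

def apply_replace_tcp(payload):
    # replace:"|00 00 00|" overwrites the matched bytes with an equal-length
    # string; packets that do not match pass through unchanged.
    return b"\x00\x00\x00" + payload[3:] if match_tcp(payload) else payload

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "tcp_match": bytes.fromhex("113039") + bytes(5),
    "tcp_shifted": b"\x00" + bytes.fromhex("113039"),
    "udp_match": bytes(8) + b"\xaa\xbb" + bytes.fromhex("001724475000"),
    "udp_shifted": bytes(8) + b"\xaa\xbb\xcc" + bytes.fromhex("001724475000"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        hit = match_udp(data) if name.startswith("udp") else match_tcp(data)
        print(f"{name:12s} {data.hex()} -> {'match' if hit else 'no match'}")
```

As pasted, all three rules begin with `#`, so they stay disabled until uncommented, and `replace` only modifies traffic when Snort runs inline.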
    
