?
Solved

Blocking LogMeIn under PIX Firewall

Posted on 2006-11-01
3
Medium Priority
?
11,677 Views
Last Modified: 2013-11-16
Hi All,

How can you block LogMeIn service using Pix 506E firewall ? I am using ver 6.3.5.

Please let me know

Thanks.
0
Comment
Question by:tssiva
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 17855931
The LogMeIn service works by installing a client piece of software on the machine you want to remotely control which then establishes an HTTPS tunnel to a "gateway" server located on the LogMeIn network.  Without the use of content filtering software such as Websense (which has a defined protocol for LogMeIn blocking), you can manually block your internal machines from establishing the HTTPS tunnel in outbound by denying TCP 443 in an outbound direction to the pool of LogMeIn gateway server IP addresses.

I did some testing and found that they have at least 17 different servers setup to be gateway servers.  Their DNS names are app01-app17.logmein.com.  The IP addresses for these servers are not on the same network segment which makes this a little more tricky.  This might not be a complete list, but you get the idea about how to perform the blocking.  Here is the IP list:

63.208.197.11  app01.logmein.com
63.208.197.12  app02.logmein.com
63.208.197.13  app03.logmein.com
63.208.197.14  app04.logmein.com
63.208.197.15  app05.logmein.com
63.208.197.16  app06.logmein.com
63.209.251.17  app07.logmein.com
63.209.251.18  app08.logmein.com
63.209.251.19  app09.logmein.com
63.209.251.20  app10.logmein.com
63.209.251.21  app11.logmein.com
63.209.251.22  app12.logmein.com
63.209.251.23  app13.logmein.com
63.208.197.24  app14.logmein.com
63.208.197.25  app15.logmein.com
63.208.197.26  app16.logmein.com
63.208.197.27  app17.logmein.com

As you can see, they did not use contiguous addressing in the setup, probably to increase their uptime in case their ISP has network problems.  So to block, these destination IP addresses in an outbound direction, here are the commands for a PIX firewall.  These should be entered from "config" mode on the PIX.

access-list acl_out deny tcp any host 63.208.197.11 eq https
access-list acl_out deny tcp any host 63.208.197.12 eq https
access-list acl_out deny tcp any host 63.208.197.13 eq https
access-list acl_out deny tcp any host 63.208.197.14 eq https
access-list acl_out deny tcp any host 63.208.197.15 eq https
access-list acl_out deny tcp any host 63.208.197.16 eq https
access-list acl_out deny tcp any host 63.209.251.17 eq https
access-list acl_out deny tcp any host 63.209.251.18 eq https
access-list acl_out deny tcp any host 63.209.251.19 eq https
access-list acl_out deny tcp any host 63.209.251.20 eq https
access-list acl_out deny tcp any host 63.209.251.21 eq https
access-list acl_out deny tcp any host 63.209.251.22 eq https
access-list acl_out deny tcp any host 63.209.251.23 eq https
access-list acl_out deny tcp any host 63.208.197.24 eq https
access-list acl_out deny tcp any host 63.208.197.25 eq https
access-list acl_out deny tcp any host 63.208.197.26 eq https
access-list acl_out deny tcp any host 63.208.197.27 eq https
access-list permit ip any any

Then, apply this to the inside interface with the following command:

access-group acl_out in interface inside

The last statement in the above ACL is to allow all of your other Internet traffic originating from inside the network to still flow as it does now.  Assuming you do not currently have an ACL applied to the inside interface, this last statement is necessary because of the implicit "deny" behavior at the end of a PIX ACL.

Be very careful when applying this ACL to the inside interface since you will now have to explicitly allow any traffic that you want to allow to the outside from your inside network because of the application of this ACL.  This includes normal HTTP traffic, DNS lookups, NTP for time syncs, various ports for streaming media, etc.  The last statement in the ACL should take care of all of this for you so be sure to include some sort of global "catch all" permit statement like that...otherwise you will probably have your users waiting at your door with pitch forks and torches!  :-)

Hope this helps...

0
 
LVL 28

Accepted Solution

by:
batry_boy earned 750 total points
ID: 17855941
Oops!  The last statement in the ACL should read:

access-list acl_out permit ip any any

I forgot to specify the name of the ACL in the previous post...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17868530
The easiest way would be to create a bogus dns domain for logmein.com and send all the requests coming to this domain to a non-existent ip address. Easy to manage, easily achievable.

Cheers,
Rajesh
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question