Solved

Blocking LogMeIn under PIX Firewall

Posted on 2006-11-01
3
11,644 Views
Last Modified: 2013-11-16
Hi All,

How can you block LogMeIn service using Pix 506E firewall ? I am using ver 6.3.5.

Please let me know

Thanks.
0
Comment
Question by:tssiva
  • 2
3 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 17855931
The LogMeIn service works by installing a client piece of software on the machine you want to remotely control which then establishes an HTTPS tunnel to a "gateway" server located on the LogMeIn network.  Without the use of content filtering software such as Websense (which has a defined protocol for LogMeIn blocking), you can manually block your internal machines from establishing the HTTPS tunnel in outbound by denying TCP 443 in an outbound direction to the pool of LogMeIn gateway server IP addresses.

I did some testing and found that they have at least 17 different servers setup to be gateway servers.  Their DNS names are app01-app17.logmein.com.  The IP addresses for these servers are not on the same network segment which makes this a little more tricky.  This might not be a complete list, but you get the idea about how to perform the blocking.  Here is the IP list:

63.208.197.11  app01.logmein.com
63.208.197.12  app02.logmein.com
63.208.197.13  app03.logmein.com
63.208.197.14  app04.logmein.com
63.208.197.15  app05.logmein.com
63.208.197.16  app06.logmein.com
63.209.251.17  app07.logmein.com
63.209.251.18  app08.logmein.com
63.209.251.19  app09.logmein.com
63.209.251.20  app10.logmein.com
63.209.251.21  app11.logmein.com
63.209.251.22  app12.logmein.com
63.209.251.23  app13.logmein.com
63.208.197.24  app14.logmein.com
63.208.197.25  app15.logmein.com
63.208.197.26  app16.logmein.com
63.208.197.27  app17.logmein.com

As you can see, they did not use contiguous addressing in the setup, probably to increase their uptime in case their ISP has network problems.  So to block, these destination IP addresses in an outbound direction, here are the commands for a PIX firewall.  These should be entered from "config" mode on the PIX.

access-list acl_out deny tcp any host 63.208.197.11 eq https
access-list acl_out deny tcp any host 63.208.197.12 eq https
access-list acl_out deny tcp any host 63.208.197.13 eq https
access-list acl_out deny tcp any host 63.208.197.14 eq https
access-list acl_out deny tcp any host 63.208.197.15 eq https
access-list acl_out deny tcp any host 63.208.197.16 eq https
access-list acl_out deny tcp any host 63.209.251.17 eq https
access-list acl_out deny tcp any host 63.209.251.18 eq https
access-list acl_out deny tcp any host 63.209.251.19 eq https
access-list acl_out deny tcp any host 63.209.251.20 eq https
access-list acl_out deny tcp any host 63.209.251.21 eq https
access-list acl_out deny tcp any host 63.209.251.22 eq https
access-list acl_out deny tcp any host 63.209.251.23 eq https
access-list acl_out deny tcp any host 63.208.197.24 eq https
access-list acl_out deny tcp any host 63.208.197.25 eq https
access-list acl_out deny tcp any host 63.208.197.26 eq https
access-list acl_out deny tcp any host 63.208.197.27 eq https
access-list permit ip any any

Then, apply this to the inside interface with the following command:

access-group acl_out in interface inside

The last statement in the above ACL is to allow all of your other Internet traffic originating from inside the network to still flow as it does now.  Assuming you do not currently have an ACL applied to the inside interface, this last statement is necessary because of the implicit "deny" behavior at the end of a PIX ACL.

Be very careful when applying this ACL to the inside interface since you will now have to explicitly allow any traffic that you want to allow to the outside from your inside network because of the application of this ACL.  This includes normal HTTP traffic, DNS lookups, NTP for time syncs, various ports for streaming media, etc.  The last statement in the ACL should take care of all of this for you so be sure to include some sort of global "catch all" permit statement like that...otherwise you will probably have your users waiting at your door with pitch forks and torches!  :-)

Hope this helps...

0
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 17855941
Oops!  The last statement in the ACL should read:

access-list acl_out permit ip any any

I forgot to specify the name of the ACL in the previous post...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17868530
The easiest way would be to create a bogus dns domain for logmein.com and send all the requests coming to this domain to a non-existent ip address. Easy to manage, easily achievable.

Cheers,
Rajesh
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question