Solved

Blocking LogMeIn under PIX Firewall

Posted on 2006-11-01
3
11,631 Views
Last Modified: 2013-11-16
Hi All,

How can you block LogMeIn service using Pix 506E firewall ? I am using ver 6.3.5.

Please let me know

Thanks.
0
Comment
Question by:tssiva
  • 2
3 Comments
 
LVL 28

Expert Comment

by:batry_boy
ID: 17855931
The LogMeIn service works by installing a client piece of software on the machine you want to remotely control which then establishes an HTTPS tunnel to a "gateway" server located on the LogMeIn network.  Without the use of content filtering software such as Websense (which has a defined protocol for LogMeIn blocking), you can manually block your internal machines from establishing the HTTPS tunnel in outbound by denying TCP 443 in an outbound direction to the pool of LogMeIn gateway server IP addresses.

I did some testing and found that they have at least 17 different servers setup to be gateway servers.  Their DNS names are app01-app17.logmein.com.  The IP addresses for these servers are not on the same network segment which makes this a little more tricky.  This might not be a complete list, but you get the idea about how to perform the blocking.  Here is the IP list:

63.208.197.11  app01.logmein.com
63.208.197.12  app02.logmein.com
63.208.197.13  app03.logmein.com
63.208.197.14  app04.logmein.com
63.208.197.15  app05.logmein.com
63.208.197.16  app06.logmein.com
63.209.251.17  app07.logmein.com
63.209.251.18  app08.logmein.com
63.209.251.19  app09.logmein.com
63.209.251.20  app10.logmein.com
63.209.251.21  app11.logmein.com
63.209.251.22  app12.logmein.com
63.209.251.23  app13.logmein.com
63.208.197.24  app14.logmein.com
63.208.197.25  app15.logmein.com
63.208.197.26  app16.logmein.com
63.208.197.27  app17.logmein.com

As you can see, they did not use contiguous addressing in the setup, probably to increase their uptime in case their ISP has network problems.  So to block, these destination IP addresses in an outbound direction, here are the commands for a PIX firewall.  These should be entered from "config" mode on the PIX.

access-list acl_out deny tcp any host 63.208.197.11 eq https
access-list acl_out deny tcp any host 63.208.197.12 eq https
access-list acl_out deny tcp any host 63.208.197.13 eq https
access-list acl_out deny tcp any host 63.208.197.14 eq https
access-list acl_out deny tcp any host 63.208.197.15 eq https
access-list acl_out deny tcp any host 63.208.197.16 eq https
access-list acl_out deny tcp any host 63.209.251.17 eq https
access-list acl_out deny tcp any host 63.209.251.18 eq https
access-list acl_out deny tcp any host 63.209.251.19 eq https
access-list acl_out deny tcp any host 63.209.251.20 eq https
access-list acl_out deny tcp any host 63.209.251.21 eq https
access-list acl_out deny tcp any host 63.209.251.22 eq https
access-list acl_out deny tcp any host 63.209.251.23 eq https
access-list acl_out deny tcp any host 63.208.197.24 eq https
access-list acl_out deny tcp any host 63.208.197.25 eq https
access-list acl_out deny tcp any host 63.208.197.26 eq https
access-list acl_out deny tcp any host 63.208.197.27 eq https
access-list permit ip any any

Then, apply this to the inside interface with the following command:

access-group acl_out in interface inside

The last statement in the above ACL is to allow all of your other Internet traffic originating from inside the network to still flow as it does now.  Assuming you do not currently have an ACL applied to the inside interface, this last statement is necessary because of the implicit "deny" behavior at the end of a PIX ACL.

Be very careful when applying this ACL to the inside interface since you will now have to explicitly allow any traffic that you want to allow to the outside from your inside network because of the application of this ACL.  This includes normal HTTP traffic, DNS lookups, NTP for time syncs, various ports for streaming media, etc.  The last statement in the ACL should take care of all of this for you so be sure to include some sort of global "catch all" permit statement like that...otherwise you will probably have your users waiting at your door with pitch forks and torches!  :-)

Hope this helps...

0
 
LVL 28

Accepted Solution

by:
batry_boy earned 250 total points
ID: 17855941
Oops!  The last statement in the ACL should read:

access-list acl_out permit ip any any

I forgot to specify the name of the ACL in the previous post...
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17868530
The easiest way would be to create a bogus dns domain for logmein.com and send all the requests coming to this domain to a non-existent ip address. Easy to manage, easily achievable.

Cheers,
Rajesh
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now