level9tech

Block Logme internally

So on our network we use LogMeIn, which I want us to be able to use to connect to LogMeIn machines outside of our network. However, what I want to prevent is people using LogMeIn from outside the office to reach their work computers. I can't control the desktops, so I need to do something from the routers/firewalls. Does anyone have any suggestions?
elawad

What kind of firewall do you have? If you have ISA Server, deny all outbound traffic from a website you create called http://*.logmein.com to the internal network and you're done. Also, I think it is possible on any firewall to deny traffic from a specific site to the internal network.

It won't be easy to block the access if you don't have a content-based filtering device at your perimeter. These services make use of common ports like 80 and 443 for connection. One rule you can give in your firewall/router is to allow inbound HTTP and HTTPS connections only to any web servers that might be there in your internal network.

Allow only required ports from outside to inside of your network, except HTTP and HTTPS. I hope that, if you have servers/websites exposed to the internet, they are on a different network.
I'm pretty sure this is a tall order. The task is to block the "server" feature of LMI from being run internally. You may need to use a software policy, but even that is going to be difficult because it's just a Java applet. The traffic between the host and remote systems for these types of services is all standard HTTP and HTTPS traffic, and the middle-man broker server is the same pool whether you're the remote or the host. The only difference is the Java applet running on each side.

We typically suggest a no-tolerance IT policy that basically states that users will be written up, terminated and/or tortured if they are found to be running the software.  

First of all, you have to prevent the users from installing LogMeIn on their computers, to reduce the risk.

Then, if you have Websense, you can block LogMeIn locally; then they can't connect from outside to the computers.

And you can block port 2002 TCP, because it works on ports 80, 443 and 2002.
curua2008

If you want to detect clients with LogMeIn installed, it's also pretty simple if you have an IDS set up to sniff traffic on your internet gateway.

For example, here are the rules for Snort to detect LogMeIn. We have it deployed and it worked pretty well.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/myrahost/list.aspx?"; nocase; content:!"|0d 0a|Host\: "; classtype:policy-violation; sid:2007765; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/update.logmein.com/"; nocase; content:!"|0d 0a|Host\: "; classtype:policy-violation; sid:2007766; rev:2;)

It looks like the app communicates to app57.logmein.com (216.52.233.217) as well. I'm guessing that there are also more IPs in that range that you will need to filter. Another option is to set up a proxy (like Squid) to monitor and filter web traffic.
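
A proxy-log counterpart to the Snort rules and the Squid suggestion above, added here as an example and not part of any poster's reply: it scans Squid access.log lines for the two URI strings from the rules and for any destination under logmein.com, then lists the internal clients involved. The native Squid log layout is assumed; the log lines, client addresses, query string, file name and 192.0.2.x peer addresses are constructed.

```python
"""Flag internal clients whose proxy traffic looks like LogMeIn host activity."""
from collections import defaultdict
from urllib.parse import urlsplit

# URI substrings taken from the two Snort rules above (matched case-insensitively).
URI_MARKERS = ("/myrahost/list.aspx?", "/update.logmein.com/")
VENDOR_DOMAIN = "logmein.com"

# Constructed sample lines, assumed Squid native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1286536301.120    95 10.0.0.21 TCP_MISS/200 1523 GET http://app57.logmein.com/myrahost/list.aspx?x=1 - DIRECT/216.52.233.217 text/html
1286536309.450  5012 10.0.0.21 TCP_MISS/200 8841 CONNECT app57.logmein.com:443 - DIRECT/216.52.233.217 -
1286536312.004    40 10.0.0.35 TCP_MISS/200 7312 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1286536320.771    61 10.0.0.48 TCP_MISS/200 2210 GET http://update.logmein.com/ver.txt - DIRECT/192.0.2.77 text/plain
1286536325.300    12 10.0.0.35 TCP_DENIED/403 0 GET http://notlogmein.com/ - NONE/- text/html
"""

def dest_host(method, url):
    """Return the lowercase destination host for a GET-style URL or a CONNECT target."""
    if method == "CONNECT":            # CONNECT logs "host:port", no scheme
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def classify(line):
    """Return (client_ip, reason) when a log line matches, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None                    # truncated or malformed line
    client, method, url = fields[2], fields[5], fields[6]
    lowered = url.lower()              # the logged URL stands in for the request URI
    for marker in URI_MARKERS:
        if marker in lowered:
            return client, "uri:" + marker
    host = dest_host(method, url)
    # Suffix match on a label boundary so "notlogmein.com" does not match.
    if host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN):
        return client, "host:" + host
    return None

def scan(log_text):
    """Map each matching client IP to the sorted list of reasons it was flagged."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits[result[0]].add(result[1])
    return {ip: sorted(reasons) for ip, reasons in hits.items()}
```

Calling `scan()` on the text of a real access.log returns the same mapping of client address to match reasons; the HTTPS sessions show up only through the CONNECT host check, since the proxy never sees their URIs.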