
Block LogMeIn internally

So on our network we use LogMeIn. I want us to be able to connect to LogMeIn machines outside of our network; however, what I want to prevent is people using LogMeIn from outside the office to their work computer. I can't control the desktops, so I need to do something from the routers/firewalls. Does anyone have any suggestions?

Commented:
What kind of firewall do you have? If you have ISA Server, deny all outbound traffic from a website you create called http://*.logmein.com to the internal network and you're done. Also, I think this is possible on any firewall: deny traffic from a specific site to the internal network.

Commented:
It won't be easy to block the access if you don't have a content-based filtering device at your perimeter. These services make use of common ports like 80 and 443 for connection. One rule you can give in your firewall/router is to allow inbound HTTP and HTTPS connections only to any web servers that might be there in your internal network.

Allow only required ports from outside to inside of your network, except HTTP and HTTPS. I hope that, if you have servers/websites exposed to the internet, they are on a different network.

Commented:
I'm pretty sure this is a tall order. The task is to block the "server" feature of LMI from being run internally. You may need to use a software policy, but even that is going to be difficult because it's just a Java applet. The traffic between the host and remote systems for these types of services is all standard HTTP and HTTPS traffic, and the middle-man broker server is the same pool whether you're the remote or the host. The only difference is the Java applet running on each side.

We typically suggest a no-tolerance IT policy that basically states that users will be written up, terminated and/or tortured if they are found to be running the software.

It's possible to block LogMeIn for your internal network.

If you would like to prevent your employees from installing LogMeIn on their work computer, you should block secure.logmein.com on your firewall(s).

If you are on a Windows Domain, you may also install a Group Policy Object, which will allow you to limit access throughout your entire domain, without the need for firewall rules.  Please see the link below for more information regarding the Group Policy Object.

https://logmeinsupport.com/kblive/crm/selfservice/displaywh.jsp?DocId=2538

Let me know if it works for you.
Commented:
That's a great article, curua2008. Looks like the GPO can limit the ability for desktop sharing while allowing local domain users/computers to access the site to connect remotely to other computers.

First of all, you have to prevent the users from installing LogMeIn on their computers, to reduce the risk.

Then, if you have Websense, you can block LogMeIn locally; then they can't connect from outside to their computers.

And you can block port 2002 TCP, because it works on ports 80, 443 and 2002.
I would filter out anything coming from and going to logmein.com at the firewall. You should include the IP addresses as well.

ARIN lookup of Logmein
67.201.61.224 - 67.201.61.239


If you want to detect clients with LogMeIn installed, it's also pretty simple if you have an IDS set up to sniff traffic on your internet gateway.

For example, here are the Snort rules to detect LogMeIn. We have them deployed and they work pretty well.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/myrahost/list.aspx?"; nocase; content:!"|0d 0a|Host\: "; classtype:policy-violation; sid:2007765; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Update Activity"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/update.logmein.com/"; nocase; content:!"|0d 0a|Host\: "; classtype:policy-violation; sid:2007766; rev:2;)
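As an added illustration that is not part of the original thread, a small Python evaluator that applies the shape of the two ET rules above to constructed sample requests: the `GET ` prefix check (`depth:4`), the case-insensitive `uricontent` match, and the negated `content:!"|0d 0a|Host\: "` clause, which only lets a rule fire when the request carries no Host header. `SAMPLE_REQUESTS`, `RULES`, `rule_matches` and `scan` are hypothetical names; the sample requests are made up, not captured traffic.

```python
# Constructed sample HTTP requests (not real captured traffic). The first two
# mirror what the two ET rules look for; the third is unrelated; the fourth hits
# the URI pattern but carries a Host header, so the negated content suppresses it.
SAMPLE_REQUESTS = [
    b"GET /myrahost/list.aspx?lang=en HTTP/1.1\r\nUser-Agent: LMI\r\n\r\n",
    b"GET /update.logmein.com/latest.exe HTTP/1.1\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /myrahost/list.aspx?x=1 HTTP/1.1\r\nHost: secure.logmein.com\r\n\r\n",
]

# Minimal representation of the two rules quoted above: (msg, sid, uricontent).
RULES = [
    ("ET POLICY Logmein.com Host List Download", 2007765, b"/myrahost/list.aspx?"),
    ("ET POLICY Logmein.com Update Activity", 2007766, b"/update.logmein.com/"),
]

def rule_matches(request: bytes, uri_fragment: bytes) -> bool:
    """Evaluate the clauses both rules share against one request payload.

    content:"GET "; depth:4      -> the first four bytes must be "GET "
    uricontent:"..."; nocase     -> fragment appears (case-insensitively) in the URI
    content:!"|0d 0a|Host\\: "   -> payload must NOT contain a "\\r\\nHost: " header
    """
    if request[:4] != b"GET ":
        return False
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    uri = parts[1].lower()
    if uri_fragment.lower() not in uri:
        return False
    if b"\r\nHost: " in request:
        return False
    return True

def scan(requests):
    """Return (sid, msg) alerts for every rule hit, in request order."""
    alerts = []
    for req in requests:
        for msg, sid, frag in RULES:
            if rule_matches(req, frag):
                alerts.append((sid, msg))
    return alerts

if __name__ == "__main__":
    for sid, msg in scan(SAMPLE_REQUESTS):
        print(f"[{sid}] {msg}")
```

Running it alerts on the first two samples only; the fourth shows why a request with a normal Host header, such as a browser visiting the site, does not trigger these particular rules.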
It looks like the app communicates with app57.logmein.com (216.52.233.217) as well. I'm guessing that there are also more IPs in that range that you will need to filter. Another option is to set up a proxy (like Squid) to monitor and filter web traffic.