Posts Tagged ‘firewall’

Blocking TeamViewer Connection Using Cisco ASA Firewall

January 13, 2011

TeamViewer (TV) is an application used to create a remote-access connection to a PC anywhere, even if the PC is located behind a firewall.

Similar to Yahoo Messenger, TV provides every client with a PIN and password. Anyone who wants to access another TV client needs to know the PIN and password of the opposite PC, and every party that wants to make a connection must first be connected to the TV server (the server domains are *.teamviewer.com and/or *.dyngate.com), usually over TCP port 80.

A PC running TV potentially acts as a backdoor into the enterprise network. Yes, to make a remote connection we need to know the PIN and password, but an untrusted person can obtain them through social engineering.

Because the TV client uses port 80 for its outbound connection, it is difficult to block on a port basis. But since the TV client must first connect to the TV server, we can use another approach: block every DNS request for *.teamviewer.com and/or *.dyngate.com.

So, this is the configuration if we use a Cisco ASA firewall (I am using OS version 8.x):

! Patterns for the TV server domains (unanchored match, so any name containing them)
regex TV-RGX "\.teamviewer\.com"
regex DG-RGX "\.dyngate\.com"

! Group both patterns in one regex class
class-map type regex match-any TV-CLS
 match regex DG-RGX
 match regex TV-RGX

! DNS inspection policy: drop queries whose domain name matches the class
policy-map type inspect dns TV-PLC
 parameters
  message-length maximum 512
 match domain-name regex class TV-CLS
  drop

! Attach the DNS inspection policy to the default inspection class
policy-map global_policy
 class inspection_default
  inspect dns TV-PLC

service-policy global_policy global
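To see what the DNS inspection policy above actually matches, here is an added Python example (not the post's configuration and not Cisco code) that constructs a minimal DNS query, extracts the question name the way the inspector would, and applies the same two patterns with an unanchored search, which is how an ASA regex match behaves. The names build_dns_query, parse_qname and dns_inspect and the sample hostnames are my own constructions. It also mirrors the message-length maximum 512 check, and shows a property of these patterns worth knowing: a bare teamviewer.com query passes (no leading dot), while any unrelated name that embeds ".teamviewer.com" is dropped.

```python
import re
import struct

# Same patterns as the post's "regex" lines. ASA regex match is an unanchored
# search, mirrored here with re.search rather than re.fullmatch.
BLOCK_PATTERNS = [re.compile(r"\.teamviewer\.com"), re.compile(r"\.dyngate\.com")]


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A/IN query (constructed test input, not a capture)."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question name from a DNS message (no name compression in questions)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels = []
    pos = 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def dns_inspect(packet: bytes, max_len: int = 512) -> str:
    """Mimic the policy: drop oversize messages, then drop queries whose name matches."""
    if len(packet) > max_len:
        return "drop: message-length"
    name = parse_qname(packet)
    for pattern in BLOCK_PATTERNS:
        if pattern.search(name):
            return f"drop: domain-name matches {pattern.pattern}"
    return "pass"


if __name__ == "__main__":
    for host in ("client1.teamviewer.com", "router1.dyngate.com", "www.example.com",
                 "teamviewer.com", "cdn.teamviewer.com.example.net"):
        print(f"{host:35s} -> {dns_inspect(build_dns_query(host))}")
```

Running the block prints the verdict for each constructed name; the last two lines illustrate the unanchored behaviour, which is why the post's patterns start with an escaped dot.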

Controlling TCP-Half (Embryonic) Connection on Cisco PIX Firewall

June 6, 2008

One way to prevent or minimize the risk of a DoS/DDoS (Distributed Denial of Service) attack is to limit the number of TCP half-open connections from the outside network to the inside or DMZ network (network administrators usually place public servers such as web, FTP and mail servers in the DMZ network).

A TCP half-open connection is a TCP connection whose handshake has not yet completed. One DoS/DDoS method is to flood the target with TCP SYN packets. The objective of this attack is to fill up the target's TCP connection slots so that legitimate traffic cannot get through.

If your network uses a Cisco PIX firewall, you can minimize the risk of this attack by controlling the TCP half-open (embryonic) connections, adding an option to your static NAT configuration as in the example below:

static (dmz,outside) 123.1.2.3 192.168.100.12 netmask 255.255.255.255 tcp 0 1000

1000 is the limit on TCP half-open connections that can exist between the outside network and the server in the DMZ network (192.168.100.12 is the local and 123.1.2.3 is the global IP address).

At least two things can happen in this scenario:

  • If the half-closed timeout is reached and the ACK never arrives, the PIX firewall drops the TCP half-open connection. You can set the timeout with the command "timeout half-closed hh[:mm[:ss]]". The default is 10 minutes.

  • If the TCP SYN packet coming from the outside network carries a spoofed, active IP address, the real device that owns the spoofed address will send a TCP RST packet to the PIX firewall, so the half-open connection is dropped.
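The following Python model is an added example, not PIX code or the post's configuration, that shows the three behaviours just described working together: an embryonic-connection limit that drops new SYNs once the table is full, entries that expire after the 10-minute default the post cites, and an RST from the real owner of a spoofed source address clearing an entry. The class HalfOpenTable, its methods and the flood scenario with 1500 constructed SYNs from 203.0.113.x are my own constructions; real firewalls also track sequence numbers and per-flow state, which is left out here.

```python
class HalfOpenTable:
    """Tracks embryonic connections (SYN seen, handshake not completed) towards one
    translated server, in the spirit of the PIX "static ... tcp <max> <emb_limit>" option."""

    def __init__(self, emb_limit: int, timeout: float = 600.0):
        self.emb_limit = emb_limit          # e.g. 1000 in the post's static command
        self.timeout = timeout              # seconds; 600 = the 10-minute default the post cites
        self.pending = {}                   # (src_ip, src_port) -> time the SYN arrived
        self.stats = {"accepted": 0, "dropped": 0, "expired": 0,
                      "reset": 0, "completed": 0}

    def expire(self, now: float) -> int:
        """Remove entries whose timeout has elapsed without an ACK; return how many."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for key in stale:
            del self.pending[key]
        self.stats["expired"] += len(stale)
        return len(stale)

    def syn(self, src_ip: str, src_port: int, now: float) -> str:
        """A SYN from outside: accept it into the table or drop it if the limit is reached."""
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.pending:
            return "retransmit"             # same flow, no new slot consumed
        if len(self.pending) >= self.emb_limit:
            self.stats["dropped"] += 1
            return "drop"
        self.pending[key] = now
        self.stats["accepted"] += 1
        return "accept"

    def ack(self, src_ip: str, src_port: int) -> bool:
        """Final ACK of the handshake: the connection is no longer embryonic."""
        if self.pending.pop((src_ip, src_port), None) is None:
            return False
        self.stats["completed"] += 1
        return True

    def rst(self, src_ip: str, src_port: int) -> bool:
        """RST from the real owner of a spoofed source address clears the entry."""
        if self.pending.pop((src_ip, src_port), None) is None:
            return False
        self.stats["reset"] += 1
        return True


def run_flood_scenario():
    """Constructed scenario: 1500 SYNs with distinct source ports hit a limit of 1000."""
    table = HalfOpenTable(emb_limit=1000)
    results = [table.syn("203.0.113.7", 20000 + i, now=0.0) for i in range(1500)]
    table.ack("203.0.113.7", 20000)         # one legitimate client completes the handshake
    table.rst("203.0.113.7", 20001)         # one spoofed address's real owner answers with RST
    late = table.syn("203.0.113.8", 40000, now=600.0)  # ten minutes later: stale entries expire first
    return table.stats, results.count("drop"), late


if __name__ == "__main__":
    stats, dropped, late = run_flood_scenario()
    print(f"dropped during flood: {dropped}, later SYN: {late}, stats: {stats}")
```

In the scenario, the first 1000 SYNs fill the table, the remaining 500 are dropped, and the SYN that arrives after the timeout is accepted because the 998 stale entries are expired first; the two entries cleared by ACK and RST show why a completed handshake or a spoofed-source RST frees a slot immediately.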
Categories: Network Security