Is it possible to use an open-source tool such as Cisco IPS or Cisco ASA to block incoming Teamviewer connections to specific internal IP blocks, while allowing the outgoing ones? I cannot find a specific answer on other online sources.
You're running Linux, Windows, a server? – RoraΖ Aug 25 '14 at 12:43
@raz How is that relevant when he wants to block it at the network layer? – Xander Aug 25 '14 at 12:53
@Xander he's asking for an open source tool. I'm simply asking what platform he's working with. – RoraΖ Aug 25 '14 at 12:57
Most users using Teamviewer use Windows OS – confused1027 Aug 25 '14 at 13:15
5 Answers
I don't think you can do this with firewalls, at the networking layer. When you connect to someone with TeamViewer, you don't do it directly. TeamViewer users connect to each other by using a third-party server in the middle.
You can see kobaltz's answer to the question How exactly does a remote program like Team Viewer work?
When you run TeamViewer, you are assigned an ID on their broker server. You make a connection to a TeamViewer ID, and TeamViewer passes the connection down through the TeamViewer client's established tunnel to the destination; you are then prompted for a password, and the connection is established afterwards.
To achieve your goal, you should use TeamViewer's way. I think this article from TeamViewer is what you are looking for: How can I restrict access for TeamViewer connections to my computer?
You can also restrict access to your computer in different ways. Depending on how you want to restrict access and to what extent, choose one of the following options:
To completely prevent any access with ID and password, exit TeamViewer in the taskbar. Any incoming or outgoing connections are no longer possible.
To restrict access to ordained devices, use the Black- or Whitelist in the TeamViewer full version. Deny incoming connections for specific TeamViewer IDs or only allow connections for defined TeamViewer-IDs.
To restrict features for incoming connections, use the access control for incoming connections. Choose between Full access, Confirm all, viewing access or deny any incoming remote control connection.
To deny connections from outside your network, only allow incoming LAN connections.
There are a couple of ways that you can block / allow TeamViewer specifically through Cisco ASA and the Firepower (IPS/IDS) module. NBAR can be used on routers as well.
NBAR can also be used at a router level to block traffic for a specific application. Although I'm not 100% sure, you should be able to create some custom ACLs for incoming and outgoing TeamViewer traffic. This will address your issue of TeamViewer jumping to different ports, as NBAR inspects the traffic and looks for specific markers.
Jumping into Cisco Firepower, which is an IPS/IDS module for Cisco ASA firewalls, we can set it to block specific applications...
We can set an access control policy specifically for incoming traffic to block the TeamViewer application whilst allowing outgoing. Updates are received from Cisco daily on signature types for TeamViewer apps.
It can be found under Policies -> Access Control -> New Rule -> Application tab; select the remote control applications you want to block in here. This may require a more advanced license, so it may pay to check that you're capable of this.
The other way, which doesn't require any additional licensing, is through intrusion prevention. However, this doesn't resolve your issue of wanting to allow outgoing connections. It will block incoming and outgoing connections completely, but you do have the ability to monitor / alert or block on connections that are established. This may be an alternative to blocking it completely, as you are able to view where the connection is originating from and then potentially feed that into your log aggregator or SIEM and take action from there.
It's not possible (with a certain amount of time/resources) to block TeamViewer with a conventional firewall. It would be possible using a proxy and firewall in combination. The easiest solution if you are in a Windows environment:
Only allow LAN connections. Create a GPO that sets the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version[X]\Security_AcceptIncoming (REG_DWORD) = 0
or
HKEY_LOCAL_MACHINE\SOFTWARE\TeamViewer\Version[X]\Security_AcceptIncoming (REG_DWORD) = 0
I have tried your suggestion, but this does not block incoming connections. We are using TeamViewer as a client requirement to support external customers; that's why I cannot reject that request. I believe I can add another layer of security by blocking incoming connections. But I beg your pardon if trying this on my network does not block the incoming connection. Did I miss something? Please advise. Thanks! – confused1027 Aug 25 '14 at 14:52
@Dr.U The link you provided, which references http://blog.accuvant.com/bthomasaccuvant/teamviewer-authentication-protocol-part-1-of-3/, implies that TeamViewer is vulnerable due to a 4 digit numeric password. However the research is a year and a half old; TeamViewer's default is no longer 4 digit numeric pins. They now provide for two factor authentication. – RoraΖ Aug 25 '14 at 18:42
@confused1027 Have you tried it from outside your network? Another alternative would be to set up a proxy, forbid the TeamViewer connections and a few TCP ports... – Dr.Ü Aug 26 '14 at 08:35
Yes, I am testing it from outside my network (different WAN IPs). – confused1027 Aug 26 '14 at 16:38
You can do so with the ASA or any other firewall if you can use groups. What you would do is create a group for the hosts you want to allow to access / be accessed by TeamViewer. Put the machines with permission to connect to TeamViewer in it, then block all the others.
The issue becomes a firewall ACL. When you make connections to and from TeamViewer, you are being proxied through their servers. Here are the listed TeamViewer networks. What you want to do is create an ACL named "TeamViewer Networks" that allows those networks to your group and denies them to the others.
This will block the connectivity in both directions, won't it? The OP explicitly asked how to prevent incoming TeamViewer connections ***while still allowing outgoing ones***. – WhiteWinterWolf Dec 20 '15 at 10:15
The `A` record for `teamviewer.com` is 46.163.100.220, so the list of TeamViewer networks is clearly incomplete. – 200_success Jun 02 '16 at 19:46
No WhiteWinterWolf, you can put the ACL only in your desired direction, so you can allow outgoing ones and only deny the incoming. – Overmind Sep 28 '16 at 05:18
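The group-based ACL described in the answer above, written out as an added example on a Cisco ASA (this is not the answer author's configuration). The interface name, internal addresses and the TeamViewer broker networks are placeholders; take the real broker address list from the source the answer links to. Because every TeamViewer session, incoming or outgoing, is an outbound connection from the client to TeamViewer's broker servers (as the first answer explains), this ACL stops the denied hosts from using TeamViewer in either direction, which is the limitation raised in the comments.

```cisco
! Added example, not part of the original answer.
! Assumptions: inside interface is named "inside"; 10.10.20.0/24 and the
! host 10.10.30.15 are the hosts permitted to use TeamViewer; the broker
! networks below are PLACEHOLDERS, not TeamViewer's real address ranges.
!
! TeamViewer broker / relay networks (placeholder values)
object-group network TEAMVIEWER_NETS
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
!
! Internal hosts that are allowed to reach the broker networks
object-group network TEAMVIEWER_ALLOWED
 network-object 10.10.20.0 255.255.255.0
 network-object host 10.10.30.15
!
! ACL applied inbound on the inside interface (traffic leaving the LAN):
!  1. permit the allowed group to the broker networks
!  2. deny and log every other inside host talking to the broker networks
!  3. leave all other outbound traffic untouched
access-list INSIDE_IN extended permit ip object-group TEAMVIEWER_ALLOWED object-group TEAMVIEWER_NETS
access-list INSIDE_IN extended deny ip any object-group TEAMVIEWER_NETS log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! Verification: the hit counts on the deny line show which inside hosts
! are still trying to reach the broker networks.
show access-list INSIDE_IN
```

The deny line's hit counts and its syslog entries also give you the originating hosts, which is the same monitoring-and-alerting angle the Firepower answer suggests feeding into a SIEM.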
I think the easiest way to block incoming TeamViewer connections is just to edit your TeamViewer configuration. Go to TeamViewer menu > Extras > Options > Advanced > Show Advanced Options. In the Access Control section you can change from Full Access to Custom Settings, or change to Deny incoming remote control sessions, which blocks all incoming sessions to your PC.
Maybe Custom Settings is the best option, as you can allow, confirm or deny individual services by clicking Configure...
This doesn't answer the question. The OP asks about a central, network-wide solution and not one on each client. – schroeder Aug 22 '15 at 17:38