LogMeIn is a graphical desktop sharing system. After installing LogMeIn on a Windows machine (the host), users can control the desktop of that machine from virtually anywhere via:

  • Any web browser (ActiveX add-on, Java plugin client, Firefox plugin)
  • Windows, iPhone or BlackBerry Storm application (LogMeIn Ignition)

Product Name: LogMeIn Free
Similar Products: Remote Desktop Services (formerly known as Terminal Services), Virtual Network Computing (VNC)
Price: Free
Advantages:
  • Is not detected by firewalls, Intrusion Detection Systems, network security scanners.
  • Allows connecting from anywhere on the internet to machines without routable IP addresses.

How can I detect and/or filter LogMeIn Network Traffic?

The machine where LogMeIn is installed initiates and maintains a constant HTTPS connection to the LogMeIn, Inc. servers. Firewalls treat this as an outgoing connection, as if a user were navigating to an HTTPS site.

Below is a Wireshark capture of the network traffic to and from the LogMeIn application installed on the host computer.

<localhost>   35641  <DNSServer>   53     DNS    Standard query A secure.logmein.com

<DNSServer>   53     <localhost>   35641  DNS    Standard query response CNAME secure.logmein.com.akadns.net A 77.242.192.193

<localhost>   2474   77.242.192.193       80     TCP    2474 > http [SYN]

77.242.192.193       80     <localhost>   2474   TCP    http > 2474 [SYN, ACK]

<localhost>   2474   77.242.192.193       80     TCP    2474 > http [ACK]

<localhost>   2474   77.242.192.193       80     TCP    [TCP segment of a reassembled PDU]

<localhost>   53211  <DNSServer>   53     DNS    Standard query A control.app105.logmein.com

<DNSServer>   53     <localhost>   53211  DNS    Standard query response CNAME app105.logmein.com A 77.242.193.145

<localhost>   2475   77.242.193.145       443    TCP    2475 > https [SYN]

77.242.193.145       443    <localhost>   2475   TCP    https > 2475 [SYN, ACK]

The above capture shows all of the types of traffic generated by the LogMeIn application. The application connects via HTTP to secure.logmein.com and receives a web page that contains the host name of a LogMeIn gateway. Then, the application connects via HTTPS to the received host name.

In order to detect LogMeIn applications in your network, monitor network traffic to the *.logmein.com domain.

In order to block LogMeIn applications, prevent DNS lookups for the *.logmein.com domain from resolving correctly, or block network traffic to and from the *.logmein.com domain.
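
The monitoring advice above, as an added example that is not part of the original article: Python that reads Wireshark-style summary lines, flags DNS lookups under logmein.com on label boundaries, and ties later TCP connections to the addresses those lookups resolved to. The function names and the last two sample lines are constructed for illustration; the other lines are a subset of the capture above.

```python
import re

# Summary lines from the capture above; the last two are constructed negatives.
CAPTURE = """\
<localhost> 35641 <DNSServer> 53 DNS Standard query A secure.logmein.com
<DNSServer> 53 <localhost> 35641 DNS Standard query response CNAME secure.logmein.com.akadns.net A 77.242.192.193
<localhost> 2474 77.242.192.193 80 TCP 2474 > http [SYN]
77.242.192.193 80 <localhost> 2474 TCP http > 2474 [SYN, ACK]
<localhost> 53211 <DNSServer> 53 DNS Standard query A control.app105.logmein.com
<DNSServer> 53 <localhost> 53211 DNS Standard query response CNAME app105.logmein.com A 77.242.193.145
<localhost> 2475 77.242.193.145 443 TCP 2475 > https [SYN]
<localhost> 40000 <DNSServer> 53 DNS Standard query A notlogmein.com
<localhost> 40001 <DNSServer> 53 DNS Standard query A logmein.com.example.net
"""

WATCHED = "logmein.com"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_watched(name, suffix=WATCHED):
    """True for the domain itself or any subdomain, matched on label boundaries."""
    name = name.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)

def detect(lines):
    """Return (DNS lookups for the watched domain, connections to resolved IPs)."""
    pending = {}     # (client, source port) -> watched name being queried
    ip_to_name = {}  # resolved address -> watched name that produced it
    lookups, connections = [], []
    for line in lines:
        f = line.split()
        if len(f) < 6:
            continue
        src, sport, dst, dport, proto, info = f[0], f[1], f[2], f[3], f[4], " ".join(f[5:])
        if proto == "DNS" and info.startswith("Standard query response"):
            name = pending.pop((dst, dport), None)  # reply returns to the querying port
            if name:
                for ip in IPV4.findall(info):
                    ip_to_name[ip] = name
        elif proto == "DNS" and info.startswith("Standard query"):
            qname = f[-1]
            if is_watched(qname):
                pending[(src, sport)] = qname
                lookups.append((src, qname))
        elif proto == "TCP" and info.endswith("[SYN]") and dst in ip_to_name:
            connections.append((src, dst, int(dport), ip_to_name[dst]))
    return lookups, connections

if __name__ == "__main__":
    print(detect(CAPTURE.splitlines()))
```

Matching on label boundaries keeps look-alike names such as the two constructed negatives out of the results, and keying the address map on the original query name still attributes the connection when the answer arrives through a CNAME on another domain.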

How can I detect LogMeIn using GFI LANguard 9?

From the GFI LANguard Scanning Profiles Editor, select the current profile and add the application named “LogMeIn” as shown in the screenshot below.

After changing the scanning profile, perform a security scan using that profile. A high security vulnerability warning will be generated.