LogMeIn is a graphical desktop sharing system. After installing LogMeIn on a Windows machine (the host), users can control the desktop of that machine from virtually anywhere via:
- Any web browser (ActiveX add-on, Java plugin client, Firefox plugin)
- Windows or iPhone or BlackBerry Storm application (LogMeIn Ignition)
| LogMeIn Free | Remote Desktop Services (formerly known as Terminal Services), Virtual Network Computing (VNC) |
| Free | Is not detected by firewalls, Intrusion Detection Systems or network security scanners. Allows connecting from anywhere on the internet to machines without routable IP addresses. |
How can I detect and/or filter LogMeIn Network Traffic?
The machine where LogMeIn is installed initiates and maintains a constant HTTPS connection to the LogMeIn, Inc. servers; firewalls treat this as an ordinary outgoing connection, as if a user were browsing to an HTTPS site.
Below is a Wireshark capture of the network traffic to and from the LogMeIn application installed on the host computer.
<localhost> 35641 <DNSServer> 53 DNS Standard query A secure.logmein.com
<DNSServer> 53 <localhost> 35641 DNS Standard query response CNAME secure.logmein.com.akadns.net A 220.127.116.11
<localhost> 2474 18.104.22.168 80 TCP 2474 > http [SYN]
22.214.171.124 80 <localhost> 2474 TCP http > 2474 [SYN, ACK]
<localhost> 2474 126.96.36.199 80 TCP 2474 > http [ACK]
<localhost> 2474 188.8.131.52 80 TCP [TCP segment of a reassembled PDU]
<localhost> 53211 <DNSServer> 53 DNS Standard query A control.app105.logmein.com
<DNSServer> 53 <localhost> 53211 DNS Standard query response CNAME app105.logmein.com A 184.108.40.206
<localhost> 2475 220.127.116.11 443 TCP 2475 > https [SYN]
18.104.22.168 443 <localhost> 2475 TCP https > 2475 [SYN, ACK]
The above capture shows all of the types of traffic generated by the LogMeIn application. The application connects via HTTP to secure.logmein.com and receives a web page that contains the host name of a LogMeIn gateway. Then, the application connects via HTTPS to the received host name.
In order to detect LogMeIn applications in your network, monitor network traffic (including DNS queries) to the *.logmein.com domain.
In order to block LogMeIn applications, make DNS resolution fail for the *.logmein.com domain, or block network traffic to and from the *.logmein.com domain.
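As an added example (not part of the original article), the following Python script applies the detection rule above to capture lines in the same column layout as the one shown: it flags DNS queries for *.logmein.com and, by remembering which addresses those queries resolve to, also flags the subsequent TCP connections to the gateway, which would otherwise look like ordinary HTTP/HTTPS traffic. The sample lines are constructed, with RFC 5737 documentation addresses in place of the real ones.

```python
import re
# Constructed sample in the column layout of the capture above; RFC 5737
# documentation addresses stand in for the real LogMeIn addresses.
SAMPLE_CAPTURE = """\
<localhost> 35641 <DNSServer> 53 DNS Standard query A secure.logmein.com
<DNSServer> 53 <localhost> 35641 DNS Standard query response CNAME secure.logmein.com.akadns.net A 192.0.2.10
<localhost> 2474 192.0.2.10 80 TCP 2474 > http [SYN]
<localhost> 53211 <DNSServer> 53 DNS Standard query A control.app105.logmein.com
<DNSServer> 53 <localhost> 53211 DNS Standard query response CNAME app105.logmein.com A 192.0.2.20
<localhost> 2475 192.0.2.20 443 TCP 2475 > https [SYN]
<localhost> 41000 <DNSServer> 53 DNS Standard query A www.example.com
<DNSServer> 53 <localhost> 41000 DNS Standard query response A 198.51.100.7
<localhost> 2476 198.51.100.7 443 TCP 2476 > https [SYN]
"""

WATCHED_DOMAIN = "logmein.com"  # the *.logmein.com rule from the text
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\d+) (DNS|TCP) (.*)$")
QUERY_RE = re.compile(r"Standard query A (\S+)")
ANSWER_RE = re.compile(r"Standard query response (?:CNAME \S+ )?A (\S+)")

def is_watched(name):
    # True for logmein.com itself and any subdomain of it
    name = name.rstrip(".").lower()
    return name == WATCHED_DOMAIN or name.endswith("." + WATCHED_DOMAIN)

def find_logmein_traffic(capture):
    """Return (alerts, ip_to_name): alerts in capture order, gateway IPs learned."""
    pending = {}     # (client, client_port) -> queried name awaiting an answer
    ip_to_name = {}  # resolved address -> watched name that produced it
    alerts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, proto, info = m.groups()
        if proto == "DNS":
            q = QUERY_RE.search(info)
            if q:
                pending[(src, sport)] = q.group(1)
                if is_watched(q.group(1)):
                    alerts.append(f"{src} queried {q.group(1)}")
                continue
            a = ANSWER_RE.search(info)
            if a:  # the answer goes back to the querying client/port
                name = pending.pop((dst, dport), None)
                if name and is_watched(name):
                    ip_to_name[a.group(1)] = name
        elif proto == "TCP" and "[SYN]" in info and dst in ip_to_name:
            alerts.append(f"{src} -> {dst}:{dport} ({ip_to_name[dst]})")
    return alerts, ip_to_name
```

Feeding it the output of a real capture (for example `tshark` printed in the same fields) flags both the initial lookup and the later gateway connection, while the unrelated www.example.com session in the sample produces nothing.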
How can I detect LogMeIn using GFI LANguard 9?
From the GFI LANguard Scanning Profiles Editor select the current profile and add the application named “LogMeIn” as shown in the screen shot below.
After changing the scanning profile, perform a security scan using that profile. A high-severity security vulnerability warning will be generated when LogMeIn is found.