Trustwave Becomes First Pure-Play MDR Provider to Attain FedRAMP Authorization. Learn More

Request a Demo
Trustwave Becomes First Pure-Play MDR Provider to Attain FedRAMP Authorization. Learn More

Request a Demo
Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Microsoft Security
Unlock the full power of Microsoft Security
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
Loading...
Loading...

Trustwave Knowledge Base

Home » Knowledgebase » Legacy Products » Secure Web Gateway » HOWTO: How to block Remote Access clients

HOWTO: How to block Remote Access clients

Expand / Collapse
Show/Hide Article Tools


This article applies to:

  • SWG 9.x
  • SWG 10.0

Question:

  • I want to block remote access clients, like TeamviewerQS (Quick Support), but the URL Category "Remote Access" is not available with all URL Cat filters. Remote support web sites should not be blocked in general.
  • It is not practical to block these requests based on destination URLs or IP addresses.
  • These clients often use tunneled connections (such as TCP 443) which cannot be blocked in general.
  • HTTP methods (e.g. CONNECT) are not available as conditions in SWG versions below 10.1.

Procedure:

Remote access clients often don't use a browser, but do use HTTP as a protocol. To block or control these connections, it is necessary to identify a specific criterion based on the content of the connection.

Example: TeamviewerQS

Step 1: Trace a successful connection

Identify a unique feature of the connection. In this case you can use the User Agent string: "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; DynGate)".

Step 2: Create a Condition and a rule to block

  • In the SWG interface, navigate to Policies > Condition Settings > Header Fields, and add a new component, e.g. "Blocked User Agents":

  • Create a Blocking Rule using this condition:

 

Step 3: Test the connection request

The requests should now fail, and the reason can be seen by tracing the network stream:

 

 

Notes:

This procedure can be used to block many proprietary clients in a flexible and granular way. It is not limited to Remote Access clients.

To contact Trustwave about this article or to request support:

Rate this Article:
     

Add Your Comments


Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster.


Execution: 0.031. 8 queries. Compression Disabled.
Powered by InstantKB.NET