Allow TeamViewer for single remote IP

Solved
TimBisel
Getting noticed

Is there a way to allow TeamViewer access to only a specified IP through the MX? Due to our situation my ability to manage this software and the systems this is on is extremely limited. Was hoping for a way to try and secure it through the network.

1 Accepted Solution
kordm
Getting noticed

For situations like this, where a vendor needs remote access to their equipment, we would typically require that they have their own internet connection and firewall. If that isn't possible or feasible, we would isolate all of their equipment in a separate zone from ours and create firewall rules to allow communication between zones as needed. Other times we would piggy-back onto a client network but we always had an isolated L2 VLAN.

YMMV but I think as it stands, you're kind of stuck without rearranging the network.

kordm
Getting noticed

You're trying to restrict TeamViewer to access only a single device on the LAN? Or from LAN to WAN?

TeamViewer connects on port 5938, but also tunnels via ports 80 & 443. IIRC it is tricky to block TeamViewer without blocking internet access to those clients, I'm curious how others do it.

What is the problem you're trying to solve?

TimBisel
Getting noticed

Trying to block WAN to LAN TeamViewer access from all but one remote IP.

I work in the energy industry. Coal cleaning plants, power plants, mines, etc. all have custom built sensor equipment and software that runs each location. I need to allow TeamViewer access so they can remote in and fix issues with software and diagnose hardware issues but need to limit access from only their IP.

BrechtSchamp
Kind of a big deal

TeamViewer uses hole-punching for its standard mechanism. Basically everything is outgoing connections. The connection can fall back to port 80 so it will be difficult to block all these connections without blocking other stuff.

There are two options:

  • You can configure black and whitelisting in the TeamViewer instance running on your sensor equipment. See this link: https://community.teamviewer.com/t5/Knowledge-Base/How-can-I-restrict-access-for-TeamViewer-connecti...
    But it's not IP-address based, it's TeamViewer ID based. That might be an option.
  • Another solution would be to only use TeamViewer's "LAN-based" option. To do that you could set up port forwarding like this:

    [Image: port_forwarding.PNG]

    And block the "normal" TeamViewer by denying connections to DST IP teamviewer.com with the L3 firewall. Note that this will also block access to the TeamViewer website.

But from a security standpoint I really don't stand behind any of this. You should think about a VPN solution to allow remote access to machinery.
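
An added example, not part of the thread: a check over exported MX port-forwarding rules for the LAN-based option described above, reporting any forward of TeamViewer's port 5938 that admits a source other than the one vendor address. The rule field names (`name`, `publicPort`, `allowedIps`) are assumed to match the Meraki Dashboard API's port-forwarding rule objects; the addresses and rule names are constructed sample data.

```python
import ipaddress

TEAMVIEWER_PORT = 5938  # direct-connection port named in the thread


def port_in_spec(port, spec):
    """True if port falls inside a spec such as '5938' or '5900-6000'."""
    lo, _, hi = str(spec).partition("-")
    return int(lo) <= port <= int(hi or lo)


def audit_forwards(rules, vendor_ip, port=TEAMVIEWER_PORT):
    """Return (rule name, problem) for forwards of `port` that admit any
    source other than the single vendor address."""
    vendor = ipaddress.ip_address(vendor_ip)
    findings = []
    for rule in rules:
        if not port_in_spec(port, rule["publicPort"]):
            continue
        # Assumption: a missing or empty source list means unrestricted.
        for src in rule.get("allowedIps") or ["any"]:
            if src == "any":
                findings.append((rule["name"], "open to any source"))
                continue
            try:
                net = ipaddress.ip_network(src, strict=False)
            except ValueError:
                findings.append((rule["name"], f"unparsed source {src!r}"))
                continue
            if net.num_addresses != 1 or vendor not in net:
                findings.append((rule["name"], f"admits {src}"))
    return findings


# Constructed sample data (documentation address ranges, hypothetical names).
VENDOR_IP = "203.0.113.10"
SAMPLE_RULES = [
    {"name": "tv-plc-1", "publicPort": "5938", "allowedIps": ["203.0.113.10"]},
    {"name": "tv-plc-2", "publicPort": "5938", "allowedIps": ["any"]},
    {"name": "tv-plc-3", "publicPort": "5900-6000",
     "allowedIps": ["203.0.113.10", "203.0.113.0/24"]},
    {"name": "web", "publicPort": "443", "allowedIps": ["any"]},
]

if __name__ == "__main__":
    for name, problem in audit_forwards(SAMPLE_RULES, VENDOR_IP):
        print(f"{name}: {problem}")
```
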

 

kordm
Getting noticed

Ah, okay.

I use TeamViewer in my org, but I control access via TeamViewer itself. All of my clients have TeamViewer Host which is assigned to a management group with easy access. I just make sure all of the management accounts have 2FA. For sensitive devices, I restrict access to specific hosts in TeamViewer settings.

Otherwise, I think a more elegant solution would be to set TeamViewer to allow only LAN connections, and use a site-to-site VPN. I'd imagine you have a LOT of remote sites however.

TimBisel
Getting noticed

Sorry, good ideas everyone but I didn't explain well enough. The TeamViewer instances are used only by the company who designed and made the hardware, we internally use Bomgar for remote support. This is where our issues start to come in because we need to secure the rest of the network from the window we opened to allow remote connection to the control computers to manage the custom equipment for the site.

BrechtSchamp
Kind of a big deal

I had understood the situation, the explanation was good enough :). My workarounds are still valid.

From a security standpoint the least you can do is segment that device thoroughly from the rest of the network. If your supplier is willing to take that risk, fine, if their machine gets hacked it's on them. But at least make sure the rest of your network is secure.
