Dealing with MS Netmeeting & H.323

Hal hal@mrj.com
Mon, 1 Jun 1998 13:54:08 -0700


     
    I'm wondering if anyone has had much luck securing Microsoft's Netmeeting product?    This topic has been
discussed here and on other lists. People usually just throw up their hands when dealing with it.  What's the best  advice 

In summary here's what  I found out about it..  

It's based on an H.323. architecture using T.120's  transport, the IETF Realtime Protocol/(RTP)/ Real Time Control  Protocols (RTCP) for its audio and video feeds and includes a few additional features.  Ports:  (TCP) 389 - Internet Locator (LDAP), 522- HTTP based User Locator (I think this is a MS proprietary protocol), 1503 -T.124 "media independent transport".  1720- H323 call setup , 1731 H323 audio call setup (not sure what this is for).  Here are the zingers: Dynamically assigned TCP and UDP ports in the "ephemeral" range (> 1024) carrying RTP & RTCP (allocated as  dynamically assigned even/odd pairs, one pair per direction and media type). RTCP is used for feedback about the real time channel (congestion, quality, etc..) The actual  port numbers for these associations are passed in an ASN.1 open local channel request on port 1720. 


Issues:  (1)  Router filters control a single port or port range. Dynamic port assignments require the range to be very large defeating the filter's purpose. 
(2) Network Address Translation.  H.323 logical channel open fetches the local client address and passes that  bound into an application (session) PDU to the destination causing internal address leakage. (The destination tries to send to the untranslated internal address of the source instead of the translated external address) 

An H.323 proxy could solve these problems.  Firewall-1 states they can handle H.323  and work with Netmeeting (Does anyone have any experience with this?).  Guantlet/NT has an H.323. proxy but  their administrator's guide, which lists several multimedia  applications, does not list NetMeeting.   Are there other firewalls that can handle netmeeting?    

One suggestion I received was to allow just the data portion of Netmeeting by blocking the dynamically assigned ports that carry the audio and video.   Difficult to satisfy a customer expecting interactive audio and video.  


Regards Hal. 
Hal@mrj.com