Dealing with MS Netmeeting & H.323

David Bonn David.Bonn@watchguard.com
Wed, 3 Jun 1998 09:24:53 -0700


>>>>> "Fred" == Frederick M Avolio <fred@avolio.com> writes:

Fred> Many companies claim to "handle" and some even indicate "handle
Fred> securely."  I'd be interested in a short blurb from the vendors who
Fred> handle such things indicating how they handle it and why they think
Fred> the way they handle it is secure. (This is not intended to cast
Fred> aspersions on any above-mentioned vendor.)

Our newest (3.0) release has an H.323 proxy.  We were primarily
motivated by a lot of customer requests and some of our customers were 
using WG for intranet firewalling and netmeeting in their offices.
The self-invented workarounds to get H.323 to work were ugly enough
that we felt that adding the proxy would make a big difference.

Without network address translation, we can support both incoming and
outgoing H.323 calls.  With network address translation, we don't
support incoming H.323 calls.  H.323 seems to have a lot of
assumptions about one and only one client per host, and to support
incoming H.323 calls in a NAT situation one would have to have
"redirector" support.  We don't.

AFAIK the only application anyone has actually used our H.323 proxy
with is Netmeeting and Intel's Internet Phone, which is okay from my
standpoint (try naming another application that uses H.323).  I'd
actually feel better saying that we have a "netmeeting proxy".  Since
Netmeeting appears to only use a subset of H.323, you'd have a more
properly paranoid proxy if you sliced things that way.

As for using "secure" and "H.323" in the same sentence, I'd feel
somewhat like a jerk for doing so.  Here's why:

 o H.323 is a bulky, complex, and open-ended protocol.

 o To make matters worse, H.323 uses ASN.1 encoding.

 o Netmeeting appears to use only a subset of H.323.  That makes
   me wonder how much of the protocol design has actually been
   exercised.

 o The history with other network protocols has been that it takes a
   number of years and a fair amount of trauma (SMTP?  Java seems to
   be in progress) to work out all of the security implications.
   H.323 hasn't had that time and (again, AFAIK) no studies about
   its security implications have been widely distributed.

I didn't write our H.323 proxy, and this is based on a discussion with 
the guy down the alley who did.

David Bonn
CTO && VP Engineering
WatchGuard Technologies, Inc.