Dealing with MS Netmeeting & H.323

Ryan Russell ryanr@sybase.com
Mon, 8 Jun 1998 12:44:19 -0700


Don't get me wrong.. I'm actually a big SPF fan.

I was being more general with my definition of "secure."

Sure, you can make an SPF w/NAT handle it "securely" in
terms of only allowing the minimum ports by snooping
the data stream, etc..  Rumor has it that FW1 4.0 will
do just that.

What I was referring to was the capabilities of the
program itself... i.e. one of my users could go
into a netmeeting session, and give control of
a DOS box to someone on the outside.  No thanks.

From that point of view, FW-1 handles it perfectly
"securely" at present.  It doesn't work at all. :)

                    Ryan
Jan.Bervar@nil.si on 06/04/98 09:10:09 AM

Please respond to Jan.Bervar@nil.si

To:   firewall-wizards@nfr.net
cc:    (bcc: Ryan Russell/SYBASE)
Subject:  Re: Dealing with MS Netmeeting & H.323
On 06/03/98 08:18:41 PM "Ryan Russell" wrote:
> I'll agree with Fred on this one... It's practically impossible
> to really handle Netmeeting securely at this point, since the
> application's purpose in life creates huge holes, even when functioning correctly.

I don't consider it a huge risk for outgoing calls, when handled *PROPERLY*
by a stateful filter. And to make it scalable, you would appreciate the low
latency and high throughput that SPFs tend to have. Of course, YCMMV (C=customer's) ;)

> At best at present, the main SPF products such as FW1 and PIX
> just open the minimum number of ports for the minimum amount
> of time.  It's a big improvement over Microsoft's instructions
> (Just let all UDP in... yea, right) but the program itself is still
> pretty bad.

Yes, this is the way SPFs handle all the weird services. The obvious
problem we have here is that we rely on a timeout to close the dynamically opened
ports if you cannot determine the end of the session from a control channel
(for example, if you are streaming UDP inbound). So you do have a little
race condition there.

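To make the timeout race Jan describes concrete, here is a small toy model of a stateful filter's dynamic pinhole table (added illustration, not code from either poster or from any firewall product). It assumes a single H.323 call whose negotiated inbound RTP port is tracked as a pinhole that is closed either when the control channel ends or, failing that, by an idle timeout; the call id, addresses, port and timings are constructed.

```python
from dataclasses import dataclass

@dataclass
class Pinhole:
    """One dynamically opened UDP flow (external src -> internal dst:port)."""
    src: str
    dst: str
    dport: int
    last_seen: float
    opened_by: str  # id of the control channel that created it

class StatefulFilter:
    """Toy SPF: pinholes are created by control-channel inspection and
    removed on control-channel teardown or after idle_timeout seconds."""
    def __init__(self, idle_timeout: float):
        self.idle_timeout = idle_timeout
        self.pinholes: dict = {}

    def open_pinhole(self, call_id, src, dst, dport, now):
        self.pinholes[(src, dst, dport)] = Pinhole(src, dst, dport, now, call_id)

    def end_call(self, call_id):
        # Control channel torn down: close every pinhole it created.
        for key in [k for k, p in self.pinholes.items() if p.opened_by == call_id]:
            del self.pinholes[key]

    def permit(self, src, dst, dport, now):
        """Return True if an inbound packet is allowed; refreshes the idle timer."""
        key = (src, dst, dport)
        p = self.pinholes.get(key)
        if p is None:
            return False
        if now - p.last_seen > self.idle_timeout:
            del self.pinholes[key]  # expired; close lazily
            return False
        p.last_seen = now
        return True

def probe(control_end_seen, times, idle_timeout=30.0):
    """Constructed scenario: call-1 negotiates inbound RTP to 10.0.0.5:49170,
    real media stops at t=10, then the caller hangs up. Returns which later
    inbound packets the filter still lets through."""
    fw = StatefulFilter(idle_timeout)
    fw.open_pinhole("call-1", "192.0.2.9", "10.0.0.5", 49170, now=0.0)
    fw.permit("192.0.2.9", "10.0.0.5", 49170, now=10.0)  # last genuine media
    if control_end_seen:
        fw.end_call("call-1")  # teardown observed on the control channel
    return [(t, fw.permit("192.0.2.9", "10.0.0.5", 49170, now=t)) for t in times]
```

Without the control-channel teardown the pinhole stays open for the idle timeout after the last packet, and any inbound packet within that window extends it again; with the teardown seen, it closes immediately.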