On Tue, 16 Mar 1999 19:13:19 -0500, "Larry Cannell" <[EMAIL PROTECTED]> said:
Larry> Options for getting T.120 running through a firewall. I should
Larry> first point out that my interest in NetMeeting is strictly with
Larry> data conferencing. This includes application
Larry> sharing/collaboration, shared whiteboarding, and file
Larry> transfer. I have very little interest in the video and audio
Larry> capabilities in NetMeeting (at this time). So my work to date
Larry> with firewalls has been in support of T.120.
Excellent -- you're only interested in the ones that can jeopardize
your corporate enterprise. You've got your work cut out for you!
Larry> So, how do you get by that firewall? One way is to configure
Larry> the firewall to allow the T.120 port through (I forget the port
Larry> number at the moment). The biggest problem here is with your
Larry> firewall or security admin. They might not let you connect to
Larry> just any system. But if they do then you are almost done.
There's more than one T.120 port. The caller and callee meet on a
rendezvous port then negotiate to connect on another port. Then they
meet there and negotiate another *set* of ports to meet on to actually
do the work. You have to open holes (or get a proxy which does) to all
of these. That's what makes the proxy hard.
Larry> Next problem is with DNS. Many firewall admins don't allow DNS
Larry> queries to go out so you are stuck with numeric IP
Larry> addresses.
Ah, so you're not interested in protecting the enterprise at all.
You're interested in "getting by" those pesky paranoid fascist
security nazis! Even if it puts your corporate jewels at risk.
Hey, Chrysler, check out what Ford's doing! :-)
Speaking of Chrysler, one of the more clueful guys I've met on
big-industry security concerns, working with partners, etc, is Bob
Moskowitz at Chrysler. You might wanna check out his writings -- he's
able to take very complex issues and explain them in a couple pages or
so.
Larry> Another option is to use a winsock proxy (I've labeled this a
Larry> transparent proxy since the application doesn't know it is
Larry> being proxied but that label may be mis-applied). I've tried
Larry> both MS-Proxy's winsock proxy and the Aventail AutoSocks. These
Larry> products proxy the actual winsock calls, tunneling the T.120
Larry> protocol until it hits a proxy server in the DMZ which unwraps
Larry> it and sends the stream on outside your network. It pretty much
Larry> feels like you are connected to the Internet (even DNS lookups
Larry> are handled).
And allows the traffic back unchecked, even if it's hostile. That's
the problem with tunnels: they just pass the data through, like
a... uh... a tunnel.
Larry> Your only solution at this point is a conference
Larry> server. Think of a conference server as a headless NetMeeting
Larry> client.
Yup, outside both parties' firewalls.
Larry> The nice thing about a conference server is that it makes
Larry> firewall admins happy. You now only poke one small hole through
Larry> the firewall to a known conference server where everyone
Larry> meets. It also deals very well with the problem of multiple
Larry> participants sitting behind firewalls.
The not nice thing about a conference server is that it lets traffic
in regardless of content. So if a hostile connected to your conference
server, it just passes it back through your firewall into your LAN and
you're toast. Thanks, but no thanks.
Larry> So where does one find a conference server? Well, if you are so
Larry> inclined you can deploy one yourself. Check
Larry> http://www.databeam.com or http://www.wpine.com to name just
Larry> two. Commercial data conferencing services are now starting to
Larry> appear on the market. Check with your isp.
Been there, done that. Not inclined to increase the ease with which bad
guys can plow through my firewall.
Larry> The approach we plan on taking is to allow T.120 connections
Larry> through the firewall to a limited number of conference servers.
Then you'll have to limit who can connect to all the conference
servers. Have you looked at the authentication mechanisms? They're
pathetic. Of course so is NetMeeting's so DataBeam's taking their cue
from MicroSoft on this one. You don't have any guarantee that the
person connecting to the conference server is who he/she claims to be.
Victim.