>
> NetMeeting can be click-n-point configured to autoanswer an incoming
> "call", whether you're there or not, so this bypasses human
> intervention. I once configged a system at work to do this so I could
> go home, "call" it up, and watch who was wandering through my office.
> No human intervention required.
Yes, NetMeeting can be configured to auto-answer and to immediately send
video. It also sends audio at the start of a conference too. This not only
is a security problem but a bandwidth issue for us as well. Users with sound
cards sometimes wonder why their application sharing is slow (it's because
they are sending sound as well, they just didn't know it).
However, we were talking about data conferencing and I know of no way to
auto-answer and then auto-share or auto-collaborate. If there is a way then
many people on the NetMeeting list would like to know how. I would not
enable such a capability in our load, if it were possible.
> I would expect something more serious in the way of user auth.
I would like to see something better too. Stay tuned to NM3. BTW: do you
allow any applications that do not have this level of authentication?
> Someone calling me on the phone can't delete everything on my hard
> drive and send a forged tax form to the IRS. NetMeeting can.
>
> You can't believe the information there since there's no strong auth.
>
> Larry> NetMeetings involving audio are inherently
> Larry> self-authenticating. It's just not done programmatically.
>
> Huh?
What I was trying to say is that you must understand the context in which
NetMeeting is used. A telephone conversation is involved during the
NetMeeting conference (at least it is in a business environment). Given
that, authentication can be done verbally to ensure who is in your
conference.
To say there is no authentication is not taking into account the context in
which it is used.
(Reminder to other readers: we are referring to the risk of remote control of
applications. Someone could still covertly monitor your conference. We
handle this risk based on the sensitivity of the information. Confidential
data can only go over private network paths).
> Larry> Well, unfortunately, no T.120 proxies exist on the market
> Larry> today.
> Undoubtedly because these many-fine-lunches protocols are absurdly
> complex and therefore very difficult to implement
I suspect the problem is not with the difficulty in implementing the proxy
(PictureTel and DataBeam were actively marketing this to firewall vendors).
I think there is no market for it (at least, I'm yet to be convinced of it).
Maybe this will change.
Have you approached your firewall vendor and asked them why they haven't
implemented this? If not, why not? This might allow you to service your
customers asking for this.
> Firewalls and proxy servers which simply move packets from here to
> there with no inspection of the stuff going on aren't going to improve
> the situation -- they won't filter hostile traffic.
They can, however, restrict who can initiate and accept T.120 calls. We do
not allow incoming calls and only allow outgoing calls to a limited number
of addresses and ports.
> Since the conference server doesn't do any serious auth, and doesn't
> block hostile traffic (it can't tell what's friendly or hostile) bad
> guys can simply connect to it and affect your interior workstations.
> This just exploits the trust you've given to the conf server.
"Simply" is an exaggeration. There is some authentication in the form of a
password and connecting to a conference will not go unnoticed by the
participants. Also, a bad guy cannot connect to anyone inside the firewall
simply because a conference server exists.
>
> It's a good approach but the app itself doesn't protect the client
> workstation.
Yes, NetMeeting does not protect the PC by itself. Can any application make
this claim? The best that can be done in all situations is apply reasonable
controls (fw rules to limit connections, only allow needed protocols, user
education, etc.) and assess the remaining vulnerabilities against the
business need.
Larry
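
An added example, not part of the original message: a small evaluator for the perimeter policy described above (no incoming calls, outgoing calls only to a limited set of addresses and ports). The internal range, the partner addresses and the use of TCP 1503 as the T.120 port are assumptions made for illustration.

```python
import ipaddress

# Constructed values, not from the message: the internal range, the approved
# partner addresses (documentation ranges) and TCP 1503 as the T.120 port.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
T120_PORT = 1503
OUTBOUND_ALLOWLIST = {
    (ipaddress.ip_address("192.0.2.10"), T120_PORT),
    (ipaddress.ip_address("198.51.100.25"), T120_PORT),
}

def evaluate(src, dst, dport):
    """Return (action, reason) for one TCP connection attempt at the perimeter."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_inside, dst_inside = src_ip in INTERNAL_NET, dst_ip in INTERNAL_NET
    if dst_inside:
        if src_inside:
            return ("allow", "internal traffic, outside the perimeter policy")
        return ("deny", "incoming calls are not allowed")
    if not src_inside:
        return ("deny", "neither endpoint is internal")
    if (dst_ip, dport) in OUTBOUND_ALLOWLIST:
        return ("allow", "outgoing call to an approved address and port")
    return ("deny", "outgoing destination or port is not approved")

# Constructed connection attempts: (source, destination, destination port).
SAMPLE_ATTEMPTS = [
    ("10.1.2.3", "192.0.2.10", 1503),     # approved partner, T.120 port
    ("203.0.113.7", "10.1.2.3", 1503),    # incoming call from outside
    ("10.1.2.3", "203.0.113.7", 1503),    # outgoing, unapproved address
    ("10.1.2.3", "192.0.2.10", 1720),     # approved address, unapproved port
]

def denied(attempts):
    """List the attempts the policy rejects, with the reason for each."""
    results = []
    for src, dst, dport in attempts:
        action, reason = evaluate(src, dst, dport)
        if action == "deny":
            results.append((src, dst, dport, reason))
    return results

if __name__ == "__main__":
    for entry in denied(SAMPLE_ATTEMPTS):
        print(entry)
```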