On 10 May 2001, Michael T. Babcock wrote:
> >
> > Before you even get to "How would I pass it?", you need to stop and look
> > at "Should I pass it?" Dig though the protocols and make your own
> > evaluation, but you'll need a really lax security policy and no focus on
> > client-side protections to open a sucking chest wound like Netmeeting
> > unless the protocols have changed significantly in the last two years.
>
> Netmeeting uses the standard H323 communications protocol (among
> others). It is not an 'open chest wound' and there are gateway packages
> available (at least for Linux/BSD/Windows) that you can set up on an
> externally accessible machine that act as proxies for the connections by
> your users.
1. "Among others" is one of the telling phrases. Not that any streaming
protocol is particularly security friendly, including 323.
2. Streaming media protocols aren't "proxied", they're passed. If there's
going to be a significant tunneling vector outside of HTTP and DNS, H.323
will be the one. If we propagate applications that use them, it'll happen
sooner rather than later. If we pass them blindly through firewalls,
malcode will exploit that fact.
3. Making a gateway doesn't make a protocol magically "safe." Once again,
just because you _can_ pass a protocol doesn't mean you _should_.
4. Firewalls protect based on *blocking* traffic, not on passing it.
5. 2.1 wasn't known for being completely interoperable with other h.323
packages, what assertion do you have that it even completely follows the
specification (even if we were to assume that the specification was
something worth passing through a firewall?) 3.01 is supposed to be
better, but who knows? Interoperability is important because if you're
relying on either proxy enforcement or protocol specifications for any
measure of protection, then deviations change the evaluation.
6. 3.01 post-dates my last detailed look at Netmeeting, but the phrase
"Security functionality is new to NetMeeting 3.01. This feature employs
user authentication, password protection, and data encryption to ensure
your conference's security." Coming from a company that doesn't have a
good track record at either authentication or encryption would sure make
me think about doing a significant evaluation prior to relying on either
feature.
7. From a NM3 FAQ:[1]
Can I encrypt a video or audio call?
No. When you use encryption you are forced into a "data only" mode.
Audio and video are disabled.
Whoops! So much for completeness of implementation for security, so
much for confidentiality of information passed over the 'Net...
8. Also from the FAQ:
Does NetMeeting 3 work better than NetMeeting 2.1 with firewalls and/or
NATs?
We've heard that NetMeeting 3.01, build 3388, works slightly better with
firewalls, proxy servers, and/or NATs. The NetMeeting 3 Resource Kit has
quite a bit of information for users on corporate networks. NetMeeting
still requires some ports to be opened and won't work with all
configurations.
Doesn't sound all that standard to me, and the phrase "still requires some
ports to be opened" should be a red flag.
You don't cover a sucking chest wound with a gauze bandage.
Paul
[1] http://www.netmeet.net/nm3_faq.asp
-----------------------------------------------------------------------------
Paul D. Robertson
[EMAIL PROTECTED]
"My statements in this message are personal opinions which may have no
basis whatsoever in fact."
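The thread's point that a dedicated gateway host should handle H.323 rather than the firewall passing it blindly can be turned into a log check. This is an added example, not code from the original posts; it assumes TCP/1720 as the H.323 call-setup port (the H.225 default) and a constructed log format, gateway address and sample lines.

```python
"""Flag ACCEPTed H.323 call-setup flows that bypass the site's H.323 gateway.
Added example, not from the original thread. Assumes H.323 setup is TCP/1720
(H.225 default) and that only one approved gateway host may take part in it.
Log format and all addresses are constructed."""
from ipaddress import ip_address
from typing import List, NamedTuple, Optional

H323_SETUP_PORT = 1720                   # H.225/Q.931 call setup (assumed)
GATEWAY_HOST = ip_address("192.0.2.10")  # constructed: the approved gateway

class Flow(NamedTuple):
    action: str
    proto: str
    src: str
    dst: str
    dport: int

def parse_line(line: str) -> Optional[Flow]:
    """Parse a constructed 'ACTION proto=.. src=.. dst=.. dport=..' line."""
    parts = line.split()
    try:
        kv = dict(p.split("=", 1) for p in parts[1:])
        return Flow(parts[0], kv["proto"].upper(), kv["src"], kv["dst"],
                    int(kv["dport"]))
    except (IndexError, KeyError, ValueError):
        return None  # malformed line: skip rather than misclassify

def blind_h323_passes(lines: List[str]) -> List[Flow]:
    """ACCEPTed H.323 setup flows where neither endpoint is the gateway: the
    'blindly passed' calls the thread warns about, with nothing inspecting them."""
    flagged = []
    for flow in filter(None, map(parse_line, lines)):
        if (flow.action, flow.proto, flow.dport) != ("ACCEPT", "TCP", H323_SETUP_PORT):
            continue
        if GATEWAY_HOST not in {ip_address(flow.src), ip_address(flow.dst)}:
            flagged.append(flow)
    return flagged

SAMPLE_LOG = [  # constructed sample lines
    "ACCEPT proto=TCP src=10.1.2.3 dst=203.0.113.5 dport=1720",    # direct out
    "ACCEPT proto=TCP src=10.1.2.3 dst=192.0.2.10 dport=1720",     # via gateway
    "ACCEPT proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=1720", # to gateway
    "ACCEPT proto=TCP src=198.51.100.7 dst=10.1.2.3 dport=1720",   # direct in
    "ACCEPT proto=TCP src=10.1.2.3 dst=203.0.113.5 dport=443",     # not H.323
    "DROP proto=TCP src=198.51.100.9 dst=10.1.2.3 dport=1720",     # blocked
]

if __name__ == "__main__":
    for f in blind_h323_passes(SAMPLE_LOG):
        print(f"blind H.323 pass: {f.src} -> {f.dst}")
```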