On Thu, 10 May 2001, Sadler, Connie J wrote:
> Some of us would really like to know what the risks are with Netmeeting. We
> get requests for it frequently - through the firewall, and would like a
> configuration that would allow that, but haven't found a secure way to do it
> yet...
In my opinion (which obviously isn't shared), you're better off doing
remote display to a sacrificial host on the DMZ and letting people
netmeeting from there outbound if you can get away with data and
whiteboard sharing only. Securing one host on the DMZ and allowing a
unidirectional outbound single pipe to do the remote display protocol from
the desktop gives a significantly higher level of assurance and limits the
potential security liabilities to one host. If that host is ghosted anew
from CD on a regular basis, kept up to date and adequately ACL'd-
especially after doing the normal "turn off all the services that
aren't absolutely necessary" stuff, the risk to your internal production
network and end-user machines will be the remote display protocol (Citrix,
PC Anywhere, VNC (With SSH or without), or whatever Terminal Server uses.)
If the users need video, that means a fairly long audio/video run (to the
DMZ), and probably puts you in conference-room only mode. I'm not sure if
any of the above remote access things pass audio. If you're just looking
for shared whiteboarding/data though, it's doable per-desktop.
I've always considered putting a sacrificial lamb in a conference room to
be the best functionality/security tradeoff. It stops some impromptu
meetings, but also stops impromptu screwing off- you'll have to make a
call as to which is more likely/damaging in your environment.
Finally, you may want to look at proprietary solutions that use single
port connections that are firewall friendly if it's between company
locations or a fixed set of collaborators who can be outfitted and
cooperative.
Netmeeting's default for LAN connections is 435kb/s, which could be a
factor if it gets popular for internal use instead of getting up or
calling an extension depending on how many users you have. It's supposed
to do some dynamic limiting, but if your company is big enough and the use
is regular and mandatory it might become an issue.
Also, you'll probably want to dig and see what happens if an external
client doesn't support audio with G.723.1 and G.711.1-- G.711 (which is
listed as a mandatory H.323 CODEC) uses something like 53kb/s as a
minimum- so someone with a weird client, strange configuration or axe to
grind might be able to cause an internal user to use a lot of bandwidth.
Desktop sharing is the piece that would make me the most nervous,
especially if you allow unbounded inbound connections. In NT/2k, the
sharing password is a domain name/login- so if you have admins who are
drinking the MS koolaid and silly enough to allow NT/2k sharing with
outside users (Yep, you guessed it, administrator privs. mean you get to
share) or if everyone logs in using an admin password the potential is
there for things to not be pretty at all.
The NM Resource Kit allows you to disable a lot of stuff, but that
probably requires a lot more software control and blocking of user
downloads than anyone can reasonably expect these days.
Hope this helps some,
Paul
-----------------------------------------------------------------------------
Paul D. Robertson
[EMAIL PROTECTED]
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
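The "sacrificial host on the DMZ" design described above, written out as an OpenBSD pf policy. This is an added example, not part of the original post or anything Paul published; interface names, addresses and the choice of SSH-tunnelled VNC as the remote display protocol are assumptions. It opens only the T.120 data/whiteboard port (TCP 1503) and H.323 call setup (TCP 1720) outbound from the DMZ host, leaves the dynamic UDP audio/video ports closed, and allows the internal desktops exactly one pipe into the DMZ.

```pf
# Added example: pf policy for a sacrificial NetMeeting host on the DMZ.
# Interface names and addresses below are assumptions for illustration.
ext_if = "em0"              # Internet-facing
int_if = "em1"              # internal production network
dmz_if = "em2"              # DMZ
nm_host = "192.0.2.10"      # sacrificial NetMeeting host (example address)
lan_net = "10.0.0.0/8"      # internal desktops

t120_port  = "1503"         # NetMeeting data/whiteboard sharing (T.120)
h323_setup = "1720"         # H.323 call setup; RTP audio/video ports stay closed
rd_port    = "22"           # remote display from the desktop: VNC over SSH (assumed)

set skip on lo
block log all               # default deny in every direction

# 1. The single unidirectional pipe: desktops may open only the remote
#    display protocol to the sacrificial host, nothing else into the DMZ.
pass in  on $int_if proto tcp from $lan_net to $nm_host port $rd_port \
    flags S/SA keep state
pass out on $dmz_if proto tcp from $lan_net to $nm_host port $rd_port keep state

# 2. The DMZ host may place data/whiteboard NetMeeting calls outbound only;
#    no inbound NetMeeting connections are accepted at all.
pass in  on $dmz_if proto tcp from $nm_host to any \
    port { $t120_port, $h323_setup } flags S/SA keep state
pass out on $ext_if proto tcp from $nm_host to any \
    port { $t120_port, $h323_setup } keep state

# 3. Nothing originating on the DMZ host may reach the internal network, so a
#    compromise of the sacrificial host stops at the DMZ boundary. "quick"
#    makes this win over rule 2 for internal destinations. Replies to the
#    desktop's own SSH session are matched by state before these rules.
block in quick on $dmz_if from $nm_host to $lan_net
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pflog` for blocked attempts by the DMZ host to reach the internal network, which is the signal that the sacrificial host needs re-imaging.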
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]