Title: RE: netmeeting?

I have a fundamental problem with your statement, Nick. I don't usually jump into a thread but I need you to clarify your statement.

Are you saying that Cisco's PIX, Cisco's IOS, NAI's Gauntlet, NetGuard, Checkpoint's Firewall-1, Ascend's Secure Connect and Axent's Raptor are not secure when configured with h.323? And if that is so, why would reputable companies that supply the mentioned ICSA approved firewalls add support for such a blatant security hole? Or have they just figured out how to do it?

I implement and configure all of the above mentioned firewalls, plus Gnatbox (and Gnatbox is one of my favorites). All of the firewalls that I work with from Stateful Inspection to Proxy based have support for h.323 with the exception of GTA's Gnatbox.

All open ports and protocols in a firewall introduce some sort of risk to any environment exposed to the Internet or a dialup connection. Once a firewall has been configured to pass a selected port or protocol, it is up to the underlying application on the network to provide the security (proxy-based firewalls are the exception to this rule). The only real secure environment is one that is unplugged from the wall. As far as I am concerned the firewall vendor has to adopt the most efficient way of supporting as many protocols as possible and let the client or customer decide on what to open up, because it is inevitably the client's or customer's decision as to what they want to use for applications. We can only make their lives and environments as easy and secure as they want them to be; all we can do is inform them of the risks based on their choices.

I also don't want to lose the opportunity of recommending a solid, quick and inexpensive firewall such as Gnatbox because it doesn't support one lousy protocol and the client is stuck on using a particular application.

Regards

_________________________________________________

Stan Gripp      
Network Consultant
IT Infrastructure Group
Online Business Systems
[EMAIL PROTECTED]

_________________________________________________


 -----Original Message-----
From:   Nick Holland [mailto:[EMAIL PROTECTED]]
Sent:   Monday, July 10, 2000 12:46 PM
To:     [EMAIL PROTECTED]
Subject:        Re: netmeeting?

I believe it is not that GTA considers h.323 an unimportant protocol
as much as they consider NetMeeting a dangerous product, in violation
of many rules of basic security.  You let people into Netmeeting, you
barely have any firewall left to worry about.  So, why not just save
yourself the cost and maintenance of a firewall and the delusion that
you have anything resembling system security?

A firewall by itself does not make your network secure, especially
when you blow a hole in it that big.  It would be much like getting
the newest and most secure locks for all the doors of your
office...and leaving them in the box.  Or driving a bulldozer through
one wall because you find the locks inconvenient.  Simple purchase of
the locks by itself does not make you secure!  You are far better off
with NO locks than thinking you have security when you in fact do not.

Do a search on your favorite search engine for "Netmeeting security",
read through the results.  Pretty scary.

Netmeeting is a bad idea.  Basing your business around it is ALSO a
bad idea.  A firewall won't protect you, not once you open enough
access to let NetMeeting do its damma..er..work. 

This leaves GTA in a bad position -- Do they play into the popular
demands that they blow a hole a mile wide in their firewall?  If GM or
Ford considers adding a feature to their cars that would be popular
and yet they know could be dangerous, you can bet they are opening
themselves up to all kinds of unpleasant lawsuits should they decide
to implement the feature.  So far, the computer industry has been
spared these kinds of lawsuits -- but I can't imagine this will last
forever.  GTA has repeatedly made it publicly known they are aware of
security issues with Netmeeting -- don't even have to go digging
through secret company documents.  Do you propose that they go ahead
and support it anyway?  In heavy industry, that gets people big fines
and bad reputations. 

Nick.



Chris Green wrote:
> Gnatbox cannot pass voice or video portions of netmeeting through NAT.  I am
> currently evaluating a separate gatekeeper product that may work to go
> around gnatbox for h.323 connects.  GTA does not consider h.323 to be an
> important protocol at all.  They don't seem to understand that some of us
> are switching to h.323 for everything we do, including our phone systems.
>
> Chris Green
>
> >From: "Stuart Birchall" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Subject: netmeeting?
> >Date: Mon, 10 Jul 2000 11:56:39 +0100
> >
> >Hi Everyone,
> >does Gnatbox support Microsoft Netmeeting?
> >Cheers,
> >Stu
> >
> >