Forgive the in-line comments and replies, too tired to do otherwise...

"Gripp, Stan" wrote:
>I have a fundamental problem with your statement Nick. I don't 
>usually jump into a thread but I need you to clarify your statement.

Hey, that's what they are there for.  If you think I am wrong and can
demonstrate why, certainly, speak up!  Not only is it proper to do, it
is responsible to do, don't let me get away with saying anything that
is demonstrably wrong. 8-)

>Are you saying that the Cisco's PIX, Cisco's IOS, NAI's Gauntlet, 
>NetGuard, Checkpoint's Firewall-1, Ascend's Secure Connect and 
>Axent's Raptor are not secure when configured with h.323. And if 
>that is so, why would reputable companies that supply the mentioned 
>ICSA approved firewalls, add support for such a blatant security 
>hole? Or have they just figured out how to do it.

I was not speaking to the h.323 protocol itself, I was referring to
Netmeeting, the topic in question (one day, you get pounded for going
off topic, another day, you get pounded for staying on topic.  Good
thing I got thick skul..er..skin. 8).  Anyway, there are two different
issues here, h.323 and Netmeeting.

I will say all those firewall programs you listed are permitting a
breach of network and PC integrity and security if they are being used
to pass Netmeeting.  Very similar to unlocking a locked door for a
stranger: the stranger may stay outside or walk in, do nothing or rob
you blind, burn your building, whatever.  Netmeeting permits one user
to come in and take over your computer.  That is crazy.  I don't care
WHO supports it, I have a brain, I can read the reports and think for
myself.  If the logic dictates, I'm not afraid to say some very big
companies are quite wrong in many things they do.  

As for h.323, I'm not an expert on it, but in a quick glance at some
docs I found on the 'net, it was clearly NOT intended for WAN access
over public networks (i.e., the Internet).  It is a very bad idea. 
Look at it.  This is NOT how you run a protocol through the modern and
public Internet, much too difficult to administer and control.  I
can't believe people base their businesses on something like this. 
The Internet requires sane and manageable protocols, not this kind of
idiocy.  Can you see where this goes?  Any and every new protocol and
app, a new proxy on your firewall?  Next year, you have to trash your
perfectly good firewall for something new, just because Bob's Software
Corp said "Isn't this cool?"  Open season on idiot protocols?  Soon,
your firewall becomes so complex that its integrity can never be
proven, can never be completely tested, and so full of holes that it
should be called the fire sponge (or fire-revolving-door).  There is
no reason videoconferencing needs this kind of cr*p protocol.  There is
no excuse for having to add new and ever more complex proxy servers to
firewalls.  

As for why "reputable companies" would do such a thing, I guess I
start by questioning your terms.  RESPECTED companies, sure. 
Reputable?  Is it "reputable" to say you are promoting security and
then support an insecure app?  I don't care how big or successful a
company is, if they encourage the implementation of bad ideas, I don't
consider them reputable.  You, of course, get to decide for yourself. 
My guess is the marketing department told the engineering department
"do this, they want it", and I rather doubt the engineering department
liked it one bit.  The legal department stuck something in the license
agreement which says "you are responsible for what you do with our
product" and told management that gets them off the hook.  The legal
department doesn't care if it does or doesn't -- they get paid if they
are right, they get paid even more if they are wrong.  (What a line of
work, eh?)

As far as ICSA approval of firewalls goes, I am not entirely sure what
they are testing for or what the approval actually means, but as
virtually any firewall can be turned into an open door, I don't think
the support of a bad protocol and a bad product would necessarily void
ICSA approval.  I've heard stories of GB systems opened so wide they
were nothing more than a bridge.  Doesn't mean the product is bad, just
the installer was an idiot.  

The scary thing in any business is, unfortunately the big companies
often get big by selling bad products.  That doesn't make it right or
wrong -- but I appreciate companies that hold themselves to higher
standards, even if they don't become the next Microsoft.

>I implement and configure all of the above mentioned firewalls, 
>plus Gnatbox (and Gnatbox is one of my favorites). All of the 
>firewalls that I work with from Stateful Inspection to Proxy based 
>have support for h.323 with the exception of GTA's Gnatbox. 

I get clients that ask me to set up bad systems for them all the time,
too.  I turn them down.  I'd rather not have them as a client than
have my name attached to a bad job. O.k., I'm weird.  However, I'll be
quick to admit my competition makes a hell of a lot more money than I
do.  I'm o.k. with this.  I'd rather be proud of the work I do than be
rich doing shoddy work.

>All open ports and protocols in a firewall, introduce some sort 
>of risk to any environment exposed to the Internet or a dialup 
>connection. Once a firewall has been configured to pass a selected 
>port or protocol, it is up to the underlying application on the 
>network to provide the security (Proxy based firewalls the 
>exception to this rule). The only really secure environment is one 
>that is unplugged from the wall. As far as I am concerned the 
>firewall vendor has to adopt the most efficient way of supporting 
>as many protocols as possible and let the client or customer 
>decide on what to open up, because it is inevitably the client or 
>customer's decision as to what they want to use for applications. 
>We can only make their lives and environments as easy and secure 
>as they want it to be, all we can do is inform them of the risks 
>based on their choices.

If customers were really being educated, I'd agree 100%.  That's not
what happens in most cases, however.  The customer says "I want to do
X" and no matter how stupid it is, the salesperson says "Sure, no
problem".  Given a choice between "giving the customer what they want"
vs. educating the customer as to why what he is trying to do is a
really stupid idea, 95 out of 100 sales people will go for the
sale (and the other five will be unemployed next week).  Be realistic
here...  The technical people aren't the ones who make the sale, it's
the sales people.  And it is the rare tech who gets to stand up and
say "No, this isn't right".  They aren't paid enough to care, and they
aren't planning on being around when this comes back to bite someone.

You are quite right, the security of a firewall is dependent upon the
apps behind it.  However, if the app is insecure by design, should the
firewall manufacturer bend over backwards to let the user shoot
themselves in the head?  Is it wise to let people use an app that
shouldn't be used?  Or can't be properly filtered and guarded?

>I also don't want to lose the opportunity of recommending a solid, 
>quick and inexpensive firewall such as Gnatbox because it doesn't 
>support one lousy protocol and the client is stuck on using a 
>particular application.

There is a problem with having an easy to use, low-cost product. 
People tend to think "if it let me do it, it's o.k.", without the
training or understanding to appreciate the true significance of their
implementation.  That's pretty shaky ground to be on, legally, I would
think.  If a lawyer can ever figure out how to keep a jury of people
too dumb to avoid jury duty awake for a trial, I think a lot of
software publishers are in deep doo-doo.

Personally, I'd rather lose the deal.  If the client wants to hang
themselves, I'd rather someone else sells 'em the rope.  But that's
me.  Yeah, someone here already offered to NOT participate in my IPO,
and I can understand why.  I'm also not doing an IPO...most of those
lately have been scams, too.  I'm earning my living the old fashioned
way -- honesty and value, and in case you are wondering, it isn't a
good way to get rich.  But I sleep well.  


>
>Regards
>
>_________________________________________________
>
>Stan Gripp       
>Network Consultant
>IT Infrastructure Group
>Online Business Systems
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>
>_________________________________________________
>
>This email message is for the sole use of the intended recipient(s) and may
>contain confidential and privileged information. Any unauthorized review,
>use, disclosure or distribution is prohibited. If you are not the intended
>recipient, please contact the sender by reply email and destroy all copies
>of the original message.

    ^^^^ Speaking of lawyers....  Sheesh.  8-)
    

Nick.
BGFH
-- 
http://www.holland-consulting.com/
