>I was not speaking to the h.323 protocol itself, I was referring to
>Netmeeting, the topic in question (one day, you get pounded for going
>off topic, another day, you get pounded for staying on topic. Good
>thing I got thick skul..er..skin. 8). Anyway, there are two different
>issues here, h.323 and Netmeeting.
>
>I will say all those firewall programs you listed are permitting a
>breach of network and PC integrity and security if they are being used
>to pass Netmeeting. Very similar to unlocking a locked door for a
>stranger: the stranger may stay outside or walk in, do nothing or rob
>you blind, burn your building, whatever. Netmeeting permits one user
>to come in and take over your computer. That is crazy. I don't care
>WHO supports it, I have a brain, I can read the reports and think for
>myself. If the logic dictates, I'm not afraid to say some very big
>companies are quite wrong in many things they do.

Netmeeting does not permit anything. The user chooses to allow this. PC Anywhere does the same thing and it's as simple as opening a port to allow that to happen inbound to your network. You are absolutely confusing the role of the software company writing the firewall vs. the firewall administrator.
>
>As for h.323, I'm not an expert on it, but in a quick glance at some
>docs I found on the 'net, it was clearly NOT intended for WAN access
>over public networks (i.e., the Internet). It is a very bad idea.
>Look at it. This is NOT how you run a protocol through the modern and
>public Internet, much too difficult to administer and control. I
>can't believe people base their businesses on something like this.
>The Internet requires sane and manageable protocols, not this kind of
>idiocy. Can you see where this goes? Any and every new protocol and
>app, a new proxy on your firewall? Next year, you have to trash your
>perfectly good firewall for something new, just because Bob's Software
>Corp said "Isn't this cool?" Open season on idiot protocols? Soon,
>your firewall becomes so complex that its integrity can never be
>proven, can never be completely tested, and so full of holes that it
>should be called the fire sponge (or fire-revolving-door). There is
>no reason videoconferencing needs this kind of cr*p protocol. There is
>no excuse for having to add new and ever more complex proxy servers to
>firewalls.

The h.323 protocol is here to stay and GTA will lose in the long run if they don't support it soon. The problem here is that GTA is stating they won't support it because their customers don't need it. The reality is that small companies are the first to be using this. We use it extensively internal to our company, and our clients, vendors, etc. are more and more expecting us to utilize Netmeeting and other h.323 based technologies to communicate with them. We are currently implementing a new phone system which is network based.
We can take our phone anywhere in the world and plug it into an internet connected network and make phone calls out of our office. These kinds of technologies are dependent on my ability to NAT h.323. The only alternative is to fully expose boxes outside of the firewall that need h.323 which is far worse than the ever so slight risk involved in allowing an administrator to choose to allow h.323 onto his LAN. Other firewalls have not only fully supported h.323 for a while now, but have been very diligent in making sure that it works transparently to the end user. Others (Raptor for certain) have even set up complex proxies to allow you to set up inbound capabilities so that people can connect to the proxy and request a certain person inside. This will be expected of all firewalls very soon. Vendors who cannot provide such technologies will be left behind.
>
>As for why "reputable companies" would do such a thing, I guess I
>start by questioning your terms. RESPECTED companies, sure.
>Reputable? Is it "reputable" to say you are promoting security and
>then support an insecure app? I don't care how big or successful a
>company is, if they encourage the implementation of bad ideas, I don't
>consider them reputable. You, of course, get to decide for yourself.
>My guess is the marketing department told the engineering department
>"do this, they want it", and I rather doubt the engineering department
>liked it one bit. The legal department stuck something in the license
>agreement which says "you are responsible for what you do with our
>product" and told management that gets them off the hook. The legal
>department doesn't care if it does or doesn't -- they get paid if they
>are right, they get paid even more if they are wrong. (What a line of
>work, eh?)

I can only speculate as to why one would turn away a customer, but I won't. A vendor that I would trust would never walk away from a challenge.
I have always made sure to inform my customer and to do the legwork to ensure that I have tried everything possible to secure the environment yet still allow them to work. Since when is it the vendor's place to tell a business what they can and cannot use? That's not how business works.
