Firewall Wizards mailing list archives
Re: Dealing with MS Netmeeting & H.323
From: David Bonn <David.Bonn () watchguard com>
Date: Wed, 3 Jun 1998 09:24:53 -0700
"Fred" == Frederick M Avolio <fred () avolio com> writes:
Fred> Many companies claim to "handle" and some even indicate "handle
Fred> securely." I'd be interested in a short blurb from the vendors who
Fred> handle such things indicating how they handle it and why they think
Fred> the way they handle it is secure. (This is not intended to cast
Fred> aspersions on any above-mentioned vendor.)

Our newest (3.0) release has an H.323 proxy. We were primarily motivated by a lot of customer requests and some of our customers were using WG for intranet firewalling and netmeeting in their offices. The self-invented workarounds to get H.323 to work were ugly enough that we felt that adding the proxy would make a big difference.

Without network address translation, we can support both incoming and outgoing H.323 calls. With network address translation, we don't support incoming H.323 calls. H.323 seems to have a lot of assumptions about one and only one client per host, and to support incoming H.323 calls in a NAT situation one would have to have "redirector" support. We don't.

AFAIK the only application anyone has actually used our H.323 proxy with is Netmeeting and Intel's Internet Phone, which is okay from my standpoint (try naming another application that uses H.323). I'd actually feel better saying that we have a "netmeeting proxy". Since Netmeeting appears to only use a subset of H.323, you'd have a more properly paranoid proxy if you sliced things that way.

As for using "secure" and "H.323" in the same sentence, I'd feel somewhat like a jerk for doing so. Here's why:

o H.323 is a bulky, complex, and open-ended protocol.

o To make matters worse, H.323 uses ASN.1 encoding.

o Netmeeting appears to use only a subset of H.323. That makes me wonder how much of the protocol design has actually been exercised.

o The history with other network protocols has been that it takes a number of years and a fair amount of trauma (SMTP? Java seems to be in progress) to work out all of the security implications. H.323 hasn't had that time and (again, AFAIK) no studies about its security implications have been widely distributed.

I didn't write our H.323 proxy, and this is based on a discussion with the guy down the alley who did.

David Bonn
CTO && VP Engineering
WatchGuard Technologies, Inc.