Firewall Wizards mailing list archives

Re: NetMeeting security solution?


From: Chris Shenton <cshenton () uucom com>
Date: 16 Sep 1998 11:20:40 -0400

Don Cox <dcox () kodak com> writes:

> Advocates of NetMeeting are trying to convince me that:
> a) If you use tunneling (to take care of opening all ports on your
> firewall problem), AND
> b) If you use neT.120 Conference Server,
> that security should not be a threat.


If you tunnel then the connection between the two sites is secure,
yes.  But if -- say -- your site is protected but the remote site is
not, then anyone who gets in to the remote site can pass through the
tunnel to yours. And once they do that, the "application sharing"
gives them mouse/keyboard access to your machine, the LAN and servers
it has access to. 

(Only if both sites are tight -- or rather have the same security
policy -- does this not lower risk. Most places I've seen don't have
this situation, the control isn't central.)


> Say that I insist that audio and
> video be disabled, and that we use tunneling, do you feel that using
> neT.120 Conference Server will address all other security issues?

The audio and video isn't inherently insecure, nor is the whiteboard:
it's just all the damn ports you have to open since the protocol's so
complex. (Micro$oft says to simply "open all UDP and TCP ports above
1024 in your firewall"; sheesh).

The application sharing *is* inherently dangerous as it gives remote
users (and anyone who can hack them) mouse/keyboard access to your
machine. In 5 seconds you can insert a DOS command shell into a shared
Word doc and then do anything you want -- install sniffers, delete
files. On NT too.

A couple firewall vendors are working on true proxies which understand
the T.120 and H.323 protocols so that they only open the ports which
the peers negotiate but I'm not sure if they're available yet.


> Note: reasons given to me for using neT.120 Conference Server were taken
> from http://www.databeam.com/net120/top_ten.html. Interesting that
> companies such as GE, Ford, Boeing, FileNet and MCI use NetMeeting.

They probably eat at McDonald's too, but that doesn't make the golden
arches fine cuisine.  There's a brain-damage in large corporations
which says "we have to use Product X because everyone else is using
it". Only later do they worry about security. And it's hard for net
admins to argue with users who say "It's *free*".  Shudder.

I found Databeam to be *not* helpful. Remote users connect to the
server, but then that traffic is mirrored to you. Again, application
sharing is the threat, even if the audio/video/whiteboard issues are
finessed by risking someone else's machine, the Databeam server.


I'll try and get my whitepaper back on line this week; I spent a while
looking into this.
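
The contrast drawn in the message above, between opening every port above 1024 and a proxy that opens only the ports the peers negotiate, as an added example that is not part of the original post. The addresses, call id, callback names and classes are constructed for illustration and do not model any vendor's product.

```python
# Added illustration: negotiated pinholes vs. a static "all ports above 1024" rule.
# Addresses, call ids and the callback interface are constructed for this sketch.
from dataclasses import dataclass, field

H323_CALL_SIGNALLING = 1720  # well-known TCP port for H.323 call setup
T120_DATA = 1503             # well-known TCP port for T.120

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def static_rule_allows(pkt: Packet) -> bool:
    """The 'open all UDP and TCP ports above 1024' rule: any source, any high port."""
    return pkt.dport > 1024

@dataclass
class PinholeProxy:
    """Hypothetical model of a protocol-aware proxy's state table."""
    allowed_peers: set
    pinholes: dict = field(default_factory=dict)  # call_id -> {(src, dst, proto, dport)}

    def on_negotiated(self, call_id, peer, local, proto, port):
        # Invoked when the proxy sees the peers agree on a dynamic port.
        if peer not in self.allowed_peers:
            raise PermissionError(f"{peer} is not an approved conference peer")
        self.pinholes.setdefault(call_id, set()).add((peer, local, proto, port))

    def on_call_end(self, call_id):
        # Tear down every pinhole that belonged to the finished call.
        self.pinholes.pop(call_id, None)

    def allows(self, pkt: Packet) -> bool:
        # Fixed control ports are reachable only from approved peers.
        if pkt.proto == "tcp" and pkt.dport in (H323_CALL_SIGNALLING, T120_DATA):
            return pkt.src in self.allowed_peers
        # Everything else must match an exact negotiated tuple.
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        return any(key in holes for holes in self.pinholes.values())
```

Neither policy addresses the application-sharing risk the message describes, since that traffic arrives from an approved peer on a negotiated channel.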


