Firewall Wizards mailing list archives
RE: Apple's iSight and Firewalls
From: Dave Killion <Dkillion () netscreen com>
Date: Wed, 20 Aug 2003 11:25:46 -0700
Black,

Some firewalls support monitoring the H.240 command channel for 'open data channel' commands. For those that don't support this application layer monitoring, you'd have to open up a huge range of ports (typically UDP) for the data channels to work. This is the Swiss-cheese problem.

H.323 is one of the most firewall-hostile protocols I've ever seen. Which is why I recommended that instead of opening up all sorts of ports (always a bad idea) that instead they point-to-point encrypt it, and be done with the matter.

There are a variety of different ways to solve this problem, the ideal solution depending on what skill sets Jim has, what sort of features his current equipment has, and what kind of money his management is willing to spend on such a system. VPN's a drop-dead simple solution with obvious side benefits. But only if your infrastructure supports VPNs.

-Dave

-----Original Message-----
From: black () galaxy silvren com [mailto:black () galaxy silvren com]
Sent: Wednesday, August 20, 2003 10:58 AM
To: Dave Killion
Cc: 'firewall-wizards () honor icsalabs com'
Subject: RE: [fw-wiz] Apple's iSight and Firewalls

For h.323 and netmeeting, all I needed to do was open udp 1719 to the gatekeeper's address... am I missing something here or where does the "swiss cheese" come into play?

On Wed, 20 Aug 2003, Dave Killion wrote:
Jim,

If it's a site-to-site video conferencing system, where both sides are firmly under your control (Corp HQ to Corp Office, etc), I'd strongly recommend a VPN tunnel, which solves most of the Swiss-cheese problems. This is something you should already have, anyway.

Just a thought...

Dave Killion
Senior Security Engineer
Security Group, NetScreen Technologies, Inc.

-----Original Message-----
From: jseymour () LinxNet com [mailto:jseymour () LinxNet com]
Sent: Tuesday, August 19, 2003 5:43 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Apple's iSight and Firewalls

Hi All,

My company would like to set up inexpensive video-conferencing. They've been bugging me for a solution for some time. The partner company, being All Windows, All The Time, of course immediately suggested NetMeeting. ISTR a discussion about NetMeeting here, perhaps prompted by me, and, IIRC, it pretty much requires one make swiss cheese of their firewall for it to work. I vetoed it, and management backed me up. Doing a search on "NetMeeting" on SecurityFocus was not encouraging, either.

Recently they bought me an iBook to do some WebObjects development with. It just hit me today that maybe Apple's iSight product would do the trick for video conferencing. Problem is: I've no idea what iSight would need through the firewall. There's this:

http://www.macosxhints.com/article.php?story=20030623203213301

If 5060 and 16384 through 16403 UDP are all that are required, and I can specify the only allowed IP address inside they would forward to, well, that might be acceptable.

Comments? Opinions? Suggestions? Flames? ;)

Thanks,
Jim
--
Jim Seymour | PGP Public Key available at:
jseymour () LinxNet com | http://www.uk.pgp.net/pgpnet/pks-commands.html
http://jimsun.LinxNet.com |

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
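An added example, not part of the thread, that models the two approaches discussed above: Jim's narrow forward (UDP 5060 and 16384 through 16403 to a single inside host) against the wide dynamic-port opening that Dave calls Swiss cheese, and counts how many inside host/port pairs each policy exposes. The inside addresses are constructed, and the policy model is a simplification (stateless, non-overlapping rules).

```python
"""Model of the two firewall policies discussed in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    proto: str      # "udp" or "tcp"
    dst_net: str    # inside destination network the rule forwards to
    port_lo: int    # inclusive destination port range
    port_hi: int


# Narrow policy from Jim's post: SIP signalling plus the 20-port media range,
# forwarded to exactly one inside host.  Address is a constructed example.
ISIGHT_HOST = "192.0.2.10"
NARROW_POLICY = [
    Rule("udp", f"{ISIGHT_HOST}/32", 5060, 5060),
    Rule("udp", f"{ISIGHT_HOST}/32", 16384, 16403),
]

# "Swiss cheese": a wide dynamic UDP range open to the whole inside subnet,
# which is what H.323 needs without application-layer channel tracking.
SWISS_CHEESE_POLICY = [
    Rule("udp", "192.0.2.0/24", 1024, 65535),
]


def allowed(policy, proto, dst_ip, dst_port):
    """True if any rule in the policy permits this inbound packet."""
    ip = ip_address(dst_ip)
    return any(
        r.proto == proto
        and ip in ip_network(r.dst_net)
        and r.port_lo <= dst_port <= r.port_hi
        for r in policy
    )


def exposed_endpoints(policy):
    """Number of (inside host, port) pairs reachable from outside.

    Rules are assumed not to overlap, so the per-rule counts simply add up.
    """
    return sum(
        ip_network(r.dst_net).num_addresses * (r.port_hi - r.port_lo + 1)
        for r in policy
    )


if __name__ == "__main__":
    print("narrow policy exposes", exposed_endpoints(NARROW_POLICY), "pairs")
    print("swiss cheese exposes", exposed_endpoints(SWISS_CHEESE_POLICY), "pairs")
```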