Firewall Wizards mailing list archives
Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls
From: Bret Watson <lists () ticm com>
Date: Wed, 27 Aug 2003 07:30:16 +0800
OK maybe I forgot to give a detail..H.323 is the IP Telephony protocol.. Netmeeting uses it, but so does many other system, such as picturetel and cisco's stupidly expensive wifi IP phones..
Why do we want to use IP telephony? well its useful, cheaper than paying for a PABX multi-national roaming system, and allows roaming phone calls even to executives in airport lounges...
So it ain't going away in a hurry - no matter how much we say "its bad"The solution I proposed I believe does "the right thing" it puts it behind an application proxy where it belongs..
Cheers, BretPS - what is not mission critical now? My last client listed its mission critical systems, 2 out of the 10 most critical were internet facing, and had to be internet facing since they were its webserver and ftp server..
At 17:07 26/08/03 -0400, Marcus J. Ranum wrote:
Bret Watson wrote: >A better solution is this.. >>in the DMZ place a H323 gatekeeper with routed proxying turned on, restrict the port ranges to the number of simultaneous connections you expect to receive..Y'know, I think I must just be "retro" but I think there's no how, no way that netmeeting has any business entering or exiting a mission-critical network. I.e..: if it's worth firewalling, it's best to not allow this kind of stuff at all. Of course the users will scream. But they will always scream anyhow. How long will it be before someone writes a worm that uses it? Then everyone'll be scrambling for a "solution" to the problem once the horse has left the barn. There's a "solution" for this crud and that's not to run the risk in the first place... Sorry - I'm feeling extremely curmudgeonly today. In my inbox I had *5* reports of mission-critical networks that were taken down by various worms in the last week. Why's that? On the surface, the answer is "RPC bug" but the REAL answer is "people should not be connecting mission-critical networks to the Internet - even with firewalls." A small handful of us have been singing this song quietly in the corner for about 12 years, now. Is anyone going to ever "get it"?? mjr.
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Apple's iSight and Firewalls Jim Seymour (Aug 20)
- Re: Apple's iSight and Firewalls Bartek Krajnik (Aug 25)
- Setting up H323 IP telephony etc - was Re: Apple's iSight and Firewalls Bret Watson (Aug 26)
- Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Marcus J. Ranum (Aug 26)
- Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Paul Robertson (Aug 26)
- Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Frederick M Avolio (Aug 26)
- Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Bret Watson (Aug 27)
- Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Frederick M Avolio (Aug 27)
- Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Marcus J. Ranum (Aug 28)
- Setting up H323 IP telephony etc - was Re: Apple's iSight and Firewalls Bret Watson (Aug 26)
- Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Barney Wolff (Aug 27)
- Re: Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls Marcus J. Ranum (Aug 27)
- Re: Apple's iSight and Firewalls Bartek Krajnik (Aug 25)
- Re: Setting up H323 IP telephony etc - was Re: Apple's iSight and Firewalls Bartek Krajnik (Aug 28)
- <Possible follow-ups>
- RE: Apple's iSight and Firewalls Dave Killion (Aug 20)
- RE: Apple's iSight and Firewalls black (Aug 21)
- RE: Apple's iSight and Firewalls Dave Killion (Aug 21)