Firewall Wizards mailing list archives

FW: Dealing with MS Netmeeting & H.323


From: Hal <hal () mrj com>
Date: Tue, 2 Jun 1998 17:21:16 -0700

Here is some additional information on NetMeeting. Port 522 (ULS) is used by version 1, but not version 2.1 (the currently available version), which uses port 389 (ILS). Open port 1503 (T.120) to enable the data conferencing features: whiteboard, chat, file transfer and application sharing. All this is standard TCP. Audio/video is another story. Also, there's a nasty security problem with the shared application execution facility enabling remote users to execute unintended programs on other participants' workstations.

Thanks to (jussi.jaskonaho () digital com) for pointing out a really great paper on all this:
(www.it.hq.nasa.gov/~cshenton/hq/netmeeting)

Regards
Hal
Hal () mrj com  

----------
From:  Hal[SMTP:hal () mrj com]
Sent:  Monday, June 01, 1998 1:54 PM
To:  'firewall-wizards () nfr com'
Subject:  Dealing with MS Netmeeting & H.323 


I'm wondering if anyone has had much luck securing Microsoft's NetMeeting product? This topic has been discussed here and on other lists. People usually just throw up their hands when dealing with it. What's the best advice?

In summary, here's what I found out about it:

It's based on an H.323 architecture using T.120's transport and the IETF Realtime Protocol (RTP)/Real Time Control Protocol (RTCP) for its audio and video feeds, and includes a few additional features. Ports (TCP): 389 - Internet Locator (LDAP), 522 - HTTP based User Locator (I think this is a MS proprietary protocol), 1503 - T.124 "media independent transport", 1720 - H.323 call setup, 1731 - H.323 audio call setup (not sure what this is for). Here are the zingers: dynamically assigned TCP and UDP ports in the "ephemeral" range (> 1024) carrying RTP & RTCP (allocated as dynamically assigned even/odd pairs, one pair per direction and media type). RTCP is used for feedback about the real time channel (congestion, quality, etc.). The actual port numbers for these associations are passed in an ASN.1 open local channel request on port 1720.


Issues:
(1) Router filters control a single port or port range. Dynamic port assignments require the range to be very large, defeating the filter's purpose.
(2) Network Address Translation. H.323 logical channel open fetches the local client address and passes that bound into an application (session) PDU to the destination, causing internal address leakage. (The destination tries to send to the untranslated internal address of the source instead of the translated external address.)

An H.323 proxy could solve these problems. Firewall-1 states they can handle H.323 and work with NetMeeting (does anyone have any experience with this?). Gauntlet/NT has an H.323 proxy, but their administrator's guide, which lists several multimedia applications, does not list NetMeeting. Are there other firewalls that can handle NetMeeting?

One suggestion I received was to allow just the data portion of NetMeeting by blocking the dynamically assigned ports that carry the audio and video. Difficult to satisfy a customer expecting interactive audio and video.


Regards Hal. 
Hal () mrj com
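The two issues Hal raises (dynamic RTP/RTCP ports that a static port filter cannot express, and the internal address leaked through NAT inside the call-setup channel) can be shown side by side in a small model. This is an added illustration, not code from the original message or from any firewall product named in it. It assumes a constructed, simplified dict-based record in place of the real ASN.1 open-channel request on TCP 1720 (real H.245 is binary ASN.1 PER and needs a proper decoder, which this does not attempt); the addresses and the RTP port 49170 are constructed sample values.

```python
"""Model of the NetMeeting/H.323 filtering problems from the post:
static port filtering vs. an H.323-aware proxy that learns the negotiated
even/odd RTP/RTCP pair and rewrites leaked internal addresses.
"""
import ipaddress
from dataclasses import dataclass, field

# Fixed TCP ports named in the post (ILS/LDAP, ULS, T.120, H.323 call setup, audio call setup).
STATIC_TCP_PORTS = {389, 522, 1503, 1720, 1731}

# Internal (RFC 1918) ranges: an address from these should never appear in a PDU
# that has crossed a NAT boundary.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dst: str     # destination address as seen on the external side
    dport: int


def static_filter_allows(pkt: Packet) -> bool:
    """Router-style filter: only the fixed TCP ports, so every UDP media packet is dropped."""
    return pkt.proto == "tcp" and pkt.dport in STATIC_TCP_PORTS


def rtcp_port_for(rtp_port: int) -> int:
    """RTP takes an even port and RTCP the next odd one (one pair per direction and media)."""
    if rtp_port % 2:
        raise ValueError("RTP port must be even")
    return rtp_port + 1


@dataclass
class H323AwareFilter:
    """Proxy-style filter: reads the open-channel signalling, pins holes only for the
    negotiated even/odd UDP pair, and rewrites leaked internal addresses to the NAT address."""
    external_addr: str                        # the NAT's translated (external) address
    pinholes: set = field(default_factory=set)   # (proto, dst, dport) tuples
    leaks: list = field(default_factory=list)    # (media, leaked internal address)

    def observe_open_channel(self, msg: dict) -> dict:
        """msg is a constructed record: {"media": "audio", "addr": "10.0.0.5", "rtp_port": 49170}.
        Returns the record as it should leave the proxy, with the RTCP port filled in."""
        addr = msg["addr"]
        rtp = msg["rtp_port"]
        rtcp = rtcp_port_for(rtp)
        if is_internal(addr):
            # The leakage from the post: the untranslated client address inside the PDU.
            self.leaks.append((msg["media"], addr))
            addr = self.external_addr
        for port in (rtp, rtcp):
            self.pinholes.add(("udp", addr, port))
        return {"media": msg["media"], "addr": addr, "rtp_port": rtp, "rtcp_port": rtcp}

    def allows(self, pkt: Packet) -> bool:
        """Fixed TCP ports plus exactly the UDP ports learned from signalling, nothing else."""
        if static_filter_allows(pkt):
            return True
        return (pkt.proto, pkt.dst, pkt.dport) in self.pinholes


def demo() -> dict:
    """Run both filters over one constructed audio channel and three media packets."""
    proxy = H323AwareFilter(external_addr="198.51.100.7")
    rewritten = proxy.observe_open_channel({"media": "audio", "addr": "10.0.0.5", "rtp_port": 49170})
    media = [Packet("udp", "198.51.100.7", 49170),   # RTP, negotiated
             Packet("udp", "198.51.100.7", 49171),   # RTCP, negotiated
             Packet("udp", "198.51.100.7", 49172)]   # unrelated ephemeral port
    return {
        "setup_passes_static": static_filter_allows(Packet("tcp", "198.51.100.7", 1720)),
        "static_passes_media": [static_filter_allows(p) for p in media],
        "proxy_passes_media": [proxy.allows(p) for p in media],
        "rewritten_addr": rewritten["addr"],
        "rtcp_port": rewritten["rtcp_port"],
        "leaks": proxy.leaks,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The static filter passes the call setup on 1720 but drops all three UDP packets, which is the "data only" outcome Hal describes; the proxy passes exactly the negotiated pair (49170/49171), rejects the neighbouring port, and records the 10.0.0.5 leak it rewrote. In a real deployment the same check (a private address inside signalling crossing the external interface) is a useful alert even when the firewall cannot rewrite the PDU.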
