Firewall Wizards mailing list archives
Re: Dealing with MS Netmeeting & H.323
From: "Ryan Russell" <ryanr () sybase com>
Date: Mon, 8 Jun 1998 12:44:19 -0700
Don't get me wrong.. I'm actually a big SPF fan. I was being more general with my definition of "secure." Sure, you can make an SPF w/NAT handle it "securely" in terms of only allowing the minimum ports by snooping the data stream, etc.. Rumor has it that FW1 4.0 will do just that. What I was referring to was the capabilities of the program itself... i.e. one of my users could go into a netmeeting session, and give control of a DOS box to someone on the outside. No thanks.
From that point of view, FW-1 handles it perfectly "securely" at present. It doesn't work at all. :)

Ryan

Jan.Bervar () nil si on 06/04/98 09:10:09 AM
Please respond to Jan.Bervar () nil si
To: firewall-wizards () nfr net
cc: (bcc: Ryan Russell/SYBASE)
Subject: Re: Dealing with MS Netmeeting & H.323

On 06/03/98 08:18:41 PM "Ryan Russell" wrote:
> I'll agree with Fred on this one... It's practically impossible to really handle Netmeeting securely at this point, since the application's purpose in life creates huge holes, even when functioning correctly.
I don't consider it a huge risk for outgoing calls, when handled *PROPERLY* by a stateful filter. And to make it scalable, you would appreciate the low latency and high throughput that SPFs tend to have. Of course, YCMMV (C=customer's) ;)
> At best at present, the main SPF products such as FW1 and PIX just open the minimum number of ports for the minimum amount of time. It's a big improvement over Microsoft's instructions (Just let all UDP in... yea, right) but the program itself is still pretty bad.
Yes, this is the way SPFs handle all the weird services. The obvious problem we have here is that we rely on a timeout to close the dynamically opened ports if you cannot determine the end of the session from a control channel (for example, if you are streaming UDP inbound). So you do have a little race condition there.
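The trade-off discussed above, closing a dynamically opened port on a visible control-channel teardown versus waiting for an idle timeout, as an added example that is not part of the original thread. It is a toy Python model; the class names, the 30-second timeout and the host/port are constructed assumptions, not any product's behaviour.

```python
from dataclasses import dataclass
@dataclass
class Pinhole:
    last_seen: float        # time of the last packet matched by this pinhole
    teardown_visible: bool  # can the filter see the session end on a control channel?

class PinholeTable:
    """Toy model of the dynamically opened ports a stateful filter tracks."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.holes = {}  # (inside_host, port) -> Pinhole

    def open(self, key, now, teardown_visible):  # port seen in the control stream
        self.holes[key] = Pinhole(now, teardown_visible)

    def packet(self, key, now):  # session traffic refreshes the idle timer
        if not self.is_open(key, now):
            return False
        self.holes[key].last_seen = now
        return True

    def control_teardown(self, key):  # explicit session end: close at once
        hole = self.holes.get(key)
        if hole is not None and hole.teardown_visible:
            del self.holes[key]

    def is_open(self, key, now):
        hole = self.holes.get(key)
        if hole is None or now - hole.last_seen > self.idle_timeout:
            self.holes.pop(key, None)  # expire lazily once the idle timer runs out
            return False
        return True

def stale_seconds(table, key, last_packet_at, step=1.0):
    """Seconds the pinhole stays open after the session's last packet."""
    t = last_packet_at
    while table.is_open(key, t + step):
        t += step
    return t - last_packet_at

def compare(idle_timeout=30.0):
    key, results = ("10.0.0.5", 49152), {}  # constructed inside host and UDP port
    for name, visible in (("control teardown", True), ("timeout only", False)):
        table = PinholeTable(idle_timeout)
        table.open(key, now=90.0, teardown_visible=visible)
        table.packet(key, now=100.0)   # last media packet of the call
        table.control_teardown(key)    # hang-up; no effect if the filter cannot see it
        results[name] = stale_seconds(table, key, last_packet_at=100.0)
    return results
```

Calling `compare()` shows the pinhole closing immediately when the teardown is visible and lingering for the full idle timeout when it is not, which is the window the timeout value has to be tuned against.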