Firewall Wizards mailing list archives
Re: H.323
From: Chris Shenton <cshenton () uucom com>
Date: 10 Mar 1999 16:53:23 -0500
I am interested in obtaining "lessons learned" from those of you who may have implemented H.323 (especially if you used NetMeeting). Specifically, I am interested in the following:
When I was at NASA I wrote a paper on NetMeeting's (non-) security. You might find it helpful. http://www.shenton.org/~chris/nasa-hq/netmeeting/ After this analysis we decided not to deploy across the WAN. Just no way to make it secure. After I released it I got some mail from a couple firewall developers who said they were working on actual app proxies but that they were very complex. Maybe they exist now in a useable form -- I haven't looked into this recently.
4. Any security issues? Note, H.323 v2 has enhanced security to include authentication, integrity, privacy, and non-repudiation, although we may be using NetMeeting... In reviewing last year's thread (Jun-Sep), I saw a concern about the "shared application execution facility enabling remote users to execute unintended program on other participant's workstations" but I never really saw anything specific.
NetMeeting doesn't even have a concept of *user* authentication. It assumes there's one human per IP address. Clearly developed by a PC-mentality coder. It certainly could n't be mistaken for anything resembling strong authentication. In short, it's a naively designed and poorly implemented product which can't be securred by 3rd-party gateways, protocol convertors, etc. At least I didn't find a way back when I was investigating it. If you do, let me know. Thanks.
Current thread:
- Re: H.323 Paul Howell (Mar 05)
- Re: H.323 Chris Shenton (Mar 11)