Re: H.323

[Chris Shenton <cshenton () uucom com>]

> I am interested in obtaining "lessons learned" from those of you who may
>  have implemented H.323 (especially if you used NetMeeting).  Specifically, I 
> am interested in the following:

When I was at NASA I wrote a paper on NetMeeting's (non-)
security. You might find it helpful.

http://www.shenton.org/~chris/nasa-hq/netmeeting/

After this analysis we decided not to deploy across the WAN. Just no
way to make it secure. 

After I released it I got some mail from a couple firewall developers
who said they were working on actual app proxies but that they were
very complex. Maybe they exist now in a useable form -- I haven't
looked  into this recently.


> 4.  Any security issues?  Note, H.323 v2 has enhanced security to include 
>      authentication, integrity, privacy, and non-repudiation, although we may 
>      be using NetMeeting... In reviewing last year's thread (Jun-Sep), I saw a 
>     concern about the "shared application execution facility enabling remote 
>     users to execute unintended program on other participant's workstations" 
>     but I never really saw anything specific. 

NetMeeting doesn't even have a concept of *user* authentication. It
assumes there's one human per IP address. Clearly developed by a
PC-mentality coder. It certainly could n't be mistaken for anything
resembling strong authentication.


In short, it's a naively designed and poorly implemented product which
can't be securred by 3rd-party gateways, protocol convertors, etc. At
least I didn't find a way back when I was investigating it. If you do,
let me know.

Thanks.