Firewall Wizards mailing list archives
Re: H.323
From: Chris Calabrese <christopher_calabrese () merck com>
Date: Thu, 11 Mar 1999 14:30:12 -0500
Just read this. Very interesting. BTW, Raptor v6 claims H.323 proxy support, so at least the firewall issues can be handled.

Chris Shenton wrote:

> > I am interested in obtaining "lessons learned" from those of you who may have implemented H.323 (especially if you used NetMeeting). Specifically, I am interested in the following:
>
> When I was at NASA I wrote a paper on NetMeeting's (non-) security. You might find it helpful.
>
> http://www.shenton.org/~chris/nasa-hq/netmeeting/
>
> After this analysis we decided not to deploy across the WAN. Just no way to make it secure. After I released it I got some mail from a couple firewall developers who said they were working on actual app proxies but that they were very complex. Maybe they exist now in a useable form -- I haven't looked into this recently.
>
> > 4. Any security issues? Note, H.323 v2 has enhanced security to include authentication, integrity, privacy, and non-repudiation, although we may be using NetMeeting... In reviewing last year's thread (Jun-Sep), I saw a concern about the "shared application execution facility enabling remote users to execute unintended program on other participant's workstations" but I never really saw anything specific.
>
> NetMeeting doesn't even have a concept of *user* authentication. It assumes there's one human per IP address. Clearly developed by a PC-mentality coder. It certainly couldn't be mistaken for anything resembling strong authentication.
>
> In short, it's a naively designed and poorly implemented product which can't be secured by 3rd-party gateways, protocol convertors, etc. At least I didn't find a way back when I was investigating it. If you do, let me know. Thanks.
--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
christopher_calabrese () merck com