Re: H.323

[Chris Calabrese <christopher_calabrese () merck com>]

Just read this.  Very interesting.  BTW, Raptor v6 claims H.323 proxy support, s
o at
least the firewall issues can be handled.

Chris Shenton wrote:

> > I am interested in obtaining "lessons learned" from those of you who may
> >  have implemented H.323 (especially if you used NetMeeting).  Specifically, 
I
> > am interested in the following:
>
> When I was at NASA I wrote a paper on NetMeeting's (non-)
> security. You might find it helpful.
>
> http://www.shenton.org/~chris/nasa-hq/netmeeting/
>
> After this analysis we decided not to deploy across the WAN. Just no
> way to make it secure.
>
> After I released it I got some mail from a couple firewall developers
> who said they were working on actual app proxies but that they were
> very complex. Maybe they exist now in a useable form -- I haven't
> looked  into this recently.
>
> > 4.  Any security issues?  Note, H.323 v2 has enhanced security to include
> >      authentication, integrity, privacy, and non-repudiation, although we ma
y
> >      be using NetMeeting... In reviewing last year's thread (Jun-Sep), I saw
 a
> >     concern about the "shared application execution facility enabling remote

> >     users to execute unintended program on other participant's workstations"

> >     but I never really saw anything specific.
>
> NetMeeting doesn't even have a concept of *user* authentication. It
> assumes there's one human per IP address. Clearly developed by a
> PC-mentality coder. It certainly could n't be mistaken for anything
> resembling strong authentication.
>
> In short, it's a naively designed and poorly implemented product which
> can't be securred by 3rd-party gateways, protocol convertors, etc. At
> least I didn't find a way back when I was investigating it. If you do,
> let me know.
>
> Thanks.

--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
christopher_calabrese () merck com