Firewall Wizards mailing list archives
Re: H.323
From: Adam Shostack <adam () homeport org>
Date: Fri, 12 Mar 1999 18:56:08 -0500
Fascinating. Can someone who is a Raptor customer ask what security
functionality their H.323 proxy provides, and what H.323 messages it
would not pass?

Adam

On Thu, Mar 11, 1999 at 02:30:12PM -0500, Chris Calabrese wrote:
| Just read this. Very interesting. BTW, Raptor v6 claims H.323 proxy
| support, so at least the firewall issues can be handled.
|
| Chris Shenton wrote:
|
| > > I am interested in obtaining "lessons learned" from those of you who may
| > > have implemented H.323 (especially if you used NetMeeting). Specifically, I
| > > am interested in the following:
| >
| > When I was at NASA I wrote a paper on NetMeeting's (non-)
| > security. You might find it helpful.
| >
| > http://www.shenton.org/~chris/nasa-hq/netmeeting/
| >
| > After this analysis we decided not to deploy across the WAN. Just no
| > way to make it secure.
| >
| > After I released it I got some mail from a couple firewall developers
| > who said they were working on actual app proxies but that they were
| > very complex. Maybe they exist now in a useable form -- I haven't
| > looked into this recently.
| >
| > > 4. Any security issues? Note, H.323 v2 has enhanced security to include
| > > authentication, integrity, privacy, and non-repudiation, although we may
| > > be using NetMeeting... In reviewing last year's thread (Jun-Sep), I saw a
| > > concern about the "shared application execution facility enabling remote
| > > users to execute unintended programs on other participants' workstations"
| > > but I never really saw anything specific.
| >
| > NetMeeting doesn't even have a concept of *user* authentication. It
| > assumes there's one human per IP address. Clearly developed by a
| > PC-mentality coder. It certainly couldn't be mistaken for anything
| > resembling strong authentication.
| >
| > In short, it's a naively designed and poorly implemented product which
| > can't be secured by 3rd-party gateways, protocol convertors, etc. At
| > least I didn't find a way back when I was investigating it. If you do,
| > let me know.
| >
| > Thanks.
|
| --
| Chris Calabrese
| Internet Infrastructure and Security
| Merck-Medco Managed Care, L.L.C.
| christopher_calabrese () merck com

--
"It is seldom that liberty of any kind is lost all at once." -Hume