Firewall Wizards mailing list archives

Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 26 Aug 2003 17:07:46 -0400

Bret Watson wrote:
A better solution is this:

In the DMZ, place an H323 gatekeeper with routed proxying turned on, and restrict the port ranges to the number of simultaneous connections you expect to receive.

Y'know, I think I must just be "retro" but I think there's no how, no way
that netmeeting has any business entering or exiting a mission-critical
network. I.e.: if it's worth firewalling, it's best to not allow this kind of
stuff at all. Of course the users will scream. But they will always
scream anyhow. How long will it be before someone writes a worm
that uses it? Then everyone'll be scrambling for a "solution" to the
problem once the horse has left the barn. There's a "solution" for
this crud and that's not to run the risk in the first place...

Sorry - I'm feeling extremely curmudgeonly today. In my inbox I had
*5* reports of mission-critical networks that were taken down by
various worms in the last week. Why's that? On the surface, the
answer is "RPC bug" but the REAL answer is "people should not
be connecting mission-critical networks to the Internet - even with
firewalls."   A small handful of us have been singing this song quietly
in the corner for about 12 years, now. Is anyone going to ever "get it"??

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
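The gatekeeper layout Bret Watson sketches (gatekeeper in the DMZ, routed proxying, port ranges sized to the expected call load) comes down to two numbers the firewall administrator has to get right: how many H.245 control connections and how many RTP/RTCP ports a given number of simultaneous calls can legitimately need. The script below is an added example, not code from either poster or from any gatekeeper product. It assumes that the gatekeeper terminates every external call leg (so only its address is reachable from outside), that each call uses H.225 signalling on TCP 1720 plus one H.245 TCP connection and STREAMS_PER_CALL RTP/RTCP pairs; the base ports 30000/40000, the gatekeeper address 192.0.2.10 and the iptables form of the output are illustrative choices, not values from the thread.

```python
"""Size firewall pinholes for an H.323 gatekeeper running in routed-proxy mode.

Added example for the firewall-wizards thread; assumptions (not from the post):
only the gatekeeper is reachable from outside, each call uses H.225 on TCP 1720,
one H.245 TCP connection from a fixed range, and STREAMS_PER_CALL RTP/RTCP pairs
(each pair = two consecutive UDP ports) from a fixed range.  Port bases and the
iptables syntax are illustrative choices.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Tuple

H225_PORT = 1720          # H.225 call signalling, well-known TCP port
H245_BASE = 30000         # assumed base of the gatekeeper's H.245 TCP range
RTP_BASE = 40000          # assumed base of the gatekeeper's RTP/RTCP UDP range
STREAMS_PER_CALL = 2      # assumed: audio + video, one RTP/RTCP pair each
NAIVE_UDP_PINHOLE = 65535 - 1024 + 1   # "open all high UDP ports" for comparison


@dataclass(frozen=True)
class PortPlan:
    h225: int
    h245: Tuple[int, int]   # inclusive TCP range for H.245 control connections
    rtp: Tuple[int, int]    # inclusive UDP range for RTP/RTCP media


def plan_ports(max_calls: int, streams_per_call: int = STREAMS_PER_CALL) -> PortPlan:
    """Derive the minimal inbound port ranges for max_calls simultaneous calls."""
    if max_calls < 1:
        raise ValueError("max_calls must be at least 1")
    h245 = (H245_BASE, H245_BASE + max_calls - 1)
    # RTP sits on an even port and RTCP on the next odd one: 2 UDP ports per stream.
    udp_ports = max_calls * streams_per_call * 2
    rtp = (RTP_BASE, RTP_BASE + udp_ports - 1)
    if h245[1] > 65535 or rtp[1] > 65535:
        raise ValueError("port range would exceed 65535; lower the call budget")
    return PortPlan(H225_PORT, h245, rtp)


def pinhole_width(plan: PortPlan) -> int:
    """Number of inbound destination ports the plan accepts (all protocols)."""
    return 1 + (plan.h245[1] - plan.h245[0] + 1) + (plan.rtp[1] - plan.rtp[0] + 1)


def iptables_rules(gatekeeper_ip: str, plan: PortPlan, chain: str = "FORWARD") -> List[str]:
    """Emit iptables rules for the Internet -> DMZ leg; everything else to the gatekeeper is dropped."""
    gk = str(ip_address(gatekeeper_ip))   # raises on a malformed address
    return [
        # H.225 call setup: only new connections, only to the gatekeeper
        f"iptables -A {chain} -p tcp -d {gk} --dport {plan.h225} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
        # H.245 control channel: one port per concurrent call
        f"iptables -A {chain} -p tcp -d {gk} --dport {plan.h245[0]}:{plan.h245[1]} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
        # RTP/RTCP media: sized to calls * streams * 2, nothing wider
        f"iptables -A {chain} -p udp -d {gk} --dport {plan.rtp[0]}:{plan.rtp[1]} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
        # Anything else aimed at the gatekeeper from outside is dropped
        f"iptables -A {chain} -d {gk} -j DROP",
    ]


if __name__ == "__main__":
    plan = plan_ports(max_calls=10)
    print(f"# {pinhole_width(plan)} ports opened instead of {NAIVE_UDP_PINHOLE} for a blanket UDP rule")
    for rule in iptables_rules("192.0.2.10", plan):
        print(rule)
```

The comparison printed first is the practical point of sizing the range: ten concurrent audio+video calls need 51 inbound ports on one host, where the common shortcut of opening every high UDP port exposes tens of thousands. The rules cover only the Internet-to-DMZ leg; the DMZ-to-internal leg needs its own, equally narrow, set, and none of this changes Ranum's objection that the cleanest rule for a mission-critical network is to admit no such traffic at all.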

