Firewall Wizards mailing list archives

Re: H.323


From: Adam Shostack <adam () homeport org>
Date: Fri, 12 Mar 1999 18:56:08 -0500

Fascinating.  Can someone who is a Raptor customer ask what security
functionality their H.323 proxy provides, and what H.323 messages it
would not pass?

Adam


On Thu, Mar 11, 1999 at 02:30:12PM -0500, Chris Calabrese wrote:
| Just read this.  Very interesting.  BTW, Raptor v6 claims H.323 proxy support, so at
| least the firewall issues can be handled.
| 
| Chris Shenton wrote:
| 
| > > I am interested in obtaining "lessons learned" from those of you who may
| > >  have implemented H.323 (especially if you used NetMeeting).  Specifically, I
| > > am interested in the following:
| >
| > When I was at NASA I wrote a paper on NetMeeting's (non-)
| > security. You might find it helpful.
| >
| > http://www.shenton.org/~chris/nasa-hq/netmeeting/
| >
| > After this analysis we decided not to deploy across the WAN. Just no
| > way to make it secure.
| >
| > After I released it I got some mail from a couple firewall developers
| > who said they were working on actual app proxies but that they were
| > very complex. Maybe they exist now in a useable form -- I haven't
| > looked  into this recently.
| >
| > > 4.  Any security issues?  Note, H.323 v2 has enhanced security to include
| > >      authentication, integrity, privacy, and non-repudiation, although we may
| > >      be using NetMeeting... In reviewing last year's thread (Jun-Sep), I saw a
| > >     concern about the "shared application execution facility enabling remote
| > >     users to execute unintended program on other participant's workstations"
| > >     but I never really saw anything specific.
| >
| > NetMeeting doesn't even have a concept of *user* authentication. It
| > assumes there's one human per IP address. Clearly developed by a
| > PC-mentality coder. It certainly couldn't be mistaken for anything
| > resembling strong authentication.
| >
| > In short, it's a naively designed and poorly implemented product which
| > can't be secured by 3rd-party gateways, protocol converters, etc. At
| > least I didn't find a way back when I was investigating it. If you do,
| > let me know.
| >
| > Thanks.
| 
| --
| Chris Calabrese
| Internet Infrastructure and Security
| Merck-Medco Managed Care, L.L.C.
| christopher_calabrese () merck com

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
