RE: [fw-wiz] Apple's iSight and Firewalls

From: Dave Killion (Dkillion_at_netscreen.com)
Date: 08/20/03

  • Next message: black_at_galaxy.silvren.com: "RE: [fw-wiz] Apple's iSight and Firewalls"
    To: "'black@galaxy.silvren.com'" <black@galaxy.silvren.com>, Dave Killion <Dkillion@netscreen.com>
    Date: Wed, 20 Aug 2003 11:25:46 -0700

    Black,

    Some firewalls support monitoring the H.240 command channel for 'open data
    channel' commands. For those that don't support this application layer
    monitoring, you'd have to open up a huge range of ports (typically UDP)
    for the data channels to work. This is the Swiss-cheese problem.

    H.323 is one of the most firewall-hostile protocols I've ever seen. Which
    is why I recommended that, instead of opening up all sorts of ports (always
    a bad idea), they point-to-point encrypt it, and be done with the matter.

    There are a variety of different ways to solve this problem, the ideal
    solution depending on what skill sets Jim has, what sort of features his
    current equipment has, and what kind of money his management is willing to
    spend on such a system.

    VPN's a drop-dead simple solution with obvious side benefits. But only if
    your infrastructure supports VPNs.

    -Dave

    -----Original Message-----
    From: black@galaxy.silvren.com [mailto:black@galaxy.silvren.com]
    Sent: Wednesday, August 20, 2003 10:58 AM
    To: Dave Killion
    Cc: 'firewall-wizards@honor.icsalabs.com'
    Subject: RE: [fw-wiz] Apple's iSight and Firewalls

    For H.323 and NetMeeting, all I needed to do was open UDP 1719 to the
    gatekeeper's address... am I missing something here, or where does the
    "Swiss cheese" come into play?

    On Wed, 20 Aug 2003, Dave Killion wrote:

    > Jim,
    >
    > If it's a site-to-site video conferencing system, where both sides are
    > firmly under your control (Corp HQ to Corp Office, etc), I'd strongly
    > recommend a VPN tunnel, which solves most of the Swiss-cheese problems.
    > This is something you should already have, anyway.
    >
    > Just a thought...
    >
    > Dave Killion
    > Senior Security Engineer
    > Security Group, NetScreen Technologies, Inc.
    >
    >
    >
    > -----Original Message-----
    > From: jseymour@LinxNet.com [mailto:jseymour@LinxNet.com]
    > Sent: Tuesday, August 19, 2003 5:43 PM
    > To: firewall-wizards@honor.icsalabs.com
    > Subject: [fw-wiz] Apple's iSight and Firewalls
    >
    >
    > Hi All,
    >
    > My company would like to set up inexpensive video-conferencing.
    > They've been bugging me for a solution for some time. The partner
    > company, being All Windows, All The Time, of course immediately
    > suggested NetMeeting. ISTR a discussion about NetMeeting here, perhaps
    > prompted by me, and, IIRC, it pretty much requires one make swiss
    > cheese of their firewall for it to work. I vetoed it, and management
    > backed me up. Doing a search on "NetMeeting" on SecurityFocus was not
    > encouraging, either.
    >
    > Recently they bought me an iBook to do some WebObjects development
    > with. It just hit me today that maybe Apple's iSight product would do
    > the trick for video conferencing.
    >
    > Problem is: I've no idea what iSight would need through the firewall.
    >
    > There's this:
    >
    > http://www.macosxhints.com/article.php?story=20030623203213301
    >
    > If 5060 and 16384 through 16403 UDP are all that are required, and I
    > can specify the only allowed IP address inside they would forward to,
    > well, that might be acceptable.
    >
    > Comments? Opinions? Suggestions? Flames? ;)
    >
    > Thanks,
    > Jim
    > --
    > Jim Seymour | PGP Public Key available at:
    > jseymour@LinxNet.com |
    > http://www.uk.pgp.net/pgpnet/pks-commands.html
    > http://jimsun.LinxNet.com |
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >


    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
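The thread contrasts two ways of letting conferencing traffic through: Jim's narrow forward (UDP 5060 plus UDP 16384-16403, to a single inside address) versus the "Swiss cheese" a firewall without application-layer inspection of the H.323 control channel forces on you (a wide dynamic UDP range). The script below is an added example, not code from any poster or from NetScreen or Apple; it scores a ruleset by how many (port, host) pairs it exposes, flags rules that exceed a policy threshold, and renders the narrow ruleset as Linux iptables commands. The ports 5060 and 16384-16403 come from Jim's post; the inside host 10.0.0.20, the /24 subnet and the 1024-65535 dynamic range in the contrast ruleset are constructed for illustration, as are the audit thresholds.

```python
# Firewall-policy sanity check for the video-conferencing rules discussed in
# this thread. Added example, not code from the thread or from any vendor.
# Ports 5060 and UDP 16384-16403 come from Jim's post; the inside host
# 10.0.0.20 and the wide "no ALG" contrast ruleset are constructed.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule: protocol, inclusive port range, destination."""
    proto: str        # "udp" or "tcp"
    first_port: int
    last_port: int
    dst: str          # destination prefix, e.g. "10.0.0.20/32"

    @property
    def width(self) -> int:
        """Number of ports the rule opens."""
        return self.last_port - self.first_port + 1

    @property
    def hosts(self) -> int:
        """Number of inside addresses the rule can reach."""
        return ip_network(self.dst, strict=False).num_addresses

    def to_iptables(self) -> str:
        """Render as a FORWARD-chain accept (Linux iptables syntax)."""
        ports = (str(self.first_port) if self.width == 1
                 else f"{self.first_port}:{self.last_port}")
        return (f"iptables -A FORWARD -p {self.proto} -d {self.dst} "
                f"--dport {ports} -j ACCEPT")


def exposure(rules) -> int:
    """Crude 'Swiss cheese' score: reachable (port, host) pairs."""
    return sum(r.width * r.hosts for r in rules)


def audit(rules, max_width: int = 64, max_hosts: int = 1) -> list:
    """Flag rules wider than policy allows; an empty list means clean.
    The thresholds are constructed policy values, not from the thread."""
    findings = []
    for r in rules:
        label = f"{r.proto}/{r.first_port}-{r.last_port} -> {r.dst}"
        if r.width > max_width:
            findings.append(f"{label}: {r.width} ports open (limit {max_width})")
        if r.hosts > max_hosts:
            findings.append(f"{label}: reaches {r.hosts} hosts (limit {max_hosts})")
    return findings


def render(rules) -> str:
    """One iptables command per rule, newline separated."""
    return "\n".join(r.to_iptables() for r in rules)


# Jim's proposal: SIP signalling plus a 20-port media range, to one host.
ISIGHT_RULES = [
    Rule("udp", 5060, 5060, "10.0.0.20/32"),
    Rule("udp", 16384, 16403, "10.0.0.20/32"),
]

# Constructed contrast: no H.323 application-layer inspection, so the dynamic
# media ports are opened as a block to a whole subnet.
SWISS_CHEESE_RULES = [
    Rule("tcp", 1720, 1720, "10.0.0.0/24"),      # H.225 call signalling
    Rule("udp", 1024, 65535, "10.0.0.0/24"),     # dynamic media channels
]

if __name__ == "__main__":
    for name, rules in (("iSight", ISIGHT_RULES),
                        ("no-ALG H.323", SWISS_CHEESE_RULES)):
        print(f"== {name}: exposure={exposure(rules)}")
        print(render(rules))
        for finding in audit(rules):
            print("  finding:", finding)
```

The narrow ruleset scores 21 reachable pairs and passes the audit; the contrast ruleset scores in the millions and produces three findings, which is the difference Dave's "Swiss cheese" remark is pointing at. A VPN tunnel sidesteps the whole exercise, since the firewall then sees one ESP or UDP flow between two fixed peers instead of the media ports.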


