[fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls
From: Bret Watson (lists_at_ticm.com)
Date: 08/27/03
- Previous message: Mikael Olsson: "Re: [fw-wiz] Transparent proxies and PMTUD on the (WWW) serverside"
- In reply to: Marcus J. Ranum: "[fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- Next in thread: Frederick M Avolio: "Re: [fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
- Reply: Frederick M Avolio: "Re: [fw-wiz] Re: Setting up H323 IP telephony etc - was Re: [fw-wiz] Apple's iSight and Firewalls"
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 27 Aug 2003 07:30:16 +0800
OK maybe I forgot to give a detail..
H.323 is the IP Telephony protocol.. NetMeeting uses it, but so do many
other systems, such as PictureTel and Cisco's stupidly expensive wifi IP
phones..
Why do we want to use IP telephony? Well, it's useful, cheaper than paying
for a PABX multi-national roaming system, and allows roaming phone calls
even to executives in airport lounges...
So it ain't going away in a hurry - no matter how much we say "it's bad"
The solution I proposed, I believe, does "the right thing": it puts it behind
an application proxy where it belongs..
Cheers,
Bret
PS - what is not mission critical now? My last client listed its mission
critical systems, 2 out of the 10 most critical were internet facing, and
had to be internet facing since they were its web server and FTP server..
At 17:07 26/08/03 -0400, Marcus J. Ranum wrote:
>Bret Watson wrote:
> >A better solution is this..
> >
> >in the DMZ place a H323 gatekeeper with routed proxying turned on,
> >restrict the port ranges to the number of simultaneous connections you
> >expect to receive..
>
>Y'know, I think I must just be "retro" but I think there's no how, no way
>that NetMeeting has any business entering or exiting a mission-critical
>network. I.e.: if it's worth firewalling, it's best to not allow this kind of
>stuff at all. Of course the users will scream. But they will always
>scream anyhow. How long will it be before someone writes a worm
>that uses it? Then everyone'll be scrambling for a "solution" to the
>problem once the horse has left the barn. There's a "solution" for
>this crud and that's not to run the risk in the first place...
>
>Sorry - I'm feeling extremely curmudgeonly today. In my inbox I had
>*5* reports of mission-critical networks that were taken down by
>various worms in the last week. Why's that? On the surface, the
>answer is "RPC bug" but the REAL answer is "people should not
>be connecting mission-critical networks to the Internet - even with
>firewalls." A small handful of us have been singing this song quietly
>in the corner for about 12 years, now. Is anyone going to ever "get it"??
>
>mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards