Firewall Wizards mailing list archives

Re: NetMeeting with NAT
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Sun, 19 Nov 2000 18:16:54 +0100

Justin Laporte wrote:

I have encountered problems with trying to get Netmeeting or similar
applications to function with dynamic nat translation on Cisco IOS. Is there
a noted fix for this? I have been told by other engineers in my organization
that it is a noted issue with Cisco, however I have not seen documentation
to resolve this. Any help or direction would be greatly appreciated.

Easily fixed: Remove your firewall.

+ It works, every time
+ You get more or less the same security as with a 
  firewall capable of passing netmeeting
+ The users are happy, for a change
- You're out of a job :P

(Hint: the problem is dynamic back channeling, which assumes that an
application running on one port on a given computer is authoritative for 
access to all other ports (applications) on that same computer. This 
is hardly ever true. Ref: The FTP fun from the turn of the millennium.)

My solution for people that want to run netmeeting is usually
to create a separate security zone (secondary DMZ, if you like)
and chuck netmeeting-enabled computers there. Of course, those
computers CANNOT speak to the internal network and CANNOT 
contain sensitive data, but that's what you get for wanting to 
run an application that requires public access to all ports 
1024-65535 and speaks a protocol (H.323) that is so complex that 
there's only a handful of people in the world that truly
comprehend the security implications in it.

Hope this helps,
/Mikael Olsson

Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se

firewall-wizards mailing list
firewall-wizards () nfr com
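
An added example, not part of the original message: a small audit that checks a zone-based rule list against the isolation described above (NetMeeting hosts in their own zone, no access from that zone to the internal network, wide high-port exposure only toward that zone). The zone names, rule format, threshold and sample policy are assumptions made for illustration.

```python
from dataclasses import dataclass

DYNAMIC_PORTS = range(1024, 65536)  # the port range the message says NetMeeting needs
ISOLATED_ZONE = "netmeeting"        # hypothetical zone name
INTERNAL_ZONE = "internal"          # hypothetical zone name
WIDE_SPAN = 1000                    # assumed threshold for a "wide open" rule

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    lo: int
    hi: int
    action: str = "allow"

def audit(rules):
    """Return (rule name, reason) for every allow rule that breaks the isolation.

    Every allow rule is checked regardless of rule order, so a hit may be
    shadowed by an earlier deny; that is deliberate, it still deserves review.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        # Constraint 1: hosts in the isolated zone must not reach the internal network.
        if r.src == ISOLATED_ZONE and r.dst == INTERNAL_ZONE:
            findings.append((r.name, "isolated zone can reach internal network"))
        # Constraint 2: broad inbound access to the dynamic ports is tolerated
        # only toward the isolated zone.
        overlap = min(r.hi, DYNAMIC_PORTS[-1]) - max(r.lo, DYNAMIC_PORTS[0]) + 1
        if r.src == "internet" and r.dst != ISOLATED_ZONE and overlap >= WIDE_SPAN:
            findings.append((r.name, "wide high-port exposure outside isolated zone"))
    return findings

# Constructed sample policy (not taken from any real device).
SAMPLE = [
    Rule("h323-in", "internet", "netmeeting", 1024, 65535),
    Rule("nm-out", "netmeeting", "internet", 1, 65535),
    Rule("web-in", "internet", "dmz", 443, 443),
    Rule("nm-fileshare", "netmeeting", "internal", 445, 445),
    Rule("legacy-h323", "internet", "internal", 1024, 65535),
    Rule("nm-deny-int", "netmeeting", "internal", 1, 65535, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE):
        print(f"{name}: {reason}")
```

The requirement that those hosts hold no sensitive data cannot be verified from a rule list and needs a separate check.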
