Re: NetMeeting with NAT

[Mikael Olsson <mikael.olsson () enternet se>]

Justin Laporte wrote:
> I have encountered problems with trying to get Netmeeting or similar
> applications to function with dynamic nat translation on Cisco IOS. Is there
> a noted fix for this? I have been told by other engineers in my organization
> that it is a noted issues with Cisco, however I have not seen documentation
> to resolve this. Any help or direction would be greatly appreciated.

Easily fixed: Remove your firewall.

Pros/cons:
+ It works, every time
+ You get more or less the same security as with a 
  firewall capable of passing netmeeting
+ The users are happy, for a change
- You're out of a job :P

(Hint: the problem is dynamic back channeling, which assumes that an
application running on one port on a given computer is authorative for 
access to all other ports (applications) on that same computer. This 
is hardly ever true. Ref: The FTP fun from the turn of the millenium.)

My solution for people that want to run netmeeting is usually
to create a separate security zone (secondary DMZ, if you like)
and chuck netmeeting-enabled computers there. Of course, those
computers CANNOT speak to the internal network and CANNOT 
contain sensitive data, but that's what you get for wanting to 
run an application that requires public access to all ports 
1024-65535 and speaks a protocol (H.323) that is so complex that 
there's only a handful of people in the world that truly
comprehend the security implications in it.

Hope this helps,
/Mikael Olsson

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, SE-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00         Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636        Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/       E-mail: mikael.olsson () enternet se

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards