Hello-
I need to provide NetMeeting dial-in/out access to all points of my
network. I have NetMeeting currently working, although in a dial-out
fashion only (I use hide NAT for user access to the Internet over a
restricted set of protocols). NetMeeting does not work well with Hide NAT
if the internal user is trying to receive NetMeeting calls. I have been
instructed to find a way to make that function work. Here is what I came up
with; I would like to float the idea by this group to gain their insight,
see if this method creates an unacceptable security compromise that I am not
aware of, or see if there will be problems with the firewall (Checkpoint-1)
with this configuration.
Initial configuration:
I have a routable Class-B TCP/IP address pool. I have set aside 2
Class-C networks and configured them as one network with a 23-bit subnet
mask. This network exists between the Internet router and the external
interface of the firewall. The router knows only of this single internal
network (and, of course, the router's path to the Internet). The router does
not currently know of the 253 other Class-C network possibilities inside the
firewall.
The firewall is set up and currently working. I use static NAT to
provide external access to select internal servers, and hide NAT to provide
Internet access to internal clients. The NATted TCP/IP addresses of the
servers and client subnets are taken from the pool of addresses external to
the firewall. The firewall has routes to all the internal subnets where
clients reside. For the purpose of the example below, I have the following
network objects:
Object           Address          Mask             NAT Address
internalnet1     aaa.sss.210.0    255.255.255.0    aaa.sss.0.101
externalrouter   aaa.sss.0.1      255.255.254.0
I have also made changes to the firewall services configuration to
allow additional protocols in for the use of NetMeeting. These new
protocols are collected in a service group named 'NetMeeting'. These
additional services are TCP ports; I do not know enough to add expected
details from packet headers, etc. The ports are TCP 389, 522, and 1731. I
found these ports in a Microsoft document regarding NetMeeting.
Here is the initial solution:
1. create internalnet1-nonat object. No NAT address is associated
with this object. This object represents the same subnet as the
internalnet1 object.
internalnet1-nonat   aaa.sss.210.0    255.255.255.0
2. create 3 rules on the firewall at the bottom of the rulebase
(just above the any-any-any-drop rule).
rule   source            destination       service               action   track
1      Any               internal1-nonat   negate(netmeeting)    drop     long
2      Any               internal1-nonat   netmeeting            accept   long
3      internal1-nonat   Any               netmeeting            accept   long
3. add a route on my router to make it aware of the internal
network, using the firewall as the next hop.
route add aaa.sss.210.0 MASK 255.255.255.0 aaa.sss.0.100
I have tested this for only a few minutes to verify that it does
work, then disabled the configuration. I have not yet tried to breach the
firewall with the changes in place; that is my next step.
Are there large security issues with this configuration? What am I
opening myself up to?
Paul Olson
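The security question in the post comes down to what the three rules actually admit once the internalnet1 subnet is routed through the firewall without NAT. The following simulator, an added example that is not part of the original post or of any Check Point tool, evaluates the rulebase first-match, top to bottom, with the any-any-any-drop cleanup rule beneath it, and enumerates every inbound TCP port an outside host can reach on the non-NAT subnet. It assumes: RFC 5737 documentation addresses in place of the obscured aaa.sss.* values, that the 'NetMeeting' service group is exactly TCP 389, 522 and 1731 as listed, that Check Point's negate on the service column means "anything not in the group" (so UDP and other protocols fall under rule 1), and it does not model the hide-NAT and static-NAT rules above these three. A sample port outside the group (TCP 1720, used for H.323 call setup) is included to show that rule 1 drops it.

```python
"""Rulebase simulator for the three NetMeeting rules described in the post.

Added example, not from the original post. Addresses are placeholders from
RFC 5737 documentation ranges standing in for the obscured aaa.sss.* values.
Rules above these three (hide-NAT client access, static-NAT servers) are
not modeled, nor is NAT itself: internalnet1-nonat is reached directly.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Service group 'NetMeeting' exactly as listed in the post: TCP only.
NETMEETING_PORTS: FrozenSet[int] = frozenset({389, 522, 1731})

# Constructed placeholder objects (aaa.sss.210.0/24 in the post).
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNALNET1_NONAT = ipaddress.ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: Optional[FrozenSet[int]]  # None means service 'Any'
    negate: bool                     # FW-1 'negate' on the service column
    action: str


def service_matches(rule: Rule, proto: str, dport: int) -> bool:
    """Match the service column. A negated service group matches everything
    that is NOT a TCP connection to one of its ports, so UDP or any other
    protocol counts as 'not netmeeting' (assumed negate semantics)."""
    if rule.ports is None:
        return True
    in_group = proto == "tcp" and dport in rule.ports
    return (not in_group) if rule.negate else in_group


# The post's three rules in order, plus the any-any-any-drop cleanup rule below them.
RULEBASE: Tuple[Rule, ...] = (
    Rule("1 drop non-NetMeeting to nonat", ANY, INTERNALNET1_NONAT, NETMEETING_PORTS, True, "drop"),
    Rule("2 accept NetMeeting to nonat", ANY, INTERNALNET1_NONAT, NETMEETING_PORTS, False, "accept"),
    Rule("3 accept NetMeeting from nonat", INTERNALNET1_NONAT, ANY, NETMEETING_PORTS, False, "accept"),
    Rule("cleanup any-any-any-drop", ANY, ANY, None, False, "drop"),
)


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             rulebase: Tuple[Rule, ...] = RULEBASE) -> Tuple[str, str]:
    """First-match evaluation, as FW-1 reads the rulebase top to bottom.
    Returns (action, name of the matching rule)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rulebase:
        if src in rule.src and dst in rule.dst and service_matches(rule, proto, dport):
            return rule.action, rule.name
    return "drop", "implicit drop"  # unreachable with a cleanup rule; kept for safety


def inbound_exposure(outside_ip: str, inside_ip: str,
                     rulebase: Tuple[Rule, ...] = RULEBASE) -> Set[int]:
    """Every TCP port an outside host can reach on the non-NAT subnet: the
    surface the new router route opens once the subnet is directly routable."""
    return {p for p in range(1, 65536)
            if evaluate(outside_ip, inside_ip, "tcp", p, rulebase)[0] == "accept"}


if __name__ == "__main__":
    outside, inside = "203.0.113.9", "198.51.100.20"   # constructed sample hosts
    for proto, port in (("tcp", 1731), ("tcp", 1720), ("udp", 1731), ("tcp", 23)):
        print(proto, port, "->", evaluate(outside, inside, proto, port))
    print("inbound TCP exposure:", sorted(inbound_exposure(outside, inside)))
```

Under these assumptions the only inbound surface on the non-NAT subnet is the three listed TCP ports, from any source address, to every host on the /24; everything else, including non-TCP traffic, lands on rule 1. The value of running such a check is that rule order is what provides the protection here: swapping rule 1 with the hide-NAT client rules above it, or widening the service group later, changes the answer, so re-running the enumeration after each rulebase change is a cheap regression test on the exposure the route adds.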
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================