You also have to open TCP ports 1024-65535 Outbound (Dynamic) for the negotiated H.323 Call Control (done as part of the negotiation over port 1720). Although I have seen many concerned thoughts about this aspect of H.323, that it is a "huge security hole", it is not really an issue the way you have it set up (which is the way I recommend), since the ports are only opened for calls/packets initiated from within the network, which does not open you up to external packets being passed into the network (i.e. you have it set up with reflexive access control).
I would like to also add a second point concerning the H.323 security issue:
Even if you opened up TCP ports 1024-65535 Inbound to receive inbound NM calls, the security risk is in principle only, and I am not aware of any exploits that are generated from attack vectors on these ports. The only way an external attack/hack can be successful is if there are threads listening to the ports from which the attack takes place, and if these threads actually gain/allow access to system resources (files, access control, configs, etc.). The ports with Winsock/Socks listening threads are 21, 25, 135, 137, 139, etc. None are over 1024. In particular, those using Windows platforms should be especially concerned with TCP ports 135 (RPC) and 137, 139 (NetBIOS over TCP), as these have complete access to the system, and are extremely vulnerable to external attack (reference the Common Insecurities Fail Scrutiny - C.I.F.S. document by Hobbit, which is an extremely detailed, packet-level analysis of how to walk right into a Windows platform using SAMBA on Linux). Although I agree with the principle and recommend against opening the Inbound 1024+ TCP ports on principle, it is not as monstrous a security hole as has been hyped up in some of the articles I have seen. Opening up the dynamic ports reflexively for outbound only (as you will need to do) poses no security risk.
There... I'm done ranting and raving :)
Paul Eftis
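To make the "reflexive access control" point concrete, here is a toy stateful filter written for this thread (it is not code from either poster or from MS Proxy). It models Michiel's MS Proxy rules and the dynamic 1024-65535 outbound range Paul describes: an outbound flow from inside creates a mirror entry, so replies on the negotiated H.323 port get back in, while unsolicited inbound packets to the same range (or to NetBIOS) are dropped. The 10.0.0.x inside prefix and the 192.0.2.10 peer are constructed sample values.

```python
from dataclasses import dataclass

INTERNAL = "10.0.0."  # constructed: addresses with this prefix are "inside"
# NetMeeting ports from the MS Proxy settings in the quoted message
STATIC_TCP_OUT = {389, 522, 1503, 1720, 1731}
DYNAMIC_RANGE = range(1024, 65536)  # negotiated H.323 call-control ports


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveACL:
    def __init__(self):
        # mirror tuples (proto, src, sport, dst, dport) of inbound replies we allow
        self.reflex = set()

    def check(self, pkt):
        """Return True if pkt is permitted; outbound flows create reflexive state."""
        outbound = pkt.src.startswith(INTERNAL) and not pkt.dst.startswith(INTERNAL)
        if outbound:
            if pkt.proto == "tcp" and (pkt.dport in STATIC_TCP_OUT or pkt.dport in DYNAMIC_RANGE):
                # remember the reversed 5-tuple so the peer's reply can come back
                self.reflex.add(("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
            return False
        # inbound: only the mirror image of an outbound flow is permitted
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return key in self.reflex


def demo():
    acl = ReflexiveACL()
    inside, outside = "10.0.0.5", "192.0.2.10"
    results = {}
    # H.323 call setup from inside on 1720, then the peer's reply
    results["setup_out"] = acl.check(Packet("tcp", inside, 40000, outside, 1720))
    results["setup_reply"] = acl.check(Packet("tcp", outside, 1720, inside, 40000))
    # negotiated call-control channel opened outbound on a dynamic port, then its reply
    results["dynamic_out"] = acl.check(Packet("tcp", inside, 40001, outside, 30500))
    results["dynamic_reply"] = acl.check(Packet("tcp", outside, 30500, inside, 40001))
    # unsolicited inbound to a dynamic port and to NetBIOS: no reflexive entry, denied
    results["unsolicited"] = acl.check(Packet("tcp", outside, 5555, inside, 30600))
    results["netbios"] = acl.check(Packet("tcp", outside, 5555, inside, 139))
    return results
```

Run `demo()` to see that only the two replies mirroring an inside-initiated flow are let through.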
----------
From: Michiel van der Linden
Sent: Wednesday, August 18, 1999 8:19 AM
To: [EMAIL PROTECTED]
Subject: [NetMeeting] MS proxy server settings for Netmeeting
Hi all,
I'm having some trouble getting MS Proxy 2.0 to let me use all the multimedia functionality of Netmeeting. Here is what happens: I can make a call to someone, and I can be called; however, after that there is no audio or video connection. We can use the chat function. Also, I'm visible twice for the other party in a call.
I have set up MS Proxy according to the suggested settings in the Netmeeting Resource Kit, that is one LDAP protocol (port 389, TCP, outbound), one ULS (port 522, TCP, outbound), one T.120 (port 1503, TCP, outbound), one H.323 call setup (port 1720, TCP, outbound), one audio call control (port 1731, TCP, outbound). For all protocols I added subsequent connections port range 0 - 65535, UDP, inbound and outbound.
I'm not sure if I've covered the H.323 call control/streaming protocol with these settings.
Can anyone enlighten me? Thanks
Michiel
-----------------------------------------------------------------------
http://www.meetingbywire.com/Mailinglist.htm for unsubscribe information
-----------------------------------------------------------------------