There seems to be a discussion on firewalls, without a common thread.
The problems are several, but relate to the ability of a firewall to identify the address/port pairs in protocol messages. There is also the additional requirement that it understand what they are for, and know what to do with them.
Simply being able to recognize something that looks like an IP address and a possible port number is not enough to do a good job of firewalling. If it means that the firewall is simply going to open every address it sees in data flowing through it, then it is not a very good protection mechanism.
Whether the firewall is prevented from seeing the address information because it is PER-encoded, or because it is triple-DES encrypted, is not particularly material. IP addresses in non-standard or vendor-extension fields will cause the same problems.
While Matt seems to be focused on NAT translating those addresses, I think that Melinda is fixed on firewalls that block everything, but open up for IP addresses in data streams.
Can somebody please explain to this poor old boy, confused by firewalls, how either NAT or firewalls opening dynamic ports work, and especially how they work when the data stream is encrypted? That is, without opening up the possibility of man-in-the-middle attacks?
Douglas
At 14:36 1999-03-31 -0800, Matt Holdrege wrote:
Yes. Going back to my original point about IPsec, if you use AH then you shouldn't need to do port-based filtering. If you don't use port-based filtering and you don't need NAT, then you don't need proxies, right?
And I don't think anything in MEGACO (yet) uses dynamic ports anyway, right?
At 05:08 PM 3/31/99 -0800, Gary A. Thom wrote:
This problem is independent of the type of encoding being used (PER or text). The problem that you describe is related more to the use of dynamic ports, which prevents simple packet filtering.

An H.323 proxy must parse the call signalling and H.245 messages to find the dynamic IP address/port pair assignments. The H.323 proxy will be required whether the encoding is ASN.1 or text or anything else.
Gary
From: Melinda Shore <shore@ITHACA-VIENNASYS.COM>
Subject: Re: H.320 gateways a MEGACO / ITU
Date: Wed, 31 Mar 1999 16:45:05 -0500
To: ITU-SG16@MAILBAG.INTEL.COM
There's a problem in that it makes the signaling channel sufficiently complicated to parse that you end up having to put a proxy, or something that looks an awful lot like a proxy, on the firewall in order to pick up dynamically-allocated address/port tuples. This has somewhat negative architectural implications in that in a multi-firewall environment (which is, alas, the norm when traversing multiple administrative domains) you end up with tandemed signaling loops.
The short answer is that IP is supposed to be end-to-end and that firewalls create a big disconnect between the IP network and the IP telephony application-layer network.
Melinda
Name   : Gary A. Thom
Company: Delta Information Systems, Inc.
Address: 300 Welsh Rd., Bldg 3, Horsham, PA 19044 USA
Phone  : +1-215-657-5270
Fax    : +1-215-657-5273
E-mail : gthom@delta-info.com
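The thread above makes two points that are easier to see in code: Gary's, that a proxy/ALG must parse the signalling to learn the dynamic media address/port pairs, and Douglas's, that a firewall which opens every address it happens to recognize is a poor protection mechanism, and that it sees nothing at all once the signalling is encrypted. The following is an added illustration written for this page, not code from any of the posters or from an H.323 product. The message format is a constructed text stand-in for the mediaChannel/mediaControlChannel fields carried in an H.245 OpenLogicalChannelAck, not the real ASN.1 PER encoding, and the inside network, the sample endpoints and the pinhole lifetime are assumptions.

```python
"""Toy application-layer gateway (ALG) for dynamic media ports (constructed example).

The signalling format below is a simplified text stand-in for the address/port
fields of an H.245 OpenLogicalChannelAck; it is NOT the real ASN.1 PER encoding.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the protected side of the firewall is this prefix.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")

# Matches the two address/port fields of our stand-in message format.
ADDR_PORT_RE = re.compile(
    r"(?:mediaChannel|mediaControlChannel)=(\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass(frozen=True)
class Pinhole:
    proto: str
    inside_addr: str
    inside_port: int
    outside_addr: str
    lifetime_s: int


def extract_address_ports(payload: bytes):
    """Return the (address, port) pairs visible in a cleartext signalling payload.

    Returns [] when the payload is not decodable text, which is what the ALG sees
    when the signalling channel is encrypted: there is nothing to parse.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    return [(addr, int(port)) for addr, port in ADDR_PORT_RE.findall(text)]


def naive_pinholes(dst_ip: str, payload: bytes, lifetime_s: int = 30):
    """The behaviour Douglas warns about: open whatever looks like an address/port."""
    return [Pinhole("udp", a, p, dst_ip, lifetime_s)
            for a, p in extract_address_ports(payload)]


def build_pinholes(src_ip: str, dst_ip: str, payload: bytes, lifetime_s: int = 30):
    """Open a pinhole only when the advertised address is plausible.

    src_ip is the IP source of the signalling packet (inside host, no NAT assumed).
    Checks: the advertised address must be the inside host that sent the message
    (a signalling message must not open ports on a third party), and the port
    must be in the unprivileged range. Returns (accepted, rejected_with_reason).
    """
    accepted, rejected = [], []
    for addr, port in extract_address_ports(payload):
        if addr != src_ip or ipaddress.ip_address(addr) not in INSIDE_NET:
            rejected.append((addr, port, "advertised address is not the signalling sender"))
            continue
        if not 1024 <= port <= 65535:
            rejected.append((addr, port, "port outside dynamic range"))
            continue
        accepted.append(Pinhole("udp", addr, port, dst_ip, lifetime_s))
    return accepted, rejected


# Constructed sample messages (stand-in format, see module docstring).
CLEAR_MSG = (b"OpenLogicalChannelAck channel=1 "
             b"mediaChannel=10.1.2.3:49170 mediaControlChannel=10.1.2.3:49171")
SPOOFED_MSG = (b"OpenLogicalChannelAck channel=2 "
               b"mediaChannel=10.9.9.9:5060 mediaControlChannel=10.1.2.3:22")
# Opaque bytes standing in for an encrypted signalling channel.
ENCRYPTED_MSG = bytes([0x8F, 0x02, 0xC3, 0xE7, 0x99, 0x10, 0xFA, 0x41, 0xB6, 0x00])

if __name__ == "__main__":
    for label, msg in (("clear", CLEAR_MSG), ("spoofed", SPOOFED_MSG),
                       ("encrypted", ENCRYPTED_MSG)):
        ok, bad = build_pinholes("10.1.2.3", "198.51.100.7", msg)
        print(label, "naive opens:", len(naive_pinholes("198.51.100.7", msg)),
              "checked opens:", len(ok), "rejected:", bad)
```

The contrast between naive_pinholes and build_pinholes is the whole point: the spoofed message would get the naive gateway to open UDP 5060 on an unrelated host and port 22 on the sender, while the checked version opens nothing. The encrypted message yields no pairs at all, so neither version can help; that is the case in which the firewall has to be an endpoint of the security association (a proxy that terminates and re-originates the signalling) or give up on per-call pinholes, which is exactly the man-in-the-middle tension Douglas is asking about.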