Re: Firewalls [was: H.320 gateways a MEG

Douglas, IMHO, I think that the issue comes down to trust. The SAs need to be so constructed that the trust model is satisfied.

In case 3, where SA2 is an ESP SA between EP1-EP2: such a deployment may be chosen when EP1 does not trust SG1 and EP2 does not trust SG2 to look inside the packet. The SPD present at EP1 would reflect the policy that currently exists in firewalls. The firewall functionality has essentially been distributed to the edge (EP1) in this case.

If the SG is trusted - which is the case with most firewalls - then the scenario in case 3 should probably not be chosen. An ESP SA can exist between SG1 and SG2. If there is a problem of snooping within the AD, then an ESP SA can be established between EP1-SG1 and SG2-EP2 as well.

- Senthil

----------
From: Mailing list for parties associ
To: ITU-SG16
Subject: Re: Firewalls [was: H.320 gateways a MEGACO / ITU]
Date: Thursday, April 01, 1999 3:08PM

At 19:03 1999-03-31 -0800, Matt Holdrege wrote:
In Melinda's case, and I think it applies to the megaco messages as well, if that PDU contains protocol addresses, and the firewall wants/needs to unblock them (but not translate them), it certainly does care. I think we are talking about firewalls that filter/block all but a few configured ports, and open others when genuine needs are detected.
Assume for the moment that the MG lives behind a firewall, and the MGC is "out there", communicating on the well-known and open port allocated to megaco. An RTP session needs to be opened, on a dynamically allocated port that the firewall is blocking. The session is to be made from another dynamically allocated port, on a different MG, somewhere "out there". For security reasons, the megaco protocol exchanges between the MGC and MG are encrypted, according to a security association between themselves. The firewall is seeing encrypted PDUs that it cannot examine for addresses. How will media flow to these blocked ports?

I think that the other questions were similar, but the messages were Q.931 setup, or H.245 OLC, and the firewall problem was the PER coding. It's worse with ESP/TLS than with PER, but it's still the same-ish problem.

Using AH does not provide privacy. An eavesdropper can snoop dial strings, which can be sensitive. An eavesdropper can spot IP/port pairs, which it knows are going to be opened by the firewall, for targeting denial of service attacks. It would not be impossible to find ESP being used on megaco.
The only worries are if you are using NAT.
And yes, the problem also arises with NAT, where the firewall also wants to _change_ the PDU. See: http://www.ietf.org/internet-drafts/draft-ietf-nat-protocol-complications-00.txt :-)
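The interplay the two messages above describe - a default-deny firewall that opens RTP pinholes from the signalling it can parse, AH leaving the dial string and RTP port visible to an eavesdropper, and ESP terminated either end-to-end (Senthil's case 3) or at the SG - as an added example written for this page, not code from the thread or from any megaco implementation. It models IPsec protection as a flag on a packet rather than real ESP/AH processing, and the PDU text, the port numbers (2944 for megaco, 49170 for RTP) and the dial string are constructed; real MEGACO text syntax differs.

```python
"""Model: port-opening firewall vs. AH/ESP-protected megaco signalling."""
from dataclasses import dataclass, field
import re

# Constructed stand-in for a megaco Add command carrying a remote media
# descriptor and a dial string. Real MEGACO syntax differs; this is only a
# parseable sample for the firewall ALG and the eavesdropper below.
SIGNALING_PDU = (
    "MEGACO/1 [mgc.example]\n"
    "Transaction = 1 { Context = - { Add = ip/1/0/1 { "
    "Media { Remote { m=audio 49170 RTP/AVP 0 } } "
    "Events { dd/ce { DigitMap = +15551234567 } } } } }"
)
MEGACO_PORT = 2944  # assumed well-known, statically open port
RTP_PORT = 49170    # dynamically chosen media port announced in the PDU
MEDIA_RE = re.compile(r"m=audio (\d+) RTP/AVP")
DIAL_RE = re.compile(r"DigitMap = (\+?\d+)")


@dataclass
class Packet:
    dport: int
    payload: bytes
    # "none" = cleartext, "ah" = integrity only, "esp" = encrypted.
    # The flag stands in for real IPsec processing.
    protection: str = "none"

    def readable(self) -> bool:
        # AH authenticates but does not hide the payload; ESP hides it.
        return self.protection != "esp"


@dataclass
class Firewall:
    """Default-deny filter that opens RTP pinholes from readable signalling."""
    static_allow: set = field(default_factory=lambda: {MEGACO_PORT})
    pinholes: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> None:
        # The ALG only works on PDUs it can read on the statically open port.
        if pkt.dport in self.static_allow and pkt.readable():
            m = MEDIA_RE.search(pkt.payload.decode())
            if m:
                self.pinholes.add(int(m.group(1)))

    def allows(self, pkt: Packet) -> bool:
        return pkt.dport in self.static_allow or pkt.dport in self.pinholes


def eavesdrop(pkt: Packet) -> dict:
    """What a passive observer on the outside wire learns from one PDU."""
    if not pkt.readable():
        return {}
    text = pkt.payload.decode()
    port = MEDIA_RE.search(text)
    dial = DIAL_RE.search(text)
    return {
        "rtp_port": int(port.group(1)) if port else None,
        "dial_string": dial.group(1) if dial else None,
    }


def run_scenario(protection: str, sg_is_esp_peer: bool = False) -> dict:
    """protection: how MGC->MG signalling is protected on the wire.
    sg_is_esp_peer=True models an SG-terminated ESP SA (SG1-SG2 or EP-SG),
    so the SG decrypts before filtering; False models case 3, an EP1-EP2
    SA the SG cannot look inside."""
    wire = Packet(MEGACO_PORT, SIGNALING_PDU.encode(), protection)
    leak = eavesdrop(wire)  # observed on the wire before the SG
    seen_by_fw = wire
    if protection == "esp" and sg_is_esp_peer:
        seen_by_fw = Packet(wire.dport, wire.payload, "none")  # SG decrypted it
    fw = Firewall()
    fw.inspect(seen_by_fw)
    inbound_media = Packet(RTP_PORT, b"\x80\x00")  # RTP from the remote MG
    return {"media_allowed": fw.allows(inbound_media), "leak": leak}


if __name__ == "__main__":
    for args in (("none",), ("ah",), ("esp",), ("esp", True)):
        print(args, run_scenario(*args))
```

With AH the firewall can open the pinhole, but so can anyone on the wire read the port it is about to open and the dialled number; with an end-to-end ESP SA the eavesdropper learns nothing and the media is dropped, because the pinhole is never created; with the SA terminated at the SG both properties hold on the outside wire, which is the trade-off Senthil's note argues for when the SG is trusted.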
Participants (1): Sengodan Senthil, NRC/Boston