Firewalls [was: H.320 gateways a MEGACO / ITU]

Sengodan Senthil NRC/Boston sengodan at NASBPD01BS.NTC.NOKIA.COM
Thu Apr 1 13:03:52 EST 1999


IMHO, I think that the issue comes down to trust. The SAs need to be so constructed that the trust model is satisfied.

In case 3, where SA2 is an ESP SA between EP1-EP2: Such a deployment may be chosen when EP1 does not trust SG1 and EP2 does not trust SG2 to look inside the packet. The SPD present at EP1 would reflect the policy that currently exists in firewalls. The firewall functionality has essentially been distributed to the edge (EP1) in this case.

If the SG is trusted - which is the case with most firewalls - then, the scenario in case 3 should probably not be chosen. An ESP SA can exist between SG1 and SG2. If there is a problem of snooping within the AD, then an ESP SA can be established between EP1-SG1 and SG2-EP2 as well.

 - Senthil

From: Mailing list for parties associ
To: ITU-SG16
Subject: Re: Firewalls [was: H.320 gateways a MEGACO / ITU]
Date: Thursday, April 01, 1999 3:08PM

At 19:03 1999-03-31 -0800, Matt Holdrege wrote:
>If you are using ESP, there are no worries. The endpoints unwrap the
>original packet and process it as normal. The firewall doesn't know or care
>about the original internal packet.

In Melinda's case, and I think it applies to the megaco messages as well,
if that pdu contains protocol addresses, and the firewall wants/needs to
unblock them (but not translate them), it certainly does care. I think we
are talking about firewalls that filter/block all but a few configured
ports, and open others when genuine needs are detected.

>But if we are talking about MEGACO and I originally thought we were, you
>don't need to use ESP if you don't want to. For security's sake, you may
>wish to use AH in which case the firewall will simply authenticate the
>packet and pass it through without any worries.

Assume for the moment that the MG lives behind a firewall, and the MGC is
"out there", communicating on the well known and open port allocated to
megaco. An RTP session needs to be opened, on a dynamically allocated port
that the firewall is blocking. The session is to be made from another
dynamically allocated port, on a different MG, somewhere "out there".

For security reasons, the megaco protocol exchanges between the MGC and MG
are encrypted, according to a security association between themselves. The
firewall is seeing encrypted PDUs that it cannot examine for addresses.
How will media flow to these blocked ports?

I think that the other questions were similar, but the messages were Q.931
setup, or H.245 OLC and the firewall problem was the PER coding. It's worse
with ESP/TLS than with PER, but it's still the same-ish problem.

Using AH does not provide privacy. An eavesdropper can snoop dial strings,
which can be sensitive. An eavesdropper can spot IP/port pairs, which it
knows are going to be opened by the firewall, for targeting denial of
service attacks. It would not be impossible to find ESP being used on megaco.

>The only worries are if you are using NAT.

And yes, the problem also arises with NAT, where the firewall also wants to
_change_ the pdu.

.txt :-)

>At 11:14 AM 4/1/99 +1000, Douglas Clowes wrote:
>>Hi Matt,
>>I've read 2401 (IPsec), 2402 (AH), and 2406 (ESP) before. I've also
>>skimmed, but probably not understood, the ones on IKE and ISAKMP and OAKLEY
>>too. I've just re-skimmed 2401/2/6 and still don't have the answer.
>>Re-reading the postings, they're about H.323 proxies, call signalling, and
>>H.245 - some people are talking about H.323 rather than megaco/H.gcp, and
>>that's part of the problem: different threads by different people.
>>My points are several, and relate to firewalls (as noted by the subject
>>In a mode 3 security association:
>>> 3. neither endpoint is the same -- The inner and outer
>>>    tunnels could each be either AH or ESP.
>>> Host 1 --- Security ---- Internet -- Security --- Host 2
>>>  |          Gwy 1                      Gwy 2         |
>>>  |            |                          |           |
>>>  |            --Security Assoc 1 (tunnel)-           |
>>>  |                                                   |
>>>  -----------Security Association 2 (tunnel)-----------
>>where Security Association 2 is ESP, how is SG1 or SG2 going to do packet
>>filtering and port opening?
>>Or, if SG1/SG2 is a single entity, as in Case 4:
>>>  ======================================================
>>>  |                                                    |
>>>  |==============================                      |
>>>  ||                            |                      |
>>>  ||                         ---|----------------------|---
>>>  ||                         |  |                      |  |
>>>  H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
>>>        ^                    |           Intranet)        |
>>>        |                    ------------------------------
>>>  could be dialup              admin. boundary (optional)
>>>  to PPP/ARA server
>>or SG2, here, is "just" a firewall, instead of a Signalling Gateway.
>>Assuming that the SA between H1 and H2 involves payload encryption, such as
>>ESP, and is call signalling or H.245, how does SG2 cope with finding the
>>IP/port pairs, even in a text based protocol?
>>My interest extends beyond megaco/H.gcp, and includes Annex G. How do we
>>handle this in the more general case?
>>At 16:05 1999-03-31 -0800, Matt Holdrege wrote:
>>>You can read RFC 2401 & 2402 to find out about IPsec and AH. And this
>>>discussion is about MEGACO/H.GCP which is not the same as H.323.

More information about the sg16-avd mailing list