Firewalls [was: H.320 gateways a MEGACO / ITU]

Wed Mar 31 18:31:03 EST 1999

There seems to be a discussion on firewalls, without a common thread.

The problems are several, but relate to the ability of a firewall to
identify the address/port pairs in protocol messages. There is also the
additional requirement that it understand what they are for, and know what
to do with them.

Simply being able to recognize something that looks like an IP address, and
possible port number is not enough to do a good job of firewalling. If it
means that the firewall is simply going to open every address it sees in
data flowing through it, then it is not a very good protection mechanism.

Whether the firewall is prevented from seeing the address information
because it is PER-encoded, or because it is triple-DES encrypted, is not
particularly material. IP addresses in non-standard or vendor-extension
fields will cause the same problems.

While Matt seems to be focused on NAT translating those addresses, I think
that Melinda is fixed on firewalls that block everything, but open up for
IP addresses in data streams.

Can somebody please explain to this poor old boy, confused by firewalls,
how either NAT or firewalls opening dynamic ports work (and especially)
when the data stream is encrypted? That is, without opening up the
possibility of man-in-the-middle attacks?

Douglas

At 14:36 1999-03-31 -0800, Matt Holdrege wrote:
>Yes. Going back to my original point about IPsec, if you use AH then you
>shouldn't need to do port-based filtering. If you don't use port-based
>filtering and you don't need NAT, then you don't need proxies, right?
>
>And I don't think anything in MEGACO (yet) uses dynamic ports anyway, right?
>
>
>At 05:08 PM 3/31/99 -0800, Gary A. Thom wrote:
>>This problem is independent of the type of encoding being used (PER or
>text). The problem that
>>you describe is related more to the use of dynamic ports which prevents
>simple packet filtering.
>>An h.323 proxy must parse the call signalling and H.245 messages to find
>the dynamic ip
>>address/port pair assignments. The h.323 proxy will be required whether
>the encoding is asn.1 or
>>text or anything else.
>>
>>Gary
>>
>>------------------------
>>  From: Melinda Shore <shore at ITHACA-VIENNASYS.COM>
>>  Subject: Re: H.320 gateways a MEGACO / ITU
>>  Date: Wed, 31 Mar 1999 16:45:05 -0500
>>  To: ITU-SG16 at MAILBAG.INTEL.COM
>>
>>
>>> There's a problem in that it makes the signaling channel sufficiently
>>> complicated to parse that you end up having to put a proxy, or something
>>> that looks an awful lot like a proxy, on the firewall in order to
>>> pick up dynamically-allocated address/port tuples.  This has somewhat
>>> negative architectural implications in that in a multi-firewall
>>> environment (which is, alas, the norm when traversing multiple
>>> administrative domains) you end up with tandemed signaling loops.
>>>
>>> The short answer is that IP is supposed to be end-to-end
>>> and that firewalls create a big disconnect between the IP network
>>> and the IP telephony application-layer network.
>>>
>>> Melinda
>>>
>>
>>------------------------------------------------------
>>Name   : Gary A. Thom
>>Company: Delta Information Systems, Inc.
>>Address: 300 Welsh Rd., Bldg 3
>>         Horsham, PA 19044 USA
>>Phone  : +1-215-657-5270         Fax : +1-215-657-5273
>>E-mail : gthom at delta-info.com
>>------------------------------------------------------
>>
>
>