Firewalls [was: H.320 gateways a MEGACO / ITU]

Wed Mar 31 19:05:59 EST 1999

You can read RFC 2401 & 2402 to find out about IPsec and AH. And this
discussion is about MEGACO/H.GCP which is not the same as H.323.

At 09:31 AM 4/1/99 +1000, Douglas Clowes wrote:
>There seems to be a discussion on firewalls, without a common thread.
>
>The problems are several, but relate to the ability of a firewall to
>identify the address/port pairs in protocol messages. There is also the
>additional requirement that it understand what they are for, and know what
>to do with them.
>
>Simply being able to recognize something that looks like an IP address, and
>possible port number is not enough to do a good job of firewalling. If it
>means that the firewall is simply going to open every address it sees in
>data flowing through it, then it is not a very good protection mechanism.
>
>Whether the firewall is prevented from seeing the address information
>because it is PER-encoded, or because it is triple-DES encrypted, is not
>particularly material. IP addresses in non-standard or vendor-extension
>fields will cause the same problems.
>
>While Matt seems to be focused on NAT translating those addresses, I think
>that Melinda is fixed on firewalls that block everything, but open up for
>IP addresses in data streams.
>
>Can somebody please explain to this poor old boy, confused by firewalls,
>how either NAT or firewalls opening dynamic ports work (and especially)
>when the data stream is encrypted? That is, without opening up the
>possibility of man-in-the-middle attacks?
>
>Douglas
>
>At 14:36 1999-03-31 -0800, Matt Holdrege wrote:
>>Yes. Going back to my original point about IPsec, if you use AH then you
>>shouldn't need to do port-based filtering. If you don't use port-based
>>filtering and you don't need NAT, then you don't need proxies, right?
>>
>>And I don't think anything in MEGACO (yet) uses dynamic ports anyway, right?
>>
>>
>>At 05:08 PM 3/31/99 -0800, Gary A. Thom wrote:
>>>This problem is independent of the type of encoding being used (PER or
>>text). The problem that
>>>you describe is related more to the use of dynamic ports which prevents
>>simple packet filtering.
>>>An h.323 proxy must parse the call signalling and H.245 messages to find
>>the dynamic ip
>>>address/port pair assignments. The h.323 proxy will be required whether
>>the encoding is asn.1 or
>>>text or anything else.
>>>
>>>Gary
>>>
>>>------------------------
>>>  From: Melinda Shore <shore at ITHACA-VIENNASYS.COM>
>>>  Subject: Re: H.320 gateways a MEGACO / ITU
>>>  Date: Wed, 31 Mar 1999 16:45:05 -0500
>>>  To: ITU-SG16 at MAILBAG.INTEL.COM
>>>
>>>
>>>> There's a problem in that it makes the signaling channel sufficiently
>>>> complicated to parse that you end up having to put a proxy, or something
>>>> that looks an awful lot like a proxy, on the firewall in order to
>>>> pick up dynamically-allocated address/port tuples.  This has somewhat
>>>> negative architectural implications in that in a multi-firewall
>>>> environment (which is, alas, the norm when traversing multiple
>>>> administrative domains) you end up with tandemed signaling loops.
>>>>
>>>> The short answer is that IP is supposed to be end-to-end
>>>> and that firewalls create a big disconnect between the IP network
>>>> and the IP telephony application-layer network.
>>>>
>>>> Melinda
>>>>
>>>
>>>------------------------------------------------------
>>>Name   : Gary A. Thom
>>>Company: Delta Information Systems, Inc.
>>>Address: 300 Welsh Rd., Bldg 3
>>>         Horsham, PA 19044 USA
>>>Phone  : +1-215-657-5270         Fax : +1-215-657-5273
>>>E-mail : gthom at delta-info.com
>>>------------------------------------------------------
>>>
>>
>>
>