OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: H.323

Re: H.323

Chris Shenton (cshentonuucom.com)
10 Mar 1999 16:53:23 -0500

> I am interested in obtaining "lessons learned" from those of you who may
> have implemented H.323 (especially if you used NetMeeting). Specifically, I
> am interested in the following:

When I was at NASA I wrote a paper on NetMeeting's (non-)
security. You might find it helpful.

http://www.shenton.org/~chris/nasa-hq/netmeeting/

After this analysis we decided not to deploy across the WAN. Just no
way to make it secure.

After I released it I got some mail from a couple firewall developers
who said they were working on actual app proxies but that they were
very complex. Maybe they exist now in a useable form -- I haven't
looked into this recently.

> 4. Any security issues? Note, H.323 v2 has enhanced security to include
> authentication, integrity, privacy, and non-repudiation, although we may
> be using NetMeeting... In reviewing last year's thread (Jun-Sep), I saw a
> concern about the "shared application execution facility enabling remote
> users to execute unintended program on other participant's workstations"
> but I never really saw anything specific.

NetMeeting doesn't even have a concept of *user* authentication. It
assumes there's one human per IP address. Clearly developed by a
PC-mentality coder. It certainly could n't be mistaken for anything
resembling strong authentication.

In short, it's a naively designed and poorly implemented product which
can't be securred by 3rd-party gateways, protocol convertors, etc. At
least I didn't find a way back when I was investigating it. If you do,
let me know.

Thanks.

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:16 CDT