From: "Brien L. Wheeler"
Organization: Raptor Systems, Inc.
Date: Thu, 15 Jan 1998 14:00:26 -0500
Newsgroups: comp.security.firewalls
Message-ID: <34BE5CCA.1169@raptor.com>

Disclaimer: I work for Raptor Systems, a firewall company.

Michael Pelletier wrote:
> I found Microsoft's documentation for this topic, despite pathetic
> keywords like "netmtgw95 kbenv kbhowto", document number "Q158623".
> However, I'm a little puzzled by the port-availability recommendations
> they make:
>
> - Pass through primary TCP connections on ports 522, 1503, and 1731
> - Pass through secondary UDP connections on dynamically assigned
>   ports (1025-65536).

Also TCP ports 389 and 1720, and secondary TCP connections on ports
1024-65535. Essentially what Microsoft is saying is that you must open
up all these ports, and then open up everything else. Not a very
palatable solution from a security perspective.

> First of all, what do they mean by "pass through"? In which
> direction? And secondly, there's no such thing as a "UDP connection",
> so any idea what they're talking about here? And considering the
> problems involved with opening up 1024 and up for UDP (for example,
> NFS), I'd like a little more specifics before I jump in and do that.

NetMeeting is an H.323 endpoint implementation. H.323 uses control
channels to negotiate numerous connectivity relationships (both TCP and
UDP) between communicating systems. This dynamic nature of the traffic
poses a real problem for static packet filtering. Here are the ports
that are used for various functions:

      389/TCP     Internet Location Service
      522/TCP     User Location Service
     1503/TCP     Data Conferencing content channel (T.120)
     1720/TCP     H.323 call setup (Q.931)
     1731/TCP     Audio call control
  dynamic/TCP     H.323 content channel control (H.245)
  dynamic/UDP     Audio and video content channels (RTP/RTCP)

So, here's what it all means:

If you only want data conferencing, open TCP ports 389, 522, and 1503.
This will provide chat, whiteboard, application sharing, and file
transfer.

If you want audio and video as well, you need to open TCP ports
1024-65535 (which includes 1720) and UDP ports 1024-65535. Without the
range 1024-65535 for TCP you will not be able to establish the H.245
control channel, and without the range 1024-65535 for UDP you will not
be able to pass audio/video content.

As for directionality, all the TCP connections will be made from the
originator of the call to the receiver of the call. UDP packets will
flow in both directions, depending on who is sending audio or video.

> Anyone out there doing this sort of thing? I'd appreciate some
> pointers, thanks!

The difficulty with packet-filtering protocols like H.323 that
negotiate connectivity relationships is correlating the secondary data
streams with the primary connection request to determine access
control. Parsing and analysis of the call setup and control channel
connections is required to make educated decisions, but the protocols
are in ASN.1, not a friendly encoding for packet-filtering
implementations.

Brien Wheeler
Principal Engineer
Raptor Systems, Inc.
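The following is an added example, not code from the post or from Raptor Systems, illustrating the point Brien makes in the last paragraph: a static filter following the "open 1024-65535" recommendation admits any high-port traffic to the callee (the NFS worry from the question), whereas a call-aware filter that correlates the secondary streams with the call setup on TCP 1720 only opens pinholes for the two parties and the ports they negotiated. The packet records, host addresses and the `negotiated` field are constructed here; the latter stands in for the ports a real H.323 ALG would have to recover by decoding the ASN.1-encoded H.225/H.245 signalling.

```python
from dataclasses import dataclass

# Fixed ports from the post's table.
DATA_ONLY_TCP = {389, 522, 1503}
AUDIO_VIDEO_TCP = DATA_ONLY_TCP | {1720, 1731}
DYNAMIC = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False         # True for a TCP connection attempt
    # Constructed stand-in for the secondary ports announced in the H.225/H.245
    # signalling, e.g. (("tcp", 4545), ("udp", 49170)). A real ALG would have
    # to parse the ASN.1 messages on the call-setup channel to learn these.
    negotiated: tuple = ()


def static_filter(pkt: Packet, audio_video: bool) -> bool:
    """Stateless rule set following the recommendation quoted in the post:
    fixed TCP ports always, plus TCP/UDP 1024-65535 when audio/video is wanted."""
    allowed_fixed = AUDIO_VIDEO_TCP if audio_video else DATA_ONLY_TCP
    if pkt.proto == "tcp" and pkt.dport in allowed_fixed:
        return True
    # Secondary TCP (H.245) and UDP (RTP/RTCP) land anywhere in the dynamic
    # range, and UDP flows both ways, so only the destination port can be keyed on.
    return audio_video and pkt.dport in DYNAMIC


class CallAwareFilter:
    """Stateful filter: admits the fixed ports, watches call setup on 1720 and
    opens pinholes only for the dynamic ports negotiated by those two parties."""

    def __init__(self):
        self.pinholes = set()   # entries: (proto, caller, callee, port)

    def _pinhole_matches(self, pkt: Packet) -> bool:
        # Either direction between the two call parties, on the announced port.
        return any(
            proto == pkt.proto and {a, b} == {pkt.src, pkt.dst} and pkt.dport == port
            for proto, a, b, port in self.pinholes
        )

    def decide(self, pkt: Packet) -> bool:
        if pkt.proto == "tcp" and pkt.dport in AUDIO_VIDEO_TCP:
            if pkt.dport == 1720 and pkt.syn:
                # Call setup seen: remember the secondary ports for this pair only.
                for proto, port in pkt.negotiated:
                    self.pinholes.add((proto, pkt.src, pkt.dst, port))
            return True
        return self._pinhole_matches(pkt)


# Constructed hosts and traffic: a legitimate call plus two unrelated packets.
CALLER, CALLEE, STRANGER = "203.0.113.10", "192.0.2.20", "198.51.100.99"

TRAFFIC = [
    Packet("tcp", CALLER, 40001, CALLEE, 1720, syn=True,
           negotiated=(("tcp", 4545), ("udp", 49170), ("udp", 49171))),
    Packet("tcp", CALLER, 40002, CALLEE, 4545, syn=True),    # H.245 control channel
    Packet("udp", CALLER, 49170, CALLEE, 49170),             # RTP audio, caller -> callee
    Packet("udp", CALLEE, 49171, CALLER, 49171),             # RTCP, callee -> caller
    Packet("udp", STRANGER, 5555, CALLEE, 2049),             # unrelated host hitting NFS
    Packet("tcp", STRANGER, 5556, CALLEE, 4545, syn=True),   # unrelated host, "negotiated" port
]


def run(packets, decide):
    """Apply a decision function to each packet in order; True means permit."""
    return [decide(p) for p in packets]


def compare(packets=TRAFFIC):
    """Return (static verdicts, call-aware verdicts) for the same packet sequence."""
    static = run(packets, lambda p: static_filter(p, audio_video=True))
    stateful = run(packets, CallAwareFilter().decide)
    return static, stateful


if __name__ == "__main__":
    for pkt, s, c in zip(TRAFFIC, *compare()):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  static={'pass' if s else 'drop'}  call-aware={'pass' if c else 'drop'}")
```

The static rule set passes all six packets, including the NFS probe on UDP 2049 and the stranger's connection to the negotiated H.245 port, because it cannot tell call traffic from anything else in the dynamic range. The call-aware filter passes only the four packets belonging to the tracked call. In data-only mode the static filter correctly drops everything outside 389, 522 and 1503, which is why the post suggests that mode when audio and video are not needed.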