Linksys WRT54GS - Netmeeting and port forwarding question

I have a Linksys WRT54GS. I'd like to set up port forwarding to be able to use Netmeeting.

I went to the MS website and it lists a whole bunch of ports to be opened when using a firewall and it is very confusing. Can somebody tell me if there is an easy way to accomplish this?

thank you very much, NH

Reply to
NH

There's a problem with Netmeeting. It's H.323, which uses random port numbers and requires that the router sniff the packet contents for the port numbers. The usual advice is to open a wide range of ports as in:

[link]

That's the ultimate security nightmare. Any security scanner will complain that such a system with almost all the ports open is totally insecure.

Be sure to set up your desktop with a static IP address.

Another recommendation is to use the DMZ feature, which redirects literally everything to your computer. Also a bad idea:

[link]

Frankly, I don't know of a secure way to do Netmeeting with the WRT54G. There are routers that sniff the packets looking for specific types and open ports on the fly as needed. However, the WRT54G apparently doesn't do that.

This mess is one of the reasons MS is going to other conferencing programs. The latest Windoze Messenger will do everything that Netmeeting does.

[link]

There are other conferencing programs. I suggest you switch instead of fight.

Reply to
Jeff Liebermann

You're correct that if you trust the personal firewall, such an arrangement will work just fine. Perhaps I'm a bit paranoid about doing this as I was finding far too many machines infested with spyware, running trojans, lacking in Windoze updates, and misconfigured or missing firewalls. I see huge numbers of shares open to the internet. Perhaps it's because I only see broken machines. I'm sure there are users with properly configured machines and firewalls, but I just don't see those. If you're sure your computah is safe and secure, then by all means, do the DMZ or massive port redirection solution.

You might find the following 5 page article illuminating:

[link]

these admittedly theoretical problems:

[link]
[link]

I guess the easiest way to be sure is to run one of the online security tests:

[link]
[link] (various tests)

Perhaps I'm overly paranoid, but I would prefer not to almost totally disable my router's firewall for the benefit of one program that is easily replaced by something less demanding.

Reply to
Jeff Liebermann

[link]
Netmeeting's Remote Desktop Sharing will work through a Linksys router using port forwarding. If you are wanting to do all that video stuff with Netmeeting, then the router has to be H.323 compliant. There are H.323 compliant routers.

Other than that, if the router is not H.323 compliant, put the machine into the DMZ of the router and have a personal firewall solution that can deal with H.323 to protect it.

Duane :)

Reply to
Duane Arnold

It would be no worse than taking a machine and doing a direct connect to the Internet with a personal FW solution providing the protection, while using Netmeeting. If the machine had a PFW on it when it was put into the DMZ for a short period of time and then taken out of the DMZ where is the harm?

Duane :)

Reply to
Duane Arnold

I beg to differ somewhat. It is my contention that manufacturers of wireless contraptions have done a positively dismal job of delivering out of the box secure wireless. Demanding that the user compensate for their laziness and ineptitude is not a suitable answer. Look at the boxes made by 2wire.com for a clue. WEP enabled by default. Cryptic WEP key pre-installed. Unique SSID. How hard is that?

I don't seriously expect the GUM (Great Unwashed Masses) to ever understand even the basics of encryption and security. Even the ones that do run into absurdities such as creative ASCII to Hex conversions, cryptic settings, creative protocols, and stupid security ideas such as broadcasting NULLs for the SSID.

The user should be presented with a selection template on installation. There should be a choice of common applications with presets for each, such as Corporate Network, Hot Spot, Open Access, VPN Gateway, and of course, custom settings. Expecting the user to know about access point isolation, VPN passthrough, and ACLs is a bit like requiring the automobile buyer to learn auto mechanics before being allowed to drive. Such templates are common in Cisco IOS based routers, where the complexity of the initial setup is often well beyond the abilities of even experienced users.

I'm not a big fan of Steve Gibson, and calling anyone that has never attended a security conference or appeared on a security mailing list a security expert is ludicrous. However, he does have a point with his snake oil security tests. I read his stuff, extract what I can, and ignore his alarmist conclusions and warnings. There's value in there somewhere. The same applies to others that have found individual flaws, potential security holes, and exploits. I once found a real security hole in a commercial Unix OS, but was ignored by the manufacturer. Only when someone else wrote an exploit tool was the problem addressed and fixed. Careful what you call snake oil.

I have a problem with personal firewall software (Zone Alarm, Windoze XP SP2 firewall, etc). They are "user decision based" firewalls. In other words, they only work if the user makes the correct decision when the popup appears demanding a decision. My experience with inspecting ZoneAlarm, Norton, McAfee and WFW configurations is that users constantly make the wrong decisions. I've found numerous machines with active trojan horses running, where the user simply clicked "accept" because he got tired of having the popup warning appear. This is ludicrous, stupid, worthless, and dangerous. As I previously ranted, a personal firewall is a great tool in the hands of an experienced and conscientious user. However, with the commonly inexperienced member of the GUM, it's of limited value.

Trick question: How does a member of the GUM disable shares or even see them? Perhaps they are swift enough to know about the NET VIEW \\\\your_IP (or NETBIOS machine name) trick that will show the visible shares. But what about the hidden C$ administrative share and XP's default shared folder? I have a hell of a time just finding which directory is being shared. I constantly see machines that use Briefcase to replicate files have the entire C: drive shared just to get the stupid Briefcase to work. I also find XP boxes with proper user login passwords assigned, but a blank password for administrator. I would normally just disable all sharing, but crippled XP Home doesn't allow disabling simple file sharing. I have to kill the shares one by one. Of course every user login is an administrator by default, which is convenient, but ensures that a mistake is universally destructive. I won't even go into what can be done to XP with physical access.

This is hardened security?

This is an excellent list. I can tell whomever wrote it has had some experience. Securing the backup tapes and cdroms is not often included in such a list. Were I interested in attacking a specific machine, it's much easier to steal the backups than to attack the machine directly. Now, getting the backup vendors to use real encryption is another story. I have friends in the business and they claim it's not a useful requirement and will ruin their data integrity checking.

Does informing you of defects make an automobile safe? There's some argumentation over the principle, but the consensus seems to be that manufacturers are responsible for delivering safe products. Methinks that extends to data security and safety, but your EULA may say otherwise.

The clueless don't read such links or they wouldn't be clueless. Even if they do read the recommendations, many of the tweaks are undone almost immediately after a hardware reset, operating system upgrade, or manufacturer's "system restore" ceremony. Is eternal vigilance also the cost of security?

Make up your mind. Is the personal firewall like a lock and key barrier to access, or is it a burglar alarm that informs the user that they've been screwed? With user decision based PFW solutions, methinks the burglar alarm is the proper analogy. It doesn't really prevent access, but does inform the user that someone is trying to drill through the door. I have yet to see a PFW that does both adequately.

I get far too few calls from customers asking for clarification of some of the pop-up messages delivered by ZoneAlarm, MS Anti-Spyware beta 1, and other impediments to computing. Even I have to decode the cryptic mumbo-jumbo that some of these deliver in my face. Self-respawning spyware will create the same warning over and over until the user selects "accept" just to make the messages go away. Recovering from the wrong decision is also a common exercise on behalf of my customers.

Nice article. One problem. The user would be expected to know and recognize the difference between normal and bogus processes and drivers. I can barely keep up on the myriad of driver names and would never expect a member of the GUM to be able to do the same.

All stateful packet inspection does is offer the router a way to determine which side of the firewall a packet is coming from in order to prevent a WAN side attacker from spoofing an inside IP address. This is an important feature and very useful, but does not mean that firewalls that lack SPI are garbage. The same thing can be done with packet filters.

The endless discussions on what features constitute a "true" firewall has wasted considerable time in the various networking newsgroups and mailing lists. There are some that suggest that anything that does not pass the ICSA Labs certification tests are worthless. I don't know (or care). I have very few problems dealing with attacks originating from the internet with common cheap NAT routers. Well, I do have some problems from the internet with users that do considerable port forwarding that point to flawed or insecure inside services. I just had the web server on my weather station successfully compromised by an attack from the internet because I was one version behind on updates and fixes. Anyway, I consider the typical NAT firewall to be good enough, even without SPI, ACL's, and certification. However, setting up a DMZ defeats all the protection and relies totally on the user decision based personal firewall, which I have almost no confidence in staying alive or secure.

I'll resist the temptation to ask what features are missing in a cheap NAT router that are required for a "true" firewall. I can list a considerable number of protocols and features that a typical Cisco router supports, but how many of those features are useful for the average home user, and how many of them are comprehensible by the user or even the installer? Adding features does not necessarily equate to better security.

I guess I cheat. Our neighborhood LAN uses a Cisco 2514 router (with the fan ripped out so I don't have to listen to the noise). My local ISP's free wireless setup uses a Cisco 2611 router. It turns out that the most useful features of these "true" routers are SNMP management for traffic monitoring, bandwidth management, and ACL's for security.

Well, isn't that what you suggested is acceptable for dealing with brain dead protocols like H.323 and Netmeeting? In my never humble opinion, the problem is not the inability of the router to deal with badly written protocols, but the protocol itself. Dump the application and get something that works (i.e. SIP based messaging).

I haven't seen too many that will do ACL's or accept X.509 certificates for authentication. Few will terminate an IPSec or PPTP VPN. Monitoring is at best a limited joke. Per-user keys, authorization, and authentication are rarely found in these low end boxes. I don't think they come close to what's needed for my vision of proper security.

Nice article on firewall technology. I don't know any cheapo NAT routers that also have an applications level gateway or per-session authorization. In most cases, a SOCKS5 proxy server configure individually for each allowed service type would be more secure than any attempt to turn a cheap NAT router into a "real" firewall.

Wrong link. It's an explanation of NAT.

Nice article. Doesn't really cover VPN issues but that's in another article. Doesn't mention authorization or authentication, end to end encryption, and wireless, but those are possibly separate topics.

I can debate the point but I think I covered my main points previously in this rant. The basic criteria for me is:

  1. Can the manufacturer deliver a secure out of the box system?
  2. Can the manufacturer deliver a means of ensuring that it stays secure? Is the security level verifiable?
  3. Can the manufacturer minimize the number and level of user decisions necessary to maintain the system?
  4. Can intrusions be effectively detected and blocked both in real time and after the fact?

By the above criteria, most cheap routers are "good enough" but not far from what I consider acceptable. I can find solutions that meet all the above, but my customers frequently cannot bear the cost or inconvenience. Perhaps instead of a "true" firewall, the correct term would be a "useful" firewall.

Summary: Agreed. It's better than nothing. However, it's like my previous rant on multiple layers of encryption technology being used to fix the defects of the underlying encryption layers. Adding multiple firewalls in series to form an obstacle course will do wonders for attacks originating from the internet, but won't do anything for an attack from the LAN or downloaded via a rogue web pile or email. Therefore, the value of a fancy firewall solution is limited by how well the operating system and personal firewall can defend the system against local LAN based attack. My contention is that due to the inadequacies and limitations of user decision based firewall solutions, the usefulness of a personal firewall is rather limited.

Bottom line: Dump Netmeeting and get something that doesn't demand that the NAT firewall be essentially disabled.

Reply to
Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Well, end-users need to learn how to secure the situation.

1) By knowing how to use the PFW solution properly as machine level protection (can't call it a FW as it's not), and not depending on things such as App Control or the rest of the stuff within them that is snake-oil.

2) If one has a Windows O/S where it has security and it has been hardened to attack or secured by disabling *shares*, securing user accounts, using the proper file system such as NTFS and implementing security with the file system, disabling vulnerable services like not using the F&P sharing service if it's not needed. That's the key: to secure the O/S when exposing a Windows based O/S to the Internet or doing a machine direct connect with a PFW solution or sticking one into the DMZ of a router.

[link]
The buck stops with the O/S and it doesn't stop anywhere else, if you have an O/S where security can be implemented.

There are other links besides the one above that will clue in the clueless.

If the machine has been compromised and the malware executed, it has been compromised and no snake oil solution that has been spawned by Gibson is going to stop it. If the machine has been compromised, a PFW, host based network FW, router or FW appliance solution is not going to stop malware and its outbound traffic initially.

The key is to not allow the malware to reach the machine and practice safe hex. The other key is to recognize dubious activities once the machine has been compromised by using the proper tools and one looks around for themselves from time to time and not depend solely on solutions that can be circumvented and defeated.

I do use the tools in the link from time to time, like Active Ports and Process Explorer, and look for myself at what is happening on the machine.

[link]

Yeah, one can run the tests there is no harm in doing that.

No NAT router for home usage is running *true* FW software. It may be using NAT and some other FW like features like SPI, but it's not running FW software in the traditional sense.

Of course you have some high-end NAT routers that come close to being a FW appliance but they are not running true FW software. And you can use a NAT router as a border device considered to be a total FW solution designed to protect a network.

A NAT router for home usage is good enough in the home protection by not forwarding unsolicited requests to the network, until one starts doing high risk things like *port forwarding*.

If the NAT router cannot meet the specs in the link for *What does a FW do?*, then it's not an appliance that's running *true* FW software. However, some high-end NAT routers come very close to being a FW appliance.

[link]
Here is the NAT router for home usage with FW *like* features.

[link]
Here is some more good info about FW(s).

[link]

If I were going to do a machine direct connect to the Internet, the O/S would be hardened to attack. You can even knock out the share exploit too on a Win 9x and ME O/S by disabling the F&P service if it's not needed. The same would apply for me if I were to put a machine into the DMZ: I'd apply the security features that were on the O/S and implement a PFW solution and know how to use it properly.

But for the most part, I just keep the machines behind the protection of the FW appliance and have done a couple of things for the time being to harden the NT based O/S to attack.

Duane :)

Reply to
Duane Arnold

I want to correct this.

And you can use a NAT router as a border device considered to be part of a total FW solution designed to protect a network.

Duane :)

Reply to
Duane Arnold

Thanks guys for all the responses. I think I'm going to ditch Netmeeting and use a different conferencing program.

NH

Reply to
NH

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Although this is a wireless NG, my statements are not concerning wireless security features.

I cannot disagree but again I thought we were talking about FW(s).

I cannot disagree but .........

I would agree that such person(s) that do security checking of O/S(s) are needed. However, other than an AV solution, most things like software to remove *cookies* off of the machine, standalone App Control applications, built-in App Control in PFW(s), third-party software tools to protect a machine running Web services and things of that nature, I consider snake oil.

Then it's snake-oil to those users, and why have the solution ask the questions? They should be able to disable that and many other features in PFW(s), or manufacturers shouldn't incorporate such features in the solutions. And these solutions are not in the hands of experienced and aware users. They are in the hands of the (GUM). And all the snake-oil crap in these PFW(s) is there to protect the (GUM) from himself or herself.

Obviously, it's not working and some sit there behind a NAT router with the solutions running on a machine and make the same mistakes.

One puts the machine behind the protection of a $20 NAT router to protect the services, shares and whatnot a border device sitting in front of the machine.

The same holds true for wireless as the manufacturers pop out these devices a dime a dozen but many don't provide any documentation on wireless security that the home user should implement out of the box.

What are you going to do? If you push that reset button, then you have to put everything back. And if one is doing an O/S upgrade or restore, then one had better know the consequences of such actions. But many users don't know.

What's a FW, personal or otherwise, have to do with a user with the happy fingers that clicks on unknown links or emails with attachments that lead to the compromise of the machine? When the machine has been compromised, the end-user had some involvement in it 99% of the time. If the machine has been compromised, it's compromised. One can have all the locks and burglar alarms he or she wants. But if he or she opens the door and lets it in, hey, what can be said about it?

It's snake-oil in the solution.

Some users do have that savvy and that's why I post it hoping it will help some.

That all depends on what the needs are for a given situation if a NAT router is good enough.

Well I won't resist.

I'll get around again to opening Web services on one of my machines to the public Internet. I want the insurance that if I port forward port 80 to an ip/machine that only HTTP traffic is going to come down that port or FTP only down the FTP ports.

If I need to block a particular IP from accessing my site that I can set a rule that blocks that IP at the border.

If it so happens that one of my machines is compromised by malware, that I can set rules to stop outbound to the remote IP until such time that I can find the compromise.

Nor do I want that machine to be able to access other machines on the network so I set rules to block outbound from that machine, if need be.

I want the client/server model broken by the FW that allows a direct connection to be made between the two endpoints.

I don't want probes that came through the NAT router at SQL Server running on the machines to reach them with all ports on the NAT router closed by default, like a hot knife through butter.

But that's just my needs, and other users don't have my needs.

Well the OP has the following resolutions:

1) The OP can open all the ports that are needed for Netmeeting.
2) The OP can get an H.323 compliant router.
3) The OP can put the machine into the DMZ protected properly and use Netmeeting.
4) The OP can use something else other than Netmeeting.

Either way, it makes no difference to me as it's not my problem and anything else is moot. ;-)

It's only a link to FW technology for those who are reading the posts between you and I in the hopes that someone may need to know the difference between a NAT router for home usage and FW appliances that may have other needs or other plans for their home networking situation like (throwing up a Web server) -- a whole different topic. ;-)

There are affordable low-end FW appliances that are being made for the SOHO consumer.

And some people assume that because they have NAT on a router that it's FW software, and it's not. "NAT is a *natural* FW" is some statements I have gotten back. My low-end FW appliance has NAT too. ;-)

It will never happen.

It will never happen.

It will never happen.

Not with most NAT routers.

Well, it all depends on the needs of the user. Some users even in a home situation need more than what a NAT router can provide, but some don't know that and settle on the NAT router thinking it's a FW, based on the hype that manufacturers call these appliances FW solutions, and they are not that.

The reality is nothing can be done behind the wall, and one can run all the little bells and whistles on them. Most people, home users or otherwise, don't do what it takes to secure the LAN O/S or otherwise.

NAT is not FW software.

Impostors

When discussing firewalls, packet screening methods, and how firewalls function, there are a few misconceptions that need to be addressed.

Network Address Translation (NAT)

One technology that is commonly thought to act as a firewall solution is Network Address Translation (NAT). NAT translates "internal" IP addresses on one network to "external" IP addresses on another network. There are three methods NAT uses to accomplish address translation.

* Static NAT - maps a specific single address to another specific single address. Example: 10.0.0.1 -mapped to- 168.13.1.1

* Pooled NAT - dynamically maps all specific single addresses to a pool or range of external addresses. Example: 10.0.0.1-10.0.0.254 -mapped to- 168.13.1.1-168.13.1.254

* Port Level NAT - dynamically maps all specific single internal addresses to a specific single external address. The internal address is mapped or identified by the specific external address in combination with a unique port number.

Example:

10.0.0.1 -mapped to- 168.13.1.1:1084
10.0.0.2 -mapped to- 168.13.1.1:1085
10.0.0.3 -mapped to- 168.13.1.1:1086

By comparing the way NAT functions between two networks, and the way packet screening methods function between two networks, you can see that NAT does not adhere to the firewall definition. NAT does not control access between the networks. Some may argue that NAT does control access because you cannot "see" the internal network. NAT does this not by using rules or filters, however, but through concealment. It hides the network from outside users.

However, a NAT router is good for some but not good enough for others and it all depends on the needs of the user.

The discussion about a NAT router has been held more than a few times in the Firewall and Security NG(s).

You should drop a line in one of them about it.

Duane :)

Reply to
Duane Arnold
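The three NAT flavours quoted in the post above, the earlier point that a home NAT router only stops forwarding unsolicited traffic until port forwarding or the DMZ is switched on, and the H.323 problem that started the thread can all be shown in one small model. The following Python script is an added illustration written for this page; it is not Linksys firmware and not code from any poster. The "OPEN-MEDIA port=N" control message it parses is a constructed stand-in for the way H.323 carries the media port number inside the payload, not real H.245 encoding, and the addresses, hosts and port numbers (1084 onward follow the article's example) are sample values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class NatRouter:
    """Toy port-level NAT (PAT): many LAN hosts share one WAN address, each
    LAN (ip, port) pair gets its own WAN port. Illustrative model only."""
    wan_ip: str
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)  # wan_port -> (lan_ip, lan_port)
    dmz_host: Optional[str] = None      # DMZ: every otherwise-unmatched inbound packet goes here
    alg_enabled: bool = False           # H.323-style application layer gateway on/off
    next_port: int = 1084               # same numbering as the article's example
    table: Dict[int, Tuple[str, int]] = field(default_factory=dict)    # wan_port -> (lan_ip, lan_port)
    reverse: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (lan_ip, lan_port) -> wan_port

    def _map(self, lan_ip: str, lan_port: int) -> int:
        """Allocate (or reuse) the WAN port that represents a LAN socket."""
        key = (lan_ip, lan_port)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return self.reverse[key]

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: rewrite the source to wan_ip:wan_port and remember it."""
        wan_port = self._map(pkt.src_ip, pkt.src_port)
        payload = self._alg_rewrite(pkt.src_ip, pkt.payload) if self.alg_enabled else pkt.payload
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if a translation, port forward or DMZ matches."""
        if pkt.dst_port in self.table:              # reply to something the LAN started
            lan_ip, lan_port = self.table[pkt.dst_port]
        elif pkt.dst_port in self.port_forwards:    # static hole punched by the user
            lan_ip, lan_port = self.port_forwards[pkt.dst_port]
        elif self.dmz_host:                         # DMZ: everything lands on one host
            lan_ip, lan_port = self.dmz_host, pkt.dst_port
        else:
            return None                             # unsolicited: dropped, NAT's only "protection"
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.payload)

    def _alg_rewrite(self, lan_ip: str, payload: str) -> str:
        """Constructed ALG: read the media port announced in the payload, open a
        translation for it and rewrite the payload to carry the WAN port instead."""
        m = re.fullmatch(r"OPEN-MEDIA port=(\d+)", payload)
        if not m:
            return payload
        media_port = int(m.group(1))
        return f"OPEN-MEDIA port={self._map(lan_ip, media_port)}"


# Sample hosts (constructed): LAN machines and one remote peer on the Internet.
LAN_PC, LAN_WEB, LAN_DMZ, REMOTE = "10.0.0.1", "10.0.0.2", "10.0.0.3", "203.0.113.9"


def reply_to_outbound():
    """Normal NAT: the LAN starts a connection, the reply is translated back."""
    r = NatRouter("168.13.1.1")
    out = r.outbound(Packet(LAN_PC, 5000, REMOTE, 80, "GET /"))
    back = r.inbound(Packet(REMOTE, 80, r.wan_ip, out.src_port, "200 OK"))
    return out.src_port, (back.dst_ip, back.dst_port)


def unsolicited_is_dropped():
    """No translation, no forward, no DMZ: an inbound probe goes nowhere."""
    r = NatRouter("168.13.1.1")
    return r.inbound(Packet(REMOTE, 40000, r.wan_ip, 1433))


def port_forward_only_that_port():
    """Forwarding 80 exposes only the web host on 80; a probe at 1433 still drops."""
    r = NatRouter("168.13.1.1", port_forwards={80: (LAN_WEB, 80)})
    web = r.inbound(Packet(REMOTE, 40000, r.wan_ip, 80))
    sql = r.inbound(Packet(REMOTE, 40001, r.wan_ip, 1433))
    return (web.dst_ip, web.dst_port), sql


def dmz_gets_everything():
    """DMZ host: the same 1433 probe is now delivered, so the router no longer filters anything."""
    r = NatRouter("168.13.1.1", dmz_host=LAN_DMZ)
    sql = r.inbound(Packet(REMOTE, 40001, r.wan_ip, 1433))
    return sql.dst_ip, sql.dst_port


def h323_style_callback(alg: bool):
    """The LAN PC tells the peer 'send media to port 49152' inside the payload.
    Without an ALG the router never sees that port, so the peer's media is dropped."""
    r = NatRouter("168.13.1.1", alg_enabled=alg)
    ctrl = r.outbound(Packet(LAN_PC, 1720, REMOTE, 1720, "OPEN-MEDIA port=49152"))
    peer_port = int(ctrl.payload.split("=")[1])        # the peer reads the port from the payload
    media = r.inbound(Packet(REMOTE, 49152, r.wan_ip, peer_port, "RTP"))
    return None if media is None else (media.dst_ip, media.dst_port)


if __name__ == "__main__":
    print("reply translated back:", reply_to_outbound())
    print("unsolicited probe:", unsolicited_is_dropped())
    print("port forward 80 / probe 1433:", port_forward_only_that_port())
    print("DMZ host receives 1433:", dmz_gets_everything())
    print("H.323-style media, no ALG:", h323_style_callback(alg=False))
    print("H.323-style media, with ALG:", h323_style_callback(alg=True))
```

Without the ALG the negotiated port exists only as text inside the payload, so the peer's media packet arrives at a WAN port with no table entry and is dropped; that is the failure behind the thread's three workarounds (a very wide forwarded port range, the DMZ, or an H.323-aware router), and the DMZ case shows why the router then filters nothing at all and the host's own hardening is all that is left.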

For RDS, Netmeeting is not a bad choice, as I use it on the LAN between machines and over the Internet through a NAT router using port forwarding with BlackIce running on the machine limiting what IP(s) could reach the machine. As for conferencing coming through a NAT router that's not H.323 compliant, it's a PITA.

Duane :)

Reply to
Duane Arnold
