Regarding Bypassing the firewall

Hi all,

I am doing work on a firewall, so I want to know whether it is possible that we can bypass the firewall without configuration in an audio/video communicator.

Thanx in advance!

Ravi

Reply to
ravicse04

Do you mean that you want audio/video to be allowed to pass by some unnamed firewall?

If so, what audio/video are we talking about, what firewall, ...?

Joachim

Reply to
Joachim Schipper

Your question is too general to be easily answered. What type of firewall?

Reply to
T. Sean Weintz

Hi,

Thanx for your response, but I only want to know that some people claim that we can bypass the firewall without configuration in instant messenger (I am not 100% sure about this). Anyone can give me enough information, links.

Regards, Ravi.


Reply to
ravicse04

Thanx walter,

Can u give me some link regarding my query

"can we bypass the firewall without configuration in instant messenger/"

I want to explore more.

I hope u will reply me soon.

Ravi


Reply to
ravicse04

Hi ,

My question is clear. I just try to understand my question again briefly. Actually I am doing work on a video conferencing product, so regarding this I have a question:

Q- When we will in conference then for the protection of our conference we have to configure our firewall regarding outside attack and I want entry of that person who is authorised to do conference; this means that we have to do some configuration manually in firewall setting. So I just want to know that there is any method for which without configuring the firewall we can give the permission to authorised person, or in another word, without configuration bypass the firewall.

Ravi


Reply to
ravicse04

In article , wrote:
:Some people claim that we can bypass the firewall without
:configuration in instant messenger (I am not 100% sure about this). Anyone
:can give me enough information, links.

*Possibly* they are referring to a UPnP (Universal Plug And Play) interaction with a firewall. If you have an NT/XP based system and a UPnP equipped firewall, then applications can send instructions to the firewall to open ports.

Alternately, *possibly* they are referring to H.323 / SIP / RSTP interaction with a capable firewall. Some firewalls monitor connections for those protocols, see the port numbers mentioned in the negotiations, and automatically open incoming and outgoing connections as needed to support the calls. (One example: Cisco PIX firewalls.)

I would not, however, call either of these "bypassing" the firewall: they both involve well-defined interactions with the firewall.

With the UPnP scenario, one has the worry that a rogue program will open too much, but one also has the flexibility that new port sets can be activated by simple software download; in the case of protocol "inspection" on a firewall, the inspections are restricted to well-defined bounds and rogue programs cannot simply open arbitrary incoming ports to all comers, but one loses in flexibility by only having support for whatever kind of inspections that the firewall manufacturer has supplied.

Reply to
Walter Roberson

On 23 Jun 2005 05:06:17 -0700, snipped-for-privacy@gmail.com spoketh

Your question, in your mind, is absolutely very clear. We know that you know what it is you are saying. However, something is getting lost in the translation, which makes it difficult for us to understand what it is you want to do.

Although the question is becoming clearer, there's still some room for interpretation.

If the video conferencing is initialized on the inside of your network, you should only have to create one rule one time to allow the video conferencing device (one single static IP) to make an outbound connection. Allowing this outbound connection should not create any significant avenue of attack for any outsiders, as inbound access is still limited.

If the video conferencing is initialized on the outside, then you need a rule on the firewall to allow this traffic from the outside to the video conferencing device, which does create some additional risk. The rule should be very specific to only allow the traffic to the video conferencing device, which should be off and/or disconnected when not in use. Also consider using a DMZ for this, to prevent any issues on your protected network.

But, if you don't want to leave it open on your firewall all the time, then you'll need to enable/disable the rule(s) on the firewall each time.

Lars M. Hansen


Reply to
Lars M. Hansen

In article , wrote:
:Can u give me some link regarding my query
:
:"can we bypass the firewall without configuration in instant
:messenger/"

Sorry, no, I do not understand it as phrased. I suggested some meanings earlier, but you did not clarify what you were trying to do.

- What does it mean to "bypass the firewall" ?

- What does it mean "without configuration" ?

- Does the preposition "in" bind to "configuration" or was the wrong preposition used, or is there a missing comma apposition?

Sorry, that question is probably not at all clear to someone who has not taken endless hours of English grammar. Let me try a different way: Because the 'in' is beside 'configuration' without any break such as a comma, your sentence as written is talking about not needing to configure *instant messenger*.

e.g., "How can I survive without cold beer in the fridge" is not asking how you will survive in the fridge if you do not have cold beer during your stay there: the "in" phrase modifies the closest thing it can, "cold beer", so the example sentence is talking about the cold beer that is {not} located in the fridge.

Similarly, your sentence as written is referring to reconfiguration work that would be done in Instant Messenger. I suspect, though, that you mean to talk about reconfiguration of the firewall, and that you are asking about how you could use Instant Messenger to trigger bypassing the firewall.

- Or perhaps you are asking whether it is true that someone who was using Instant Messenger could bypass your firewall? And you want to know how to prevent that??

- Any discussion about the bypassing or not of firewalls would depend on the firewall features, so we would need to know which manufacturer and model and software version are involved.

I am not clear as to whether you are trying to prevent bypassing the firewall, or if you want to bypass the firewall and you are asking for instructions on how to use Instant Messenger to do so??

Reply to
Walter Roberson

Some firewalls yes, some firewalls no. Again, the question is too general. You don't even specify if you are talking about external hardware or host based software firewalls.

Reply to
T. Sean Weintz

Hi,

Regarding my query, I have gone through the Cisco site where they are writing something "Cisco Secure IS uses Context-based Access Control (CBAC)" and they are writing that:

"CBAC maintains the connection state information for individual connections. This state information is used to make intelligent decisions about whether packets should be permitted or denied, and dynamically creates and deletes temporary openings in the firewall.

Understanding the particular TCP or UDP ports used for communication between the client and the server is important for the administration and verification of multimedia traffic through the firewall. The RTSP client uses TCP port 554 or 8554 to open a multimedia connection with a server. The data channel or data control channel (using RTCP) between the client and the server is dynamically negotiated between the client and the server using any of the high UDP ports (1024 to 65536)."

I am giving you the link regarding this above statement:

After going through the link, anybody can tell me that it is possible that bypass the firewall without configuration.

Waiting for suggestions.

Regards, Ravi.


Reply to
ravicse04
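The two mechanisms contrasted earlier in this thread (application-requested port mappings versus protocol inspection, including the CBAC behaviour quoted in the post above), as an added example that is not from any poster or from Cisco: a simplified Python model of an inspector that opens a temporary opening only for the ports negotiated on the RTSP control channel, next to a mapping that admits any source. The names `RtspInspector`, `Pinhole` and `upnp_style_mapping`, and all addresses and ports, are constructed for illustration; a real inspection engine also tracks sequence numbers, timeouts and TCP state.

```python
import re
from dataclasses import dataclass

PORTS = re.compile(r"(client|server)_port=(\d+)-(\d+)")

# Constructed RTSP messages (documentation-range addresses, made-up ports).
SETUP = ("SETUP rtsp://198.51.100.20/conf RTSP/1.0\r\nCSeq: 2\r\n"
         "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n\r\n")
OK = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\n"
      "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6256-6257\r\n\r\n")
TEARDOWN = "TEARDOWN rtsp://198.51.100.20/conf RTSP/1.0\r\nCSeq: 3\r\n\r\n"

@dataclass(frozen=True)
class Pinhole:
    src_ip: str        # "*" means any source address
    src_ports: range
    dst_ip: str
    dst_ports: range

    def permits(self, src_ip, src_port, dst_ip, dst_port):
        return (self.src_ip in ("*", src_ip) and src_port in self.src_ports
                and dst_ip == self.dst_ip and dst_port in self.dst_ports)

class RtspInspector:
    """Toy inspector for one RTSP control connection: inside client -> outside server."""
    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.pinholes = []

    def observe(self, message):
        first_line = message.split("\r\n", 1)[0]
        if first_line.startswith("TEARDOWN"):
            self.pinholes.clear()          # session over: close the temporary openings
            return
        ports = {side: range(int(lo), int(hi) + 1)
                 for side, lo, hi in PORTS.findall(message)}
        # Open only once the server's reply has confirmed both port pairs.
        if first_line.startswith("RTSP/1.0 200") and ports.keys() >= {"client", "server"}:
            self.pinholes.append(Pinhole(self.server_ip, ports["server"],
                                         self.client_ip, ports["client"]))

    def permits_inbound(self, src_ip, src_port, dst_ip, dst_port):
        return any(p.permits(src_ip, src_port, dst_ip, dst_port) for p in self.pinholes)

def upnp_style_mapping(internal_ip, port):
    """Model of an application-requested port mapping: any source may reach the port."""
    return Pinhole("*", range(0, 65536), internal_ip, range(port, port + 1))
```

The inspected opening is bound to one server address and one negotiated port range and disappears at TEARDOWN, while the modelled mapping stays reachable from every source until something removes it.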

Depends, but probably (almost definitely) some config changes will need to be made on the firewall.

You still have not answered the question: what type of firewall.

You imply it is a Cisco router with IOS firewalling with that link, and not a true dedicated firewall. Can you confirm?

What I need to know is the EXACT make and model we are talking about here. All firewalls are different.

Reply to
T. Sean Weintz

In article , wrote:
:I am giving you the link regarding this above statement:
:
:After going through the link, anybody can tell me that it is possible
:that bypass the firewall without configuration.

Please re-read Lars's reply. *You* know what you mean, but we don't.

I will try a guess at what you mean. Do I understand correctly that:

1) you already have a Cisco IOS router

2) the IOS image you have supports the Firewall Feature Set

3) you have RTSP, SIP, and RTCP inspection support turned on in the CBAC rules section of your router

4) you have *outside* users who need to be able to engage in multimedia connections to your servers

5) your multimedia connections will negotiate dynamic ports through the standard RTSP mechanisms

6) the connection for those outside users is initiated from outside, rather than being initiated by the internal servers

7) the IP addresses of those outside users are effectively not fixed -- either the IP addresses are dynamic, or the set of authorized users changes too frequently to make it practical to maintain an explicit list

8) that everyone else, not authorized, should not even be able to get as far as the servers -- that either your servers do not have good authentication or you need to block potential Denial of Service problems before they reach the servers

9) that even the people who are, generally speaking, authorized, should not have the ability to connect to the servers at arbitrary times -- for example, they might only be granted access when they have paid for access to particular news stories you carry

10) that although your server authentication is not sufficient to generally restrict unauthorized users to your satisfaction, that your server authentication -is- sufficient to ensure that the authorized people are accessing the -correct- content. Or, alternately, that your servers have no authentication mechanisms and that the way you are controlling access is to use different port numbers for the different users, with you counting on the router firewall features to ensure that it is only a particular IP that is granted access to that particular port.

11) that in your situation, it is not feasible to handle access control by returning unique resource names to the various users, with a back-end checking the resource names to match them up with the appropriate authorized user before granting access

12) that your various security mechanisms are sufficient to be able to distinguish between different users with the same IP address (e.g., AOL uses private IP addresses internally for users, and uses Network Address Translation when users connect to non-AOL resources.)

13) that you have -some- authentication method which is able to determine the user IP address before the user attempts the connection to the content server, and you desire that that authentication method can authorize temporary server access without you having to reconfigure the router.

Here, by "some authentication method", I include a scenario such as, "Hi Bram, it's Ravi from Marketing in my hotel room at the trade convention in Athens. Listen, I have a 2 o'clock video conference with the VP of Marketing, so could you arrange so that my laptop here at the hotel can get through?"

Reply to
Walter Roberson

Hi,

Sorry I didn't give u answer that which type of firewall I am using. Regarding this: We have two offices, A and B. A is headquarters and B is branch office. I have a server in A (HQ) and in branch office (B) NETGEAR prosafe VPN firewall router in branch office. So for conferencing I have to configure my communicator firewall setting, but I want to know that any other way is possible that we take part in conferencing without configuring our firewall setting (just bypass the firewall without configuration).

Regards, Ravi.


Reply to
ravicse04

OK, FIRST you post the question "can we bypass the firewall without configuration in instant messenger", but we then find out that what you are likely trying to do is pass video conferencing, possibly over a VPN.

DUH.

Seriously. You need to learn how to state your questions. Tell people what you are actually trying to do. Don't throw out buzzwords. You were assuming a question that in fact had NOTHING TO DO with what you were trying to accomplish would have relevance.

In fact, it's still not clear. One of the sites has a netgear prosafe. But you still don't say which model, and given that they are radically different, we can't answer unless we know! Does the other site also have a prosafe vpn router? If so, are the two sites set up to use a VPN between each other? Is it these two sites you are trying to conference between?

When you say "I have to configure my communicator firewall setting" are you referring to a firewall on the PC or the netgear prosafe?

Reply to
T. Sean Weintz
