Pete (Guest)
Posted: Fri Jul 09, 2004 7:39 am
Post subject: why isn't the set of open ports a security problem?

I use a Windows XP Pro PC from behind a router with a NAT
firewall. Just started using NetMeeting recently. Found MS
article 158623 about port usage and set up these open
ports on my router. NetMeeting works fine.
I'm concerned about all these open ports and whether this
makes my PC susceptible to hackers. I ran Symantec's
security check - it says that the PC's ports still operate
in "stealth" mode and that it is secure.
Can someone explain why this is so? I would like to get
more comfortable that leaving the ports open for easy
NetMeeting use is not creating a security risk.
Thanks.

Brian Sullivan MVP (Guest)
Posted: Fri Jul 09, 2004 4:09 pm
Post subject: Re: why isn't the set of open ports a security problem?

Pete wrote:
> I use a Windows XP Pro PC from behind a router with a NAT
> firewall. Just started using NetMeeting recently. Found MS
> article 158623 about port usage and set up these open
> ports on my router. NetMeeting works fine.

What ports did you set to "open"?
> I'm concerned about all these open ports and whether this
> makes my PC susceptible to hackers. I ran Symantec's
> security check - it says that the PC's ports still operate
> in "stealth" mode and that it is secure.

I am not exactly sure what you have done or want to do.
Generally the way to get full operation of NetMeeting behind a router is to
set the NetMeeting machine as the dmz device. This means that the dmz
machine is exposed to all unsolicited traffic from the internet so a
software firewall on the target machine is recommended.
If you just wanted NetMeeting data function-- no forwarding of ports would
be required for outgoing calls, incoming calls would require only tcp 1503
be forwarded. In that case though there is still the potential risk of
receiving ( and running) a virus infected file, of allowing outside users to
control the machine but that would require a knowing or unknowing accomplice
to be a risk.
Unless you are running a true border firewall where ports can be "opened" or
"closed" for all machines on the network in both directions, the security
risk in "opening" ports on a soho router is that you are forwarding an
incoming port to a single machine. If that machine is compromised or if the
program listening on the forwarded port is flawed there is a security risk.
> Can someone explain why this is so? I would like to get
> more comfortable that leaving the ports open for easy
> NetMeeting use is not creating a security risk.

As I said before "opening"/forwarding ports to a machine can be a risk if the
target machine is compromised or the program listening ( NetMeeting) is
flawed. Since NetMeeting requires dmz function for full use there is more of
a risk since the attack surface is larger.
--
Brian Sullivan
Meeting by Wire ( http://www.meetingbywire.com)
------------
Is your PC protected? --
http://www.microsoft.com/security/protect/default.asp

Guest
Posted: Sun Jul 11, 2004 1:31 am
Post subject: Re: why isn't the set of open ports a security problem?

Hi,
MS article 158623 says that NetMeeting (NM) needs these
ports:
primary TCP connections on 389, 522, 1503, 1720, 1731.
secondary UDP connections dynamically assigned to ports
1024-65536.
also mentions dynamic assignment of a TCP port by the
H.323 call-control protocol although does not state which
ports involved. Since it says dynamic, I allowed that it
might also be in 1024-65536.
Therefore, on my Belkin F5D5230-4 router following Belkin
tech support's guidance I did this:
Created a Virtual Server setting to pass through each of
the five individual numbered ports as TCP ports to the PC
on my LAN that uses NetMeeting.
Used the Special Application Ports to enable the range of
ports 1024-65536 for both UDP and TCP pass-through.
I did NOT put the entire PC in the DMZ zone since I want
to avoid that degree of an insecure interface.
This worked. I am able to make incoming and outgoing
calls, share applications, and use audio connectivity
albeit with significant audio delay.
Note: I only need limited functionality on NM: Establish
incoming AND outgoing calls using an IP address that
either the other party or I enters. Share applications
during a call such as PowerPoint, Excel, and Word. I do
NOT need the audio functionality. It might be nice to be
able to run a video clip and use the whiteboard although I
don't have this need now.
Thanks for your follow-through!

Brian Sullivan MVP (Guest)
Posted: Sun Jul 11, 2004 2:06 am
Post subject: Re: why isn't the set of open ports a security problem?

anonymous@discussions.microsoft.com wrote:
> Hi,
> MS article 158623 says that NetMeeting (NM) needs these
> ports:
> primary TCP connections on 389, 522, 1503, 1720, 1731.
> secondary UDP connections dynamically assigned to ports
> 1024-65536.

Yes but 389 is used outgoing -- 522 and 1731 may have been used in very old
versions of NetMeeting (V1) but not for a long time.
> also mentions dynamic assignment of a TCP port by the
> H.323 call-control protocol although does not state which
> ports involved. Since it says dynamic, I allowed that it
> might also be in 1024-65536.

Yes that is true.
> Therefore, on my Belkin F5D5230-4 router following Belkin
> tech support's guidance I did this:
> Created a Virtual Server setting to pass through each of
> the five individual numbered ports as TCP ports to the PC
> on my LAN that uses NetMeeting.

NetMeeting listens on tcp 1503 and 1720
> Used the Special Application Ports to enable the range of
> ports 1024-65536 for both UDP and TCP pass-through.

I am not sure how the "Special Application Ports" feature you mention works.
The usual strategy is to use the dmz feature of the router. That passes all
unsolicited traffic to the target machine -- overkill but usually easier to
do.
> I did NOT put the entire PC in the DMZ zone since I want
> to avoid that degree of an insecure interface.

Well if what you have done works it is slightly more secure ( not much). I
would still recommend a software firewall on the target machine though.
> This worked. I am able to make incoming and outgoing
> calls, share applications, and use audio connectivity
> albeit with significant audio delay.

I doubt the audio delay is from your router so it sounds like you have full
function.
> Note: I only need limited functionality on NM: Establish
> incoming AND outgoing calls using an IP address that
> either the other party or I enters. Share applications
> during a call such as PowerPoint, Excel, and Word. I do
> NOT need the audio functionality. It might be nice to be
> able to run a video clip and use the whiteboard although I
> don't have this need now.
> Thanks for your follow-through!

If you have any data function you should have whiteboard function. There is
no facility to "play a video clip" in NetMeeting and have it transmitted.
--
Brian Sullivan
Meeting by Wire ( http://www.meetingbywire.com)
------------
Is your PC protected? --
http://www.microsoft.com/security/protect/default.asp
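The point Brian makes in both replies, that forwarding a port (or a whole range, or a DMZ host) hands every packet on it to one LAN machine regardless of what is listening there, is easy to see when the rules are written down as port sets. The script below is an added example for this thread, not code from either poster or from any router vendor. It takes the forwarding rules Pete described (five TCP virtual-server entries plus the 1024-65535 TCP/UDP pass-through; the post's "65536" is one past the highest valid port, so it is rejected rather than silently clamped), compares them with the two inbound listeners Brian names (TCP 1503 and 1720; the assumption that data-only use needs no dynamic media ports is mine, taken from Pete's note that he does not need audio), and shows the same figures for a DMZ host. It also includes a connect-probe classifier that labels a port the way an outside "stealth" checker does. Rule strings and the `report` shape are my own construction.

```python
"""Added example for the NetMeeting port-forwarding thread (not the posters' code).

Models what a SOHO router's forwarding rules deliver to one LAN host, and
classifies a TCP port the way an external scanner would report it.
"""
import socket
from dataclasses import dataclass

MAX_PORT = 65535  # highest valid TCP/UDP port; the post's "65536" is off by one


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    lo: int     # first forwarded port
    hi: int     # last forwarded port (inclusive)


def parse_rule(text):
    """Parse 'tcp 1503' or 'tcp/udp 1024-65535' into one Rule per protocol."""
    protos, _, ports = text.strip().lower().partition(" ")
    lo_s, _, hi_s = ports.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 1 <= lo <= hi <= MAX_PORT:
        raise ValueError(f"bad port range in rule {text!r}")
    return [Rule(p, lo, hi) for p in protos.split("/")]


def rule_is_valid(text):
    """True if parse_rule accepts the rule (used to reject '1024-65536')."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def parse_rules(lines):
    return [r for line in lines for r in parse_rule(line)]


def exposed(rules):
    """Ports the router will forward to the LAN host, keyed by protocol."""
    out = {"tcp": set(), "udp": set()}
    for r in rules:
        out[r.proto].update(range(r.lo, r.hi + 1))
    return out


def excess(exposure, needed):
    """Forwarded ports that no required inbound listener accounts for."""
    return {p: exposure[p] - needed.get(p, set()) for p in exposure}


def report(rules, needed):
    """Counts of forwarded ports and of those nothing should need."""
    exp = exposed(rules)
    exc = excess(exp, needed)
    return {"exposed": {p: len(exp[p]) for p in exp},
            "excess": {p: len(exc[p]) for p in exc}}


def classify(host, port, timeout=1.0):
    """Label a TCP port as an outside scanner sees it.

    'open'     - connection accepted: something is listening
    'closed'   - RST returned: host reachable, nothing listening
    'filtered' - no answer at all (what consumer checkers call "stealth")
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


# Constructed from the thread: Pete's virtual-server entries plus the
# 1024-65535 TCP/UDP pass-through, Brian's minimal listener set, and a DMZ host.
PETE_RULES = parse_rules(["tcp 389", "tcp 522", "tcp 1503", "tcp 1720",
                          "tcp 1731", "tcp/udp 1024-65535"])
MINIMAL_RULES = parse_rules(["tcp 1503", "tcp 1720"])
DMZ_RULES = parse_rules(["tcp/udp 1-65535"])
# Inbound listeners per Brian's reply; 389 is outbound only. Assumes data-only
# use, so no dynamic H.323 media ports are counted as needed.
NEEDED = {"tcp": {1503, 1720}}

if __name__ == "__main__":
    for name, rules in [("Pete's forwarding rules", PETE_RULES),
                        ("Brian's minimal set", MINIMAL_RULES),
                        ("DMZ host", DMZ_RULES)]:
        print(f"{name}: {report(rules, NEEDED)}")
    print("127.0.0.1:1503 ->", classify("127.0.0.1", 1503))
```

Run against Pete's rules the report shows 64,514 TCP and 64,512 UDP ports forwarded, of which only two are the NetMeeting listeners; Brian's two-port set forwards nothing it does not need, and the DMZ host forwards everything. The `classify` result is what a scan like Symantec's sees at scan time: "filtered" means no SYN-ACK and no RST came back, which says what answered that day, not whether a forwarding rule would deliver traffic to a listener that appears later, which is exactly the compromised-host case Brian describes.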