The H.323 - Firewall riddle
Rolf Gartmann
SWITCH Security Group
2003 © SWITCH
Agenda
• what is this all about
• why is H.323 different from other IP based services
• different approaches to solutions
• what else to think about
• conclusion
• questions
'Good' old Times
What is this all about
• convergence of audio/video & data
• based on existing IP infrastructure
• new service → new protocols → new threats
• can be influenced by existing services
• can influence existing services
• H.323 clients can be based on a common OS with additional running services
• H.323 security measures must fit into your current security policy
H.323 Protocol Overview (figure: protocol stack)
  Control:        RAS (Registration, Admission, Status) | Q.931 (Call Signaling) | H.245 (Call Control)
  Media:          Video codecs H.261, H.263 | Audio codecs G.711, G.728, G.729, G.722 | Data protocols T.120
  Packetization:  H.225.0 (RAS over UDP; Q.931 and H.245 over TPKT/TCP) | RTP/RTCP over UDP | T.120 over TCP
  Transport:      UDP / TCP
  IP / Data Link / Physical
H.323 Ports Overview

Function                      Port          Type
Gatekeeper discovery          1718          UDP
Gatekeeper RAS                1719          UDP
Q.931 Call Setup              1720          TCP
H.245 Control Channel         1024-65535    TCP
RTP/RTCP (Video / Audio)      1024-65535    UDP
H.235 secure signaling        1300          TCP
T.120                         1503          TCP
Why is H.323 different ?
HTTP:
  Client -> Server: TCP Port 80
FTP (passive mode):
  Client -> Server: TCP Port 20 (control connection)
    Client: PASV
    Server: 227 Entering Passive Mode (195,176,255,9,230,252)
  Client -> Server: TCP Port 59132 (230*256+252), opened dynamically from the port announced in the 227 reply
Why is H.323 different ? (2)
H.323:
  Client -> Server: TCP Port 1720 (Q.931 call setup)
  Client -> Server: TCP Port 1064 (H.245, port announced inside the Q.931 CONNECT)
  UDP RTP/RTCP (ports announced inside H.245)

Q.931 (ASN.1 parsed):
  Q.931
    Message type: CONNECT (0x07)
    ITU-T Recommendation H.225.0
      h323_uu_pdu (H323-UU-PDU)
        h323_message_body (connect)
          connect
            h245Address (ipAddress)
              ipAddress
                ip: mcu.switch.ch (195.176.255.34)
                port: 1064

H.245 (ASN.1 parsed):
  Source: idefix (130.59.4.167)
  Destination: mcu.switch.ch (195.176.255.34)
  TCP, Src Port: 1261 (1261), Dst Port: 1064 (1064)
  request
    openLogicalChannel
      forwardLogicalChannelNumber: 257
      dataType (audioData)
        audioData: g7231
      h2250LogicalChannelParameters
        iPAddress
          network: idefix (130.59.4.167)
          tsapIdentifier: 49609
H.245 audio/video channel setup (figure: OpenLogicalChan / OpenLogicalChan ack exchanges between h323-client.switch.ch and webcam.switch.ch; each side announces the UDP ports of its RTP and RTCP streams for G.722 audio and H.263 video in both directions; the ports shown are 1422-1425 and 5136-5139 on the client side and 3542-3545 and 5422-5425 on the webcam side)
Different approaches
• stateless / stateful packet filtering
• H.323 aware FW (able to parse ASN.1 in Q.931 call setup and H.245 call control)
• H.323 tunneling / proxies
• separate network for H.323 (H.323 DMZ)
H.323 unaware Firewalls
• because of dynamically allocated ports only limited protection is possible
• all non-privileged ports (UDP/TCP >= 1024) must be opened to / from H.323 clients
• almost no traffic control possible
• strong considerations about common OS (Windows) based H.323 clients (because of additional running services like an SQL service)
H.323 unaware Firewalls (2)
practical example
let's assume you have
• a normal Firewall (not H.323 aware)
• a Windows 2000 based H.323 client
• Visio installed (which additionally installs MSDE)
• changed your FW rules to enable H.323 (allowing TCP/UDP high ports to that system)
SQLslammer would have enjoyed the ride ....
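The practical example above can be turned into a check. The following is an added example (not from the slides): it evaluates the static rule set an administrator ends up with on an H.323-unaware firewall against the other listeners on the same host, and reports which of them the "H.323" rules expose. The client address and the list of listeners are constructed for the example; UDP 1434 is the SQL Server resolution service port through which SQL Slammer spread.

```python
"""Audit a static packet-filter rule set written for an H.323-unaware firewall.

Added example, not from the SWITCH slides. The rule set mirrors the slide's
scenario: to let H.323 work, all non-privileged TCP/UDP ports (>= 1024) are
opened towards the client. Addresses and the list of listeners on the client
are constructed for the example; UDP 1434 is the SQL Server resolution service
port that the SQL Slammer worm used.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp" or "any"
    dst_ip: str     # exact address or "any"
    port_lo: int
    port_hi: int
    action: str     # "allow" or "deny"


H323_CLIENT = "192.0.2.10"   # constructed address of the Windows 2000 H.323 client

# The rules an administrator ends up with on a firewall that cannot follow the
# H.245 and RTP/RTCP ports announced inside the call: open the whole dynamic
# range (1024-65535) in both protocols towards the client.
UNAWARE_RULES = [
    Rule("tcp", H323_CLIENT, 1720, 1720, "allow"),    # Q.931 call setup
    Rule("tcp", H323_CLIENT, 1024, 65535, "allow"),   # H.245 control channel (dynamic)
    Rule("udp", H323_CLIENT, 1024, 65535, "allow"),   # RTP/RTCP media (dynamic)
    Rule("any", "any", 0, 65535, "deny"),             # default deny
]


def first_match(rules, flow):
    """First-match evaluation, as most packet filters do it; default deny."""
    for r in rules:
        if r.proto != "any" and r.proto != flow.proto:
            continue
        if r.dst_ip != "any" and r.dst_ip != flow.dst_ip:
            continue
        if r.port_lo <= flow.dst_port <= r.port_hi:
            return r.action
    return "deny"


# Other listeners assumed to run on the same host (MSDE comes with Visio, as the
# slide notes). None of them has anything to do with H.323.
CLIENT_LISTENERS = {
    "MSDE SQL resolution service (udp/1434)": Flow("udp", H323_CLIENT, 1434),
    "MSDE TDS listener (tcp/1433)": Flow("tcp", H323_CLIENT, 1433),
    "NetBIOS session service (tcp/139)": Flow("tcp", H323_CLIENT, 139),
}


def exposed_listeners(rules, listeners):
    """Names of listeners on the client that the rule set lets traffic reach."""
    return sorted(name for name, flow in listeners.items()
                  if first_match(rules, flow) == "allow")


if __name__ == "__main__":
    for name in exposed_listeners(UNAWARE_RULES, CLIENT_LISTENERS):
        print("reachable through the H.323 rules:", name)
```

The point the run makes is the slide's: the high-port rules needed for H.245 and RTP/RTCP cannot distinguish media from any other service listening above 1024, so both MSDE listeners become reachable while only the privileged NetBIOS port stays blocked. Replace the constructed listener list with the real output of `netstat -an` on the client to audit a production rule set the same way.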
H.323 aware Firewalls
• the Call Setup port (TCP 1720) to H.323 clients must be opened
• dynamic rules to / from H.323 clients are necessary
• only more sophisticated FWs can handle that
• you have to trust the dynamic rule setup
  → are dynamically opened ports closed after a call?
  → what about ungracefully terminated calls?
• which H.323 versions (2, 3, 4) are supported by a specific FW?
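What "dynamic rules" and "trusting the dynamic rule setup" amount to is shown by the following added example (not from the slides, and not the code of any firewall product). It models the pinhole table an H.323-aware firewall keeps: the H.245 address from the Q.931 CONNECT and the RTP/RTCP addresses from H.245 openLogicalChannel open pinholes, RELEASE COMPLETE closes them, and an idle timeout covers the ungracefully terminated call the slide asks about. It also parses the FTP 227 reply from the earlier "Why is H.323 different ?" slide, the simpler case of the same in-band port announcement. Signalling arrives as already-decoded dicts (the ASN.1 decoding is out of scope); the addresses and ports are the ones from the slide's capture, while the call reference, the idle limit and the FTP reply are constructed.

```python
"""Model of the dynamic rule handling an H.323-aware firewall has to do.

Added example, not from the SWITCH slides or any firewall product. Signalling
messages arrive here as already-decoded dicts; the ASN.1 (PER) decoding of
Q.931/H.225.0 and H.245 that the slides mention is out of scope. The addresses
and ports are those of the slide's capture (mcu.switch.ch 195.176.255.34
announcing H.245 on port 1064, idefix 130.59.4.167 announcing tsapIdentifier
49609). The call reference, the idle limit and the FTP reply are constructed.
"""
import re

# FTP passive mode, the slide's warm-up case: the data port is announced in band
# as two bytes, p1*256 + p2, inside the 227 reply.
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) announced by a '227 Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


class H323Pinholes:
    """Pinhole table keyed by (proto, ip, port), grouped per call reference."""

    IDLE_LIMIT = 120  # seconds without packets before a pinhole is dropped (constructed)

    def __init__(self):
        self.by_call = {}    # call_ref -> set of pinholes
        self.last_seen = {}  # pinhole -> time of last packet (or of opening)

    def _open(self, call_ref, pinhole, now):
        self.by_call.setdefault(call_ref, set()).add(pinhole)
        self.last_seen[pinhole] = now

    def on_q931(self, msg, now):
        """CONNECT carries h245Address: open the H.245 channel.
        RELEASE COMPLETE ends the call: close everything that belongs to it."""
        if msg["type"] == "CONNECT":
            a = msg["h245Address"]
            self._open(msg["callRef"], ("tcp", a["ip"], a["port"]), now)
        elif msg["type"] == "RELEASE_COMPLETE":
            self.close_call(msg["callRef"])

    def on_h245(self, msg, now):
        """openLogicalChannel and its ack carry the RTP/RTCP transport addresses."""
        if msg["type"] in ("openLogicalChannel", "openLogicalChannelAck"):
            for a in msg["transportAddresses"]:
                self._open(msg["callRef"], ("udp", a["ip"], a["port"]), now)

    def permit(self, proto, ip, port, now):
        """Forward a packet only through a pinhole opened by signalling; refresh it."""
        pinhole = (proto, ip, port)
        if pinhole not in self.last_seen:
            return False
        self.last_seen[pinhole] = now
        return True

    def close_call(self, call_ref):
        for pinhole in self.by_call.pop(call_ref, set()):
            self.last_seen.pop(pinhole, None)

    def expire(self, now):
        """For calls that never sent RELEASE COMPLETE: drop idle pinholes."""
        stale = [p for p, t in self.last_seen.items() if now - t > self.IDLE_LIMIT]
        for pinhole in stale:
            del self.last_seen[pinhole]
            for holes in self.by_call.values():
                holes.discard(pinhole)
        return len(stale)


def walk_through():
    """Replay the slide's call, then an ungraceful end; return what the firewall decided."""
    fw = H323Pinholes()
    fw.on_q931({"type": "CONNECT", "callRef": 1,
                "h245Address": {"ip": "195.176.255.34", "port": 1064}}, now=0)
    fw.on_h245({"type": "openLogicalChannel", "callRef": 1,
                "transportAddresses": [{"ip": "130.59.4.167", "port": 49609}]}, now=1)
    result = {
        "h245_tcp": fw.permit("tcp", "195.176.255.34", 1064, now=1),
        "rtcp_udp": fw.permit("udp", "130.59.4.167", 49609, now=2),
        "unsignalled_udp": fw.permit("udp", "130.59.4.167", 1434, now=2),
    }
    # No RELEASE COMPLETE arrives and no packet flows for longer than IDLE_LIMIT.
    result["expired"] = fw.expire(now=200)
    result["rtcp_after_expiry"] = fw.permit("udp", "130.59.4.167", 49609, now=200)
    result["open_pinholes"] = len(fw.last_seen)
    return result
```

Two things to verify on a real H.323-aware firewall correspond to the two branches here: that a pinhole only exists for an address the signalling actually announced (the unsignalled UDP 1434 packet is dropped even though it goes to the same host), and that pinholes disappear both on RELEASE COMPLETE and, for calls that end without one, after an idle period. A firewall that only implements the first branch leaves the media ports open until the next reboot.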
H.323 aware Firewalls (2)
some FWs which claim to handle H.323 dynamically:
• Cisco Secure IS
• Cisco PIX
• Checkpoint FW-1
• Netscreen
H.323 Tunneling
• possibility to limit ports, based on a well known environment
• can also be used with NAT
• no additional rules necessary for new H.323 clients
• no H.323 aware FW necessary
• additional systems required
• proprietary solution available:
  Ridgeway: http://www.ridgewaysystems.com (IPFreedom)
  costly licence scheme
H.323 Tunneling (2)
idea
• IPFreedom client connects to the IPFreedom server on fixed ports:
  * all client connections are outbound
  * all client connections go only to the IPFreedom server
  * connections are only through two ports
• IPFreedom proxies the gatekeeper so it appears at the IPFreedom client.
• Endpoints set the IPFreedom client as their gatekeeper. Endpoint registrations then appear in the gatekeeper as ports on the IPFreedom server, each with a unique H.323 alias.
• All TCP traffic goes over the pre-established TCP connection.
• As UDP streams are needed, the IPFreedom client pushes a stream out to the server that the server can use for return traffic (outbound, fixed ports).
• The IPFreedom server has the intelligence to resolve the private internal IP addresses.
H.323 Tunneling (3) (figure: H.323 clients → IP Freedom client → IP Freedom server, over TCP/UDP port 2776 and UDP port 2777)
NAT
• Network Address Translation (NAT) breaks the Q.931 call setup (the IP addresses and ports carried inside the signalling are the untranslated, wrong ones)
• some workarounds are available, but only for dedicated systems and mostly for outgoing calls
• gnuGK does have some limited support
• if applicable, use a dedicated H.323 DMZ outside your NAT network
What else to care about ?
• configuration changes (let's forward your calls to ...)
• administration interface of clients (e.g. HTTP)
• gathering personal information (e.g. SNMP)
• capture of audio / video streams (e.g. vomit)
• H.323 phone clients can not be used anymore as an 'out of band' communication channel if the network is down
• T.120 data (ab)use
• H.323 aware FWs will not work with H.323 encryption mode
Conclusion
• the H.323 protocol is complex:
  - a lot of ports are involved
  - dynamically assigned UDP / TCP ports
  - ports announced inside the ASN.1 encoded data stream
  → no simple but strict Firewall rule set possible
  → H.323 aware FW or H.323 tunneling / proxies preferred
• clients:
  - be aware of OS specific vulnerabilities
  - use standalone / dedicated H.323 devices if possible
• consider a separate H.323 LAN
• unfortunately no 'silver bullet' solution around for H.323 and firewalls
Additional information
• http://www.ja.net/development/video/vip/reports/south6.pdf
• http://www.h323forum.org/papers/H323_SIP_Firewall_Cookbook_Q1_2002_Ori_Davidson_RADVISION.pdf
• http://www.videnet.gatech.edu/cookbook/network.html
• http://www.dfn.de/projekte/symposium/symposium01/roedig_symposium01_firewalls.pdf
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t7/fw_rtsp.htm#xtocid1876414
• http://www.kom.e-technik.tu-darmstadt.de/KOMproxd/
• http://www.gnugk.org
Questions ?