the H.323 - Firewall riddle

the H.323 - Firewall riddle
Rolf Gartmann
SWITCH Security Group
2003 © SWITCH

Agenda
• what is this all about
• why is H.323 different from other IP based services
• different approaches to solutions
• what else to think about
• conclusion
• questions
2003 © SWITCH 2

‚Good‘ old Times
2003 © SWITCH 3

What is this all about
• convergence of audio/video & data
• based on existing IP Infrastructure
• new service fi new protocols fi new threats
• can be influenced by existing services
• can influence existing services
• H.323 clients can be based on a common OS with
additional running services
• H.323 security measures must fit into your current
security policy
2003 © SWITCH 4

H.323 Protocol Overview
Registration
Admission
Status
Call
Signaling
Call
Control
RAS Q.931 H.245
Video
Codecs
H.261
H.263
Audio
Codecs
G.711
G.728
G.729
G.722
Data
Protocols
T.120
H.225 Packetization
TPKT
RTP/RTCP
UDP
TCP
UDP
TCP
IP / Data Link / Physical
2003 © SWITCH 5

H.323 Ports Overview
Function
Gatekeeper discovery
Gatekeeper RAS
Q.931 Call Setup
H.245 Control Channel
RTP/RTCP
( Video / Audio )
H.235 secure signaling
T.120
Port
1718
1719
1720
1024-65535
1024-65535
1300
1503
Type
UDP
UDP
TCP
TCP
UDP
TCP
TCP
2003 © SWITCH 6

Why is H.323 different ?
HTTP:
TCP Port 80
Client
Server
FTP (passive mode):
TCP Port 20
Client
dyn. open
TCP Port 59132
( 230*254+252 )
Server
PASV
227 Entering Passive Mode (195,176,255,9,230,252)
2003 © SWITCH 7

Why is H.323 different ? (2)
H.323:
TCP Port 1720
TCP Port 1064
UDP RTP/RTCP
Client
Q.931 ( ASN.1 parsed )
Q.931
Message type: CONNECT (0x07)
ITU-T Recommendation H.225.0
h323_uu_pdu (H323-UU-PDU)
h323_message_body (connect)
connect
h245Address (ipAddress)
ipAddress
ip: mcu.switch.ch (195.176.255.34)
port: 1064
Client
H.245 (ASN.1 parsed )
Source: idefix (130.59.4.167)
Destination: mcu.switch.ch (195.176.255.34)
TCP, Src Port: 1261 (1261), Dst Port: 1064 (1064)
request
openLogicalChannel
forwardLogicalChannelNumber: 257
dataType (audioData)
audioData: g7231
h2250LogicalChannelParameters
iPAddress
network: idefix (130.59.4.167)
tsapIdentifier: 49609
2003 © SWITCH 8

H.245 audio/video channel setup
h323-client.switch.ch
OpenLogicalChan
‹
‹
OpenLogicalChan
OpenLogicalChan ack
‹
OpenLogicalChan ack
‹
Port
1423
5136
5138
1425
5139
1422
5137
1424
H.245 data
G.722 / 5137
5422
G.722 / 5423
H.263 / 5139
5136
H.263 / 5425
5138
5424
Data Type
RTP / G.722 fi
‹ RTP / G.722
‹ RTP / H.263
RTP / H.263 fi
‹ RTCP
RTCP fi
‹ RTCP
RTCP fi
webcam.switch.ch
fi
OpenLogicalChan ack
OpenLogicalChan
fi
fi
OpenLogicalChan
fi
OpenLogicalChan ack
Port
5422
3543
3545
5424
3544
5423
3542
5425
2003 © SWITCH 9

Different approaches
• stateless / stateful packet filtering
• H.323 aware FW ( able to parse ASN.1 in Q.931 call setup
and H.245 call control )
• H.323 tunneling / proxies
• separate network for H.323 ( H.323 DMZ )
2003 © SWITCH 10

H.323 unaware Firewalls
• because of dynamic allocated Ports only limited
protection possible
• all non-privileged Ports ( UDP/TCP >= 1024 ) must be
opened to / from H.323 clients
• almost none traffic control possible
• strong considerations about common OS ( Windows )
based H.323 clients ( because of additional running
services like SQLservice )
2003 © SWITCH 11

H.323 unaware Firewalls (2)
practical example
let’s assume you have
• normal Firewall ( not H.323 aware )
• Windows 2000 based H.323 Client
• Visio installed ( which additionally installs MSDE )
• changed your FW rules to enable H.323
( allowing TCP/UDP high ports to that system )
SQLslammer would have enjoyed the ride ....
2003 © SWITCH 12

H.323 aware Firewalls
• Call Setup Port ( TCP 1720 ) to H.323 clients must be
opened
• dynamic rules to / from H.323 clients necessary
• only more sophisticated FW’s can handle that
• you have to trust the dynamic rule setup
fi are dynamically opened ports closed after a call ?
fi what about ungratefully terminated calls ?
• which H.323 versions ( 2,3,4 ) are supported by a specific
FW ?
2003 © SWITCH 13

H.323 aware Firewalls (2)
some FW’s which claim to handle H.323 dynamically:
• Cisco Secure IS
• Cisco PIX
• Checkpoint FW-1
• Netscreen
2003 © SWITCH 14

H.323 Tunneling
• possibility to limit ports, based on well known
environment
• can also be used with NAT
• no additional rules necessary for new H.323 clients
• no H.323 aware FW necessary
• additional systems required
• proprietary solution available:
Ridgeway: http://www.ridgewaysystems.com (IPFreedom)
costly license schema
2003 © SWITCH 15

H.323 Tunneling (2)
idea
• IPFreedom client connects to the IPFreedom server on fixed ports:
* All client connections are outbound
* All client connections go only to the IPFreedom server
* Connections are only through two ports
• IPFreedom proxies the gatekeeper so it appears at the IPFreedom
client.
• Endpoints set IPFreedom client as their gatekeeper. Endpoint
registrations then appear in the gatekeeper as ports on the
IPFreedom server, each with a unique H.323 alias.
• All TCP traffic goes over the pre-established TCP connection.
• As UDP streams are needed the IPFreedom client pushes a stream
out to the server that the server can use for return traffic. (outbound,
fixed ports)
• The IPFreedom server has the intelligence to resolve the private
internal IP addresses.
2003 © SWITCH 16

H.323 Tunneling (3)
Client
Client
TCP/UDP Port 2776
UDP 2777
IP Freedom
Client
IP Freedom
Server
2003 © SWITCH 17

NAT
• Network Address Translation (NAT) breaks the Q.931 Call
Setup ( wrong IP addresses and Ports )
• some workarounds are available but only for dedicated
systems and mostly outgoing calls
• gnuGK does have some limited support
• if applicable use a dedicated H.323 DMZ outside your
NAT network
2003 © SWITCH 18

What else to care about ?
• configuration changes ( let’s forward your calls to ... )
• administration interface of clients ( e.g HTTP )
• gathering personal information ( e.g SNMP )
• capture audio / video streams ( e.g vomit )
• H.323 phone clients can not be used anymore as an ‘out
of band’ communication channel if network is down
• T.120 data (ab)use
• H.323 aware FW will not work with H.323 encryption
mode
2003 © SWITCH 19

Conclusion
• H.323 protocol is complex:
- a lot of ports are involved
- dynamic assigned UDP / TCP ports
- suggested ports inside ASN.1 encoded data stream
fi no simple, but strict Firewall rule set possible
fi H.323 aware FW or H.323 tunneling / proxies preferred
• clients:
- be aware of OS specific vulnerabilities
- use standalone / dedicated H.323 devices if possible
• consider a separate H.323 LAN
• unfortunately no ‘silver bullet’ solution around for H.323
and firewalls
2003 © SWITCH 20

Additional information
• http://www.ja.net/development/video/vip/reports/south6.pdf
• http://www.h323forum.org/papers/H323_SIP_Firewall_Cookbook_Q1
_2002_Ori_Davidson_RADVISION.pdf
• http://www.videnet.gatech.edu/cookbook/network.html
• http://www.dfn.de/projekte/symposium/symposium01/roedig_sympo
sium01_firewalls.pdf
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12
0newft/120t/120t7/fw_rtsp.htm#xtocid1876414
• http://www.kom.e-technik.tu-darmstadt.de/KOMproxd/
• http://www.gnugk.org
2003 © SWITCH 21

Questions ?
2003 © SWITCH 22