[3365] in WWW Security List Archive
Re: MS NetMeeting sevurity issues?
daemon@ATHENA.MIT.EDU (Brian W. McKenney)
Thu Oct 24 10:38:54 1996
Date: Thu, 24 Oct 96 08:28:09 EDT
To: George Loudon <forest@aztec.co.za>
From: mckenney@smiley.mitre.org (Brian W. McKenney)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>Can someone point out any major security issues that pertain to the use of
>MS NetMeeting as a corporate conference tool. Can it be regarded as a
>reasonably 'safe' meeting place?
The use of NetMeeting within a protected enclave is OK. However, if you
want to initiate NetMeeting sessions over an untrusted network, then you
have a problem. NetMeeting, by itself, provides no security. At some
point, NetMeeting may provide security (e.g., user-level authentication)
and take advantage of the MS CryptoAPI. Beta 2 is now out.
I can think of some bad scenarios if the unsuspecting user clicks OK to
have a NetMeeting session with a malicious user, such as denial of service,
offensive writing on white board, offensive chat messages, modification of
shared document, trashing of files, etc.
We are examining NetMeeting and other collaborative applications in
conjunction with IP-level encryption (IPSEC), desktop-to-desktop. Hence,
one could initiate NetMeeting sessions over an untrusted network and be
protected by the security services (authentication, integrity checking,
data privacy) provided by IPSEC. This is transparent to the NetMeeting
user. The use of IPSEC does not secure NetMeeting but it does enable users
to collaborate over secured channels.
The other issue is that NetMeeting protocols may not be permitted through
your firewall. Hence, you need to examine NetMeeting protocols and assess
whether they can be passed through your firewall. The risks of each
protocol need to be examined.
I would be interested in your examination.
-Brian
>
>Thanks in advance.
>
>George Loudon
>Managing Member
>Forest Projects
