TidBITS Talk
iChat AV versus my home router (SIP, NAT and firewalls oh my)
Bob Peterson - 06:37am Jan 26, 2008 PST

iChat AV video conferencing does not work with every Mac user I have tried it with. Sometimes I can't videochat at all. Sometimes only I can invite them. Sometimes they have to enable their router's DMZ feature for me to even contact them.

I think I have found out why iChat AV video conferencing does not always "just work". iChat AV (I'm on Leopard/10.5.1) uses a variant of SIP, Session Initiation Protocol, which is related to VoIP. SIP seems to bury your machine's IP address in the packets, but not where firewalls and NAT servers normally look. Hence attempts to receive or send an invitation to a videochat can fail.

There are hacks that have been proposed (Microsoft's unsafe Universal Plug-and-Play UPnP, STUN, TURN) but it seems the best solution today, short of an IEEE standards fix, is a SIP or VoIP-friendly home firewall/NAT router, such as an Airport Express or Extreme, but Apple's certified some others. Simply opening ports in the firewall is not enough if NAT is involved, and there are differing NAT methods to complicate matters even more.

One other wrinkle is that some ISPs block SIP too; whether by design or accident does not matter. The best test here is to connect the Mac directly to the cable or DSL modem. If iChat AV works for inviting and being invited, it's the router.

My $5 questions are: Have I summarized the sad state of affairs correctly? Does anyone have information to add?

My $100 question is: Does iChat AV video conferencing fully work with the new batch of home routers being advertised as supporting VoIP and/or SIP?

You see, my hubby uses Windows (it's a mixed marriage) so he has a security need for a highly-configurable firewall router. He picked out our (now old) Zyxel Prestige 324. But it won't allow iChat AV (or indeed any SIP app) to work. So I am pressing for a more powerful router, while he's pressing for one that's no less safe than the Zyxel for his immune-deficient XP and Vista machines. What are people's experiences with modern Airport Extreme protecting Windows machines?
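The problem described above, as an added example that is not part of the original post: a generic SIP INVITE with an SDP body (a constructed sample, not an iChat capture) carries the sender's private address in its Via, Contact and SDP lines, which a NAT that rewrites only the IP header leaves untouched. The function names and all addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: a SIP INVITE as it might leave a host behind a home NAT.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 16402 RTP/AVP 0\r\n"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Places where SIP and SDP carry the sender's own address inside the payload.
FIELDS = [
    ("Via", re.compile(r"^Via:\s*SIP/2\.0/\w+\s+" + IPV4, re.I)),
    ("Contact", re.compile(r"^Contact:.*?@" + IPV4, re.I)),
    ("SDP o=", re.compile(r"^o=.*\bIN IP4 " + IPV4)),
    ("SDP c=", re.compile(r"^c=IN IP4 " + IPV4)),
]

def embedded_addresses(message):
    """Return (field, address) pairs found inside the SIP/SDP payload."""
    return [(name, m.group(1))
            for line in message.splitlines()
            for name, pattern in FIELDS
            if (m := pattern.match(line))]

def nat_mismatches(message, observed_src):
    """Fields that advertise a private address differing from the source
    address the far end actually sees on the packet (the NAT's public side)."""
    out = []
    for name, addr in embedded_addresses(message):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a valid IPv4 address, ignore
        if addr != observed_src and any(ip in net for net in RFC1918):
            out.append((name, addr))
    return out
```

Every field returned by `nat_mismatches` is an address the remote party would try to reply or send media to, and cannot reach.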
tsiegel (apparently)
-
Jan 28, 2008 9:56 am
(#1 Total: 5)
Re: iChat AV versus my home router (SIP, NAT and firewalls oh my)
This is a personal opinion, so take it as you will.
First off, there's no substitute for a good firewall on your PC regardless of what else is or isn't protecting your system, whether it be a router with DMZ capabilities, NAT addressing, or just plain no forwarding of ports. There are ways to fool all of these things into allowing access to the machine behind the device.
However, if the machine itself also has a firewall installed, then that adds another layer for any would-be malware/crackers to penetrate.
The tendency of folks to drop in a router, enable the firewall capabilities, then leave the machine wide open isn't a very good practice.
It's kind of the equivalent of locking the front door, but not having doors on any of the bank vaults.
This may seem like overkill, but as far as I'm concerned, you can never have enough protection, and not having any at the OS level is just asking for trouble.
Too many times, I've had to remove the router/hub/switch for replacement or configuration, and while that device is gone, there's no firewalling going on unless there's software on the machines themselves.
Install good firewall software, then buy the router of choice that handles what you need it to do.
A router won't do you any good if it's the best firewall in the world, but it doesn't let you accomplish what you need to get done.
Bob Peterson
-
Jan 29, 2008 11:33 am
(#2 Total: 5)
Re: iChat AV versus my home router (SIP, NAT and firewalls oh my)
Thanks. I'm sure he has a firewall on his Windows machines, too. I'm still more interested in what people know about using videochat through home routers with NATs and firewalls.
Chris Page (apparently)
-
Jan 30, 2008 2:18 pm
(#3 Total: 5)
Re: iChat AV versus my home router (SIP, NAT and firewalls oh my)
On Jan 28, 2008, at 08:56 AM, Travis Siegel wrote:
> However, if the machine itself also has a firewall installed, then
> that adds another layer for any would-be malware/crackers to penetrate.
Per-computer firewalls provide the following important protections,
which centralized firewalls cannot:
1. Make it more difficult for malware that makes its way onto a
computer on the LAN to make malicious outgoing connections.
2. Make it more difficult for compromised machines to attack other
machines on the LAN (because each machine protects itself from other
machines on the LAN).
--
Chris Page - Computer Professional
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents. -- Nathaniel Borenstein
Nik (apparently)
-
Jan 30, 2008 7:15 pm
(#4 Total: 5)
Re: iChat AV versus my home router (SIP, NAT and firewalls oh my)
I spent some weeks trying to get iChat AV to crack through my NAT
router. I'm running OpenWRT, so I have very fine-grained control over
my routing/firewall rules, and I'm pretty good at messing with them.
After lots of work and experimentation, I finally gave up and
installed UPNP on my router, and now everything works just great.
The only downside is that UPNP is inherently insecure. But I suppose
my innate paranoia is overwhelmed by my family's need to video chat
with my daughter.
And, FWIW, Skype never had any problem with my router. No need for
UPNP or any other firewall rules.
--Nik
johnbaxterlists (apparently)
-
Jan 30, 2008 7:15 pm
(#5 Total: 5)
Re: iChat AV versus my home router (SIP, NAT and firewalls oh my)
On Jan 30, 2008, at 1:18 PM, Chris Page wrote:
> Per-computer firewalls provide the following important protections,
> which centralized firewalls cannot:
And one significant disadvantage: the ability of malware to turn them
off, a game which has been played for years now. That's what makes it
so annoyingly hard to turn a typical software firewall off when you
want to (on Windows).
I think both border firewalls and per-machine firewalls are needed.
--John