3Com SuperStack 3 NBX Administrator's Manual page 435

Special Issues 435
3Com recommends that a high-performance PC be dedicated to the
ConneXtions software.
The question of whether an operating system is adequately "secure" is a
subject of debate. The concern is that Windows has many IP ports of its
own. One way to deal with these ports is to set up a firewall that limits
the range of externally accessible ports. However, some organizations
connect the ConneXtions gateway directly to the Internet through a
second NIC that bypasses the firewall protecting the rest of the local
network. ConneXtions supports either configuration.
Organizations that want to completely bypass firewall delays can research
the large volume of security information on the subject.
These descriptions focus on the firewall-protected approach, and offer
guidelines for programming a firewall that can be used to support H.323
connections that are accessible to the public internet.
Outbound Calls
Most firewalls do not restrict outbound packets or IP packets that
respond to outbound initiatives. They are configured for unrestricted
outbound packets with unrestricted reply packets. They do not have to be
changed to support outbound H.323 calls from an NBX system.
Inbound Calls
Firewalls usually discriminate against incoming packets. The network
administrator configures a list of acceptable sources for each destination
address within a protected network. The configuration list includes a list
of entries that the firewall compares to the IP address of the local H.323
gateway and the IP address of an external caller. The configuration list
also discriminates for or against specific types of packets. IP addresses
and packet types must match for packets to pass.
The H.323 protocol uses TCP packets for call setup, and UDP packets to
carry the voice payload. Each type of packet includes an array of port
addresses that are used during the connection. Ports 1720 negotiates
which of the other available ports is used to carry the connection.