20031014-Video-Gemmill

Secure Videoconferencing Today
Jill Gemmill
University of Alabama at Birmingham

Why is security for videoconferencing needed today?

- Some applications require privacy:
  - Telemedicine: for patient comfort and HIPAA requirements
  - Sensitive meetings: grant reviews; counter-terrorism planning
- The Internet is no longer a friendly place: any network-connected system is a target for attacks.

What is meant by “videoconference security”?

At a “gut level”, we might think of:
- No eavesdropping
- No denial of service or break-ins
- No “spamming” (video/voice from unwanted visitors)
- Making sure resources like MCUs are used only by those authorized

Standards for Security: ITU X.800 and IETF RFC 2828

- Authentication
- Access Control
- Data Confidentiality
- Data Integrity
- Nonrepudiation
- Availability Service

Standard Security Mechanisms (ITU X.800)

- Encryption
- Digital Signature
- Access Control
- Data Integrity
- Authentication Exchange
- Traffic Padding
- Routing Control
- Notarization
- Trusted Functionality
- Security Label
- Event Detection
- Security Audit Trail
- Security Recovery

“Legacy” Videoconference Security (H.320)

- Used leased telephone (ISDN) lines: you were buying your own private circuit
- No IP connection used
- Expensive
- “Nailed down”, not reconfigurable

Basic Security Concerns (H.323 and SIP)

- Remote management interfaces:
  - Use strong password for remote logins (Tandberg alone in offering SSL)
  - Turn off streaming
  - Disable FTP, HTML, Telnet and SNMP functions
- Disable Viavideo web interface by clearing password
- Watch for security patches and update systems immediately.

Downside of basic security…

- Usually breaks ability for video support organization to monitor/manage your systems
- Makes it harder to update software (no FTP)
- Solution: put systems behind a firewall

Firewalls and NATs

- Found especially in medical centers
  - Firewall: blocks incoming network traffic
  - Network Address Translator (NAT): hides your network addresses so they can’t be reached from outside
- For videoconferencing, these protections become OBSTACLES to overcome (securely, of course!)

Encryption

- For total privacy, encryption is needed.
- All encryption methods are designed to protect data in transit, so that it is readable only at the source and destination.
- Some encryption methods are tied to user authentication, so that you are assured of who the data came from and that it can be read only by the intended recipient.

Encrypt End-to-End or per Link/Hop?

- End-to-End approach encrypts at source and decrypts at destination
  - Good news: can’t be read in the middle
  - Issue: routers need to read addresses. Data is secure, destination address is not.
- Per Link/Hop Encryption: decrypt/encrypt at router
  - More time consuming (increases latency)
  - Unencrypted data at router is vulnerable
- It is possible to use both approaches simultaneously
  - Overhead includes increased bandwidth and latency

Where to encrypt?

Layer diagram (top to bottom):
- APPLICATIONS: encryption managed by the application
- TRANSPORT (TCP/UDP): encryption managed near transport layer
- NETWORK (IP): encryption managed in the network layer
- Data Link (hardware address)
- Physical Layer (wires)

By design, each layer is unaware of what occurs at other layers.

Virtual Private Network (VPN)

IPSec
- Capable of encrypting/authenticating ALL data at the IP layer
- Transparent to applications (no changes needed)

Layer diagram (top to bottom):
- APPLICATIONS
- TRANSPORT (TCP/UDP)
- NETWORK (IP)
- Data Link (hardware address)
- Physical Layer (wires)

Secure Socket Layer (SSL)

- Created and torn down on a per-session basis
- Frequently used on web servers (https://)
- Transparent to the application
- Note: over TCP only

Layer diagram (top to bottom):
- APPLICATIONS
- SSL / TLS
- TRANSPORT: UDP, TCP
- NETWORK (IP)
- Physical Layer (wires)

Application Specific Encryption

Examples
- E-Mail

Layer diagram (top to bottom):
- APPLICATIONS: S/MIME, PGP, Kerberos
- TRANSPORT (TCP/UDP)
- NETWORK (IP)
- Physical Layer (wires)

Video / Voice ????

Does the videoconferencing application do encryption?

- Not really
  - Standards exist (next speakers)
  - Not implemented in the market
  - Certain vendors offer proprietary use of standard encryption algorithms and claim to have a “standards-based solution” BUT no inter-operability (Tandberg, VCON)

Encryption political issues

- Encryption software is slow; encryption hardware is expensive and increases the cost of the product
- Encryption algorithms may be covered by patents and use requires licensing (e.g., RSA)
- Encryption algorithms may be subject to export control (e.g., DES)

Let’s Consider the videoconferencing application

[Diagram: model for both H.323 and SIP architectures, showing hop-to-hop communication and end-to-end communication]

Things to notice in the model

- SIP Call Control is over TCP
- H.323 Call control is UDP at ends and TCP in the middle
- Media streams: separate voice, video, data, etc. Perhaps two video streams (one in each direction)
- UDP precludes use of SSL

Review:

- Encryption can be done with IPSec, SSL or by Application
- No application-layer encryption for VC
- No SSL for VC due to UDP
- Guess that leaves IPSec and “clever hacks”

Let’s place the model in a university medical center

- Videoconferencing uses dynamic ports: BLOCKED
- Outside calls coming in: BLOCKED
- Willingness to reconfigure firewall: NONE

One approach to secure videoconferencing today

[Diagram; one segment is labelled “Unencrypted here”]

“Secure Telemedicine Utilizing State-Wide Internet”, NIH-SBIR Phase 1. Jim Chamberlain, AZ Technology. Julie Harper, Jill Gemmill UAB.

Pros and Cons

PRO
- Very inexpensive if you already own the firewall
- Relatively simple to install and operate
- Requires cooperation of firewall management

CON
- Requires remote VC station that can load VPN client software
- Suitable for fixed point to point only
- Requires cooperation of firewall management
- VC station must be able to send VPN IP address, not its own

Another approach: a pair of departmentally managed VPNs

Pros and Cons

PRO
- Can be installed at departmental level
- Works with “appliance” VC units like Polycoms

CON
- VC units must be able to send VPN IP address as reply address rather than their own
- Added expense of firewall/VPN units
- Fixed locations only
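
Why the "send VPN IP address as reply address rather than their own" requirement appears in both CON lists, as an added example that is not part of the original slides: call signalling carries the station's own address inside the message body, so a station behind a NAT or VPN tells the far end to reply to an unreachable private address. The sketch uses SIP/SDP because it is plain text (H.323 carries equivalent addresses in binary ASN.1); the INVITE, all addresses and both function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed SIP INVITE from a station behind a NAT; all names/addresses are made up.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:clinic@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.10.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:codec1@example.edu>;tag=1928301774",
    "To: <sip:clinic@example.org>",
    "Call-ID: a84b4c76e66710@codec1.example.edu",
    "CSeq: 1 INVITE",
    "Contact: <sip:codec1@192.168.10.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=codec1 2890844526 2890844526 IN IP4 192.168.10.20",
    "s=Telemedicine consult",
    "c=IN IP4 192.168.10.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31",
])

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Fields the far end reads to decide where signalling replies and media go.
REPLY_FIELDS = ("Via:", "Contact:", "o=", "c=")

def private_reply_addresses(message):
    """Return (field, address) pairs where a reply field carries an RFC 1918 IP."""
    findings = []
    for line in message.splitlines():
        if line.startswith(REPLY_FIELDS):
            field = re.split(r"[:=]", line, maxsplit=1)[0]
            for candidate in IPV4.findall(line):
                try:
                    addr = ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # dotted digits that are not a valid address
                if any(addr in net for net in RFC1918):
                    findings.append((field, candidate))
    return findings

def advertise(message, reply_ip):
    """Rewrite the reply fields so they carry reply_ip (VPN or public address)."""
    return "\r\n".join(
        IPV4.sub(reply_ip, line) if line.startswith(REPLY_FIELDS) else line
        for line in message.splitlines())
```

Running `private_reply_addresses` on a captured setup message from your own station shows whether it advertises its private address; `advertise` shows what the message must look like once the station (or a gateway in front of it) substitutes the VPN address.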

IP Freedom Solution

- Encryption Module: announced & due in market shortly
- Works with SIP and H.323 Call Servers

Pros and Cons

PRO
- Extremely easy to install; no need to contact network staff
- Flexible connectivity
- Available as an I2 Commons service
- Transparent to end users
- Works for both SIP and H.323
- Client software is free
- Supports mobile users

CON
- Expensive
- Encryption module: more expensive
- Licensing is based on number of concurrent users; number shrinks with bandwidth used, and encryption
- Proprietary technology (but only need one!)

“Clever hack”

Other gotchas

- If your campus has a bandwidth manager (Packeteer-type device), your VC multimedia may be mistaken for annoying video/music and have its bandwidth limited
- Result: can degrade or terminate VC session

Action Items?

- Collect “Best Practices” for Secure Videoconferencing?
- Feedback to I2/federal agencies on importance of Application-layer security for video/voice applications
- Other?

Acknowledgments

- “ViDe.Net: Middleware for Scalable Video Services for Research and Higher Education”, NSF ANI-022710 (Gemmill, Chatterjee, Johnson)
- “Alabama Internet2 Middleware Initiative”, NSF EPSCoR, EPS-0091853 via UA-01-016 (Shealy, Gemmill)
- “Secure Telemedicine Utilizing State-Wide Internet”, NIH-SBIR Phase 1. Jim Chamberlain, AZ Technology. Julie Harper, Jill Gemmill UAB.

Any opinions, findings or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.