Introduce Secure VoIP

Transcript Introduce Secure VoIP

Deploying Secure
Videoconferencing Over an
IP Network
Gordon Daugherty
Chief Marketing Officer
Topics to be Covered
• Basics about IP Video
• Design Considerations in the LAN and WAN
• QoS
• Firewalls & NAT
• Management & Administration
• Common Oversights
Ultimate Objective Checklist
• Security
• Connectivity
• Management & Administration
• Transparency (Seamless Use)
The Basics about IP Video
• How much bandwidth is consumed?
– Don’t forget the overhead
• Separate audio and video streams
• Point-to-point versus multipoint versus
multicast
– Especially think about the aggregated bandwidth coming into
the MCU over the WAN link
• TCP for signaling/control and UDP for media
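The bandwidth arithmetic behind the three bullets above, as an added example that is not part of the original slides: per-packet IP/UDP/RTP (and link) overhead is added to each of the separate audio and video streams, and the per-call figure is then multiplied out for point-to-point, multipoint (MCU) and multicast topologies. The codec rates, packet sizes, and the simplified topology model are constructed assumptions, not values from the deck.

```python
# Added example, not from the original slides: estimate the wire bandwidth of
# an IP video call including the per-packet overhead the slide warns about,
# then the aggregate load on the WAN link into an MCU. All codec rates and
# packet sizes below are constructed assumptions for illustration.

IPV4_HDR = 20   # bytes, IPv4 header without options
UDP_HDR = 8
RTP_HDR = 12    # fixed RTP header, no CSRC list or extension
ETH_HDR = 18    # Ethernet header + FCS; replace with the real link's framing


def stream_bandwidth_kbps(payload_kbps, payload_bytes_per_packet, l2_overhead=ETH_HDR):
    """Wire rate of one RTP stream (audio or video) including all headers."""
    packets_per_sec = payload_kbps * 1000 / 8 / payload_bytes_per_packet
    bytes_on_wire = payload_bytes_per_packet + IPV4_HDR + UDP_HDR + RTP_HDR + l2_overhead
    return bytes_on_wire * packets_per_sec * 8 / 1000


def audio_payload_bytes(codec_kbps, ptime_ms):
    """Payload carried per audio packet for a constant-bit-rate codec."""
    return codec_kbps * ptime_ms / 8


def call_bandwidth_kbps(audio_kbps, audio_ptime_ms, video_kbps, video_bytes_per_packet):
    """One direction of a call: audio and video travel as separate RTP streams."""
    audio = stream_bandwidth_kbps(audio_kbps, audio_payload_bytes(audio_kbps, audio_ptime_ms))
    video = stream_bandwidth_kbps(video_kbps, video_bytes_per_packet)
    return audio + video


def wan_link_load_kbps(topology, remote_sites, per_direction_kbps):
    """(inbound, outbound) load on the central site's WAN link.

    Simplified model (an assumption of this example): point-to-point is one
    call; multipoint means every remote site sends one stream set into the MCU
    and receives one back; multicast means a single copy leaves the source and
    the network replicates it, with no media returning.
    """
    if topology == "point-to-point":
        return per_direction_kbps, per_direction_kbps
    if topology == "multipoint":
        return remote_sites * per_direction_kbps, remote_sites * per_direction_kbps
    if topology == "multicast":
        return 0.0, per_direction_kbps
    raise ValueError(f"unknown topology: {topology}")


if __name__ == "__main__":
    # Constructed figures: G.711 audio at 64 kbps, 20 ms per packet;
    # video at 320 kbps in roughly 1000-byte packets.
    per_direction = call_bandwidth_kbps(64, 20, 320, 1000)
    print(f"one direction of one call: {per_direction:.1f} kbps")
    for topo in ("point-to-point", "multipoint", "multicast"):
        inbound, outbound = wan_link_load_kbps(topo, 5, per_direction)
        print(f"{topo:15s} 5 remote sites: in {inbound:.0f} kbps, out {outbound:.0f} kbps")
```

Note how lopsided the overhead is: a 64 kbps audio stream costs about 87 kbps on Ethernet (36 percent overhead) because its packets are small, while the 320 kbps video stream costs about 339 kbps. Sizing a WAN link from codec rates alone therefore underestimates audio far more than video.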
LAN Considerations
• The easiest part
• Switches are a must to reduce contention
and retransmissions due to collisions
• Predict usage patterns before the
deployment
– Average and peak # simultaneous conferences
– Average conference data rate
– Usage of point-to-point versus multipoint versus multicast
• 802.1p/q QoS should not be needed if LAN is
properly provisioned
Considerations with Routers
• Can work for you or against you, depending on how
the router is configured
• Likely the best place to implement QoS of some sort
– IP Precedence or DiffServ
• Check to see if any traffic shaping or filtering is
already being done based on packet types or ports
– This could cause some unpredictable results if the policies
overlap with the protocols or ports used for IP video
• Check to see if any tail drop or early detection
policies are already implemented
– If so, try to use “class-based” (like WRED) to have QoS
markings taken into consideration
QoS Via Differentiated Services
[Figure: router priority queues between an inbound stream and an outbound stream; legend distinguishes best-effort packets (email, internet browsing, etc.) from prioritized packets (audio, video, etc.)]
• Configure routers for Priority Queuing or Class-Based Queuing
• VCON endpoints mark media packets (UDP) for IP Precedence
by default. Can customize for different values or for DiffServ
PHBs instead.
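An added example, not from the original slides, of how IP Precedence marking and DiffServ PHB marking relate on the wire, which is what decides whether the endpoint's default marking and an existing router policy (see the router slide above) actually agree. The PHB table uses the standard codepoints from RFC 2474, 2597 and 3246; the socket helper assumes an IPv4 UDP socket on a Unix-like host (Windows ignores IP_TOS), and nothing here is vendor code.

```python
import socket

# Added example, not from the original slides: how a DiffServ codepoint (DSCP),
# the DS/ToS byte on the wire, and the older IP Precedence field relate, so you
# can check that an endpoint's markings will be read consistently by routers
# that classify on either scheme. Also shows how a process marks its own UDP
# media socket (assumes IPv4 on a Unix-like host).

# Per-hop behaviours commonly used for real-time traffic (DSCP decimal values
# from RFC 2474, RFC 2597 and RFC 3246).
PHB = {"CS0": 0, "CS3": 24, "AF31": 26, "CS4": 32, "AF41": 34, "CS5": 40, "EF": 46}


def dscp_to_tos(dscp):
    """DSCP occupies the top 6 bits of the 8-bit DS/ToS byte; low 2 bits are ECN."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return dscp << 2


def tos_to_dscp(tos):
    return (tos & 0xFF) >> 2


def ip_precedence(tos):
    """A router that predates DiffServ reads only the top 3 bits of the byte."""
    return (tos & 0xFF) >> 5


def precedence_to_dscp(precedence):
    """IP Precedence p is equivalent to the class-selector codepoint CSp (p * 8)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0..7")
    return precedence << 3


def precedence_compatible(dscp_a, dscp_b):
    """True if a precedence-only router treats the two markings identically."""
    return ip_precedence(dscp_to_tos(dscp_a)) == ip_precedence(dscp_to_tos(dscp_b))


def mark_udp_socket(sock, dscp):
    """Set the DS byte on everything this IPv4 UDP socket sends; returns the
    DSCP the kernel reports back so the caller can confirm the marking took."""
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, dscp_to_tos(dscp))
    return tos_to_dscp(sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS))


if __name__ == "__main__":
    for name, dscp in PHB.items():
        tos = dscp_to_tos(dscp)
        print(f"{name:5s} DSCP {dscp:2d}  DS byte 0x{tos:02x}  IP Precedence {ip_precedence(tos)}")
    # An endpoint marking "precedence 4" (CS4) and one marking AF41 look the same
    # to a precedence-only router but different to a router matching exact DSCPs.
    print("CS4 vs AF41 same for precedence routers:", precedence_compatible(32, 34))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        print("socket now marked DSCP", mark_udp_socket(s, PHB["AF41"]))
```

The practical check this enables: if the endpoints mark IP Precedence 4 (CS4) but the router's class map matches only DSCP AF41, the video lands in the best-effort queue even though both "mean" precedence 4. Either mark the endpoints with the PHB the router expects or have the router match on precedence, and verify with a capture that the DS byte on the wire is what you configured.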
The “Multi-Hop Router Effect”
[Figure: an audio stream (packets A10 to A13) and a video stream (packets V10 to V13) are sent from Chicago to New York across intermediate routers in Dallas and Raleigh. At the receiver the packets show jitter, a duplicate, and out-of-order arrival, and the audio and video no longer have lip sync.]
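The receiver-side checks that make the effect in the figure measurable, as an added example that is not part of the original slides: given RTP packets in arrival order, the code flags duplicates and out-of-order packets, counts loss, and computes the interarrival jitter estimator defined in RFC 3550 section 6.4.1. The packet capture is constructed to mirror the audio stream in the figure; lip-sync measurement between the two streams needs RTCP sender reports and is not shown.

```python
# Added example, not from the original slides: the receiver-side checks that
# reveal the multi-hop effect in the figure. Given RTP packets as they arrived
# (sequence number, RTP timestamp, arrival time), it flags duplicates and
# out-of-order packets, counts loss, and computes the interarrival jitter
# estimator from RFC 3550 section 6.4.1. The packet list is constructed.


def seq_at_or_after(a, b):
    """True if 16-bit sequence number a is at or after b (wrap-safe)."""
    return ((a - b) & 0xFFFF) < 0x8000


def analyze_rtp(packets, clock_rate):
    """packets: iterable of (seq, rtp_timestamp, arrival_ms) in arrival order.
    clock_rate: RTP clock of the stream (8000 for G.711 audio, 90000 for video).
    Returns a dict with received, duplicates, out_of_order, lost and jitter_ms."""
    seen = set()
    duplicates, out_of_order = [], []
    first = highest = None
    jitter = 0.0            # in RTP timestamp units, as in RFC 3550
    prev_arrival = prev_ts = None
    for seq, ts, arrival_ms in packets:
        if seq in seen:
            duplicates.append(seq)
            continue        # a duplicate carries no new timing information
        seen.add(seq)
        if first is None:
            first = highest = seq
        elif seq_at_or_after(seq, highest):
            highest = seq
        else:
            out_of_order.append(seq)
        arrival = arrival_ms * clock_rate / 1000   # arrival time in RTP units
        if prev_arrival is not None:
            # D(i,j) = (Rj - Ri) - (Sj - Si);  J = J + (|D| - J) / 16
            d = (arrival - prev_arrival) - (ts - prev_ts)
            jitter += (abs(d) - jitter) / 16
        prev_arrival, prev_ts = arrival, ts
    expected = ((highest - first) & 0xFFFF) + 1 if first is not None else 0
    return {
        "received": len(seen),
        "duplicates": duplicates,
        "out_of_order": out_of_order,
        "lost": expected - len(seen),
        "jitter_ms": jitter * 1000 / clock_rate,
    }


# Constructed capture of the audio stream from the figure: G.711, 8 kHz clock,
# 20 ms per packet (160 timestamp units). A12 overtakes A11 on the other path,
# A10 arrives twice, and A13 is late.
AUDIO_CAPTURE = [
    (10, 1000, 100),
    (12, 1320, 125),
    (11, 1160, 135),
    (10, 1000, 140),
    (13, 1480, 170),
]

if __name__ == "__main__":
    print(analyze_rtp(AUDIO_CAPTURE, 8000))
```

Duplicates and reordering are the signature of audio and video (or successive packets of one stream) taking different router paths; a rising jitter value with no loss points at queueing on one of those paths rather than at the endpoints, which is the case for putting QoS on the routers rather than chasing the codec.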
WAN Considerations
• Similar to the LAN – mostly a mathematical
bandwidth consumption issue
• Be aware of the following things:
– Hop count
– Weakest link syndrome
– ARS (might send audio stream one way and video stream
another)
– Unmanaged links, like the Internet
• If using a service provider, work the required policies
into the SLR
Management & Administration
• H.323 gatekeeper is critical
– Bandwidth management (per zone & per user)
– Authentication and access control
– Address translation
– Alerts & alarms
• Remote device administration tool is
extremely valuable
– CoS policies for resource usage (MCU, GW, etc)
– Call activity reports can assist with identifying needed
network design modifications
– Remote endpoint configuration &
troubleshooting
Overcoming NAT and
Firewall Issues
Firewalls and IP-Based
Communications
• The role of a firewall is to apply RULES that provide
some level of network security
– Protocols allowed (inbound versus outbound)
– IP addresses (from-to)
– Port usage (“well known” versus application-specific)
• When a session is initiated from “inside” the firewall, return
data streams to the originating IP address and port are usually
allowed
– However, H.323 selects the ports for these return streams
dynamically, from a very wide range
NAT and IP-Based Communications
• Network Address Translation (NAT) allows many
private (non-routable) IP addresses to share fewer
(even a single) public IP address
– Outbound connections allowed, but the IP address in the packet
header gets translated
– Unfortunately, there is also IP address information in the payload of
voice/video over IP packets, which does not get translated
– No way to initiate connections from the outside because the IP
addresses on the inside are “invisible”
• Network Address Port Translation (NAPT)
– Conflicts with “well known” ports that are used for voice/video over IP
Messages Involved
• Gatekeeper registration
• Call setup messages
• Call signaling
• Keep-alive messages
• Audio and video media streams
• Neighbor gatekeeper messages
• Remote device administration
• Far-end camera control
These messages travel as both UDP and TCP streams, on both static and dynamic ports.
Each Location Provides a
Different Challenge
[Figure: headquarters (with gatekeeper, gateway, MCU, and ISDN/PSTN access), a branch office or business partner, and a home office, all connected across the public IP network]
Solution Alternatives
Client/Endpoint-Based
Deployment Alternatives
• Place voice/video endpoints outside the firewall with
public IP addresses
– Might be OK for settop appliances, but not desktop systems
– Consumes a public IP address for each endpoint
• NAT IP address mask
– Allows the endpoint to embed a routable, public IP address in the IP
packet payload
– Requires static mappings of IP addresses for voice/video endpoints
• Port range configuration
– Directs the endpoint to use specific UDP and TCP ports instead of a
wide dynamic range
– Requires these ports to be opened in the firewall and not subjected to
port translation
Client/Endpoint-Based
Deployment Alternatives - continued
• Port pinholing
– Returned streams use the same ports as the original incoming
streams
– Requires calls to be initiated from inside the firewall
– Does not work when both endpoints are behind a firewall/NAT
• VPN
– Commonly used for home office workers already, but more
complicated to use with branch offices
– Encryption and authentication built-in
– May give access to more network resources than desired
A combination of the above alternatives can be
implemented. However, they typically only serve as a
partial workaround solution.
Server-Based Deployment
Alternatives
• Protocol-aware firewall
– Able to identify valid voice/video messages and dynamically act
accordingly
• Example: H.323 snooping allows ports to be opened for a
validated session and then closed when done
– Does not necessarily solve the inbound NAT connection problem or
the dual-firewall/NAT problem
• Application Level Gateway (ALG) or other proxy-based solution
– Protocol aware: only processes messages that it understands
– Makes all resources appear local, while still requiring that traffic
pass through the firewall for security
– Commonly combined with encryption option for added security
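The NAT problem from the earlier slide and the protocol-aware fix described here, as one added example that is not part of the original slides or any vendor's product: a toy NAPT that rewrites only IP headers, a signaling message whose payload advertises a private media address, and the minimal ALG-style step that also translates the payload and pre-opens the mapping. The `media=ip:port` text field is a constructed stand-in for the transport address an H.245 OpenLogicalChannel message carries (real H.245 is binary ASN.1 PER, not text), and all addresses are documentation ranges.

```python
import re
from itertools import count

# Added example, not from the original slides or any vendor's product: a toy
# NAPT that rewrites only IP headers, showing why a private address carried
# inside the signaling payload breaks the return media, and the minimal
# protocol-aware (ALG-style) step that fixes it. The "media=ip:port" text
# field is a constructed stand-in for the transport address an H.245
# OpenLogicalChannel message carries; real H.245 is binary ASN.1 PER, not text.


class Napt:
    """Stateful NAPT: many private (ip, port) pairs share one public IP."""

    def __init__(self, public_ip, first_port=60000):
        self.public_ip = public_ip
        self.outbound_map = {}      # (private_ip, private_port) -> public_port
        self.inbound_map = {}       # public_port -> (private_ip, private_port)
        self._ports = count(first_port)

    def bind(self, private_ip, private_port):
        """Create (or reuse) the mapping for an inside endpoint; returns public port."""
        key = (private_ip, private_port)
        if key not in self.outbound_map:
            public_port = next(self._ports)
            self.outbound_map[key] = public_port
            self.inbound_map[public_port] = key
        return self.outbound_map[key]

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        public_port = self.bind(pkt["src_ip"], pkt["src_port"])
        return dict(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt):
        """Rewrite the destination of a packet arriving from outside, or drop
        it (None) when nothing inside has created a mapping for that port."""
        key = self.inbound_map.get(pkt["dst_port"])
        if key is None or pkt["dst_ip"] != self.public_ip:
            return None
        return dict(pkt, dst_ip=key[0], dst_port=key[1])


MEDIA_ADDR = re.compile(r"media=(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def alg_outbound(napt, pkt):
    """Protocol-aware NAT: translate the header as usual, then also translate
    the media address advertised in the payload and pre-open its mapping so the
    far end's RTP can come back in. Only messages the ALG understands are touched."""
    pkt = napt.outbound(pkt)

    def rewrite(match):
        private_ip, private_port = match.group(1), int(match.group(2))
        public_port = napt.bind(private_ip, private_port)
        return f"media={napt.public_ip}:{public_port}"

    return dict(pkt, payload=MEDIA_ADDR.sub(rewrite, pkt["payload"]))


# Constructed call setup from an inside endpoint to a far-end gateway,
# advertising where it wants to receive audio.
SETUP = {
    "src_ip": "10.0.0.5", "src_port": 1720,
    "dst_ip": "198.51.100.9", "dst_port": 1720,
    "payload": "SETUP media=10.0.0.5:49152",
}

if __name__ == "__main__":
    nat = Napt("203.0.113.7")
    print("header-only NAT sends:", nat.outbound(SETUP)["payload"])
    print("ALG sends:            ", alg_outbound(Napt("203.0.113.7"), SETUP)["payload"])
```

Read against the slide's alternatives: the "NAT IP address mask" and port-range options make the endpoint perform the `bind` and payload rewrite itself, ahead of time, with static mappings; the ALG or proxy does it on the endpoint's behalf, per session. Either way the device doing the rewrite must be able to read the signaling, which is why encrypting signaling end to end defeats a plain ALG and the proxy architecture on the next slide terminates the session on each side instead.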
Architecture of a Proxy-Based
Solution
[Figure: Private Network, LAN-side proxy, firewall or NAT, WAN-side proxy, Public IP Network]
• Prevents direct connections between private and public
network devices
• Firewall does not need to accommodate requests for dynamic
or random ports
• All traffic still passes through the firewall
The VCON SecureConnect Solution
• Able to securely proxy:
– Gatekeeper registration
– Call setup messages & signaling
– Media streams (audio & video)
– Neighbor gatekeeper messages
– VCON Interactive Multicast streams
– MXM admin console login and
remote device administration
– Far-end camera control messages
• Overcomes firewall and NAT hurdles without
jeopardizing security
• Encryption option (DES, 3DES, AES); single DES is no longer
considered adequate, so prefer AES
• Highly scalable
Other Considerations and Common
Oversights - Firewall Traversal
• Don’t forget about conferencing requirements with
locations/devices not under your control
– Customer
– Business partners
• QoS provisioning: does the solution selected preserve it?
• Gatekeeper registration is still very much needed
– Networked gatekeepers (neighbored or hierarchical) require special
considerations
• Online directories still must be “visible” by all endpoints
• A solution that works for PC-based devices may not
necessarily work for appliance devices (settop, GW, MCU)
• Scalability is important – what happens if the
voice/video network grows dramatically?
Common Oversights - General
• Don’t leave the dial plan for video devices until it’s
too late
– The gatekeeper will have a default dial plan, but it’s
probably not optimal
• Don’t forget about extended enterprise workers
connected over the Internet
• Interoperability between endpoints, gatekeeper,
MCU and gateway
– Check with the vendors to see what software versions are
known to be interoperable
• Opportunities to incorporate multicast video are
often overlooked
Common Oversights - continued
• Broadband connections are commonly asymmetric
– The broadband connected user might get good quality, but
the remote participant might not
– Many ADSL/cable providers have other options with better
uplink bandwidth
Ultimate Objective Checklist
• Security
• Connectivity
• Management & Administration
• Transparency (Seamless Use)