
1 CSE 551 Lecture: “Secure Videoconferencing: Balancing Performance and Security Tradeoffs”
Prasad Calyam, Ph.D., Senior Systems Developer/Engineer, Ohio Supercomputer Center
11th February 2009

2 Topics of Discussion
- Introduction to H.323
- Issues with H.323 and Firewalls
- Firewall Traversal Solutions
- Signaling and Media Flow Architectures
- Performance comparison of Traversal Solutions
  - Interoperability
  - Load Tolerance
  - Robustness against Vulnerabilities
- Best Practices for Secure Videoconferencing
- Conclusion

3 Voice and Video over IP (VVoIP)
- Large-scale deployments of VVoIP are on the rise
  - VoIP: Skype, Yahoo Messenger, Google Talk
  - Video streaming (one-way voice and video): MySpace, Google Video, YouTube, IPTV, ...
  - Video conferencing (two-way voice and video): Polycom, WebEx, Acrobat Connect, ...
- Reasons for VVoIP popularity
  - Increased access to broadband
  - Advances in standardization of the H.323 and SIP protocols
- Today’s protocols allow a wide variety of communication devices to talk to each other

4 VVoIP Deployment (figure)

5 VVoIP Deployment (2)
(figure: Gatekeeper, Gateway, Multipoint Control Unit and Router linking a Corporate LAN, the Internet (H.323, SIP) and a Switched Circuit Network (POTS and ISDN) carrying H.320 over ISDN, H.324 over POTS and speech-only telephones)

6 Desktop and Room Videoconferencing Systems (figure)

7 3 Ways to Videoconference over the Internet
1. Point-to-Point (figure)

8 3 Ways to Videoconference over the Internet (Contd.)
2. Multi-Point Star Topology (figure)

9 3 Ways to Videoconference over the Internet (Contd.)
3. Multi-Point Multi-Star Topology (figure)

10 Signaling Protocols Terminology
- Call Establishment and Teardown
- Call Control and Supplementary Services
  - Call waiting, Call hold, Call transfer
- Capability Exchange
- Admission Control
- Protocol Encoding (ASN.1, HTTP)

11 H.323 – ITU Standard
- H.323 is a popular standard for Internet videoconferencing
  - Supports real-time voice and video communications
  - Uses some fixed ports (e.g. 1719, 1720) and some dynamic ports (port range: > 2^10 and < 2^16) during sessions
- Devices: Terminals, Gatekeepers and MCUs
- Codecs:
  - Video: H.261, H.263, H.264
  - Audio: G.711, G.722, G.723.1
- Signaling: H.225, H.245
- Transport mechanisms: TCP, UDP, RTP and RTCP
- Data collaboration: T.120
- Many others...

12 H.323 Protocol Stack (figure)

13 H.323 Call setup and teardown (figure)

14 H.323 Call setup and teardown (Contd.) (figure)

15 H.323 Call Establishment via Gatekeeper [christian-sura06] (figure)

16 H.323 and Firewalls
- H.323 is a popular standard for Internet videoconferencing
- Firewalls protect networks against cyber-attack threats
  - Firewalls control incoming/outgoing traffic by blocking ports
  - Also provide NAT functionality: allows multiple hosts in a private network to access the Internet using a single public IP address
- But, H.323 + Firewalls = Poor performance!

17 H.323 + Firewalls = Poor performance!
- Unusable or unexpected behaviour for several reasons
  - Per-packet inspection by firewalls of address, port and message type slows down video and voice traffic
  - Other application packet-processing loads on firewalls aggravate the slowness
  - Complex and ever-changing security policies at last-mile sites
  - Encrypted video (H.235) blocked by firewalls – blank screen at receiver
- Hence, reproducing problems and finding a general solution is challenging

18 H.323 and Firewalls – Problem Case Study
- Example problem report due to mis-configuration
  - Intermittent frame freezing
  - Lot of pixelation
  - No significant audio problems
  - Sudden disconnections
- H.323 Beacon tool test report for troubleshooting
  - Sluggish call-setup
  - Delayed packet-events
  - Initial jitter variations in the poor range
(figures: (a) Effect of a mis-configured firewall; (b) Jitter variations measured by H.323 Beacon)
Firewall re-configuration solved the problem!

19 “Firewall Traversal” Solutions
- Open – no intermediate firewalls between end-points
  - Security of data is compromised to support video requirements: not practical given the security risks on the Internet
  - Could use separate video VLANs that bypass firewall blocking: not scalable, limited mobility, and not practical since there could be a firewall at a downstream router, or the remote end-point may be behind a firewall
- End-point behind Firewall
  - Static (open ports in pre-configuration)
    - Pro: Can be implemented with any firewall
    - Con: Increased security risk, not scalable
  - Dynamic (open ports using stateful-packet-inspection)
    - Pro: Greatly reduced security risk
    - Con: Need specialized (expensive) firewalls, e.g. Cisco PIX H.323 fixup; need to keep up with software upgrades, and test extensively after each upgrade
Stateful-Packet-Inspection:
- The firewall keeps track of out-bound packets, and associates in-bound packets with the hosts of the out-bound packets
- Thus allows safe handling of traffic without complex configuration of firewall rules

20 “Firewall Traversal” Solutions (2)
- End-point in DMZ alongside Firewall
- Gatekeeper-proxy in DMZ alongside Firewall
  - Polycom V²IU, GNU Gatekeeper
- Standalone Gatekeeper-proxy with Integrated Firewall
  - Polycom V²IU
  - End-points can be anywhere inside the firewall-protected network
DMZ (De-Militarized Zone):
- Military term – “Nations separate armies through the use of a DMZ”
- Provides a buffer zone that separates an internal network from the often hostile territory of the Internet

21 End-Point (EP) in DMZ alongside Firewall
- Pro:
  - Security of data not compromised to support video requirements
  - No need to buy and maintain a gatekeeper-proxy device
- Con:
  - Requires a special room for videoconferencing connected to the DMZ; users cannot videoconference from their desktops
  - Need to register local EPs with an external gatekeeper

22 Gatekeeper-Proxy (GP) in DMZ alongside Firewall
- Pro:
  - Security of data not compromised to support video requirements
  - Users need not be in the DMZ – they can videoconference from their desktop
- Con:
  - Need to buy a gatekeeper-proxy (GP) device and maintain it
  - If the GP is compromised, the attacker has access to the internal network!

23 Standalone GP with Integrated Firewall
- Pro:
  - Security of data not compromised to support video requirements
  - No need for a DMZ – users can videoconference from their desktop
  - GP is less vulnerable to attacks due to the integrated firewall; the vendor makes a focused effort to harden the Gatekeeper-proxy appliance
  - Gatekeeper-proxy/firewall (GP-FW) can be in parallel with any other existing firewall; sites can continue to use an already configured and deployed firewall if so desired
- Con:
  - Need to buy a GP-FW device and maintain it

24 ITU-T H.460 Standard
- H.460 allows firewall traversal for EPs behind firewalls (that block incoming ports) using a remote GP or GP-FW
  - H.460.18 (signaling proxy for H.225/H.245), H.460.19 (media proxy for RTP); ratified by ITU-T in 2005
  - EP must be capable of H.460 signaling
  - Private-side EP initiates the session with the remote EP behind a GP or GP-FW; upon session initiation, the proxy knows if an EP is behind a firewall and hence rewrites all the signaling addresses to the (detected) public IP on the firewall
  - Keep-alive messages are sent by the EP to keep the firewall open (default: 30 s)
  - Outgoing ports shown below must be open

    H.323 Protocol   Transport Protocol   Port Numbers
    RAS              UDP                  1719
    Q.931 (H.225)    TCP                  1720
    H.245            TCP                  14085:15084
    RTP              UDP                  16386:34386

25 Polycom V²IU Solution
- Widely used and well-supported appliances built on a hardened Linux operating system
  - Gatekeeper-proxy (GP): V²IU Traversal devices
  - Gatekeeper-proxy with Integrated Firewall (GP-FW): V²IU Enterprise devices – H.460 compliant
- Both provide:
  - Traffic shaping, router functionality, NAT server, DHCP server
  - Guaranteed QoE for video traffic using prioritization, and best-effort QoS for data service
  - “Stateful-packet-inspection firewall” to dynamically open ports: opens pinholes in the firewall to allow voice and video traffic to pass through

26 GNU Gatekeeper (GNU GK) Solution
- GNU Gatekeeper (GNU GK) - http://www.gnugk.org
  - Open-source gatekeeper
  - The proxy feature in GNU GK provides the firewall traversal solution
  - Software specs: secured and hardened Linux OS
  - Supports ITU-T E.164/IETF ENUM standards; H.460 compliant
- Success stories in the Internet2 and ViDeNet H.323 communities [kewin-sura06] [christian-sura06]
  - Supporting > 500 calls per month at the University of Washington, USA and Max-Planck, Germany

27 Securing Linux OS
- To avoid malicious compromise of system resources for DDoS attacks, the following issues need to be addressed
- Use strong passwords – lock the account after multiple login failures
- Install only the required software packages
  - Do you need Apache?
- Regularly patch the OS
- Check listening ports and verify whether those are required
  - Use “netstat”
- Run only required system services
  - Use “chkconfig” to list all services started at bootup
- Avoid telnet, rlogin and rsh – use scp/sftp instead
- Secure NFS if sharing files over the network
- Etc.
- For more details: http://www.puschitz.com/SecuringLinux.shtml
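An added example, not part of the lecture materials, that turns the “check listening ports” step above into a repeatable check using the H.460 port ranges from slide 24 as the allow-list: it parses netstat -tulpn output from a dedicated GNU GK host and flags any listener that is neither an H.323/H.460 port nor the admin service. The netstat output is constructed, and treating sshd on tcp/22 as the only expected non-video service is an assumption of the example.

```python
"""Audit listening sockets on an H.323 proxy host against the H.460 port list."""
from typing import Dict, List, Tuple

# Outgoing ports listed on slide 24 for H.460 traversal; 1720 is also the one
# inbound port the Nessus lock-down on slide 47 keeps (h323hostcall).
H323_ALLOW: Dict[str, List[Tuple[int, int]]] = {
    "udp": [(1719, 1719), (16386, 34386)],  # RAS, RTP media
    "tcp": [(1720, 1720), (14085, 15084)],  # Q.931 (H.225), H.245
}
# Assumption of this example: sshd is the only admin service expected on a
# dedicated GNU GK box (slide 27: use scp/sftp instead of telnet/rlogin/rsh).
ADMIN_ALLOW: Dict[str, List[Tuple[int, int]]] = {"tcp": [(22, 22)]}

# Constructed `netstat -tulpn` output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1720            0.0.0.0:*               LISTEN      1201/gnugk
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      640/inetd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1337/apache2
tcp        0      0 0.0.0.0:14090           0.0.0.0:*               LISTEN      1201/gnugk
tcp        0      0 10.0.0.5:45012          10.0.0.9:1720           ESTABLISHED 1201/gnugk
udp        0      0 0.0.0.0:1719            0.0.0.0:*                           1201/gnugk
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 0.0.0.0:20000           0.0.0.0:*                           1201/gnugk
"""


def port_allowed(proto: str, port: int) -> bool:
    """True if proto/port falls inside an H.323/H.460 range or the admin list."""
    for table in (H323_ALLOW, ADMIN_ALLOW):
        if any(lo <= port <= hi for lo, hi in table.get(proto, [])):
            return True
    return False


def parse_netstat(text: str) -> List[dict]:
    """Split netstat rows into dicts. UDP rows have no State column, so the
    PID/Program field sits one position earlier than on TCP rows."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        proto = "tcp" if f[0].startswith("tcp") else "udp"
        port = int(f[3].rsplit(":", 1)[1])  # works for IPv4 and ':::port'
        if proto == "tcp":
            state, prog = f[5], (f[6] if len(f) > 6 else "-")
        else:
            state, prog = "", (f[5] if len(f) > 5 else "-")
        rows.append({"proto": proto, "port": port, "state": state, "program": prog})
    return rows


def audit(text: str) -> List[str]:
    """Return 'proto/port program' for every listener outside the allow-lists."""
    findings = []
    for r in parse_netstat(text):
        if r["proto"] == "tcp" and r["state"] != "LISTEN":
            continue  # established sessions are not exposed services
        if not port_allowed(r["proto"], r["port"]):
            findings.append(f'{r["proto"]}/{r["port"]} {r["program"]}')
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print("unexpected listener:", finding)
```

On the constructed sample the audit reports telnet (tcp/23), Apache (tcp/80) and NFS (udp/2049), the three services the slide above singles out, while the gnugk and sshd listeners pass.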

28 Signaling-and-Media Flow Patterns
- Figure shows EP registration and GP/GP-FW neighboring in a distributed and heterogeneous proxy environment
  - GP-FW-1 knows GP-FW-2, GP-FW-1 knows GP-DMZ, hence EP-5 knows EP-3

29 Signaling-and-Media Flow Patterns (2)

EP-Pair        Signaling Flow Path         Media Flow Path
EP-1 ↔ EP-2    GP-FW-1                     None
EP-1 ↔ EP-3    GP-FW-1, GP-DMZ             GP-DMZ
EP-1 ↔ EP-4    GP-FW-1
EP-1 ↔ EP-5    GP-FW-1, GP-FW-2            GP-FW-2
EP-2 ↔ EP-3    GP-FW-1, GP-DMZ             GP-DMZ
EP-2 ↔ EP-4    GP-FW-1
EP-2 ↔ EP-5    GP-FW-1, GP-FW-2            GP-FW-2
EP-3 ↔ EP-4    GP-DMZ, GP-FW-1
EP-3 ↔ EP-5    GP-DMZ, GP-FW-1, GP-FW-2    GP-DMZ, GP-FW-2
EP-4 ↔ EP-5    GP-FW-1, GP-FW-2

End-Point   Configuration
EP-1        EP behind Firewall
EP-2        EP in DMZ
EP-3        EP inside private network with GP in DMZ and 3rd party firewall
EP-4        EP inside private network with GP integrated firewall
EP-5        EP inside private network with GP integrated firewall

- Worst case scenario can have media between EPs passing through 2 GPs
- Actual large-scale deployment of GPs and GP-FWs at NOECA [polycom-twppt04]

30 Secure Videoconferencing Project at OSC
- OSCnet supports H.323-based videoconferences for Ohio universities and Internet2 Commons
- Need for deploying videoconferencing end-points in a secure manner at several OSCnet customer campuses
- Goals of the “Secure Videoconferencing” Project
  - Survey state-of-the-art: (i) Firewall Traversal Solutions, (ii) Signaling-and-Media Flow Architectures
  - Evaluate different Firewall Traversal Solutions: (i) Interoperability Testing, (ii) Load Testing, (iii) Vulnerability Testing

31 Goals for Experiments at OSC
- Goal-1: Interoperability Testing - verify interoperability of firewall traversal solutions
  - V²IU – Open
  - V²IU – V²IU
  - V²IU – PIX with H.323 fixup
  - V²IU – GNU GK
- Goal-2: Load Testing - compare performance of firewall traversal solutions with standard-definition and high-definition videoconferencing
  - Polycom V²IU 4350-T, Polycom V²IU 5300-S, GNU Gatekeeper Proxy (GNU GK), Cisco PIX with H.323 fixup
  - Experiments in controlled traffic load scenarios in a LAN; traffic loads: Low, Medium, High
- Goal-3: Vulnerability Testing - assess V²IU and GNU GK for robustness against attacks
  - Nessus port scan to check the severity of security loopholes

33 Testbed Setup for Interoperability Testing (figure)
- Connections with all combinations successful!
NOTE: For the V²IU - PIX with H.323 fixup test case, the V²IU was used only in GK mode

35 Testbed Setup for Load Testing
(figures: (a) Setup for GNU GK Testing; (b) Setup for Polycom V²IU Testing)

36 Performance Evaluation Metrics for Load Testing
- To evaluate video or voice signal degradation of a video call through the V²IU and GNU GK solutions under different traffic loads
  - Subjective MOS (1 – 5): human subject testing
  - Objective MOS (1 – 5): NTIA-VQM tool – uses PSNR analysis
  - Mouth-to-Ear (M2E) Delay (ms): using an oscilloscope and pulse generator

37 QoE for V²IU-4350 under different loads
(figure: subjective and objective QoE vs. network load, rated Good / Acceptable / Poor)
Network Load – Iperf cross-traffic
- Low ~ 15 Mbps; Medium ~ 40 Mbps; High ~ 70 Mbps
Results measured for a video call
- Both subjective and objective QoE measurements show notable degradation in device performance for network loads > 30 Mbps due to processing power limitations
- Switch is not a bottleneck even at high network loads

38 M2E Delay for V²IU 4350 under different loads
(figure: peak M2E delay vs. network load (Mbps); annotations: “Highly variable with peaks > 300 ms – high jitter”, “Noticeable fluctuations – low jitter”, “No fluctuations – zero jitter”)
Network Load – Iperf cross-traffic from 0 – 70 Mbps
Results measured for a video call
- Peak M2E delay measurements show notable degradation for network loads > 30 Mbps (consistent with QoE results)
- Peak delay > 300 ms is considered to hamper interactive communications (ITU G.114)
- Control M2E delay is due to (Encode + Switch Propagation + Decode) processing

39 QoE for V²IU-5300 under different loads
(figure: subjective and objective QoE vs. network load, rated Good / Acceptable / Poor)
Network Load – Iperf cross-traffic
- Low ~ 15 Mbps; Medium ~ 40 Mbps; High ~ 70 Mbps
Results measured for a video call
- Both subjective and objective QoE measurements show negligible degradation in device performance even for network loads up to 70 Mbps, which shows the high-end processing power of the unit
- Switch is not a bottleneck even at high network loads

40 M2E Delay for V²IU 5300 under different loads
(figure: peak M2E delay vs. network load (Mbps))
Network Load – Iperf cross-traffic from 0 – 90 Mbps
Results measured for a video call
- Peak M2E delay measurements show no degradation even for network loads up to 70 Mbps (consistent with QoE results)
- Control M2E delay is due to (Encode + Switch Propagation + Decode) processing

41 QoE for GNU GK under different loads
(figure: subjective and objective QoE vs. network load, rated Good / Acceptable / Poor)
Network Load – Videoconferencing cross-traffic
- Testing was done up to a 15 Mbps load of videoconferencing cross-traffic only (NOTE: GNU GK does not pass Iperf traffic because it is only a video proxy device)
Results measured for a video call
- Both subjective and objective QoE measurements show negligible degradation while using commodity hardware

42 M2E Delay for GNU GK under different loads
(figure: peak M2E delay vs. network load (Mbps); annotation: “Noticeable fluctuations – low jitter”)
Network Load – Videoconferencing cross-traffic from 0 – 15 Mbps
Results measured for a video call
- Peak M2E delay measurements show negligible but increasing degradation in device performance (consistent with QoE results)
- Control M2E delay is due to (Encode + Switch Propagation + Decode) processing

43 Results Summary of Load Testing

Cisco PIX with “H.323 Fixup”
- Suitability: Enterprise and ISP (can sustain video+data loads up to 70 Mbps and possibly beyond)
- DMZ Requirement: No
- Proxy/Firewall Requirement: No proxy required; the device is an H.323 protocol-aware firewall
- Level of Maintenance: High (software upgrades, testing after major rule updates)
- Setup Complexity: High (requires skilled engineering expertise)

Polycom V²IU 4350
- Suitability: Enterprise (cannot sustain video+data loads beyond 30 Mbps). NOTE: If video traffic prioritization is set, the vendor guarantees 3 Mbps video and 30 Mbps data
- DMZ Requirement: Yes - if used only as a proxy; No - if used as a firewall or in parallel with a 3rd party firewall
- Proxy/Firewall Requirement: Device acts as a proxy and has an integrated firewall; third party firewall required that needs high maintenance and setup complexity
- Level of Maintenance: Low (software upgrades, extensive testing to verify the upgrade done by the vendor)
- Setup Complexity: Low (requires video conferencing administrator expertise)

Polycom V²IU 5300
- Suitability: Enterprise and ISP (can sustain video+data loads up to 70 Mbps and possibly beyond). NOTE: If video traffic prioritization is set, the vendor guarantees 10/25 Mbps video and 90/75 Mbps data, respectively
- DMZ Requirement: Yes - if used only as a proxy; No - if used as a firewall or in parallel with a 3rd party firewall
- Proxy/Firewall Requirement: Device acts as a proxy and has an integrated firewall; third party firewall required that needs high maintenance and setup complexity
- Level of Maintenance: Low (software upgrades, extensive testing to verify the upgrade done by the vendor)
- Setup Complexity: Low (requires video conferencing administrator expertise)

GNU Gatekeeper
- Suitability: Enterprise (can sustain video loads up to 15 Mbps, and may not sustain video loads of more than 20 Mbps; highly dependent on the device hardware)
- DMZ Requirement: Yes - only used as a proxy
- Proxy/Firewall Requirement: Device acts as a proxy and has an integrated firewall; third party firewall required that needs high maintenance and setup complexity
- Level of Maintenance: High (software upgrades of GNU GK and Linux OS, extensive testing after upgrades)
- Setup Complexity: Medium (requires a skilled sys admin for OS hardening, and a video conferencing administrator)

44 NOTES for Results Summary of Load Testing
- A typical enterprise or small campus (e.g. K-12 school) will have video traffic loads of less than 5 Mbps
  - One to three simultaneous high-quality SD or HD videoconferences may occur
  - Recommended solutions: Polycom V²IU 4350, GNU GK
- A typical ISP or large campus (e.g. OSU or UC) will have video traffic loads of less than 25 Mbps
  - Ten or so simultaneous high-quality SD or HD videoconferences may occur
  - Recommended solutions: Polycom V²IU 5300, GNU GK, Cisco PIX with H.323 fixup
- Under special circumstances, an ISP’s peak video-only load when cascading multiple MCUs (e.g. Megaconferences, Key Stone Conferences) will be less than 40 Mbps
  - Ten or so MCUs may be cascaded to support 200+ participants simultaneously in a large-scale videoconference
  - Recommended solution: Polycom V²IU 6400 *
* NOTE: The Polycom V²IU 6400 solution has not been evaluated by OSC; vendor specifications suggest it can handle 85 Mbps of video traffic

46 Nessus Scanner for Vulnerability Testing
- A network security auditing tool
- Allows testing of security modules to find vulnerabilities
- Generates vulnerability reports
(figure: Define Custom Policy Checks; Use Standard Policy Compliance Plugins)

47 Vulnerability Testing Results
- V²IU devices show low-severity problems upon Nessus scanning
  - 3 open ports with factory default settings; the device could be further locked down to only 1 open port (1720 – h323hostcall) with ping (i.e., ICMP) answer turned off
- GNU GK robustness depends on the Linux server hardening effort

48 Best Practices for Secure Videoconferencing
- Choose GP or GP-FW type (i.e., price-performance) based on expected peak loads of data and video traffic
  - If deploying an MCU behind a GP or GP-FW, account for: load due to conference size; load due to possible cascading of multiple MCUs, GPs or GP-FWs
  - EP assignment to MCUs and cascading of MCUs should consider both bandwidth and GP or GP-FW load-handling limitations
- Have an extra GP or GP-FW deployed for redundancy purposes
- Avoid configuring V²IU and Cisco H.323 fixup simultaneously – competing solutions may cause unexpected problems
- Cisco H.323 fixup may not work well if AES encryption is turned ON in EPs – the remote EP sees a black screen
- If using the GNU GK proxy, dedicate a machine for video; do not run other services (e.g. web server)
  - Remember to regularly apply security patches
- Verify compatibility of EPs and GP or GP-FW with dialing schemes and H.460 protocols, and document them

49 References
- [christian-sura06] C. Schlatter, “The new ITU Standards for H.323 Firewall and NAT Traversal”, SURA/ViDeNet Spring Conference, 2006.
- [kewin-sura06] K. Stoeckigt, “Proxy Systems for H.323”, SURA/ViDeNet Spring Conference, 2006.
- [kewin-questnet05] K. Stoeckigt, “Secure Audio/Video Services – H.323, H.350, and Firewalls”, QUESTNet Conference, 2005.
- [GNUGK-manual] GNU Gatekeeper manual, http://www.gnugk.org/gnugk-manual.html
- [cisco-twpaper02] “Configuring Application Inspection (Fixup)”, Cisco Technical Whitepaper, 2002.
- [roberts-twpaper01] J. Roberts, “Integrating Cisco Secure PIX Firewall and IP/VC Videoconferencing Networks”, Cisco Technical Whitepaper, 2001.
- [wainhouse-twpaper02] “Traversing Firewalls and NATs with Voice and Video over IP”, Wainhouse Research Whitepaper, 2002.
- [polycom-twppt04] “NOECA V²IU Deployment Core Design”, Polycom Technical Whitepaper, 2004.
- [uwex-online07] “Firewalls and H.323”, University of Wisconsin-Extension’s WisLine Videoconferencing Service Recommendations, http://www.uwex.edu/ics/support/video/H323/firewalls

50 Summary
- Introduction to H.323
- Issues with H.323 and Firewalls
- Firewall Traversal Solutions
- Signaling and Media Flow Architectures
- Performance comparison of Traversal Solutions
  - Interoperability
  - Load Tolerance
  - Robustness against Vulnerabilities
- Best Practices for Secure Videoconferencing

51 Questions?

