Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS

Firewalls block H.323 ports

H.323 ports

Security issues
- For H.323 to cross a plain packet-filtering firewall, the static signalling ports and every port in the dynamic range (H.245 control and RTP/RTCP media) must be opened to all traffic.
- Leaving a wide range of ports open at all times largely defeats the purpose of the firewall.

Firewall and Proxy Server
- A firewall is a set of security mechanisms an organisation deploys to prevent unauthorised access from the outside world to its internal network.
- Firewalls usually work by blocking certain network protocols and ports.
- The firewall can also control which Internet resources the organisation's users may reach.
- Firewalls usually include, or work in conjunction with, a proxy server.

Proxy
- A proxy server is an intermediary that makes network requests on behalf of internal users, so the organisation can enforce security policy, control access and cache content.
- Proxy servers now often combine this role with Network Address Translation (NAT).
- The NAT or proxy server works on the premise that there is an outside world (the Internet) and an inside world (the intranet), and it separates and shields the intranet from the Internet.
- VCON's SecureConnect family includes a firewall proxy designed specifically to let video conferencing sessions through an existing firewall.

NAT
- The latest releases of Sony's, Polycom's and VCON's software all support NAT and let you specify the external (public) IP address of the endpoint.
- This is necessary because H.323 carries IP addresses and ports inside the signalling (H.225.0 and H.245): a NAT device that only rewrites the IP header leaves the private address in the payload, and the far end then tries to send media to an address it cannot reach.

TCP & UDP use
- Reliable transport is required for control signalling and data, because these must arrive in order and cannot be lost.
- Consequently TCP is used for H.225.0 call signalling (Q.931), the H.245 control channel and the T.120 data channel.
- Audio and video streams are carried over UDP (RTP/RTCP), where timeliness matters more than reliability; RAS messages to the gatekeeper also use UDP.

H.323 and intelligent firewalls
- Q.931 (H.225.0 call signalling) sets up and tears down a call. H.323 uses TCP port 1720 for it, and the endpoints then negotiate, inside that signalling, which dynamic ports to use for the H.245 control channel and for the audio, video and data streams.
- Opening the whole dynamic range is clearly a security problem, so the firewall must admit H.323-related traffic selectively, on an intelligent basis.
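Before a firewall can learn anything from the call signalling on TCP 1720 it has to frame the byte stream and recognise the Q.931 messages in it. The following is an added example, not code from the presentation or from any vendor: it reassembles RFC 1006 TPKT records from an arbitrarily segmented TCP stream and reads the Q.931 call reference and message type, which is enough to follow the Setup / Connect / Release Complete lifecycle of a call. The ASN.1 PER payload in the user-user information element (where the H.245 address lives) is not decoded here. The sample exchange, call reference 0x123, and the way it is split into segments are all constructed.

```python
"""Frame H.225.0 call signalling (TCP 1720) and extract the Q.931 message type
per call reference, the first step a snooping firewall has to take."""
import struct
from typing import Iterator, List, Tuple

Q931_PD = 0x08  # Q.931 protocol discriminator
Q931_MSG_TYPES = {
    0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x03: "PROGRESS", 0x05: "SETUP",
    0x07: "CONNECT", 0x5A: "RELEASE COMPLETE", 0x62: "FACILITY",
    0x6E: "NOTIFY", 0x7B: "INFORMATION", 0x7D: "STATUS",
}


class TpktFramer:
    """Reassembles RFC 1006 TPKT records (4-byte header: version 3, reserved,
    16-bit length including the header) from a split TCP byte stream."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> Iterator[bytes]:
        self.buf += data
        while len(self.buf) >= 4:
            version, _reserved, length = struct.unpack("!BBH", self.buf[:4])
            if version != 3:
                raise ValueError(f"bad TPKT version {version}; not H.225.0 traffic")
            if length < 4:
                raise ValueError("TPKT length shorter than its own header")
            if len(self.buf) < length:
                return  # record not complete yet; wait for the next segment
            record, self.buf = self.buf[4:length], self.buf[length:]
            yield record


def parse_q931(record: bytes) -> Tuple[int, int, str]:
    """Return (call_reference_value, flag, message_type_name) for one Q.931 message.
    The flag bit (top bit of the call reference) is 0 for messages sent by the
    side that originated the call and 1 for messages from the other side."""
    if len(record) < 2 or record[0] != Q931_PD:
        raise ValueError("not a Q.931 message")
    crv_len = record[1] & 0x0F          # H.225.0 uses a 2-byte call reference
    if crv_len == 0 or len(record) < 2 + crv_len + 1:
        raise ValueError("truncated call reference")
    crv_bytes = record[2:2 + crv_len]
    flag = crv_bytes[0] >> 7
    crv = int.from_bytes(bytes([crv_bytes[0] & 0x7F]) + crv_bytes[1:], "big")
    msg_type = record[2 + crv_len]
    return crv, flag, Q931_MSG_TYPES.get(msg_type, f"UNKNOWN(0x{msg_type:02x})")


def snoop_stream(segments: List[bytes]) -> List[Tuple[int, int, str]]:
    """Run a list of TCP segments through the framer and parse every record."""
    framer = TpktFramer()
    seen = []
    for segment in segments:
        for record in framer.feed(segment):
            seen.append(parse_q931(record))
    return seen


def q931_record(msg_type: int, crv: int, flag: int = 0, ies: bytes = b"") -> bytes:
    """Build a TPKT-framed Q.931 message (used only to construct the sample)."""
    body = (bytes([Q931_PD, 0x02]) + ((flag << 15) | crv).to_bytes(2, "big")
            + bytes([msg_type]) + ies)
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body


# Constructed sample: Setup from the caller, Connect from the callee,
# Release Complete from the caller, delivered in three uneven TCP segments.
SAMPLE = (q931_record(0x05, 0x123)
          + q931_record(0x07, 0x123, flag=1)
          + q931_record(0x5A, 0x123))
SAMPLE_SEGMENTS = [SAMPLE[:7], SAMPLE[7:20], SAMPLE[20:]]

if __name__ == "__main__":
    for crv, flag, name in snoop_stream(SAMPLE_SEGMENTS):
        print(f"call 0x{crv:04x} {'callee' if flag else 'caller'}: {name}")
```

The framer raises rather than resynchronising on a bad TPKT version: a firewall that tries to skip ahead over malformed data on port 1720 is easy to desynchronise, and the safer reaction is to drop the connection.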

Intelligent firewalls
- The firewall does this by snooping the control channel (H.225.0, then H.245) to learn which dynamic ports the endpoints have agreed on, opening only those ports, for that pair of endpoints, and only while the control channel is active.
- The price is that the firewall has to decode the ASN.1-encoded signalling itself, which puts parsing code exposed to untrusted input on the firewall, and it cannot work when the signalling is encrypted end to end, because the negotiated ports are no longer visible to it.

Firewall
- The latest releases of Sony's, Polycom's and VCON's endpoint software let you specify the dynamic TCP and UDP port ranges the endpoint will use.
- This reduces the number of ports that must be open, and with it the exposure.
- These versions also support 'port pinholing', so inbound data is returned on the same port the outbound call was initiated from, which lets a stateful firewall admit the reply without a standing inbound rule.
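The three slides above describe one policy: ports learned from the signalling are opened only for the call's two endpoints, only if they fall in the range the administrator configured, and only while the control channel is alive. The following is an added example of that pinhole lifecycle, not the presentation's or any vendor's code. It assumes an ALG has already parsed the signalling and hands the firewall abstract events ("endpoint X announced tcp/5010 for call c1"); the port ranges, addresses, idle limit and the whole exchange in `demo()` are constructed.

```python
"""Pinhole lifecycle for an H.323-aware firewall: open what the signalling
announced, for the announced endpoint pair, within policy, while the call lives."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# (proto, allowed_src_ip, dst_ip, dst_port): traffic from src to dst:port may pass
Pinhole = Tuple[str, str, str, int]


@dataclass
class Call:
    parties: Tuple[str, str]            # (caller_ip, callee_ip)
    last_control_activity: float
    pinholes: Set[Pinhole] = field(default_factory=set)


@dataclass
class H323Pinholer:
    # Ranges an administrator configured on the endpoints (constructed values)
    tcp_range: Tuple[int, int] = (5000, 5099)      # H.245 control channel
    udp_range: Tuple[int, int] = (49152, 49199)    # RTP/RTCP media
    idle_limit: float = 60.0                       # seconds without signalling
    calls: Dict[str, Call] = field(default_factory=dict)
    rejected: List[str] = field(default_factory=list)

    def setup(self, call_id: str, caller: str, callee: str, now: float) -> None:
        """Seen a Setup on TCP 1720 between caller and callee."""
        self.calls[call_id] = Call((caller, callee), now)

    def control_activity(self, call_id: str, now: float) -> None:
        """Any further message on the call's control channel keeps it alive."""
        if call_id in self.calls:
            self.calls[call_id].last_control_activity = now

    def announce(self, call_id: str, proto: str, owner: str, port: int, now: float) -> bool:
        """The ALG saw `owner` advertise proto/port (H.245 address in Connect,
        RTP port in OpenLogicalChannelAck) inside the signalling of `call_id`.
        Only then is a pinhole opened, and only from the other party to owner:port."""
        call = self.calls.get(call_id)
        if call is None:
            self.rejected.append(f"{call_id}: announcement without a call")
            return False
        if owner not in call.parties:
            self.rejected.append(f"{call_id}: {owner} is not a party to the call")
            return False
        if proto not in ("tcp", "udp"):
            self.rejected.append(f"{call_id}: unsupported protocol {proto}")
            return False
        lo, hi = self.tcp_range if proto == "tcp" else self.udp_range
        if not lo <= port <= hi:
            self.rejected.append(f"{call_id}: {proto}/{port} outside the configured range")
            return False
        peer = call.parties[1] if owner == call.parties[0] else call.parties[0]
        call.pinholes.add((proto, peer, owner, port))
        call.last_control_activity = now
        return True

    def release(self, call_id: str) -> None:
        """Release Complete seen: every pinhole of the call closes at once."""
        self.calls.pop(call_id, None)

    def expire(self, now: float) -> None:
        """Close calls whose control channel has been silent too long."""
        for call_id in [c for c, call in self.calls.items()
                        if now - call.last_control_activity > self.idle_limit]:
            self.release(call_id)

    def allow(self, proto: str, src: str, dst: str, dport: int, now: float) -> bool:
        """Packet decision: static signalling ports, or a live pinhole, else drop."""
        if proto == "tcp" and dport == 1720:   # H.225.0 call signalling
            return True
        if proto == "udp" and dport == 1719:   # RAS to the gatekeeper
            return True
        self.expire(now)
        return any((proto, src, dst, dport) in call.pinholes
                   for call in self.calls.values())


def demo() -> Dict[str, bool]:
    """Constructed exchange: inside endpoint 10.1.0.5 calls 198.51.100.7."""
    fw = H323Pinholer()
    fw.setup("c1", "10.1.0.5", "198.51.100.7", now=0)
    r = {}
    r["h245_opened"] = fw.announce("c1", "tcp", "198.51.100.7", 5010, now=1)   # callee's H.245 address
    r["rtp_opened"] = fw.announce("c1", "udp", "10.1.0.5", 49160, now=2)        # inside RTP receive port
    r["rtp_out_of_range"] = fw.announce("c1", "udp", "198.51.100.7", 40000, now=3)
    r["h245_from_caller"] = fw.allow("tcp", "10.1.0.5", "198.51.100.7", 5010, now=4)
    r["rtp_from_callee"] = fw.allow("udp", "198.51.100.7", "10.1.0.5", 49160, now=4)
    r["rtp_from_stranger"] = fw.allow("udp", "203.0.113.9", "10.1.0.5", 49160, now=4)
    r["rtp_after_idle"] = fw.allow("udp", "198.51.100.7", "10.1.0.5", 49160, now=100)  # no signalling since t=2
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'pass' if verdict else 'drop'}")
```

Two details carry most of the security value: a pinhole is keyed on the announcing endpoint's peer as well as on the port, so a third host that guesses the RTP port is still dropped, and a port outside the administrator's range is refused even though the signalling asked for it, which is what makes the endpoint-side range setting on the slide above enforceable rather than advisory.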

Using a proxy server to enhance security
- When H.323 terminals communicate directly with each other, each must be able to reach the other's IP address.
- This exposes internal addressing information to a potential attacker.
- With a proxy server, only a small number of addresses (the proxy's) are exposed, and the rest of the internal address information stays hidden.

Using a proxy server
- Whether conferencing through a firewall works depends on how well the firewall copes with the complexities of H.323.
- If the firewall cannot provide dynamic access control by watching the control channel, a proxy server inside the firewall can provide the access control instead.
- The gatekeeper (RAS, UDP port 1719) and the proxy (call setup, TCP port 1720) are then the only devices that talk to H.323 devices outside the firewall, so the firewall's access control lists can be limited to traffic addressed to the gatekeeper or the proxy.

VCON's SecureConnect
- VCON's SecureConnect family includes an ALG proxy server designed specifically to let video conferencing sessions through an existing firewall. It works together with MXM, which provides gatekeeper functionality to the registered endpoints.
- The ALG proxy server setup overcomes the connectivity problems that firewalls and NAT servers present.
- To do so, the ALG proxy servers require the firewall to have pinholes open outbound to the public network on 4 specific ports.
- No ports need to be opened inbound, and traffic through the pinholes flows only between ALG units.

Using encryption or VPN
- VCON's Advanced Encryption Server works with the PC-based Encryption Client and/or the ALG proxy server to fully encrypt video conferences and other data transmissions across public or private networks.
- The Encryption Client appears as a virtual network card in the PC and exchanges keys with the Advanced Encryption Server over SSL on port 443.
- The Advanced Encryption Server allocates a virtual address to each client.
- A conference between clients is then established by creating a dedicated VPN through the firewall, using the virtual addresses.
- The firewall must support VPN pass-through and have a port open for this purpose, typically port 2061.
- Once the signalling travels inside the VPN, the firewall can no longer inspect it, so the dynamic port handling described earlier has to happen in the encryption server or ALG rather than in the firewall.