Deploying Secure Videoconferencing Over an IP Network
Gordon Daugherty, Chief Marketing Officer

Presentation transcript:

1 Deploying Secure Videoconferencing Over an IP Network
Gordon Daugherty, Chief Marketing Officer

2 Topics to be Covered
Basics about IP Video
Design Considerations in the LAN and WAN
QoS
Firewalls & NAT
Management & Administration
Common Oversights

3 Ultimate Objective Checklist
✓ Security
✓ Connectivity
✓ Management & Administration
✓ Transparency (Seamless Use)

4 The Basics about IP Video
How much bandwidth is consumed?
– Don't forget the overhead
Separate audio and video streams
Point-to-point versus multipoint versus multicast
– Especially think about the aggregated bandwidth coming into the MCU (WAN link)
TCP for signaling/control and UDP for media

5 LAN Considerations
The easiest part
Switches are a must to reduce contention and retransmissions due to collisions
Predict usage patterns before the deployment
– Average and peak number of simultaneous conferences
– Average conference data rate
– Usage of point-to-point versus multipoint versus multicast
802.1p/q QoS should not be needed if the LAN is properly provisioned
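The "don't forget the overhead" and "predict peak usage" points of slides 4 and 5 come down to one planning calculation. The following is an added example, not part of the presentation or of any VCON product: it adds Ethernet, IP, UDP and RTP headers to a codec's payload rate (audio and video are separate streams, so each pays its own per-packet overhead) and then aggregates the per-participant figure onto the MCU's WAN link for the predicted peak number of conferences. The codec rates, packet sizes and conference counts are constructed assumptions, not figures from the slides.

```python
# Added example (not from the presentation): per-stream bandwidth including packet
# overhead, and the aggregate that lands on the MCU's WAN link at peak usage.
# Codec rates, packet sizes and conference counts below are constructed assumptions.

ETHERNET_HDR = 18   # 14-byte header + 4-byte FCS (preamble and inter-frame gap not counted)
IP_HDR = 20
UDP_HDR = 8
RTP_HDR = 12
PER_PACKET_OVERHEAD = ETHERNET_HDR + IP_HDR + UDP_HDR + RTP_HDR   # 58 bytes per packet


def stream_bps(payload_bps: int, payload_bytes_per_packet: int) -> int:
    """Bits per second on the wire for one media stream whose codec produces
    payload_bps, carried in packets of payload_bytes_per_packet bytes."""
    packets_per_second = payload_bps / (payload_bytes_per_packet * 8)
    overhead_bps = packets_per_second * PER_PACKET_OVERHEAD * 8
    return round(payload_bps + overhead_bps)


def per_participant_bps(audio_bps: int, audio_bytes: int,
                        video_bps: int, video_bytes: int) -> int:
    """Audio and video travel as separate RTP streams, so each carries its own overhead."""
    return stream_bps(audio_bps, audio_bytes) + stream_bps(video_bps, video_bytes)


def mcu_wan_link_bps(conferences: int, participants_per_conference: int,
                     participant_bps: int) -> int:
    """Aggregate on the MCU's WAN link, per direction, when every participant of every
    active conference is remote: the MCU receives one stream set from each participant
    and sends one back to each."""
    return conferences * participants_per_conference * participant_bps


def multicast_source_bps(participant_bps: int) -> int:
    """With multicast the source sends one copy regardless of the number of receivers;
    replication happens in the routers, so the source-side load does not grow."""
    return participant_bps


if __name__ == "__main__":
    # Constructed assumptions: G.711 audio (64 kbit/s in 20 ms packets = 160 bytes of
    # payload) and video at a 384 kbit/s codec rate in roughly 1000-byte packets.
    audio = stream_bps(64_000, 160)       # small packets: overhead adds about 36%
    video = stream_bps(384_000, 1000)     # large packets: overhead adds about 6%
    participant = audio + video
    peak = mcu_wan_link_bps(conferences=5, participants_per_conference=4,
                            participant_bps=participant)
    print(f"audio {audio} bit/s, video {video} bit/s, per participant {participant} bit/s")
    print(f"peak MCU WAN load per direction: {peak / 1e6:.2f} Mbit/s")
```

The audio figure is the one people underestimate: with 20 ms packetisation a 64 kbit/s codec needs about 87 kbit/s on the wire, so a LAN or WAN link provisioned from codec rates alone will run short before the predicted peak is reached.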

6 Considerations with Routers
Can work for you or against you, depending on how the router is configured
Likely the best place to implement QoS of some sort
– IP Precedence or DiffServ
Check to see if any traffic shaping or filtering is already being done based on packet types or ports
– This could cause some unpredictable results if the policies overlap with the protocols or ports used for IP video
Check to see if any tail drop or early detection policies are already implemented
– If so, try to use "class-based" (like WRED) to have QoS markings taken into consideration

7 QoS Via Differentiated Services
[Diagram: router priority queues on the inbound and outbound stream; best-effort packets (email, internet browsing, etc.) queued behind prioritized packets (audio, video, etc.)]
Configure routers for Priority Queuing or Class-Based Queuing
VCON endpoints mark media packets (UDP) for IP Precedence by default. Can customize for different values or for DiffServ PHBs instead.
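Slides 6 and 7 say the endpoint marks media packets (IP Precedence by default, DiffServ PHBs optionally) and the router must be configured with priority or class-based queuing for the marking to do anything. The following added example, which is not code from the presentation or from VCON, shows both halves: how IP Precedence and DSCP values are laid out in the same IP TOS byte (so a DSCP marking still reads as a precedence on an older router), and a constructed single-link queue model that measures how long a marked audio packet waits behind a burst of bulk traffic under FIFO versus priority queuing. The packet sizes, link rate and traffic mix are constructed assumptions.

```python
# Added example (not from the presentation): TOS-byte layout for IP Precedence / DSCP,
# and a constructed model of a router output queue that shows why class-based or
# priority queuing is needed for marked media packets. Link rate and traffic are assumptions.
from dataclasses import dataclass
from typing import Dict, List

DSCP_EF = 46   # Expedited Forwarding PHB (RFC 3246), the usual choice for real-time media


def tos_from_precedence(precedence: int) -> int:
    """IP Precedence occupies the top 3 bits of the TOS byte (precedence 5 -> 0xA0)."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence is 0..7")
    return precedence << 5


def tos_from_dscp(dscp: int) -> int:
    """DSCP occupies the top 6 bits of the same byte (EF = 46 -> 0xB8); low 2 bits are ECN."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 0..63")
    return dscp << 2


def dscp_of(tos: int) -> int:
    return tos >> 2


def precedence_of(tos: int) -> int:
    """A DiffServ marking is still readable as a precedence by IP-Precedence-only routers."""
    return tos >> 5


@dataclass(frozen=True)
class Packet:
    name: str
    arrival_ms: float
    size_bytes: int
    tos: int


def queueing_delays(packets: List[Packet], link_bps: int, priority: bool) -> Dict[str, float]:
    """Non-preemptive single-link model. FIFO serves in arrival order; priority serves the
    highest DSCP first (ties by arrival). Returns the ms each packet waited before transmission."""
    pending = sorted(packets, key=lambda p: p.arrival_ms)
    queue: List[Packet] = []
    delays: Dict[str, float] = {}
    t = 0.0
    i = 0
    while i < len(pending) or queue:
        while i < len(pending) and pending[i].arrival_ms <= t:   # admit everything that has arrived
            queue.append(pending[i])
            i += 1
        if not queue:                                             # link idle: jump to next arrival
            t = pending[i].arrival_ms
            continue
        nxt = min(queue, key=lambda p: (-dscp_of(p.tos), p.arrival_ms)) if priority else queue[0]
        queue.remove(nxt)
        delays[nxt.name] = t - nxt.arrival_ms
        t += nxt.size_bytes * 8 * 1000 / link_bps                 # serialisation time in ms
    return delays


def build_burst() -> List[Packet]:
    """Constructed traffic: ten 1500-byte best-effort packets, one per ms, and a single
    200-byte EF-marked audio packet arriving 2.5 ms into the burst."""
    bulk = [Packet(f"be{i}", float(i), 1500, tos_from_dscp(0)) for i in range(10)]
    return bulk + [Packet("audio", 2.5, 200, tos_from_dscp(DSCP_EF))]


if __name__ == "__main__":
    burst = build_burst()
    for mode in (False, True):
        d = queueing_delays(burst, link_bps=1_000_000, priority=mode)
        print("priority" if mode else "fifo    ", f"audio packet waited {d['audio']:.1f} ms")
```

On a 1 Mbit/s link each 1500-byte packet takes 12 ms to serialise, so under FIFO the audio packet waits behind three bulk packets (33.5 ms); with priority queuing it waits only for the packet already on the wire (9.5 ms). The residual wait is why link fragmentation or a faster link matters on slow WAN circuits even when queuing is configured correctly.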

8 The "Multi-Hop Router Effect"
[Diagram: an audio stream (A10–A13) and a video stream (V10–V13) sent across routers in Dallas, Raleigh, Chicago and New York; on arrival the streams show a duplicate (A10 twice), out-of-order delivery (V13 before V12 and V11), jitter and no lip sync]

9 WAN Considerations
Similar to the LAN – mostly a mathematical bandwidth consumption issue
Be aware of the following things:
– Hop count
– Weakest link syndrome
– ARS (might send the audio stream one way and the video stream another)
– Unmanaged links, like the Internet
If using a service provider, work required policies into the SLR
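Slides 8 and 9 name the symptoms a multi-hop path (or a path that routes audio and video differently) produces at the receiver: duplicates, out-of-order packets, jitter and lost lip sync. The following added example, which is not code from the presentation, shows how a receiver detects each of them from RTP-style sequence numbers and timestamps: it drops duplicates, counts late arrivals, reorders for the decoder, runs the RFC 3550 interarrival jitter estimator, and measures audio/video skew on packets that carry the same media time. The packet timings are constructed to reproduce the slide's picture; the toy ignores 16-bit sequence wrap-around, and it assumes both streams' timestamps are already on one millisecond clock, which real RTP obtains from RTCP sender reports.

```python
# Added example (not from the presentation): receiver-side detection of duplicates,
# reordering, jitter and lip-sync skew. Packet timings are constructed; sequence-number
# wrap-around is not handled, and send_ms for both streams is assumed to share one clock.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RtpPacket:
    seq: int           # RTP sequence number
    send_ms: int       # sender media clock, already converted from RTP timestamp units to ms
    arrival_ms: int    # receiver wall clock at arrival, ms


@dataclass
class StreamReport:
    delivered: List[int]   # sequence numbers handed to the decoder, in order
    duplicates: int
    out_of_order: int
    jitter_ms: float       # RFC 3550 interarrival jitter estimate, ms


def analyse_stream(packets: List[RtpPacket]) -> StreamReport:
    """Walk packets in arrival order: drop duplicates, count late arrivals, and update the
    RFC 3550 estimator J += (|D| - J) / 16 on every fresh packet, where D is the change in
    (arrival - send) between consecutive packets."""
    seen = set()
    highest = None
    duplicates = out_of_order = 0
    jitter = 0.0
    prev = None
    for p in packets:
        if p.seq in seen:
            duplicates += 1          # multi-hop effect: the same packet arriving twice
            continue
        seen.add(p.seq)
        if highest is not None and p.seq < highest:
            out_of_order += 1        # arrived after a higher sequence number
        highest = p.seq if highest is None else max(highest, p.seq)
        if prev is not None:
            d = (p.arrival_ms - prev.arrival_ms) - (p.send_ms - prev.send_ms)
            jitter += (abs(d) - jitter) / 16
        prev = p
    return StreamReport(sorted(seen), duplicates, out_of_order, jitter)


def lipsync_skew_ms(audio: List[RtpPacket], video: List[RtpPacket]) -> float:
    """Average extra one-way delay of video over audio, measured on packets with the same
    media time. Positive means video lags audio. First arrival wins when a packet is duplicated."""
    a_delay, v_delay = {}, {}
    for p in audio:
        a_delay.setdefault(p.send_ms, p.arrival_ms - p.send_ms)
    for p in video:
        v_delay.setdefault(p.send_ms, p.arrival_ms - p.send_ms)
    common = sorted(set(a_delay) & set(v_delay))
    if not common:
        raise ValueError("no common media time between the two streams")
    return sum(v_delay[t] - a_delay[t] for t in common) / len(common)


# Constructed capture: audio every 20 ms with A10 arriving twice; video every 40 ms sent
# over a longer path (as with ARS splitting the streams) and V12 overtaking V11.
AUDIO = [RtpPacket(10, 0, 100), RtpPacket(11, 20, 121), RtpPacket(12, 40, 139),
         RtpPacket(13, 60, 162), RtpPacket(10, 0, 165)]
VIDEO = [RtpPacket(10, 0, 180), RtpPacket(12, 80, 250), RtpPacket(11, 40, 262),
         RtpPacket(13, 120, 300)]

if __name__ == "__main__":
    for name, stream in (("audio", AUDIO), ("video", VIDEO)):
        r = analyse_stream(stream)
        print(f"{name}: delivered {r.delivered}, dup {r.duplicates}, "
              f"out-of-order {r.out_of_order}, jitter {r.jitter_ms:.2f} ms")
    print(f"video lags audio by {lipsync_skew_ms(AUDIO, VIDEO):.1f} ms")
```

A jitter buffer absorbs the reordering and the jitter figure at the cost of delay; the skew figure is the one that needs a network fix (common routing for both streams, or a lip-sync delay on the audio side), since no amount of buffering on one stream alone restores it.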

10 Management & Administration
H.323 gatekeeper is critical
– Bandwidth management (per zone & per user)
– Authentication and access control
– Address translation
– Alerts & alarms
Remote device administration tool is extremely valuable
– CoS policies for resource usage (MCU, GW, etc.)
– Call activity reports can assist with identifying needed network design modifications
– Remote endpoint configuration & troubleshooting

11 Overcoming NAT and Firewall Issues

12 Firewalls and IP-Based Communications
The role of a firewall is to apply RULES that provide some level of network security
– Protocols allowed (inbound versus outbound)
– IP addresses (from-to)
– Port usage ("well known" versus application-specific)
When a session is initiated from "inside" the firewall, returned data streams to the originating IP address and port are usually allowed
– However, H.323 allows a dynamically selected and very wide range of ports to be used for these return streams

13 NAT and IP-Based Communications
Network Address Translation (NAT) allows many private (non-routable) IP addresses to share fewer (even a single) public IP addresses
– Outbound connections are allowed, but the IP address in the packet header gets translated
– Unfortunately, there is also IP address information in the payload of voice/video over IP packets, which does not get translated
– No way to initiate connections from the outside because the IP addresses on the inside are "invisible"
Network Address Port Translation (NAPT)
– Conflicts with "well known" ports that are used for voice/video over IP

14 Messages Involved
Gatekeeper registration
Call setup messages
Call signaling
Keep-alive messages
Audio and video media streams
Neighbor gatekeeper messages
Remote device administration
Far-end camera control
(UDP & TCP streams; static & dynamic ports)

15 Each Location Provides a Different Challenge
[Diagram: headquarters, a branch office or business partner, a home office and road warriors, all connected over the public IP network; components shown include an MCU, a gatekeeper (GK) and a gateway (GW) to the PSTN/ISDN]

16 Solution Alternatives

17 Client/Endpoint-Based Deployment Alternatives
Place voice/video endpoints outside the firewall with public IP addresses
– Might be OK for settop appliances, but not desktop systems
– Consumes a public IP address for each endpoint
NAT IP address mask
– Allows the endpoint to embed a routable, public IP address in the IP packet payload
– Requires static mappings of IP addresses for voice/video endpoints
Port range configuration
– Directs the endpoint to use specific UDP and TCP ports instead of a wide dynamic range
– Requires these ports to be opened in the firewall and not subjected to port translation

18 Client/Endpoint-Based Deployment Alternatives
Port pinholing
– Returned streams use the same ports as the original incoming streams
– Requires calls to be initiated from inside the firewall
– Does not work when both endpoints are behind a firewall/NAT
VPN
– Commonly used for home office workers already, but more complicated to use with branch offices
– Encryption and authentication built in
– May give access to more network resources than desired
A combination of the above alternatives can be implemented. However, they typically only serve as a partial workaround.

19 Server-Based Deployment Alternatives
Protocol-aware firewall
– Able to identify valid voice/video messages and dynamically act accordingly
  Example: H.323 snooping allows ports to be opened for a validated session and then closed when done
– Does not necessarily solve the inbound NAT connection problem or the dual-firewall/NAT problem
Application Level Gateway (ALG) or other proxy-based solution
– Protocol aware: only processes messages that it understands
– Makes all resources appear local, while still requiring that traffic pass through the firewall for security
– Commonly combined with an encryption option for added security

20 Architecture of a Proxy-Based Solution
[Diagram: private network -> LAN-side proxy -> firewall or NAT -> WAN-side proxy -> public IP network]
Prevents direct connections between private and public network devices
Firewall does not need to accommodate requests for dynamic or random ports
All traffic still passes through the firewall

21 The VCON SecureConnect Solution
Able to securely proxy:
– Gatekeeper registration
– Call setup messages & signaling
– Media streams (audio & video)
– Neighbor gatekeeper messages
– VCON Interactive Multicast streams
– MXM admin console login and remote device administration
– Far-end camera control messages
Overcomes firewall and NAT hurdles without jeopardizing security
Encryption option (DES, 3DES, AES)
Highly scalable

22 Other Considerations and Common Oversights - Firewall Traversal
Don't forget about conferencing requirements with locations/devices not under your control
– Customers
– Business partners
QoS provisioning: does the selected solution preserve it?
Gatekeeper registration is still very much needed
– Networked gatekeepers (neighbored or hierarchical) require special considerations
Online directories must still be "visible" to all endpoints
A solution that works for PC-based devices may not necessarily work for appliance devices (settop, GW, MCU)
Scalability is important – what happens if the voice/video network grows dramatically?

23 Common Oversights - General
Don't think about the dial plan for video devices after it's too late
– The gatekeeper will have a default dial plan, but it's probably not optimal
Don't forget about extended enterprise workers connected over the Internet
Interoperability between endpoints, gatekeeper, MCU and gateway
– Check with the vendors to see which software versions are known to be interoperable
Opportunities to incorporate multicast video are often overlooked

24 Common Oversights - continued
Broadband connections are commonly asymmetric
– The broadband-connected user might get good quality, but the remote participant might not
– Many ADSL/cable providers have other options with better uplink bandwidth

25 Ultimate Objective Checklist
✓ Security
✓ Connectivity
✓ Management & Administration
✓ Transparency (Seamless Use)
