Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Videoconferencing Today Jill Gemmill University of Alabama at Birmingham

Published byColleen Gillian Booker Modified over 8 years ago

Similar presentations

Presentation on theme: "Secure Videoconferencing Today Jill Gemmill University of Alabama at Birmingham"— Presentation transcript:

1 Secure Videoconferencing Today Jill Gemmill University of Alabama at Birmingham jgemmill@uab.edu

2 Why is security for videoconferencing needed today? Some applications require privacy: Telemedicine: for patient comfort and HIPAA requirements Sensitive meetings: grant reviews; counter-terrorism planning The Internet is no longer a friendly place: any network connected system is a target for attacks.

3 What is meant by “videoconference security”? At a “gut level”, we might think of: No eavesdropping No denial of service or break-ins No “spamming” (video/voice from unwanted visitors) Making sure resources like MCU’s are used only by those authorized

4 Standards for Security: ITU X.800 and IETF RFC 2828 Authentication Access Control Data Confidentiality Data Integrity Nonrepudiation Availability Service

5 Standard Security Mechanisms ITU X.800 Encryption Digital Signature Access Control Data Integrity Authentication Exchange Traffic Padding Routing Control Notarization Trusted Functionality Security Label Event Detection Security Audit Trail Security Recovery Non-trivial

6 “Legacy” Videoconference Security (H.320) Used leased telephone line (ISDN) lines – you were buying your own private circuit No IP connection used Expensive “Nailed Down”, not reconfigurable.

7 Basic Security Concerns (H.323 and SIP) Remote management interfaces: use strong password for remote logins (Tandberg alone in offering SSL) Turn off streaming Disable FTP, HTML, Telnet and SNMP functions Disable Viavideo web interface by clearing password Watch for security patches and update systems immediately.

8 Downside of basic security…. Usually breaks ability for video support organization to monitor/manage your systems Makes it harder to update software (no FTP) Solution: put systems behind a firewall

9 Firewalls and NATs Found especially in medical centers Firewall: Blocks incoming network traffic Network Address Translator (NAT): Hides your network addresses so they can’t be reached from outside For videoconferencing, these protections become OBSTACLES to overcome (securely, of course!)

10 Encryption For total privacy, encryption is needed. All encryption methods are designed to protect data in transit, so that it is readable only at the source and destination Some encryption methods are tied to user authentication, so that you are assured of who the data came from and that it can be read only by the intended recipient

11 Encrypt End-to-End or per Link/Hop? End-to-End approach encrypts at source and decrypts at destination Good news: can’t be read in the middle Issue: routers need to read addresses. Data is secure, destination address is not. Per Link/Hop Encryption: decrypt/encrypt at router More time consuming (increases latency) Unencrypted data at router is vulnerable It is possible to use both approaches simultaneously Overhead includes increased bandwidth and latency *

12 Where to encrypt? Encryption managed by the application Encryption managed near transport layer Encryption managed in the network layer By design, each layer is unaware of what occurs at other layers Physical Layer (wires) Data Link (hardware address) NETWORK (IP) TRANSPORT (TCP/UDP) APPLICATIONS

13 Virtual Private Network (VPN) IPSec Capable of encrypting/authenticating ALL data at the IP layer Transparent to applications (no changes needed) Physical Layer (wires) Data Link (hardware address) NETWORK (IP) TRANSPORT (TCP/UDP) APPLICATIONS

14 Secure Socket Layer (SSL) Created and torn down on a per- session basis Frequently used on web servers – https:// Transparent to the application Note: over TCP only Physical Layer (wires) NETWORK (IP) TRANSPORT APPLICATIONS TCPUDP SSL / TLS

15 Application Specific Encryption Examples E-Mail S/MIME PGP Kerberos Video / Voice ???? Physical Layer (wires) NETWORK (IP) TRANSPORT (TCP/UDP) APPLICATIONS

16 Does the videoconferencing application do encryption? Not really Standards exist (next speakers) Not implemented in the market Certain vendors offer proprietary use of standard encryption algorithms and claim to have a “standards-based solution” BUT no inter-operability (Tandberg, VCON)

17 Encryption political issues Encryption software is slow; Encryption hardware is expensive and increases the cost of the product Encryption algorithms may be covered by patents and use requires licensing (eg: RSA) Encryption algorithms may be subject to export control (eg: DES)

18 Let’s Consider the videoconferencing application Hop to Hop Communication End-to-End Communication Model for both H.323 and SIP architectures

19 Things to notice in the model SIP Call Control is over TCP H.323 Call control is UDP at ends and TCP in the middle Media streamS – separate voice, video, data, etc. Perhaps two video streams (one in each direction) UDP precludes use of SSL

20 Review: Encryption can be done with IPSec, SSL or by Application No application-layer encryption for VC No SSL for VC due to UDP Guess that leaves IPSec and “clever hacks”

21 Let’s place the model in a university medical center Videoconferencing uses dynamic ports – BLOCKED Outside calls coming in – BLOCKED Willingness to reconfigure firewall - NONE

22 One approach to secure videoconferencing today “Secure Telemedicine Utilizing State-Wide Internet” NIH-SBIR Phase 1. Jim Chamberlain, AZ Technology. Julie Harper, Jill Gemmill UAB. Unencrypted here

23 Pros and Cons PRO Very inexpensive if you already own the firewall Relatively simple to install and operate Requires cooperation of firewall management CON Requires remote VC station that can load VPN client software Suitable for fixed point to point only Requires cooperation of firewall management VC station must be able to send VPN IP address, not its own

24 Another approach: a pair of departmentally managed VPN’s

25 Pros and Cons PRO Can be installed at departmental level Works with “appliance” VC units like Polycoms CON VC units must be able to send VPN IP address as reply address rather than their own Added expense of firewall/VPN units Fixed locations only

26 IP Freedom Solution Encryption Module Announced & due in market shortly Works with SIP and H.323 Call Servers

27 Pros and Cons PRO Extremely easy to install; no need to contact network staff Flexible connectivity Available as an I2 Commons service Transparent to end users Works for both SIP and H.323 Client software is free Supports mobile users CON Expensive Encryption module : more expensive Licensing is based on number of concurrent users; number shrinks with bandwidth used, and encryption Proprietary technology (but only need one!) “Clever hack”

28 Other gotcha’s If your campus has a bandwidth manager (Packeteer-type device) your VC multimedia may be mistaken for annoying video/music and have its bandwidth limited Result – can degrade or terminate VC session

29 Action Items ? Collect “Best Practices” for Secure Videoconferencing? Feedback to I2/federal agencies on importance of Application-layer security for video/voice applications Other ?

30 Acknowledgments “ViDe.Net: Middleware for Scalable Video Services for Research and Higher Education” NSF ANI-022710 (Gemmill, Chatterjee, Johnson) “Alabama Internet2 Middleware Initiative”, NSF EPSCoR, EPS-0091853 via UA-01-016) (Shealy, Gemmill) “Secure Telemedicine Utilizing State-Wide Internet” NIH-SBIR Phase 1. Jim Chamberlain, AZ Technology. Julie Harper, Jill Gemmill UAB. Any opinions, findings or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Download ppt "Secure Videoconferencing Today Jill Gemmill University of Alabama at Birmingham"

Similar presentations

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.

Software Bundle ViPNet Secure Remote Access Arrangement using ViPNet Mobile © Infotecs.
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Lecture 22 Internet Security Protocols and Standards

Lecture 22 Internet Security Protocols and Standards
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.

COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Similar presentations

Ads by Google