Deploying Secure Videoconferencing Over an IP Network
Gordon Daugherty, Chief Marketing Officer
(Transcript of a PowerPoint presentation)
Topics to be Covered
• Basics about IP Video
• Design Considerations in the LAN and WAN
• QoS
• Firewalls & NAT
• Management & Administration
• Common Oversights
Ultimate Objective Checklist
Security
Connectivity
Management & Administration
Transparency (Seamless Use)
The Basics about IP Video
• How much bandwidth is consumed?
– Don’t forget the overhead
• Separate audio and video streams
• Point-to-point versus multipoint versus multicast
– Especially think about the aggregated bandwidth coming into the MCU (WAN link)
• TCP for signaling/control and UDP for media
LAN Considerations
• The easiest part
• Switches are a must to reduce contention and retransmissions due to collisions
• Predict usage patterns before the deployment
– Average and peak number of simultaneous conferences
– Average conference data rate
– Usage of point-to-point versus multipoint versus multicast
• 802.1p/q QoS should not be needed if LAN is properly provisioned
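The two slides above (bandwidth plus overhead, separate audio and video streams, aggregate load at the MCU, predicted usage patterns) are a calculation, so here is that calculation worked through. This is an added example, not material from the presentation: the codec rates, packet sizes, conference counts and the 75% utilization ceiling are assumed values chosen for illustration; the per-packet header sizes are the standard IPv4/UDP/RTP and Ethernet figures.

```python
# Added example (not from the presentation): per-stream bandwidth including
# packet overhead, and the aggregate load at an MCU. Codec rates, packet sizes
# and the utilization ceiling are assumed values chosen for illustration.

IP_UDP_RTP_HDR = 20 + 8 + 12        # IPv4 + UDP + RTP headers, bytes per packet
ETHERNET_FRAMING = 14 + 4 + 8 + 12  # header + FCS + preamble + inter-frame gap, bytes


def stream_bandwidth_kbps(payload_kbps, payload_bytes_per_packet,
                          framing=ETHERNET_FRAMING):
    """On-the-wire rate of one RTP stream in one direction.

    The codec rate only counts payload; every packet also carries IP/UDP/RTP
    headers plus link-layer framing, so the overhead depends on packets per
    second. Small audio packets therefore pay a much larger percentage than
    large video packets.
    """
    payload_bytes_per_sec = payload_kbps * 1000 / 8
    packets_per_sec = payload_bytes_per_sec / payload_bytes_per_packet
    overhead_bytes_per_sec = packets_per_sec * (IP_UDP_RTP_HDR + framing)
    return (payload_bytes_per_sec + overhead_bytes_per_sec) * 8 / 1000


def call_bandwidth_kbps(audio_kbps, audio_bytes, video_kbps, video_bytes):
    """One direction of a call: audio and video travel as separate streams,
    so their wire rates add. Double this for a symmetric point-to-point call."""
    return (stream_bandwidth_kbps(audio_kbps, audio_bytes)
            + stream_bandwidth_kbps(video_kbps, video_bytes))


def mcu_ingress_kbps(conferences, participants_per_conf, per_participant_kbps):
    """Multipoint: every participant sends its full stream to the MCU, so the
    MCU's link must absorb (conferences x participants) streams inbound, and
    send the same number back out."""
    return conferences * participants_per_conf * per_participant_kbps


def link_has_headroom(load_kbps, link_kbps, max_utilization=0.75):
    """Plan against peak load at a utilization ceiling (assumed 75%), not at
    100%: real-time media degrades well before the link is saturated."""
    return load_kbps <= link_kbps * max_utilization


if __name__ == "__main__":
    # Assumed: G.711 audio at 64 kbps in 160-byte packets (20 ms) and
    # 384 kbps video in 1000-byte packets.
    audio = stream_bandwidth_kbps(64, 160)
    video = stream_bandwidth_kbps(384, 1000)
    per_call = call_bandwidth_kbps(64, 160, 384, 1000)
    print(f"audio {audio:.1f} kbps, video {video:.1f} kbps, "
          f"one direction {per_call:.1f} kbps")
    # Peak: 3 simultaneous 4-party conferences on an MCU behind a T1 (1544 kbps).
    peak = mcu_ingress_kbps(3, 4, per_call)
    print(f"peak MCU ingress {peak:.0f} kbps; fits a T1? {link_has_headroom(peak, 1544)}")
```

With these assumptions the 64 kbps audio stream costs about 95 kbps on the wire (roughly 49% overhead) while the 384 kbps video stream costs about 414 kbps (8%), which is the point of "don't forget the overhead"; and three simultaneous 4-party conferences would need over 6 Mbps into the MCU, far beyond a T1.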
Considerations with Routers
• Can work for you or against you, depending on how the router is configured
• Likely the best place to implement QoS of some sort
– IP Precedence or DiffServ
• Check to see if any traffic shaping or filtering is already being done based on packet types or ports
– This could cause some unpredictable results if the policies overlap with the protocols or ports used for IP video
• Check to see if any tail drop or early detection policies are already implemented
– If so, try to use “class-based” (like WRED) to have QoS markings taken into consideration
QoS Via Differentiated Services
[Figure: router priority queues: the inbound stream is sorted into prioritized packets (audio, video, etc.) and best-effort packets (email, internet browsing, etc.) before being sent as the outbound stream]
• Configure routers for Priority Queuing or Class-Based Queuing
• VCON endpoints mark media packets (UDP) for IP Precedence by default. Can customize for different values or for DiffServ PHBs instead.
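To make the marking and queuing on the last two slides concrete, here is an added example (not from the presentation or from VCON) showing how IP Precedence and DSCP share the TOS byte, why an EF-marked packet still reads as precedence 5 on a precedence-only router, and a miniature priority/class-based scheduler. The classification rule and the per-round cap that stands in for the priority-class policer are assumptions.

```python
# Added example (not from the presentation): how the TOS byte encodes an IP
# Precedence or DiffServ (DSCP) marking, and a simplified priority/class-based
# scheduler that serves marked media ahead of best-effort traffic. The
# classification rule and the per-round policing limit are assumptions.
from collections import deque

EF = 46  # Expedited Forwarding PHB (RFC 3246), the usual DSCP for real-time media


def tos_from_precedence(prec):
    """IP Precedence occupies the top 3 bits of the TOS byte (RFC 791)."""
    if not 0 <= prec <= 7:
        raise ValueError("precedence is 0..7")
    return prec << 5


def tos_from_dscp(dscp):
    """DSCP occupies the top 6 bits of the same byte (RFC 2474); the low two
    bits are ECN. EF (46 = 101110) has precedence bits 101 = 5, so a router
    that only understands precedence still sees EF as priority 5."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 0..63")
    return dscp << 2


def precedence_of(tos):
    return tos >> 5


def dscp_of(tos):
    return tos >> 2


def classify(tos):
    """Assumed policy: EF, or any precedence of 5 and above, goes to the
    priority class; everything else is best effort."""
    if dscp_of(tos) == EF or precedence_of(tos) >= 5:
        return "priority"
    return "best-effort"


def schedule(packets, priority_per_round=2):
    """Low-latency queuing in miniature: each round serves up to
    priority_per_round priority packets, then one best-effort packet. The cap
    stands in for the policer a real LLQ applies so that a flood of marked
    traffic cannot starve everything else. Returns the service order."""
    queues = {"priority": deque(), "best-effort": deque()}
    for name, tos in packets:
        queues[classify(tos)].append(name)
    order = []
    while queues["priority"] or queues["best-effort"]:
        for _ in range(priority_per_round):
            if queues["priority"]:
                order.append(queues["priority"].popleft())
        if queues["best-effort"]:
            order.append(queues["best-effort"].popleft())
    return order


def run_sample():
    # Constructed arrival order: unmarked email/web traffic interleaved with
    # video marked EF and audio marked IP Precedence 5.
    arrivals = [("email1", 0), ("video1", tos_from_dscp(EF)), ("web1", 0),
                ("audio1", tos_from_precedence(5)), ("video2", tos_from_dscp(EF)),
                ("email2", 0)]
    return schedule(arrivals)


if __name__ == "__main__":
    print(f"EF as TOS byte: 0x{tos_from_dscp(EF):02X}, precedence {precedence_of(tos_from_dscp(EF))}")
    print("service order:", run_sample())
```

The arrival order is email, video, web, audio, video, email; the scheduler serves video1, audio1, email1, video2, web1, email2, so the marked media leaves first while best-effort traffic still gets a slot every round. The same classification is what a router's class map does before a priority or class-based queue.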
The “Multi-Hop Router Effect”
[Figure: audio packets A10–A13 and video packets V10–V13 sent between Dallas, Chicago, New York and Raleigh; after several router hops the video arrives as V12, V11, V13, V10 (out of order), audio packet A10 arrives twice (duplicate), and the result is jitter and no lip sync]
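The four symptoms in the diagram (duplicate, out of order, jitter, no lip sync) are all measurable at the receiver from sequence numbers and timestamps. The following is an added example, not from the presentation: packet arrivals are constructed to reproduce the drawing, jitter is the RFC 3550 interarrival estimate, and the 45 ms lip-sync tolerance is an assumed threshold.

```python
# Added example (not from the presentation): a receiver-side check for the
# symptoms in the diagram. Packets and their arrival times are constructed to
# reproduce the drawing; the 45 ms lip-sync tolerance is an assumed threshold.
from dataclasses import dataclass, field


@dataclass
class Packet:
    seq: int           # RTP-style sequence number
    timestamp_ms: int  # sender's media clock, in ms
    arrival_ms: int    # receiver's wall clock, in ms


@dataclass
class StreamStats:
    name: str
    highest_seq: int = -1
    duplicates: int = 0
    out_of_order: int = 0
    jitter_ms: float = 0.0
    transits: list = field(default_factory=list)
    _seen: set = field(default_factory=set)
    _prev: Packet = None

    def receive(self, pkt):
        if pkt.seq in self._seen:          # same sequence number twice: a duplicate
            self.duplicates += 1
            return
        self._seen.add(pkt.seq)
        if pkt.seq < self.highest_seq:     # arrived after a later packet: out of order
            self.out_of_order += 1
        self.highest_seq = max(self.highest_seq, pkt.seq)
        self.transits.append(pkt.arrival_ms - pkt.timestamp_ms)
        if self._prev is not None:
            # RFC 3550 interarrival jitter: difference of the two packets'
            # transit times, smoothed with gain 1/16
            d = ((pkt.arrival_ms - self._prev.arrival_ms)
                 - (pkt.timestamp_ms - self._prev.timestamp_ms))
            self.jitter_ms += (abs(d) - self.jitter_ms) / 16
        self._prev = pkt

    def mean_transit_ms(self):
        return sum(self.transits) / len(self.transits)


def lip_sync_skew_ms(audio, video):
    """Positive when video is delayed relative to audio. Both streams share the
    sender's clock origin here, so comparing mean transit times is enough."""
    return video.mean_transit_ms() - audio.mean_transit_ms()


LIP_SYNC_TOLERANCE_MS = 45  # assumed acceptable audio/video skew


def run_sample():
    # Constructed to mirror the slide: audio A10-A13 arrives cleanly but A10 is
    # duplicated; video V10-V13 arrives as V12, V11, V13, V10 with varying delay.
    audio_arrivals = [Packet(10, 0, 100), Packet(11, 20, 120), Packet(12, 40, 140),
                      Packet(13, 60, 160), Packet(10, 0, 165)]
    video_arrivals = [Packet(12, 66, 180), Packet(11, 33, 185), Packet(13, 99, 205),
                      Packet(10, 0, 230)]
    audio, video = StreamStats("audio"), StreamStats("video")
    for p in audio_arrivals:
        audio.receive(p)
    for p in video_arrivals:
        video.receive(p)
    skew = lip_sync_skew_ms(audio, video)
    return audio, video, skew, abs(skew) > LIP_SYNC_TOLERANCE_MS


if __name__ == "__main__":
    audio, video, skew, out_of_sync = run_sample()
    for s in (audio, video):
        print(f"{s.name}: dup={s.duplicates} ooo={s.out_of_order} jitter={s.jitter_ms:.2f} ms")
    print(f"video lags audio by {skew:.1f} ms; lip sync lost: {out_of_sync}")
```

On the constructed input the audio stream shows one duplicate and zero jitter, the video stream shows two out-of-order packets and about 12.5 ms of smoothed jitter, and video trails audio by 50.5 ms, past the assumed tolerance. These are the same counters an RTCP receiver report carries, which is why they are worth watching per hop when a multi-hop WAN path is suspected.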
WAN Considerations
• Similar to the LAN – mostly a mathematical bandwidth consumption issue
• Be aware of the following things:
– Hop count
– Weakest link syndrome
– ARS (might send audio stream one way and video stream another)
– Unmanaged links, like the Internet
• If using a service provider, work required policies into the SLR
Management & Administration
• H.323 gatekeeper is critical
– Bandwidth management (per zone & per user)
– Authentication and access control
– Address translation
– Alerts & alarms
• Remote device administration tool is extremely valuable
– CoS policies for resource usage (MCU, GW, etc)
– Call activity reports can assist with identifying needed network design modifications
– Remote endpoint configuration & troubleshooting
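The gatekeeper functions listed above (registration with authentication, then per-user and per-zone bandwidth limits applied at call admission) can be sketched in a few dozen lines. This is an added example, not code from the presentation or from any gatekeeper product: the RRQ/ARQ/ACF/ARJ/DRQ names are the H.225 RAS message types, but the aliases, secrets and limits are constructed values and the shared-secret check is a stand-in for a real RAS authentication scheme.

```python
# Added example (not from the presentation): a minimal model of what an
# H.323 gatekeeper's admission control does with per-zone and per-user
# bandwidth limits and registration credentials. Endpoint names, secrets
# and limits are constructed values.
import hmac


class Gatekeeper:
    def __init__(self, zone_limit_kbps, user_limit_kbps, credentials):
        self.zone_limit = zone_limit_kbps
        self.user_limit = user_limit_kbps
        self.credentials = credentials      # alias -> shared secret (constructed)
        self.registered = set()             # aliases that passed RRQ
        self.active = {}                    # call_id -> (alias, kbps)

    def register(self, alias, secret):
        """RRQ: an endpoint must authenticate before it may place calls."""
        expected = self.credentials.get(alias)
        if expected is None or not hmac.compare_digest(expected, secret):
            return False
        self.registered.add(alias)
        return True

    def used_by(self, alias):
        return sum(kbps for a, kbps in self.active.values() if a == alias)

    def zone_usage(self):
        return sum(kbps for _, kbps in self.active.values())

    def admit(self, alias, call_id, kbps):
        """ARQ -> ("ACF", kbps) when the call fits, else ("ARJ", reason).
        Checks run in order: registration, the caller's own limit, then the
        zone's aggregate limit (for example the WAN link feeding this site)."""
        if alias not in self.registered:
            return ("ARJ", "not registered")
        if self.used_by(alias) + kbps > self.user_limit:
            return ("ARJ", "user bandwidth limit")
        if self.zone_usage() + kbps > self.zone_limit:
            return ("ARJ", "zone bandwidth limit")
        self.active[call_id] = (alias, kbps)
        return ("ACF", kbps)

    def release(self, call_id):
        """DRQ: free the bandwidth so later ARQs can use it."""
        self.active.pop(call_id, None)


def run_sample():
    gk = Gatekeeper(zone_limit_kbps=700, user_limit_kbps=512,
                    credentials={"alice": "pw-alice", "bob": "pw-bob"})
    log = []
    log.append(gk.register("alice", "wrong"))        # False: bad secret
    log.append(gk.register("alice", "pw-alice"))     # True
    log.append(gk.admit("carol", "c0", 384))         # ARJ: never registered
    log.append(gk.admit("alice", "c1", 768))         # ARJ: over the 512 kbps user limit
    log.append(gk.admit("alice", "c1", 384))         # ACF
    gk.register("bob", "pw-bob")
    log.append(gk.admit("bob", "c2", 384))           # ARJ: zone would reach 768 > 700
    gk.release("c1")
    log.append(gk.admit("bob", "c2", 384))           # ACF once alice's call ends
    return log


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```

The ordering of the checks matters for the alerts the gatekeeper raises: a rejection for "not registered" is an access-control event, whereas a run of "zone bandwidth limit" rejections is the call-activity signal the slide mentions for revisiting the network design.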
Overcoming NAT and Firewall Issues
Firewalls and IP-Based Communications
• The role of a firewall is to apply RULES that provide some level of network security
– Protocols allowed (inbound versus outbound)
– IP addresses (from-to)
– Port usage (“well known” versus application-specific)
• When a session is initiated from “inside” the firewall, returned data streams to the originating IP address and port are usually allowed
– However, H.323 allows a dynamically-selected and very wide range of ports to be used for these return streams
NAT and IP-Based Communications
• Network Address Translation (NAT) allows many private (non-routable) IP addresses to share fewer (even a single) public IP address
– Outbound connections allowed, but the IP address in the packet header gets translated
– Unfortunately, there is also IP address information in the payload of voice/video over IP packets, which does not get translated
– No way to initiate connections from the outside because the IP addresses on the inside are “invisible”
• Network Address Port Translation (NAPT)
– Conflicts with “well known” ports that are used for voice/video over IP
Messages Involved
• Gatekeeper registration
• Call setup messages
• Call signaling
• Keep-alive messages
• Audio and video media streams
• Neighbor gatekeeper messages
• Remote device administration
• Far-end camera control
(These messages use both UDP and TCP streams, on both static and dynamic ports.)
Each Location Provides a Different Challenge
[Figure: a headquarters site, a branch office or business partner, a home office and road warriors connected over a public IP network; the diagram also shows an MCU, a gatekeeper (GK) and a gateway (GW) to the PSTN/ISDN]
Solution Alternatives
Client/Endpoint-Based Deployment Alternatives
• Place voice/video endpoints outside the firewall with public IP addresses
– Might be OK for settop appliances, but not desktop systems
– Consumes a public IP address for each endpoint
• NAT IP address mask
– Allows the endpoint to embed a routable, public IP address in the IP packet payload
– Requires static mappings of IP addresses for voice/video endpoints
• Port range configuration
– Directs the endpoint to use specific UDP and TCP ports instead of a wide dynamic range
– Requires these ports to be opened in the firewall and not subjected to port translation
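The NAT slide and the endpoint-side alternatives above fit together as one cause-and-effect chain, which this added example (not from the presentation) walks through with a toy NAT, firewall and endpoint: the endpoint writes its media address into the signaling payload, the NAT rewrites only the header, and the far end sends media to whatever the payload said. All addresses are constructed (RFC 1918 and documentation ranges), the payload layout is a simplification of H.245, and the port numbers are illustrative.

```python
# Added example (not from the presentation): a toy model of an H.323 endpoint
# behind NAT, showing why the media address embedded in the payload breaks a
# call, and how the "NAT IP address mask" and "port range configuration"
# workarounds change the result. Addresses are constructed (RFC 1918 and
# documentation ranges); port numbers are illustrative.
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: dict = field(default_factory=dict)  # H.245-style "send media here"


class Endpoint:
    def __init__(self, private_ip, nat_mask=None, media_ports=range(60000, 65536)):
        self.ip = private_ip
        self.nat_mask = nat_mask              # public address to embed instead of own
        self.media_ports = iter(media_ports)  # default stands in for the wide dynamic range

    def open_logical_channel(self, far_ip):
        """Announce where the far end should send media. The NAT never looks
        inside this payload, so whatever is written here is what the far end uses."""
        announce = self.nat_mask or self.ip
        return Packet(self.ip, 1720, far_ip, 1720,
                      {"media_ip": announce, "media_port": next(self.media_ports)})


class Nat:
    """NAPT by default: the header's source IP and port are rewritten, the
    payload is untouched. Hosts in `static` get a 1:1 mapping, ports preserved."""
    def __init__(self, public_ip, static=None):
        self.public_ip = public_ip
        self.static = static or {}   # private_ip -> public_ip
        self.table = {}              # (private_ip, private_port) -> public_port
        self.next_port = 40000

    def outbound(self, pkt):
        if pkt.src_ip in self.static:
            return Packet(self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.payload)
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Rewrite for the private host, or None when no mapping matches."""
        for priv_ip, pub_ip in self.static.items():
            if pub_ip == pkt.dst_ip:
                return Packet(pkt.src_ip, pkt.src_port, priv_ip, pkt.dst_port, pkt.payload)
        for (priv_ip, priv_port), pub_port in self.table.items():
            if pub_port == pkt.dst_port:
                return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.payload)
        return None


class Firewall:
    def __init__(self, inbound_udp_ports=()):
        self.allowed = set(inbound_udp_ports)

    def permits_inbound(self, pkt):
        return pkt.dst_port in self.allowed


def media_reaches_endpoint(endpoint, nat, firewall, far_ip="198.51.100.9"):
    """The far end sends media to the address/port found in the payload."""
    signaling = nat.outbound(endpoint.open_logical_channel(far_ip))
    media_ip, media_port = signaling.payload["media_ip"], signaling.payload["media_port"]
    if is_private(media_ip):
        return False                           # unroutable from the public network
    media = Packet(far_ip, 50000, media_ip, media_port)
    if not firewall.permits_inbound(media):
        return False                           # port not opened in the firewall
    delivered = nat.inbound(media)
    return delivered is not None and delivered.dst_ip == endpoint.ip


def run_scenarios():
    inside, public = "10.1.1.20", "203.0.113.5"
    opened = range(49152, 49200)   # the configured port range, opened in the firewall
    return {
        # private address in the payload: the far end sends media into the void
        "no_workaround": media_reaches_endpoint(Endpoint(inside), Nat(public), Firewall()),
        # mask + static 1:1 NAT + configured port range opened in the firewall
        "mask_static_nat_port_range": media_reaches_endpoint(
            Endpoint(inside, nat_mask=public, media_ports=opened),
            Nat(public, static={inside: public}), Firewall(opened)),
        # mask and port range, but NAPT still translates ports: no mapping exists
        "mask_but_port_translation": media_reaches_endpoint(
            Endpoint(inside, nat_mask=public, media_ports=opened), Nat(public), Firewall(opened)),
        # mask + static NAT, but the endpoint keeps its wide dynamic range
        "mask_static_nat_dynamic_ports": media_reaches_endpoint(
            Endpoint(inside, nat_mask=public), Nat(public, static={inside: public}), Firewall(opened)),
    }
```

Only the scenario that combines all three requirements from the slide (a public address in the payload, a static address mapping, and a fixed port range that is opened and not port-translated) delivers media; dropping any one of them fails, which is why the slide calls these client-side measures a partial workaround.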
Client/Endpoint-Based Deployment Alternatives
• Port pinholing
– Returned streams use the same ports as the original incoming streams
– Requires calls to be initiated from inside the firewall
– Does not work when both endpoints are behind a firewall/NAT
• VPN
– Commonly used for home office workers already, but more complicated to use with branch offices
– Encryption and authentication built-in
– May give access to more network resources than desired
A combination of the above alternatives can be implemented. However, they typically only serve as a partial workaround solution.
Server-Based Deployment Alternatives
• Protocol-aware firewall
– Able to identify valid voice/video messages and dynamically act accordingly
• Example: H.323 snooping allows ports to be opened for a validated session and then closed when done
– Does not necessarily solve the inbound NAT connection problem or the dual-firewall/NAT problem
• Application Level Gateway (ALG) or other proxy-based solution
– Protocol aware: only processes messages that it understands
– Makes all resources appear local, while still requiring that traffic pass through the firewall for security
– Commonly combined with encryption option for added security
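Port pinholing (previous slide) and H.323 snooping (this slide) differ only in what the firewall learns from an outbound session, so one added example covers both: a toy stateful firewall that opens a return-path pinhole for each session started from inside, with an optional H.323-aware mode that reads the media port announced in call setup and opens exactly that port until the call is released. This is not code from the presentation or from any firewall product; addresses and ports are constructed and the payload layout is a simplification of H.245.

```python
# Added example (not from the presentation): a toy stateful firewall that
# opens return-path pinholes for sessions initiated from inside, with an
# optional H.323-aware mode that snoops the media port announced in call
# setup and opens only that port for the duration of the call. Addresses and
# ports are constructed; the payload layout is a simplification of H.245.
from dataclasses import dataclass, field


@dataclass
class Pkt:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: dict = field(default_factory=dict)


class StatefulFirewall:
    def __init__(self, h323_aware=False):
        self.h323_aware = h323_aware
        self.pinholes = set()   # (proto, ext_ip, ext_port or None, int_ip, int_port)
        self.by_call = {}       # call_id -> pinholes opened by snooping

    def outbound(self, pkt):
        """Inside-to-outside traffic is allowed and creates a pinhole for the
        exact reverse flow, so replies to the originating IP and port get in."""
        self.pinholes.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if self.h323_aware and pkt.proto == "tcp" and pkt.dst_port == 1720:
            call_id, media_port = pkt.payload.get("call_id"), pkt.payload.get("media_port")
            if call_id is not None and media_port is not None:
                # Snooped from the validated call setup: admit UDP media from
                # the far end to exactly this port, and remember it per call.
                hole = ("udp", pkt.dst_ip, None, pkt.src_ip, media_port)
                self.pinholes.add(hole)
                self.by_call.setdefault(call_id, set()).add(hole)

    def inbound(self, pkt):
        """Outside-to-inside traffic is admitted only through a pinhole."""
        for proto, ext_ip, ext_port, int_ip, int_port in self.pinholes:
            flow_matches = ((proto, ext_ip, int_ip, int_port)
                            == (pkt.proto, pkt.src_ip, pkt.dst_ip, pkt.dst_port))
            if flow_matches and ext_port in (None, pkt.src_port):
                return True
        return False

    def release(self, call_id):
        """Call torn down: close the snooped pinholes again."""
        for hole in self.by_call.pop(call_id, ()):
            self.pinholes.discard(hole)


def run_scenario(h323_aware):
    inside, outside = "10.1.1.20", "198.51.100.9"
    fw = StatefulFirewall(h323_aware)
    # The inside endpoint places the call and announces UDP 60000 for its media.
    fw.outbound(Pkt("tcp", inside, 3456, outside, 1720, {"call_id": "c1", "media_port": 60000}))
    results = {
        "signaling_reply": fw.inbound(Pkt("tcp", outside, 1720, inside, 3456)),
        "media_for_call": fw.inbound(Pkt("udp", outside, 50000, inside, 60000)),
        "media_other_port": fw.inbound(Pkt("udp", outside, 50000, inside, 60002)),
        "unsolicited_call": fw.inbound(Pkt("tcp", outside, 5555, inside, 1720)),
    }
    fw.release("c1")
    results["media_after_release"] = fw.inbound(Pkt("udp", outside, 50000, inside, 60000))
    return results


if __name__ == "__main__":
    print("plain stateful:", run_scenario(False))
    print("H.323-aware:   ", run_scenario(True))
```

The plain stateful firewall lets the signaling reply back in but drops the media, because the dynamically chosen UDP port was never part of an outbound flow; the H.323-aware firewall admits exactly that port, only from the far end, and closes it on release. Neither variant admits a call initiated from outside, which is the limitation the slides note for both pinholing and snooping.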
Architecture of a Proxy-Based Solution
[Figure: a LAN-side proxy on the private network and a WAN-side proxy on the public IP network, with the firewall or NAT between them]
• Prevents direct connections between private and public network devices
• Firewall does not need to accommodate requests for dynamic or random ports
• All traffic still passes through the firewall
The VCON SecureConnect Solution
• Able to securely proxy:
– Gatekeeper registration
– Call setup messages & signaling
– Media streams (audio & video)
– Neighbor gatekeeper messages
– VCON Interactive Multicast streams
– MXM admin console login and remote device administration
– Far-end camera control messages
• Overcomes firewall and NAT hurdles without jeopardizing security
• Encryption option (DES, 3DES, AES)
• Highly scalable
Other Considerations and Common Oversights - Firewall Traversal
• Don’t forget about conferencing requirements with locations/devices not under your control
– Customers
– Business partners
• QoS provisioning: does the solution selected preserve it?
• Gatekeeper registration is still very much needed
– Networked gatekeepers (neighbored or hierarchical) require special considerations
• Online directories still must be “visible” to all endpoints
• A solution that works for PC-based devices may not necessarily work for appliance devices (settop, GW, MCU)
• Scalability is important – what happens if the voice/video network grows dramatically?
Common Oversights - General
• Don’t think about the dial plan for video devices after it’s too late
– The gatekeeper will have a default dial plan, but it’s probably not optimal
• Don’t forget about extended enterprise workers connected over the Internet
• Interoperability between endpoints, gatekeeper, MCU and gateway
– Check with the vendors to see what software versions are known to be interoperable
• Opportunities to incorporate multicast video are often overlooked
Common Oversights - continued
• Broadband connections are commonly asymmetric
– The broadband connected user might get good quality, but the remote participant might not
– Many ADSL/cable providers have other options with better uplink bandwidth
Ultimate Objective Checklist
Security
Connectivity
Management & Administration
Transparency (Seamless Use)