Computing Center of Max-Planck-Society and Institute of Plasmaphysics
K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 1
H.323 & Firewalls
Experiences with an OpenSource solution for the H.323 Firewall issues
Kewin Stoeckigt, Ulrich Schwenn
Computing Center Garching (RZG), Max-Planck-Gesellschaft (MPG) &
Max-Planck-Institut für Plasmaphysik (IPP)
[email protected], [email protected]
SURA/ViDe 6th Annual Digital Video Workshop
Indianapolis, Indiana, USA
March 22-25, 2004
Outline of talk
• Introduction (MPG, IPP, RZG)
• VC infrastructure overview
• H.323 & Firewalls – The Problem
• An OpenSource solution
  – Why do we use it?
  – How it works
  – ViDe.Net
  – Authentication methods
  – Other features
  – Statistics/Experiences
  – QoS Activities
• Summary
Max-Planck-Society (MPG)
• Independent, non-profit research organization
• Promotes and supports research at its own institutes
• Institutes are organized in three sections with 80 institutes
• Budget for 2004: ~ US$ 1.66 billion
Number of institutes per section:
  – Chemistry, Physics and Technology section: 29
  – Biological and medical section: 35
  – Arts and human science: 16
Institute of Plasmaphysics (IPP)
• Investigates the physical principles underlying a nuclear fusion power plant, which – like the sun – will gain energy from the fusion of light atomic nuclei
• Member of the European Fusion Programme (EFDA)
• Member of the Helmholtz Association of National Research Centers
• Budget in 2002: US$ 150 million
Institute of Plasmaphysics (IPP)
• Current Experiments
  – ASDEX Upgrade tokamak (Axially Symmetric Divertor EXperiment), Garching
    • Confinement with external fields and plasma current
    • Investigates crucial problems in fusion research under reactor-like conditions
  – Wendelstein 7-X, Greifswald
    • Confinement with external magnetic fields only
    • Theoretically optimized magnetic fields to overcome difficulties due to the genuine 3D topology
Computing Center (RZG)
• Located in Garching near Munich
• Since 1980 the common computing center for IPP and MPG
• Offers different services to MPG institutes
  – General network access
  – High Performance Computing power (Clusters, vector machines, etc.)
  – Code optimization
  – Videoconferencing (since 1995)
  – …
• Fastest supercomputer in Germany – IBM Regatta (27 Nodes), 4.2 TFlops/s
  • # 31 of Top500 (11/2003)
VC infrastructure: IPP
[Diagram: Garching and Greifswald sites with Tandberg 500, 880, 1000, 6000 MS and 7000 systems, Viewstation EX units and ViaVideo clients (10 VV in Greifswald, 15 VV in Garching), both sites connected via DFNVC]
• Main Institute (700) in Garching; Branch Institute (300) in Greifswald
• 500 miles: Garching to Greifswald takes longer than traveling from Garching to New York
VC infrastructure IPP:
• 3 lecture halls
  – 2 in Garching: Tandberg 6000 systems
  – 1 in Greifswald: Tandberg 6000 system
• 8 seminar rooms
  – 4 Tandberg 550, 7 Tandberg 880, 2 Tandberg 1000
• ~ 30 ViaVideo
• Multizone gatekeeper
  – Located in Garching
  – OpenSource (more about this later)
• Use of DFNVC service
VC infrastructure: IPP – EFDA
[Diagram: Garching (GAR: 2 T6000 / 3 T880 / T500 / 15 VV) behind the GnuGK-Proxy, connected over an 8 Mbps link to Greifswald (HGW, W7-X: T6000, 3 T500, T880, 10 VV); EFDA partner sites in DE, UK, IL, DK, FR, CH, FI, HU, IT, ES and PT with VV, VS, VS128, Aethra and NM clients; connections via DFNVC and VRVS]
H.323 & Firewalls – The Problem
• Complexity of media streams
  – Use of several sub-protocols for many channels per session
• Dynamic allocation of several parameters
  – Bandwidth / bandwidth changes
  – Number of data channels changes
  – Port allocation
H.323 & Firewalls – The Problem
• Dynamic port allocation
  – H.323 uses a few “fixed” ports, e.g. 1503 (T.120), 1719, 1720
  – Many dynamically allocated ports
    • Port range: > 2^10 & < 2^16 (i.e. above 1024 and below 65536)
    • The session management of the H.323 client allocates ports randomly during setup (Phase C)
    • Approx. 4 to 6 ports per videoconference
  – Dynamically negotiated ports can’t be handled by the firewall
    • How do you open ports if you don’t know them?
H.323 & Firewalls – The Problem
• The communication, or… what happens if…
• The setup (often) can run through the firewall, but the data communication is blocked by the firewall (→ dynamic ports)
[Diagram: internal H.323 terminal – Firewall – external H.323 terminal; the Setup passes the firewall, the Data stream is blocked]
An OpenSource solution
• Former firewall solution
  – “OpenFirewalling”
    • No videoconferencing client was secured by a firewall
    • Security problem: desktops with ‘special’ data on them are not protected
• Desired solution
  – “Low-Cost” solution
  – Easy to configure/administer
  – No network changes, e.g. rerouting, etc.
• We use GnuGK or TPFKAO (“The Program Formerly Known As OpenH323 Gatekeeper”)
An OpenSource solution
• Why do we use it?
  – Costs
    • GnuGK is free (→ GPL)
    • Runs on Linux… which is also free
    • Just the hardware is necessary
  – Linux
    • Approx. 80% of all computers at RZG are Linux/Unix based
    • Linux/Unix seem more reliable than other operating systems
  – OpenSource
    • We can change the code whenever we want to, e.g. include AFS support, etc.
An OpenSource solution
• GnuGK is a gatekeeper/proxy combination
• ALL videoconferencing traffic runs over GnuGK
• The communication… or what happens if…
[Diagram: internal H.323 terminal – Gatekeeper/Proxy – Firewall – external H.323 terminal; both Setup and Data stream run via the Gatekeeper/Proxy through the firewall]
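The two diagrams (setup passes, media blocked; everything via the proxy) can be modelled as a small rule evaluation. The following is an added example written for this page, not GnuGK code or anything from the RZG setup: it feeds the channels of one H.323 call (fixed Q.931 port plus H.245 and RTP/RTCP ports chosen during setup) through a stateless permit list. Host names, port numbers and the proxy port window 30000–30019 are constructed assumptions; the window stands for the "port range can be limited" feature the talk lists later.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    """One channel of a call as the firewall sees it."""
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    what: str    # channel name, for reporting only


@dataclass(frozen=True)
class Rule:
    """A stateless permit rule: destination host (or "any"), port range, protocol."""
    dst: str
    dports: range
    proto: str


def permitted(rules: List[Rule], flow: Flow) -> bool:
    """The flow passes if any rule matches protocol, destination and port."""
    return any(r.proto == flow.proto
               and r.dst in ("any", flow.dst)
               and flow.dport in r.dports
               for r in rules)


def call_channels(dst: str, h245_port: int, rtp_ports: List[int]) -> List[Flow]:
    """Channels of one call towards `dst`: Q.931 setup on the fixed port 1720,
    then the H.245 control and RTP/RTCP ports negotiated during setup (Phase C)."""
    flows = [Flow(dst, 1720, "tcp", "Q.931 setup"),
             Flow(dst, h245_port, "tcp", "H.245 control")]
    for p in rtp_ports:
        flows.append(Flow(dst, p, "udp", f"RTP {p}"))
        flows.append(Flow(dst, p + 1, "udp", f"RTCP {p + 1}"))
    return flows


def blocked_channels(rules: List[Rule], flows: List[Flow]) -> List[str]:
    return [f.what for f in flows if not permitted(rules, f)]


# Scenario 1 (the problem slide): only the fixed H.323 ports are open and the call
# goes straight to the endpoint, so the dynamically chosen ports cannot be listed.
STATIC_RULES = [Rule("any", range(1720, 1721), "tcp"),   # Q.931
                Rule("any", range(1719, 1720), "udp")]   # RAS


def direct_call() -> List[str]:
    # Constructed: the endpoint picked H.245 on 49152 and two RTP sessions at 50000/50002.
    return blocked_channels(STATIC_RULES,
                            call_channels("terminal.example.invalid", 49152, [50000, 50002]))


# Scenario 2 (the proxy slide): every channel terminates on the gatekeeper/proxy, whose
# H.245/RTP ports are confined to a known window (assumed 30000-30019 here), so the
# firewall can name the host and the range and nothing else needs to be open.
PROXY = "gk-proxy.example.invalid"   # assumed name
PROXY_RULES = [Rule(PROXY, range(1720, 1721), "tcp"),
               Rule(PROXY, range(1719, 1720), "udp"),
               Rule(PROXY, range(30000, 30020), "tcp"),
               Rule(PROXY, range(30000, 30020), "udp")]


def proxied_call() -> List[str]:
    return blocked_channels(PROXY_RULES, call_channels(PROXY, 30000, [30002, 30004]))


def direct_call_against_proxy_rules() -> List[str]:
    """A call that bypasses the proxy is rejected entirely, setup included."""
    return blocked_channels(PROXY_RULES,
                            call_channels("terminal.example.invalid", 30000, [30002]))


if __name__ == "__main__":
    print("direct call, blocked channels:", direct_call())
    print("proxied call, blocked channels:", proxied_call())
    print("bypassing the proxy, blocked channels:", direct_call_against_proxy_rules())
```

The third scenario is the part worth keeping in mind when writing the real rule set: once the proxy is the only permitted destination, an endpoint that is not registered with the gatekeeper cannot even complete the setup phase, which is what turns the proxy into a policy enforcement point rather than just a NAT helper.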
An OpenSource solution
• GnuGK works with ViDeNet
  – Neighbor principle
    • If an LRQ cannot be answered by the RZG-GK, the LRQ is then sent to the German Country GK, and so forth
Configuration excerpt:
  [RoutedMode]
  …
  AcceptNeighborCalls=1
  …
  [RasSvr::Neighbor]
  CGK=194.95.240.35:1719;*;
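The neighbor chain described above (local zone first, then the country gatekeeper, then onwards) as an added illustration for this page; it is not GnuGK's implementation. Gatekeeper names, prefixes and endpoint addresses are constructed. The `*` prefix mirrors the `;*;` in the excerpt (forward every unknown alias to that neighbor); the hop limit and the "already asked" check are the safeguards a deployer wants so that two gatekeepers listing each other cannot bounce an LRQ back and forth.

```python
from typing import Dict, List, Optional, Tuple


class Gatekeeper:
    """One zone: locally registered aliases plus the neighbors that unknown
    aliases (LRQs) are forwarded to."""

    def __init__(self, name: str, registered: Dict[str, str]):
        self.name = name
        self.registered = registered                          # alias -> endpoint address
        self.neighbors: List[Tuple["Gatekeeper", str]] = []  # (neighbor, prefix or "*")

    def add_neighbor(self, gk: "Gatekeeper", prefix: str = "*") -> None:
        self.neighbors.append((gk, prefix))

    def resolve(self, alias: str, hops_left: int = 5,
                trace: Optional[List[str]] = None) -> Tuple[Optional[str], List[str]]:
        """Answer an LRQ for `alias`.

        Returns (address or None, list of gatekeepers that were asked).  A local hit
        is an LCF; exhausting the neighbors or the hop budget corresponds to an LRJ."""
        trace = [] if trace is None else trace
        trace.append(self.name)
        if alias in self.registered:
            return self.registered[alias], trace
        if hops_left == 0:
            return None, trace
        for gk, prefix in self.neighbors:
            if prefix != "*" and not alias.startswith(prefix):
                continue                      # neighbor is not responsible for this prefix
            if gk.name in trace:
                continue                      # already asked: do not loop
            addr, trace = gk.resolve(alias, hops_left - 1, trace)
            if addr is not None:
                return addr, trace
        return None, trace


def build_hierarchy() -> Tuple[Gatekeeper, Gatekeeper, Gatekeeper]:
    """Constructed three-level hierarchy: site GK -> country GK -> world GK."""
    rzg = Gatekeeper("RZG-GK", {"00498932991234": "10.1.0.10:1720"})
    de = Gatekeeper("Country-GK-DE", {"00493012345678": "10.2.0.10:1720"})
    world = Gatekeeper("World-GK", {"0016145551234": "10.3.0.10:1720"})
    rzg.add_neighbor(de, "*")                 # like CGK=...;*; : everything unknown goes up
    de.add_neighbor(world, "*")
    de.add_neighbor(rzg, "0049893299")        # the country GK knows which prefix is RZG's
    world.add_neighbor(de, "0049")            # the world GK routes German numbers down
    return rzg, de, world


if __name__ == "__main__":
    rzg, de, world = build_hierarchy()
    for query in ("00498932991234", "0016145551234", "0033123456789"):
        addr, asked = rzg.resolve(query)
        print(f"{query}: {'LCF ' + addr if addr else 'LRJ'} via {' -> '.join(asked)}")
```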
An OpenSource solution
• Authentication methods
  – Security and videoconferencing are getting more important
  – GnuGK supports several different authentication methods
    • IP authentication
    • Prefix authentication
    • mySQL authentication
    • LDAP authentication / H.350 authentication
    • Radius authentication (includes billing)
  – It is possible to limit access to dedicated IPs, E.164 numbers, etc.
An OpenSource solution
• We use mySQL authentication on RRQ
• If the host has a valid DB entry, an RCF is sent, otherwise an RRJ
• The DB table is also used for the phonebook
[Diagram: internal H.323 terminal → Gatekeeper/Proxy → mySQL Database; example RRQ record:]
RRQ|130.216.13.164:1720|00491401006:dialedDigits=NZ-RZG-KFSL:h323_ID|terminal|9999_rzg.mpg.de;
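The registration check on the slide, as an added example for this page (not GnuGK's SQL authentication module): the RRQ record is parsed in the status-port style shown above (`RRQ|ip:port|alias:type=alias:type|terminal|endpointID;`), the requesting IP and its aliases are looked up in a table, and the answer is RCF or RRJ. An in-memory sqlite3 database stands in for the MySQL server, the table layout and its rows are constructed, and the same table is then read as the phonebook.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Tuple

# The RRQ record from the slide, alias list in alias:type form.
SAMPLE_RRQ = ("RRQ|130.216.13.164:1720|00491401006:dialedDigits=NZ-RZG-KFSL:h323_ID"
              "|terminal|9999_rzg.mpg.de;")


@dataclass
class RRQ:
    ip: str
    port: int
    aliases: List[Tuple[str, str]]   # (alias, alias type)
    terminal_type: str
    endpoint_id: str


def parse_rrq(line: str) -> RRQ:
    """Split a status-port style RRQ line into its fields."""
    fields = line.strip().rstrip(";").split("|")
    if len(fields) != 5 or fields[0] != "RRQ":
        raise ValueError(f"not an RRQ record: {line!r}")
    ip, port = fields[1].rsplit(":", 1)
    aliases = []
    for item in fields[2].split("="):
        alias, sep, atype = item.rpartition(":")
        if not sep:
            raise ValueError(f"alias without type: {item!r}")
        aliases.append((alias, atype))
    return RRQ(ip, int(port), aliases, fields[3], fields[4])


def open_endpoint_db() -> sqlite3.Connection:
    """Constructed stand-in for the MySQL table; one row per permitted endpoint."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE endpoints (ip TEXT, e164 TEXT, h323_id TEXT, location TEXT)")
    con.executemany("INSERT INTO endpoints VALUES (?, ?, ?, ?)", [
        ("130.216.13.164", "00491401006", "NZ-RZG-KFSL", "Auckland"),     # constructed row
        ("10.0.5.21", "00491401021", "GAR-SEMINAR-1", "Garching"),        # constructed row
    ])
    return con


# One parameterized query per alias type; the type is never spliced into the SQL.
QUERIES = {
    "dialedDigits": "SELECT 1 FROM endpoints WHERE ip = ? AND e164 = ?",
    "h323_ID": "SELECT 1 FROM endpoints WHERE ip = ? AND h323_id = ?",
}


def registration_decision(con: sqlite3.Connection, rrq: RRQ) -> str:
    """RCF when the requesting IP owns a row matching one of its offered aliases,
    RRJ otherwise.  Matching on IP *and* alias stops another host from registering
    under a number or name that belongs to a known room."""
    for alias, atype in rrq.aliases:
        sql = QUERIES.get(atype)
        if sql and con.execute(sql, (rrq.ip, alias)).fetchone():
            return "RCF"
    return "RRJ"


def phonebook(con: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """The same table doubles as the phonebook: H.323-ID, E.164 number, location."""
    return con.execute(
        "SELECT h323_id, e164, location FROM endpoints ORDER BY h323_id").fetchall()


if __name__ == "__main__":
    con = open_endpoint_db()
    rrq = parse_rrq(SAMPLE_RRQ)
    print(rrq.ip, rrq.aliases, "->", registration_decision(con, rrq))
    # Same aliases offered from an unknown address (constructed) are rejected.
    stranger = parse_rrq(SAMPLE_RRQ.replace("130.216.13.164", "192.0.2.99"))
    print(stranger.ip, "->", registration_decision(con, stranger))
    for entry in phonebook(con):
        print(*entry)
```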
An OpenSource solution
• Other features
  – Port range can be limited (H.245, T.120, RTP ports)
  – Load balancing
  – T.120 proxy
  – Support for NATed endpoints
  – Calls can be queued
  – …
An OpenSource solution
• GnuGK is used in RZG & IPP for ALL videoconferences (internal ↔ external, internal ↔ internal, external ↔ external)
• The solution works fine in point-to-point environments as well as multipoint ((cascaded) internal/external MCUs)
• No problems with different ‘speeds’ (minimum connection speed: 512 kbit/s, maximum 3 Mbit/s)
• We were not able to ‘force the proxy down’
An OpenSource solution
• What is meant by “…is used for ALL videoconferences…”?
An OpenSource solution
• Some statistics (1)
  – GK system (until 03/2004): P3, 1.6 GHz, running SuSE Linux 7.3
  – Videoconferencing systems in use
    • 3 Tandberg 6000, 7 Tandberg 550/880, 2 Tandberg 1000, 1 Tandberg 7000, 2 Viewstation EX, 30 ViaVideos
    • We tested our GK with several Polycom systems, Sony PCS1, NetMeeting, GnomeMeeting, VCon, etc.
    • Worked with exotic clients like the VRVS-H.323 gateway and the FVC web conferencing server
  – The system has been up and running for 169 days
  – More than 6000 calls were handled, approx. 1500 coming from external institutions/organizations
An OpenSource solution
• Some statistics (2)
  – Approx. 1000 videoconferences per month
  – Monthly data throughput: 120 GB
  – Interrupts in 2003: 2 (system crashes)
[Chart: GK call statistics – # Calls (0 to 5000) per month (1 to 8), series: Calls (overall), Calls (successful), Calls (from outside)]
An OpenSource solution
• Some statistics (3)
  – Current use:
    • Directorates meetings IPP
    • Meetings of RZG (Garching / Greifswald / Auckland)
    • RZG Users group (3-7 sites all over Germany)
    • Monday Meetings ASDEX-Upgrade (Garching / several clients in Europe, e.g. UK, France, etc.)
    • VC-Group meetings (almost every day)
    • Regular meeting of MPG Presidents
    • Project meetings
    • Meeting of Viktas group
    • …
Summary
– Disadvantages
  • Monitoring only via telnet (allowed IPs can be specified)
– Advantages
  • It’s free
  • OpenSource
  • Proxy can be deactivated (completely or just for dedicated IPs/subnets)
  • Limitation of the port range
  • A bunch of authentication methods
  • Runs on Linux/Windows/Apple
  • Support for NATed endpoints
  • E.164 rewrite (important for password-protected conferences where the password is separated with * (new VV software can’t handle *))
Summary
The H.323 & Firewall issue can be solved using OpenSource software
Further Activities: QoS
– H.323 Beacon
– DFN Projects (Erlangen)
– Own Tools
[Plot: Greifswald (HGW) – Garching (GAR) measurements]
Acknowledgement
• U. Schwenn, P. Pflueger, H. Soenke, Th. V. Weber, RZG
• J. Hornung, DFNVC
• F. Schulze et al., VCC Dresden
• H. Pfeiffenberger, Sybilla Bunne, AWI
Questions??