Deploying Secure Videoconferencing Over an IP Network

Gordon Daugherty, Chief Marketing Officer

PowerPoint presentation, 25 pages. Posted 13-Jan-2016.

DESCRIPTION

Deploying Secure Videoconferencing Over an IP Network. Gordon Daugherty, Chief Marketing Officer. Topics to be covered: basics about IP video; design considerations in the LAN and WAN; QoS; firewalls and NAT; management and administration; common oversights. Ultimate objective checklist.

TRANSCRIPT

Page 1: Deploying Secure Videoconferencing Over an IP Network

Deploying Secure Videoconferencing Over an IP Network

Gordon Daugherty, Chief Marketing Officer

Page 2: Topics to be Covered

• Basics about IP Video

• Design Considerations in the LAN and WAN

• QoS

• Firewalls & NAT

• Management & Administration

• Common Oversights

Page 3: Ultimate Objective Checklist

Security

Connectivity

Management & Administration

Transparency (Seamless Use)

Page 4: The Basics about IP Video

• How much bandwidth is consumed?

– Don’t forget the overhead

• Separate audio and video streams

• Point-to-point versus multipoint versus multicast

– Especially think about the aggregated bandwidth coming into the MCU (WAN link)

• TCP for signaling/control and UDP for media
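As an added illustration of the overhead and MCU-aggregation points on this slide (example code, not from the original deck): a small Python calculator that turns a codec rate into its on-wire rate per stream, sums the separate audio and video streams of one call, and totals what a multipoint conference pushes into the MCU site's WAN link. The codec rates, packet sizes and site counts are constructed sample values.

```python
# Per-packet header bytes added on top of each RTP payload (IPv4 over Ethernet).
RTP_HDR, UDP_HDR, IPV4_HDR = 12, 8, 20
ETH_HDR = 18                       # 14-byte Ethernet header + 4-byte FCS
OVERHEAD = RTP_HDR + UDP_HDR + IPV4_HDR + ETH_HDR   # 58 bytes per packet

def wire_rate(payload_bps, payload_bytes, overhead=OVERHEAD):
    """On-wire bits/s for one media stream in one direction.
    Small packets (typical for audio) pay proportionally more overhead."""
    return payload_bps * (payload_bytes + overhead) / payload_bytes

def call_rate(streams):
    """One direction of a call is the sum of its separate audio and video streams.
    streams: iterable of (codec_bps, rtp_payload_bytes)."""
    return sum(wire_rate(bps, size) for bps, size in streams)

def mcu_link_load(remote_endpoints, streams):
    """Multipoint: every remote endpoint sends its own streams to the MCU, so the
    MCU site's WAN link carries the sum in each direction, not one call's worth.
    remote_endpoints: {site_name: endpoints joining from that site}."""
    per_endpoint = call_rate(streams)
    per_site = {site: n * per_endpoint for site, n in remote_endpoints.items()}
    return per_site, sum(per_site.values())

# Constructed sample call: G.711 audio (64 kb/s in 20 ms = 160-byte packets) plus
# 320 kb/s video in 1160-byte packets, i.e. a nominal "384 kb/s" call.
SAMPLE_STREAMS = [(64_000, 160), (320_000, 1160)]
# Constructed branch sites joining a conference hosted on the headquarters MCU.
SAMPLE_SITES = {"dallas": 4, "raleigh": 2, "chicago": 1}

if __name__ == "__main__":
    print(f"audio on wire: {wire_rate(64_000, 160):.0f} b/s")     # 87200
    print(f"video on wire: {wire_rate(320_000, 1160):.0f} b/s")   # 336000
    per_site, total = mcu_link_load(SAMPLE_SITES, SAMPLE_STREAMS)
    print(f"MCU WAN link, each direction: {total / 1e6:.2f} Mb/s "
          f"for 7 endpoints (a T1 carries 1.544 Mb/s)")
```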

Page 5: LAN Considerations

• The easiest part

• Switches are a must to reduce contention and retransmissions due to collisions

• Predict usage patterns before the deployment

– Average and peak # simultaneous conferences

– Average conference data rate

– Usage of pt-to-pt versus multipoint versus multicast

• 802.1p/q QoS should not be needed if LAN is properly provisioned

Page 6: Considerations with Routers

• Can work for you or against you, depending on how the router is configured

• Likely the best place to implement QoS of some sort

– IP Precedence or DiffServ

• Check to see if any traffic shaping or filtering is already being done based on packet types or ports

– This could cause some unpredictable results if the policies overlap with the protocols or ports used for IP video

• Check to see if any tail drop or early detection policies are already implemented

– If so, try to use “class-based” (like WRED) to have QoS markings taken into consideration

Page 7: QoS Via Differentiated Services

(Figure: router priority queues. An inbound stream and an outbound stream; best-effort packets (email, internet browsing, etc.) in one queue and prioritized packets (audio, video, etc.) in the other.)

• Configure routers for Priority Queuing or Class-Based Queuing

• VCON endpoints mark media packets (UDP) for IP Precedence by default. Can customize for different values or for DiffServ PHBs instead.
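An added Python example (not from the slides) of the marking side of this: decoding the IPv4 TOS byte both ways, as IP Precedence and as a DSCP, and checking a router's class definitions against the markings the endpoints actually send. The PHB values are the standard ones; the endpoint default of precedence 5 and the two policies are constructed, since the slide does not state VCON's default value.

```python
# IPv4 TOS byte: the top 3 bits are the RFC 791 IP Precedence, the top 6 bits are the
# RFC 2474 DSCP (low 2 bits are ECN). Class selector CSn is therefore the same marking
# as precedence n, and EF (46) still decodes as precedence 5, but CS5 (40) is not EF.
EF, AF41, AF42, AF43 = 46, 34, 36, 38   # usual PHBs for voice (EF) and video (AF4x)

def ip_precedence(tos):
    return (tos >> 5) & 0x7

def dscp(tos):
    return (tos >> 2) & 0x3F

def tos_from_precedence(prec):
    return (prec & 0x7) << 5

def tos_from_dscp(codepoint):
    return (codepoint & 0x3F) << 2

def classify(tos, prec_classes=(), dscp_classes=()):
    """Class-based queuing decision for one packet: it lands in the prioritized
    queue only if its marking matches one of the router policy's classes."""
    if ip_precedence(tos) in prec_classes or dscp(tos) in dscp_classes:
        return "priority"
    return "best-effort"

def policy_gaps(endpoint_markings, prec_classes=(), dscp_classes=()):
    """The overlap check from the router slide: which of the markings the endpoints
    send would this policy quietly leave in the best-effort queue?"""
    return [m for m in endpoint_markings
            if classify(m, prec_classes, dscp_classes) == "best-effort"]

# Constructed sample (the deck does not state the default value): some endpoints
# left on a precedence-style marking of 5, others customised to DiffServ PHBs.
ENDPOINT_MARKINGS = [tos_from_precedence(5), tos_from_dscp(EF), tos_from_dscp(AF41)]
# A policy written purely in DiffServ terms misses the precedence-marked media ...
DSCP_ONLY_POLICY = dict(dscp_classes=(EF, AF41, AF42, AF43))
# ... while matching precedence 5 covers both CS5 and EF; AF4x handles the video.
MIXED_POLICY = dict(prec_classes=(5,), dscp_classes=(AF41, AF42, AF43))

if __name__ == "__main__":
    print([hex(m) for m in policy_gaps(ENDPOINT_MARKINGS, **DSCP_ONLY_POLICY)])  # ['0xa0']
    print(policy_gaps(ENDPOINT_MARKINGS, **MIXED_POLICY))                          # []
```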

Page 8: The “Multi-Hop Router Effect”

(Figure: an audio stream (packets A10–A13) and a video stream (packets V10–V13) crossing routers labelled Dallas, Raleigh, Chicago and New York. On the receiving side the audio packets are shown arriving in order while the video packets arrive as V12, V11, V13, V10, and A10 arrives twice. Labels: Duplicate, Out of Order, Jitter, No Lip Sync.)

Page 9: WAN Considerations

• Similar to the LAN – mostly a mathematical bandwidth consumption issue

• Be aware of the following things:

– Hop count

– Weakest link syndrome

– ARS (might send audio stream one way and video stream another)

– Unmanaged links, like the Internet

• If using a service provider, work required policies into the SLR

Page 10: Management & Administration

• H.323 gatekeeper is critical

– Bandwidth management (per zone & per user)

– Authentication and access control

– Address translation

– Alerts & alarms

• Remote device administration tool is extremely valuable

– CoS policies for resource usage (MCU, GW, etc)

– Call activity reports can assist with identifying needed network design modifications

– Remote endpoint configuration & troubleshooting

Page 11: Overcoming NAT and Firewall Issues

Page 12: Firewalls and IP-Based Communications

• The role of a firewall is to apply RULES that provide some level of network security

– Protocols allowed (inbound versus outbound)

– IP addresses (from-to)

– Port usage (“well known” versus application-specific)

• When a session is initiated from “inside” the firewall, returned data streams to the originating IP address and port are usually allowed

– However, H.323 allows a dynamically selected and very wide range of ports to be used for these return streams

Page 13: NAT and IP-Based Communications

• Network Address Translation (NAT) allows many private (non-routable) IP addresses to share fewer (even a single) public IP addresses

– Outbound connections are allowed, but the IP address in the packet header gets translated

– Unfortunately, there is also IP address information in the payload of voice/video over IP packets, which does not get translated

– No way to initiate connections from the outside because the IP addresses on the inside are “invisible”

• Network Address Port Translation (NAPT)

– Conflicts with “well known” ports that are used for voice/video over IP

Page 14: Messages Involved

• Gatekeeper registration

• Call setup messages

• Call signaling

• Keep-alive messages

• Audio and video media streams

• Neighbor gatekeeper messages

• Remote device administration

• Far-end camera control

(Callout: UDP & TCP streams; static & dynamic ports)

Page 15: Each Location Provides a Different Challenge

(Figure: network diagram. Elements shown: MCU, GK (gatekeeper) and GW (gateway) with PSTN and ISDN; locations: headquarters, branch office or business partner, home office, road warriors; all connected across the public IP network.)

Page 16: Solution Alternatives

Page 17: Client/Endpoint-Based Deployment Alternatives

• Place voice/video endpoints outside the firewall with public IP addresses

– Might be OK for settop appliances, but not desktop systems

– Consumes a public IP address for each endpoint

• NAT IP address mask

– Allows the endpoint to embed a routable, public IP address in the IP packet payload

– Requires static mappings of IP addresses for voice/video endpoints

• Port range configuration

– Directs the endpoint to use specific UDP and TCP ports instead of a wide dynamic range

– Requires these ports to be opened in the firewall and not subjected to port translation

Page 18: Client/Endpoint-Based Deployment Alternatives (continued)

• Port pinholing

– Returned streams use the same ports as the original incoming streams

– Requires calls to be initiated from inside the firewall

– Does not work when both endpoints are behind a firewall/NAT

• VPN

– Commonly used for home office workers already, but more complicated to use with branch offices

– Encryption and authentication built in

– May give access to more network resources than desired

A combination of the above alternatives can be implemented. However, they typically only serve as a partial workaround solution.

Page 19: Server-Based Deployment Alternatives

• Protocol-aware firewall

– Able to identify valid voice/video messages and dynamically act accordingly

– Example: H.323 snooping allows ports to be opened for a validated session and then closed when done

– Does not necessarily solve the inbound NAT connection problem or the dual-firewall/NAT problem

• Application Level Gateway (ALG) or other proxy-based solution

– Protocol aware: only processes messages that it understands

– Makes all resources appear local, while still requiring that traffic pass through the firewall for security

– Commonly combined with an encryption option for added security
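The payload-address problem from the NAT slide (page 13) and the protocol-aware answer above, as an added Python sketch that is not part of the deck and does not model VCON's product: a plain NAPT that rewrites only headers, beside an ALG-style translator that also rewrites the media address carried in the signaling payload and pre-creates the mapping the far end's return media needs. The payload text, addresses and ports are constructed stand-ins, not real H.245 encoding.

```python
import re
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed public address of the NAT / ALG
INSIDE_ADDR = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d+\b")  # 10/8 is "inside"

@dataclass
class Packet:
    src: str      # "ip:port" in the IP/UDP header
    dst: str
    payload: str  # constructed stand-in for the H.245 body naming a media address

class Nat:
    """Plain NAPT: rewrites only the header; the payload passes through untouched."""
    def __init__(self):
        self.out, self.back, self.next_port = {}, {}, 40000
    def map(self, private):
        if private not in self.out:
            public = f"{PUBLIC_IP}:{self.next_port}"
            self.next_port += 1
            self.out[private], self.back[public] = public, private
        return self.out[private]
    def outbound(self, pkt):
        return Packet(self.map(pkt.src), pkt.dst, pkt.payload)
    def inbound(self, pkt):           # only an existing mapping lets traffic in
        return Packet(pkt.src, self.back[pkt.dst], pkt.payload) if pkt.dst in self.back else None

class H323Alg(Nat):
    """Protocol-aware variant: understands the message, rewrites the media address in
    the payload, and creates the mapping so the far end's media can come back in."""
    def outbound(self, pkt):
        out = super().outbound(pkt)
        out.payload = INSIDE_ADDR.sub(lambda m: self.map(m.group(0)), pkt.payload)
        return out

def far_end_media_deliverable(translator, pkt):
    """What the remote endpoint does with the signaling it received: send media to
    the address named in the payload. Returns the inside address the media reaches,
    or None when it was aimed at an unroutable private address."""
    sig = translator.outbound(pkt)
    media_dst = re.search(r"mediaAddress=(\S+)", sig.payload).group(1)
    if INSIDE_ADDR.fullmatch(media_dst):
        return None               # private address leaked into the payload
    delivered = translator.inbound(Packet("198.51.100.7:50000", media_dst, "rtp"))
    return delivered.dst if delivered else None

# Constructed signaling packet: inside endpoint 10.0.0.5 opens a channel on UDP 49152.
SETUP = Packet("10.0.0.5:1720", "198.51.100.7:1720",
               "OpenLogicalChannel mediaAddress=10.0.0.5:49152")
```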

Page 20: Architecture of a Proxy-Based Solution

(Figure: private network, LAN-side proxy, firewall or NAT, WAN-side proxy, public IP network, connected in that order.)

• Prevents direct connections between private and public network devices

• Firewall does not need to accommodate requests for dynamic or random ports

• All traffic still passes through the firewall

Page 21: The VCON SecureConnect Solution

• Able to securely proxy:

– Gatekeeper registration

– Call setup messages & signaling

– Media streams (audio & video)

– Neighbor gatekeeper messages

– VCON Interactive Multicast streams

– MXM admin console login and remote device administration

– Far-end camera control messages

• Overcomes firewall and NAT hurdles without jeopardizing security

• Encryption option (DES, 3DES, AES)

• Highly scalable

Page 22: Other Considerations and Common Oversights - Firewall Traversal

• Don’t forget about conferencing requirements with locations/devices not under your control

– Customers

– Business partners

• QoS provisioning: does the solution selected preserve it?

• Gatekeeper registration is still very much needed

– Networked gatekeepers (neighbored or hierarchical) require special considerations

• Online directories still must be “visible” to all endpoints

• A solution that works for PC-based devices may not necessarily work for appliance devices (settop, GW, MCU)

• Scalability is important – what happens if the voice/video network grows dramatically?

Page 23: Common Oversights - General

• Don’t think about the dial plan for video devices after it’s too late

– The gatekeeper will have a default dial plan, but it’s probably not optimal

• Don’t forget about extended enterprise workers connected over the Internet

• Interoperability between endpoints, gatekeeper, MCU and gateway

– Check with the vendors to see what software versions are known to be interoperable

• Opportunities to incorporate multicast video are often overlooked

Page 24: Common Oversights - continued

• Broadband connections are commonly asymmetric

– The broadband connected user might get good quality, but the remote participant might not

– Many ADSL/cable providers have other options with better uplink bandwidth

Page 25: Ultimate Objective Checklist

Security

Connectivity

Management & Administration

Transparency (Seamless Use)