The Video over IP Company

VCON: The Video over IP Company
Danny On – VP R&D and Technical Alliances

VCON SecureConnect
Solutions for Secure Firewall Traversal & Encrypted Communications

SecureConnect Family Overview
- Extends the benefits of IP-based communications safely beyond the edges of the managed data network:
  - Remote branch offices
  - Home office workers
  - Customers and business partners
- Solves the connectivity problems associated with firewalls and NAT servers without eliminating security
- Encryption component for added security of the actual media and signaling streams
- Highly scalable and centrally manageable

Firewalls and IP-Based Communications
- Most firewalls allow only very specific types of inbound traffic
- When a session is initiated from "inside" the firewall, the returned data streams to the originating IP address and port are usually allowed
- However, H.323 negotiates the ports for these return streams dynamically, from a very wide range: only RAS (UDP 1719) and H.225 call signaling (TCP 1720) use well-known ports, while the H.245 control channel and the RTP/RTCP media streams are assigned per call and announced inside the signaling messages
- Many firewalls also perform Network Address Translation (NAT) or Network Address Port Translation (NAPT)
- NAT usage typically makes it impossible to initiate calls from outside the firewall, since the endpoint's private address is not reachable from the public network
- NAPT usage greatly conflicts with the "well known" ports that H.323 uses, and the addresses and ports carried inside H.225/H.245 messages are not rewritten by a plain NAT, so the far end is told to send media to an unreachable private address

The VCON ALG Proxy Server
Application-level gateway (ALG) that can proxy:
- Gatekeeper registration
- Call setup messages & signaling
- Media streams (audio & video)
- Neighbor gatekeeper messages
- VCON interactive multicast streams
- MXM admin console login and remote device administration
- Far-end camera control messages
Solves connectivity problems from firewalls and NAT
Scalable up to 100 concurrent video calls per server
Encryption option

ALG Proxy Server - continued
- Supports any standard H.323 device (endpoint, MCU, gateway)
- Firewall cooperation and synergy:
  - No firewall ports are opened in the "inward" direction
  - Firewall does not need to accommodate requests to open random or dynamic ports
  - External devices never connect directly to the inside network
  - Internal devices never connect directly to the outside network
- Media streams pass directly between conference participants on the same side of the ALG; only calls that span both sides have their media relayed
- Configurable QoS (DiffServ or IP Precedence) for audio, video and data streams
- Single or dual-server configurations available

Single vs Dual-Server Config
Diagram: single-server configuration (one server hosting both the inside and outside proxy, with one interface on the private network and one on the public network) versus dual-server configuration (inside proxy on the private network, outside proxy on the public network, firewall or NAT in between).

Shown on this slide are two different possible ways to configure the ALG proxy server. The decision on how to configure the proxy components can be made uniquely at each location, depending on the needs of that location.

When the Advanced Encryption Server is NOT also being used in conjunction with the ALG, the most secure approach is to select the two-server configuration, which splits the inside and outside proxy functions. In this setup, pinholes are needed in the firewall for only three specific ports. These pinholes are only opened in the outward direction (initiated from the private side). The firewall does not need to open any new ports in the inward direction.

The decision to use a single ALG Proxy Server with both proxy functions running inside involves using the two NIC interfaces in this server, one connected to the public network and one to the private network. The most common reason to use this approach is cost savings.

When the Advanced Encryption Server is being used, many network administrators will likely be more comfortable with the single-server approach for the ALG. The reason is that all traffic coming from the public network into the ALG is encrypted (assuming it is the public side of the network that is chosen to be encrypted). The firewall does not need to open any new ports in the inward direction, and it does not need to accommodate requests to open random or dynamic ports. Furthermore, all traffic that comes into the outside proxy (from the public network) is passed exclusively to the inside proxy through the firewall. One key benefit of the ALG Proxy architecture is that external devices never connect directly to the private network and internal devices never connect directly to the public network.

- Inside & outside proxy elements of the ALG can be combined or split
- Both configurations prevent direct connections between private and public network entities
- With either configuration, the outside proxy can be encrypted for added security
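The dynamic-port problem from the "Firewalls and IP-Based Communications" slide and the dual-server split described on this slide, as an added example that is not part of the deck and not VCON's software: a small Python model of a stateful firewall that only admits inbound packets reversing a flow the inside opened. The first scenario runs a plain H.323 endpoint through it (signaling on TCP 1720 gets out, the negotiated RTP port and any call from outside are dropped); the second puts the inside proxy and the outside proxy on either side of the same firewall with a policy that permits only the three outward pinholes. The addresses, the three pinhole ports (20001 to 20003) and the same-port-on-both-ends convention are assumptions, since the slides do not name the ports; NAT address rewriting is left out because the pass/drop decision shown here does not depend on it.

```python
"""Stateful firewall model for two H.323 traversal scenarios.

Added illustration, not VCON software.  The addresses and the three
pinhole ports in ALG_PINHOLES are placeholders: the slides say the
dual-server layout needs three outward pinholes but do not name the ports.
Address rewriting (NAT/NAPT) is omitted because the pass/drop decision
shown here does not depend on it.
"""
from dataclasses import dataclass

H225_CALL_SIGNALING = 1720   # TCP: well-known H.323 call-setup port

# Placeholder (proto, port) pairs for the inside-proxy -> outside-proxy link.
ALG_PINHOLES = {("tcp", 20001), ("tcp", 20002), ("udp", 20003)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Sessions may only be opened from inside; an inbound packet passes only
    if it is the reverse of a tracked outbound flow.  outbound_policy is None
    (any outbound flow) or a set of permitted (src, dst, proto, dport)."""

    def __init__(self, inside_hosts, outbound_policy=None):
        self.inside = set(inside_hosts)
        self.policy = outbound_policy
        self.state = set()                       # tracked outbound 5-tuples

    def forward(self, p: Packet) -> bool:
        if p.src in self.inside and p.dst not in self.inside:
            if self.policy is None or (p.src, p.dst, p.proto, p.dport) in self.policy:
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return True
            return False
        # Inbound (or unknown) traffic: only the reverse of an established flow.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.state


def endpoint_behind_firewall():
    """Scenario 1: a private-LAN H.323 endpoint calls a public endpoint with
    no ALG.  Signaling on TCP 1720 works; the media does not."""
    ep, remote = "10.0.0.5", "203.0.113.9"
    fw = StatefulFirewall(inside_hosts={ep})
    return {
        "outbound_call_setup": fw.forward(Packet("tcp", ep, 3001, remote, H225_CALL_SIGNALING)),
        # Reply on the same TCP connection: reverse of a tracked flow.
        "setup_reply": fw.forward(Packet("tcp", remote, H225_CALL_SIGNALING, ep, 3001)),
        # RTP arrives on a UDP port negotiated in H.245, which the firewall never saw.
        "inbound_rtp_media": fw.forward(Packet("udp", remote, 49152, ep, 49170)),
        # A call placed from outside matches no tracked flow at all.
        "inbound_call_setup": fw.forward(Packet("tcp", remote, 3005, ep, H225_CALL_SIGNALING)),
    }


def dual_server_alg():
    """Scenario 2: inside proxy on the private network, outside proxy on the
    public side.  Only the inside proxy may open flows outward, and only on
    the pinholes; everything else inbound rides those flows in reverse."""
    inside_proxy, outside_proxy = "10.0.0.2", "198.51.100.2"
    ep, remote = "10.0.0.5", "203.0.113.9"
    policy = {(inside_proxy, outside_proxy, proto, port) for proto, port in ALG_PINHOLES}
    fw = StatefulFirewall(inside_hosts={inside_proxy, ep}, outbound_policy=policy)
    # The inside proxy brings up its links; it uses the same port on both ends here.
    opened = [fw.forward(Packet(proto, inside_proxy, port, outside_proxy, port))
              for proto, port in ALG_PINHOLES]
    tcp_port = next(port for proto, port in ALG_PINHOLES if proto == "tcp")
    udp_port = next(port for proto, port in ALG_PINHOLES if proto == "udp")
    return {
        "pinholes_opened": all(opened),
        # Registration/signaling and media from the remote endpoint reach the
        # outside proxy without crossing this firewall; the outside proxy then
        # forwards them inward over the established links.
        "signaling_relayed_inward": fw.forward(Packet("tcp", outside_proxy, tcp_port, inside_proxy, tcp_port)),
        "media_relayed_inward": fw.forward(Packet("udp", outside_proxy, udp_port, inside_proxy, udp_port)),
        # The outside proxy cannot open anything new toward the inside ...
        "new_inbound_from_outside_proxy": fw.forward(Packet("tcp", outside_proxy, 5555, inside_proxy, H225_CALL_SIGNALING)),
        # ... nor can the remote endpoint reach the inside endpoint directly ...
        "remote_to_inside_endpoint": fw.forward(Packet("udp", remote, 49152, ep, 49170)),
        # ... nor can the inside endpoint bypass the proxy on the way out.
        "inside_endpoint_direct_outbound": fw.forward(Packet("tcp", ep, 3001, remote, H225_CALL_SIGNALING)),
    }


if __name__ == "__main__":
    for name, result in (("no ALG", endpoint_behind_firewall()), ("dual-server ALG", dual_server_alg())):
        print(name, result)
```

The point worth checking on a real deployment is the one the second scenario makes visible: after the inside proxy has started, the firewall's state table should contain exactly the flows it opened toward the outside proxy, so the rule set can be written as "inside proxy to outside proxy on these three ports, nothing inbound" and any other inbound rule for H.323 (including a 1720 allow) can be removed.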

Typical Headquarter / NOC Configuration
Diagram: PC-based endpoints, settop appliance, video directory, MCU and the MXM on the private network; ALG Proxy (Inside) behind the firewall/NAT, ALG Proxy (Outside) facing the public network.

Most commonly, the MXM server (serving as the gatekeeper) will sit on the private network, protected by the firewall. In a typical enterprise deployment, there will also be numerous video devices such as endpoints, MCUs or gateways on the private network. The ALG Proxy servers (shown here in the dual-server configuration) allow for safe traversal through the firewall/NAT. In both a typical enterprise deployment and a service provider network, there will be some number of video devices (mostly endpoints) in the public address space or at other locations accessed through the public network.

Typical Branch Office or Small-Medium Business Configuration
Diagram: PC-based endpoints, settop appliance and MCU on the branch's private network; ALG Proxy (Inside) and ALG Proxy (Outside) on either side of the firewall/NAT; public network beyond.

Many times, there will not be a gatekeeper or MXM server physically located at branch offices. Instead, the video devices (endpoints, MCU) at the branch office will register to the MXM server at the headquarters. The ALG Proxy will facilitate both gatekeeper registration and secure forwarding of audio and video streams. The scenario is similar for a service provider or carrier that is providing managed video services to small/medium businesses: the MXM server will be located in the NOC and the devices will remotely register to this MXM.

- Local devices point to the inside proxy for GK registration
- Calls between local devices do not result in media streams passing through the ALG Proxy

Endpoints in the Public Address Space
Diagram: ALG Proxy and firewall/NAT at the HQ/NOC, with endpoints on the public side.

Endpoints in the public address space (with routable IP addresses) can easily register to the MXM server at a branch office, HQ or service provider NOC. They do this by "pointing" to the outside proxy component as the gatekeeper, which proxies the gatekeeper registration on behalf of the remote device. One of the major advantages of the ALG Proxy architecture is that not all streams must pass through the proxy. Gatekeeper registration and signaling streams for the remote endpoints will pass through the ALG at the HQ/NOC, but gatekeeper registration and signaling streams for the HQ/NOC endpoints do not need to pass through the ALG. Audio and video media streams between remote endpoints (during a videoconference) will pass directly between the endpoints involved; the same holds for media streams between HQ/NOC endpoints. The only time media streams pass through the ALG at the HQ/NOC is when the videoconference involves endpoints (or devices like MCUs) on both sides of the ALG.

- Remote devices point to the outside ALG Proxy for GK registration
- Calls between outside devices do not result in media streams passing through the ALG Proxy

Multi-Zone Gatekeeper Configuration
Diagram: peer-to-peer (meshed) and hierarchical arrangements of MXM gatekeepers, each reached through an ALG Proxy.

- Both peer-to-peer and hierarchical gatekeeper networks are supported by the ALG Proxy
- Neighbor gatekeeper zone definitions use the public IP address of the outside ALG Proxy component

The VCON Advanced Encryption Server
- Supports DES, 3DES & AES encryption standards (note: 56-bit DES has since been withdrawn as a standard and 3DES is deprecated; AES is the only one of the three that should be enabled today)
- Establishes peer-to-peer encrypted tunnels between authenticated users
- Combine with ALG Proxy to encrypt all traffic that leaves the proxy
- Scalable up to 10,000 concurrently logged-in clients and 1,000 concurrent calls per server
- Remote users only have access to pre-determined, application-specific resources
  - Versus traditional VPN solutions, which give the user full access to the enterprise or service provider network

The VCON Encryption Client
- Supports PC-based devices (Windows 98, NT, 2000, XP)
- UserID and password authentication to the Encryption Server
- Encrypts signaling and media streams immediately as they leave the PC-based device
- DES, 3DES, AES encryption standards
- No-charge client, downloadable from the VCON website

All PC-Based Devices Configuration
Diagram: PC-based endpoints and the VCB (MCU), each running the Encryption Client, together with the MXM and the Advanced Encryption Server, with a firewall/NAT toward the public network.

This example depicts a network with all PC-based devices, including the MXM gatekeeper and VCON Conference Bridge (VCB). In this case, all PC-based devices are running the Encryption Client and are logged into the Encryption Server for end-to-end encrypted communications.

- All PC-based devices running the Encryption Client are logged in to the Advanced Encryption Server
- Data streams flow directly between the devices without passing through the Encryption Server, unless both participants have private IP addresses

Leveraging the ALG Proxy for Encryption
Diagram: PC-based endpoints with the Encryption Client, non-PC devices and MCU on the private network; ALG Proxy (Inside), firewall/NAT, ALG Proxy (Outside); Advanced Encryption Server and public network.

If there are appliance (non-PC) devices that need to participate in encrypted conferences, this can be accomplished by leveraging the ALG Proxy Server. The ALG Proxy has the ability to log in to the Encryption Server, and thereby serve as a gateway between the encrypted and non-encrypted network segments. In the example shown, traffic across the private LAN would not be encrypted, but all traffic across the public network would be encrypted, even traffic originating from the non-PC devices.

- The outside proxy is enabled with encryption
- This proxy only counts as a single client login on the Encryption Server
- Allows encryption for non-PC devices, including MCUs
- All traffic across the public network is encrypted

Versatility of the SecureConnect Solution
Diagram: headquarters/NOC (Encryption Server, ALG Proxy, MXM, VCB), a branch office or small business behind its own ALG Proxy, a home office and road warriors using the Encryption Client, all connected across the public network. Encrypted and non-encrypted segments are marked; the diagram does not necessarily reflect the actual path of the media streams during a conference.

This diagram shows the versatility of the SecureConnect architecture. It can be especially useful for an enterprise that has multiple locations with different types and quantities of endpoints. Branch offices with a handful of endpoints or more can likely sit behind an ALG Proxy in order to traverse the local firewall. A home office worker can install the Encryption Client in order to traverse the personal firewall commonly integrated into DSL routers and cable modems. Road warriors can also use the Encryption Client to traverse whatever firewall or NAT might be between them and the headquarters proxy. One benefit of this approach is that an ALG Proxy is not always needed at every firewall/NAT border. An additional benefit comes from the fact that the Encryption Server will ensure that all communications across the public IP network are encrypted.

High Availability Features
- Dual NIC cards
- RAID controller & mirrored hard drives
- Dual memory modules
- Software watchdog for services

Due to the critical role of the SecureConnect servers (both the ALG Proxy and the Encryption Server), VCON has configured the server with the high availability features shown on this slide.

Other SecureConnect Features
- 1-year software subscription included with all SecureConnect servers: access to all SW enhancements for a period of 1 year
- Scalability upgrades accomplished via a license key, with no need to take the system out of service

Thank you!