Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 1 H.323 & Firewalls Experiences with an OpenSource solution for the H.323 Firewall issues Kewin Stoeckigt, Ulrich Schwenn Computing Center Garching (RZG), Max-Planck-Gesellschaft (MPG) & Max-Planck-Institut für Plasmaphysik (IPP) SURA/ViDe 6 th Annual Digital Video Workshop Indianapolis, Indiana, USA March 22-25, 2004

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 2 Outline of talk Introduction (MPG, IPP, RZG) VC infrastructure overview H.323 & Firewalls – The Problem An OpenSource solution –Why do we use it? –How it works –ViDe.Net –Authentication methods –Other features –Statistics/Experiences –QoS Activities Summary

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 3 Max-Planck-Society (MPG) Independent, non-profit research organization Promotes and supports research at its own institutes Institutes are organized in three sections with 80 institutes Budget for 2004: ~ US$ 1.66 billion # Inst: Chemistry, Physics and Technology section:29 Biological and medical section:35 Arts and human science:16

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 4 Institute of Plasmaphysics (IPP) Investigates physical principles underlying a nuclear fusion power plant, which – like the sun – will gain energy from the fusion of light atomic nuclei Member of the European Fusion Programme (EFDA) Member of Helmholtz Association of National Research Centers Budget in 2002: US$ 150 million

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 5 Institute of Plasmaphysics (IPP) Current Experiments –ASDEX Upgrade tokamak (Axially Symmetric Divertor EXperiment) Garching Confinement with external fields and plasma current Investigates crucial problems in fusion research under reactor- like conditions –Wendelstein 7-X Greifswald Confinement with external magnetic fields only Theoretically optimized magnetic fields to overcome difficulties due to genuine 3D topology

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 6 Computing Center (RZG) Located in Garching near Munich Since 1980 common computing center for IPP and MPG Offers different services of MPG institutes –General network access –High Performance Computing power (Clusters, vector machines, etc.) –Code optimization –Videoconferencing (since 1995) –… Fastest supercomputer in Germany – IBM Regatta (27 Nodes) (4.2 TFlops/s) # 31 of Top500 (11/2003)

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 7 VC infrastructure: IPP T500 T880T500 Garching Greifswald T500 3 T880 DFNVC T6000 MS T6000 MS 10 VV 15 VV DFNVC T6000 MS T500 2 T VS-EX T7000 Main Institute (700) in Garching; Branch Institute (300) in Greifswald 500 miles: Garching to Greifswald take longer than traveling from Garching to New York

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 8 VC infrastructure IPP: 3 lecture halls –2 in Garching: Tandberg 6000 systems –1 in Greifswald: Tandberg 6000 system 8 seminar rooms –4 Tandberg 550, 7 Tandberg 880, 2 Tandberg 1000 ~ 30 ViaVideo Multizone gatekeeper –Located in Garching –OpenSource (More about this later) Use of DFNVC service

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 9 VC infrastructure: IPP- EFDA DE GAR AUG 2 T6000 / 3 T880 T500 / 15 VV GnuGK-Proxy DFNVC VRVS VS128 VV VRVS VV IL UK DKFRCHFI HU IT VV VRVS 2 VV NM VV NM VV NM ES Aethra VS PT 8 Mbps VV T880 HGW W7-X T T500 T VV

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 10 H.323 & Firewalls – The Problem Complexity of media streams –Use of several sub-protocols for many channels per session Dynamic allocation of several information –Bandwidth/Bandwidth change –# data channel changes –Port allocation

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 11 H.323 & Firewalls – The Problem Dynamic port allocation –H.323 uses a few fixed ports, e.g (T.120), 1719, 1720 –Many dynamic allocated ports Port range: >2 10 & <2 16 Session-Management of H.323 client allocates ports randomly during setup (Phase C) Approx. 4 to 6 ports per videoconference –Dynamic negotiated ports cant be handled by firewall How do you open ports if you dont know them?

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 12 H.323 & Firewalls – The Problem The communication or….what happens if… Setup (often) can run thru firewall, data communication is blocked by firewall ( dynamic ports)

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 13 An OpenSource solution Former firewall solution –OpenFirewalling No videoconferencing client was secured by firewall Securityproblem: Desktops with special data on it are not protected Desired solution –Low-Cost solution –Easy to configure/administer –No network changes, e.g. rerouting, etc. We use GnuGK or TPFNAO (The Program Formally Known As OpenH323 Gatekeeper)

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 14 An OpenSource solution Why do we use it? –Costs GnuGK is free ( GPL) Runs on Linux…which is also free Just the hardware is necessary –Linux Approx 80% of all computer at RZG are Linux/Unix based Linux/Unix seem more reliable than other operating systems –OpenSource We can change the code whenever we want to, e.g. include afs support, etc.

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 15 An OpenSource solution GnuGK is gatekeeper/proxy combination ALL videoconferencing traffic runs over GnuGK The communication…or what happens if…

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 16 An OpenSource solution GnuGK works with ViDeNet –Neighbor principle If LRQ can not be answered by RZG-GK, LRQ I then send to German Country GK and so forth [RoutedMode] … AcceptNeighborCalls=1 … [RasSvr::Neighbor] CGK= :1719;*;

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 17 An OpenSource solution Authentication methods –Security and videoconferencing are getting more important –GnuGK supports several different authentication methods IP authentication Prefix authentication mySQL authentication LDAP authentication/H.350 authentication Radius authentication (includes billing) –It is possible to limit access of dedicated IPs, E.164 numbers, etc.

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 18 An OpenSource solution We use mySQL authentication on RRQ If host has valid DB entry, RCF is send, otherwise RRJ DBTable also used for phonebook

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 19 An OpenSource solution Other features –Port range can be limited (H.245, T.120, RTP ports) –LoadBalancing –T.120 proxy –Support for NATed endpoints –Calls can be queued –…

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 20 An OpenSource solution GnuGK is used in RZG & IPP for ALL videoconferences (internal external, internal internal, external external) Solution works fine in point-to-point environments as well as multipoint ((cascaded) internal/external MCUs) No problems with different speeds (minimum connections speed: 512kbit/s, maximum 3MBits/s) We were not able to force proxy down

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 21 An OpenSource solution What is meant by..is used for ALL videoconference…?

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 22 An OpenSource solution Some statistics (1) –GK system (until 03/2004): P3, 1.6 GHz, running SuSE Linux 7.3 –Used videoconferencing systems 3 Tandberg 6000, 7 Tandberg 550/880, 2 Tandberg 1000, 1 Tandberg 7000, 2 Viewstations EX, 30 ViaVideos We tested our GK with several Polycom systems, Sony PCS1, NetMeeting, GnomeMeeting, VCon, etc. Worked with exotic clients like VRVS-H.323 gateway, FVC Webconferencing server –System has been up and running for 169 days –More than 6000 calls were handled, approx 1500 coming from external institutions/organization

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 23 An OpenSource solution Some statistics (2) –Approx 1000 videoconference per month –Monthly data throughput: 120GB –Interrupts in 2003: 2 (System crashes)

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 24 An OpenSource solution Some statistics (3) –Current use: Directorates meetings IPP Meetings of RZG (Garching / Greifswald / Auckland) RZGs Users group (3-7 sites all over Germany) Monday Meetings ASDEX-Upgrade (Garching / several clients in Europe, e.g. UK, France, etc.) VC-Group meetings (almost every day) Regular meeting of MPG Presidents Project meetings Meeting of Viktas group …

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 25 Summary –Disadvantages Monitoring just via telnet (allowed IPs can be specified) –Advantages Its free OpenSource Proxy can be deactivated (completely or just for dedicated IP/subnets) Limitation of Port range Bunch of authentication methods Runs on Linux/Windows/Apple Support for NATed endpoints E.164 rewrite (important for password protected conferences were password is separated with * (new VV software cant handle *))

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 26 Summary H.323 & Firewall issue can be solved using OpenSource software

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 27 Further Activities: QoS –H.323 Beacon –DFN Projects (Erlangen) –Own Tools Greifswald – Garching HGW GAR

Computing Center of Max-Planck-Society and Institute of Plasmaphysics K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions 28 Acknowledgement U. Schwenn, P. Pflueger, H. Soenke, Th. V. Weber, RZG J. Hornung, DFNVC F. Schulze et al., VCC Dresden H. Pfeiffenberger, Sybilla Bunne AWI Questions??