The Video over IP Company

Presentation on theme: "The Video over IP Company"— Presentation transcript:

1 The Video over IP Company
VCON, The Video over IP Company. Danny On, VP R&D and Technical Alliances

2 Solutions for Secure Firewall Traversal & Encrypted Communications
VCON SecureConnect: Solutions for Secure Firewall Traversal & Encrypted Communications

3 SecureConnect Family Overview
- Extends the benefits of IP-based communications safely beyond the edges of the managed data network: remote branch offices, home office workers, customers and business partners
- Solves the connectivity problems associated with firewalls and NAT servers without eliminating security
- Encryption component for added security of the actual media and signaling streams
- Highly scalable and centrally manageable

4 Firewalls and IP-Based Communications
- Most firewalls allow only very specific types of inbound traffic
- When a session is initiated from "inside" the firewall, return data streams to the originating IP address and port are usually allowed
- However, H.323 negotiates a dynamically selected and very wide range of ports for these return streams (the RTP/RTCP media ports are chosen per call during H.245 negotiation), so a firewall that only tracks the original signaling connection cannot know which inbound ports to expect
- Many firewalls also perform Network Address Translation (NAT) or Network Address Port Translation (NAPT)
- NAT usage typically makes it impossible to initiate calls from outside the firewall: the inside endpoint has no publicly reachable address, and the transport addresses that H.323 carries inside its signaling messages are the private ones, which NAT does not rewrite
- NAPT usage greatly conflicts with the "well known" ports used for H.323 (such as TCP 1720 for H.225 call signaling), since a single public address can forward a given well known port to only one inside host

5 The VCON ALG Proxy Server
- Application-level gateway (ALG) that can proxy:
  - Gatekeeper registration
  - Call setup messages & signaling
  - Media streams (audio & video)
  - Neighbor gatekeeper messages
  - VCON interactive multicast streams
  - MXM admin console login and remote device administration
  - Far-end camera control messages
- Solves connectivity problems from firewalls and NAT
- Scalable up to 100 concurrent video calls per server
- Encryption option

6 ALG Proxy Server - continued
- Supports any standard H.323 device (endpoint, MCU, gateway)
- Firewall cooperation and synergy:
  - No firewall ports are opened in the "inward" direction
  - Firewall does not need to accommodate requests to open random or dynamic ports
  - External devices never connect directly to the inside network
  - Internal devices never connect directly to the outside network
- Media streams pass directly between conference participants
- Configurable QoS (DiffServ or IP Precedence) for audio, video and data streams
- Single or dual-server configurations available

7 Single vs Dual-Server Config
[Diagram: single-server configuration (one host running both the inside and outside proxy, one NIC on the private network and one on the public network) versus dual-server configuration (inside proxy on the private network, outside proxy on the public network, firewall or NAT between them)]

Shown on this slide are two different possible ways to configure the ALG proxy server. The decision on how to configure the proxy components can be made independently at each location, depending on the needs of that location.

When the Advanced Encryption Server is NOT also being used in conjunction with the ALG, the most secure approach is the 2-server configuration, which splits the inside and outside proxy functions. In this setup, pinholes are needed in the firewall for only 3 specific ports, and they are opened only in the outward direction (inside proxy to outside proxy); the firewall does not need to open any new ports in the inward direction. This layout also keeps the firewall as the only device spanning both networks: a compromise of the outside proxy still leaves the attacker on the public side of the firewall.

Using a single ALG Proxy Server with both proxy functions involves using the two NIC interfaces in this server, one connected to the public network and one to the private network. The most common reason to use this approach is cost savings. Note that such a dual-homed host straddles the firewall boundary, so its own hardening matters as much as the firewall's rules.

When the Advanced Encryption Server is being used, many network administrators will likely be more comfortable with the single-server approach for the ALG, because all traffic coming from the public network into the ALG is encrypted (assuming it is the public side of the network that is chosen to be encrypted). The firewall does not need to open any new ports in the inward direction and does not need to accommodate requests to open random or dynamic ports. Furthermore, all traffic that comes into the outside proxy (from the public network) is passed exclusively to the inside proxy through the firewall. One key benefit of the ALG Proxy architecture is that external devices never connect directly to the private network and internal devices never connect directly to the public network.

- Inside & outside proxy elements of the ALG can be combined or split
- Both configurations prevent direct connections between private and public network entities
- With either configuration, the outside proxy can be encrypted for added security
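The NAT problem from slide 4 and the outbound-only pinholes of the dual-server layout on this slide, as an added toy model (example code written for this page, not VCON software). It assumes constructed addresses, a signaling payload of the form `OLC rtp=ip:port` standing in for the RTP transport address that H.323 carries inside its H.245 OpenLogicalChannel message, and three assumed pinhole ports (1720, 5000, 5001), since the slide does not name them. The plain call shows both failure modes (private address embedded in the payload, no binding for the dynamic RTP port); the ALG call shows every inbound packet riding a flow the inside proxy opened outward.

```python
"""Toy model: H.323 through a NAPT firewall, with and without a dual-server
ALG proxy. Added example for this page, not VCON code. All addresses, the
pinhole ports and the "OLC rtp=ip:port" payload syntax are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

FW_PUBLIC = "203.0.113.1"       # public face of the firewall/NAPT (constructed)
OUTSIDE_PROXY = "203.0.113.2"   # ALG outside proxy, on the public network
INSIDE_PROXY = "10.0.0.2"       # ALG inside proxy, on the private network
ENDPOINT = "10.0.0.5"           # H.323 endpoint on the private network
REMOTE = "198.51.100.7"         # far-end endpoint with a routable address
PINHOLES = {1720, 5000, 5001}   # assumed: the three inside->outside proxy ports
ADDR_RE = re.compile(r"rtp=(\d+\.\d+\.\d+\.\d+):(\d+)")


def is_private(ip: str) -> bool:
    return ip.startswith("10.")


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class NaptFirewall:
    """Stateful NAPT, default-deny inbound: a public-side packet passes only if
    it answers a binding a private host created outbound. With `pinholes` set,
    outbound is limited to INSIDE_PROXY -> OUTSIDE_PROXY on those ports."""

    def __init__(self, pinholes: Optional[set] = None):
        self.pinholes = pinholes
        self.fwd = {}           # (private ip, port) -> public port
        self.rev = {}           # public port -> (private ip, port)
        self.next_port = 40000

    def outbound(self, p: Pkt) -> Optional[Pkt]:
        if self.pinholes is not None and (
            (p.src, p.dst) != (INSIDE_PROXY, OUTSIDE_PROXY) or p.dport not in self.pinholes
        ):
            return None         # not one of the three outward pinholes
        key = (p.src, p.sport)
        if key not in self.fwd:
            self.fwd[key] = self.next_port
            self.rev[self.next_port] = key
            self.next_port += 1
        return Pkt(FW_PUBLIC, self.fwd[key], p.dst, p.dport, p.payload)

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        if p.dst != FW_PUBLIC or p.dport not in self.rev:
            return None         # no binding and no inward pinhole: dropped
        ip, port = self.rev[p.dport]
        return Pkt(p.src, p.sport, ip, port, p.payload)


def far_end_rtp(setup: Pkt) -> Pkt:
    """Far end reads the media address out of the signaling payload and sends
    RTP there, as an H.323 endpoint does after OpenLogicalChannel."""
    ip, port = ADDR_RE.search(setup.payload).groups()
    return Pkt(REMOTE, 6000, ip, int(port), "RTP")


def plain_call() -> dict:
    """Endpoint calls the far end straight through the NAPT: the header is
    translated, the embedded address is not, and the RTP port has no binding."""
    fw = NaptFirewall()
    setup = fw.outbound(Pkt(ENDPOINT, 1720, REMOTE, 1720, f"SETUP OLC rtp={ENDPOINT}:49152"))
    rtp = far_end_rtp(setup)
    via_public = fw.inbound(Pkt(REMOTE, 6000, FW_PUBLIC, rtp.dport, "RTP"))
    return {"header_src": setup.src,            # translated to the public address
            "embedded_media_addr": rtp.dst,     # still the private one
            "unroutable": is_private(rtp.dst),
            "delivered": via_public}            # None: port 49152 was never bound


def alg_call() -> dict:
    """Same call through the dual-server ALG with only the three outbound pinholes."""
    fw = NaptFirewall(pinholes=PINHOLES)
    # 1. endpoint signals to the inside proxy on the LAN (no firewall involved)
    setup = Pkt(ENDPOINT, 1720, INSIDE_PROXY, 1720, f"SETUP OLC rtp={ENDPOINT}:49152")
    # 2. inside proxy opens its fixed signaling and media flows outward
    sig = fw.outbound(Pkt(INSIDE_PROXY, 1720, OUTSIDE_PROXY, 1720, setup.payload))
    media_up = fw.outbound(Pkt(INSIDE_PROXY, 5000, OUTSIDE_PROXY, 5000, "keepalive"))
    # 3. outside proxy rewrites the embedded address to itself (the ALG's job)
    to_remote = Pkt(OUTSIDE_PROXY, 1720, REMOTE, 1720,
                    ADDR_RE.sub(f"rtp={OUTSIDE_PROXY}:5000", sig.payload))
    # 4. far end sends RTP to the public proxy, which is routable
    rtp = far_end_rtp(to_remote)
    # 5. outside proxy relays it back down the media flow opened in step 2
    down = fw.inbound(Pkt(OUTSIDE_PROXY, 5000, FW_PUBLIC, media_up.sport, rtp.payload))
    # 6. inside proxy hands the media to the endpoint on the LAN
    final = Pkt(INSIDE_PROXY, 5000, ENDPOINT, 49152, down.payload) if down else None
    # an endpoint trying to reach the public network directly is not a pinhole
    direct = fw.outbound(Pkt(ENDPOINT, 1720, REMOTE, 1720, "SETUP"))
    return {"far_end_targets": rtp.dst,
            "delivered_to": (final.dst, final.dport) if final else None,
            "direct_blocked": direct is None}


if __name__ == "__main__":
    print(plain_call())
    print(alg_call())
```

Run it to see both dictionaries. The model deliberately leaves the firewall with no inbound rule at all: the only state that lets `alg_call` deliver media is the binding the inside proxy created by sending first, which is the "pinholes only in the outward direction" property the slide describes.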

8 Typical Headquarter / NOC Configuration
[Diagram: MXM, PC-based endpoints, settop appliance, video directory and MCU on the private network; ALG Proxy (Inside) behind the firewall/NAT, ALG Proxy (Outside) on the public network]

Most commonly, the MXM server (serving as the gatekeeper) will sit on the private network, protected by the firewall. In a typical enterprise deployment, there will also be numerous video devices such as endpoints, MCUs or gateways on the private network. The ALG Proxy servers (shown here in the dual-server configuration) allow safe traversal through the firewall/NAT. In both a typical enterprise deployment and a service provider network, there will be some number of video devices (mostly endpoints) in the public address space or at other locations reached through the public network.

9 Typical Branch Office or Small-Medium Business Configuration
[Diagram: PC-based endpoints, settop appliance and MCU on the branch private network; ALG Proxy (Inside) behind the firewall/NAT, ALG Proxy (Outside) on the public network; no local MXM]

Often there will not be a gatekeeper or MXM server physically located at branch offices. Instead, the video devices (endpoints, MCU) at the branch office register to the MXM server at headquarters. The ALG Proxy facilitates both gatekeeper registration and secure forwarding of audio and video streams. The scenario is similar for a service provider or carrier that provides managed video services to small/medium businesses: the MXM server is located in the NOC and the devices register remotely to this MXM.

- Local devices point to the inside proxy for GK registration
- Calls between local devices do not result in media streams passing through the ALG Proxy

10 Endpoints in the Public Address Space
[Diagram: endpoints in the public address space registering through the outside ALG Proxy across the firewall/NAT]

Endpoints in the public address space (with routable IP addresses) can easily register to the MXM server at a branch office, HQ or service provider NOC. They do this by "pointing" to the outside proxy component as the gatekeeper, which proxies the gatekeeper registration on behalf of the remote device. One of the major advantages of the ALG Proxy architecture is that not all streams must pass through the proxy. Gatekeeper registration and signaling streams for the remote endpoints pass through the ALG at the HQ/NOC, but gatekeeper registration and signaling streams for the HQ/NOC endpoints do not need to. Audio and video media streams between remote endpoints (during a videoconference) pass directly between the endpoints involved, and the same holds for media streams between HQ/NOC endpoints. The only time media streams pass through the ALG at the HQ/NOC is when the videoconference involves endpoints (or devices like MCUs) on both sides of the ALG.

- Remote devices point to the outside ALG Proxy for GK registration
- Calls between outside devices do not result in media streams passing through the ALG Proxy

11 Multi-Zone Gatekeeper Configuration
[Diagram: peer-to-peer (meshed) and hierarchical MXM gatekeeper zones connected through the ALG Proxy]

Both peer-to-peer and hierarchical gatekeeper networks are supported by the ALG Proxy. Neighbor gatekeeper zone definitions use the public IP address of the outside ALG Proxy component.

12 The VCON Advanced Encryption Server
- Supports DES, 3DES & AES encryption standards (of these, only AES should be relied on today: single DES has a 56-bit key and is brute-forceable, and 3DES is deprecated as well)
- Establishes peer-to-peer encrypted tunnels between authenticated users
- Combine with ALG Proxy to encrypt all traffic that leaves the proxy
- Scalable up to 10,000 concurrently logged-in clients and 1,000 concurrent calls per server
- Remote users only have access to pre-determined, application-specific resources, versus traditional VPN solutions, which give the user full access to the enterprise or service provider network

13 The VCON Encryption Client
- Supports PC-based devices running Windows 98, NT, 2000 or XP (all of these Windows versions are now out of support)
- UserID and password authentication to the Encryption Server
- Encrypts signaling and media streams immediately as they leave the PC-based device
- DES, 3DES, AES encryption standards
- No-charge client, downloadable from the VCON website

14 All PC-Based Devices Configuration
[Diagram: PC-based endpoints, MXM and VCB (MCU) behind the firewall/NAT, each running the Encryption Client; Advanced Encryption Server reachable across the public network]

This example depicts a network with all PC-based devices, including the MXM gatekeeper and the VCON Conference Bridge (VCB). In this case, all PC-based devices are running the Encryption Client and are logged into the Encryption Server for end-to-end encrypted communications.

- All PC-based devices running the Encryption Client are logged in to the Advanced Encryption Server
- Data streams flow directly between the devices without passing through the Encryption Server, unless both participants have private IP addresses

15 Leveraging the ALG Proxy for Encryption
[Diagram: PC-based endpoints with the Encryption Client, non-PC devices and MCU on the private network; ALG Proxy (Inside) behind the firewall/NAT; ALG Proxy (Outside), with encryption enabled, and the Advanced Encryption Server on the public network]

If there are appliance (non-PC) devices that need to participate in encrypted conferences, this can be accomplished by leveraging the ALG Proxy Server. The ALG Proxy can log in to the Encryption Server and thereby serve as a gateway between the encrypted and non-encrypted network segments. In the example shown, traffic across the private LAN is not encrypted, but all traffic across the public network is encrypted, including traffic originating from the non-PC devices. Note that encryption in this setup reaches only as far as the outside proxy: the private LAN segment and the ALG host itself handle plaintext signaling and media, so both must be trusted.

- The outside proxy is enabled with encryption
- This proxy only counts as a single client login on the Encryption Server
- Allows encryption for non-PC devices, including MCUs
- All traffic across the public network is encrypted

16 Versatility of the SecureConnect Solution
[Diagram: headquarters/NOC with MXM, VCB, Encryption Server and ALG Proxy; branch office or small business behind its own ALG Proxy; home office and road warriors running the Encryption Client; encrypted and non-encrypted segments marked. The diagram does not necessarily reflect the actual path of the media streams during a conference.]

This diagram shows the versatility of the SecureConnect architecture. It is especially useful for an enterprise that has multiple locations with different types and quantities of endpoints. Branch offices with a handful of endpoints or more can sit behind an ALG Proxy in order to traverse the local firewall. A home office worker can install the Encryption Client in order to traverse the personal firewall commonly integrated into DSL routers and cable modems. Road warriors can also use the Encryption Client to traverse whatever firewall or NAT might be between them and the headquarters proxy. One benefit of this approach is that an ALG Proxy is not always needed at every firewall/NAT border. An additional benefit is that the Encryption Server ensures that all communications across the public IP network are encrypted.

17 High Availability Features
- Dual NIC cards
- RAID controller & mirrored hard drives
- Dual memory modules
- Software watchdog for services

Due to the critical role of the SecureConnect servers (both the ALG Proxy and the Encryption Server), VCON has configured the server with the high availability features shown on this slide.

18 Other SecureConnect Features
- 1 year software subscription included with all SecureConnect servers: access to all SW enhancements for a period of 1 year
- Scalability upgrades accomplished via a license key, with no need to take the system out of service

19 Thank you!

