Professional Documents
Culture Documents
Introduction 2
1
The Polycom MGC Technology Document • Security and Firewalls
Section 1
INTRODUCTION EXPANDING THE NETWORK
INFRASTRUCTURE
In the past, corporate adoption of interactive voice and video One of the most formidable barriers facing the enterprise IT
technologies over IP has fallen short of analyst expectations. manager has been the design of an IP infrastructure suitable for
The adoption of this technology has suffered from: interactive voice and video.The multi-stage network upgrade
process includes:
The complexities of implementing the H.323 standard
Lack of appropriate network infrastructure for time Replacing shared Ethernet hubs with switched Ethernet
sensitive data types components
Obstacles introduced by Network Address Translation Provisioning ample bandwidth in those segments of an
Conflict between current security practices and H.323 call enterprise network where video traffic is anticipated
requirements Introducing Quality of Service protocols in routers to give
Limited management platforms for Voice and Video priority to video traffic
technologies Introducing specialized computing and network management
resources for rich media applications (multipoint control
This paper summarizes the network infrastructure units and gateways)
requirements for voice and video, focusing on issues found Devising an appropriate address resolution scheme or
most frequently where the public Internet and private IP directory so users can find one another (a directory
networks meet. It explores numerous solutions, pointing out application with or without a gatekeeper)
their shortcomings and the need for a set of building blocks Insuring the security of the enterprise network while at the
that address these issues without requiring network same time permitting H.323 traffic to be exchanged with
reconfiguration or exposing corporate assets to non-secure ‘off net’ entities.
network conditions.
As the initial stages of this process near completion in some
enterprise networks, more attention will be focused at the
intersection of public and private networks.
2
The Polycom MGC Technology Document • Security and Firewalls
Due to design limitations of the public Internet protocols and In addition to Network Address Translation, one public IP
the success of the Internet as a destination, experts estimate address can be used by many Internal IP addresses by assigning
that approximately half the total available IP addresses have a different external IP port for each internal IP transport
been assigned. Each of these has a price and, for large Address needed.To make this possible, many networks have
enterprises, the cost of provisioning public IP addresses to Port Address Translation (PAT) and Network or Port Address
hundreds of thousands of computers is prohibitive.To alleviate Translation (NPAT) technologies embedded in a router or
the problem, the Internet Engineering Task Force developed a server where the NAT and firewall applications are running.
128-bit addressing scheme for the next version of the Internet
Protocol (IPv6), but a number of issues stand in the way of this Basic NAT and PAT devices filter the incoming and outgoing IP
protocol’s complete implementation throughout the Internet. packets and modify the header information. As the case for
Until such a time when IPv6 is widely deployed, anyone firewalls, discussed below, these products will interfere with
assigned and using an IPv6 address (a protocol that was applications that open dynamic ports during the connection (as
approved by the IETF in July 2000) is virtually unreachable from is the case for H.323).
the current Internet.
In order for someone who is ‘off net’ (outside the enterprise
network address scheme) to place a call using H.323 with a
person seated at a device behind a NAT or PAT device, the
network manager must introduce new software or hardware.
We will examine the attributes of such a product, but first we
will describe the standard components of secure networks.
3
The Polycom MGC Technology Document • Security and Firewalls
Security - The Purpose Of A Firewall information contained within the Internet and transport layer
headers and the direction that the packet is headed (internal to
Regardless of the network’s size or a company’s business, a external network or vice-versa).
complete enterprise security solution must:
If a matching rule is found, and if the rule permits the
Grant selective network access to authorized remote and packet, then the firewall allows the packet through, from
corporate users one network to another. If a matching rule denies the packet,
Authenticate network users with strong authentication then the packet is dropped. If there is no matching rule,
techniques before granting access to sensitive corporate data then the packet is dropped.
Ensure the privacy and integrity of communications over
untrusted, public networks like the Internet Another type of firewall, a ‘proxy,’ is a program with the
Provide content security at the gateway to screen malicious authority to act (send and receive signals) on behalf of
content, such as viruses and malevolent Java/ActiveX applets registered users on a network.The proxy has both a client
Detect network attacks and misuse in real time and and server component.
respond automatically to defeat an attack Protect internal
network addressing schemes and conserve IP addresses U RI T O LI CY OX Y
EC PR
P
S
Y
Be available at all times to ensure users high availability to
network resources and applications
Offer local and remote management interfaces to
authorized administrators Data
Deliver detailed logging and accounting information on all Voice
Video
communication attempts
Data
Voice
devices in enterprise Video Video
4
The Polycom MGC Technology Document • Security and Firewalls
5
The Polycom MGC Technology Document • Security and Firewalls
6
The Polycom MGC Technology Document • Security and Firewalls
Section 2
THE COMPLEXITIES If two end points are configured as peers, the Master/Slave
OF H.323 determination procedure is then started.The H.245
Master/Slave determination procedure is used to resolve
In enterprise networks, interactive video using H.323 protocols conflicts between two endpoints that can both be the MC for a
is often under the control of an H.323-defined entity called the conference, or between two endpoints that are
‘gatekeeper.’ The gatekeeper performs address resolution, attempting to open bi-directional channels at the same time. In
bandwidth management and injects policies into the network as this procedure, two endpoints exchange random numbers in
needed.The first two of these three functions are heavily the H.245 masterSlaveDetermination message to determine the
implicated during a gatekeeper routed call set up. master and slave endpoints. H.323 endpoints are capable of
operating in both master and slave modes.
When a user wants to place a call, the initiating endpoint starts
by requesting admission from the gatekeeper using an Following master/slave determination procedures, both
Admission Request (ARQ) message.The gatekeeper can accept terminals proceed to open logical channels using Universal
(ACF) or deny the request (ARJ). If the call request is accepted Datagram Protocol (UDP). Both video and audio channels are
and the user has the remote device’s IP address (or the uni-directional while data is bi-directional.Terminals may open
gatekeeper has this address in its database), the endpoint sends as many channels as they want, but each logical channel uses a
a Q.931 Setup message to the remote destination.The separate, randomly assigned port within a specific port range.
recipient of the Setup message in turn requests admission from Other H.245 control messages may be exchanged between the
its gatekeeper by sending an ARQ.When the call is accepted, endpoints to change media format, request video key frames
the Q.931 call signaling sequence is completed followed by the and change the bit rate during a call.
H.245 message negotiation.The Admission Request (ARQ)
message carries the initial bandwidth the endpoint requires for When vendors add authentication and encryption to their
the duration of the conference. H.323 compliant systems, these additional complexities will
require that firewall and NAT application proxies be updated to
With or without the gatekeeper, certain call set up procedures understand the authentication and encryption signaling. Since
are necessary for a H.323 session to be complete. Upon security and authentication are very important at the interface
receiving a Setup message from the remote party, endpoint B between public and private networks, supporting these
responds by sending a Q.931* Alerting message followed by a protocols will be necessary but will also add compute
Connect message if the call is accepted. At this point, the call complexity to the NATs and firewalls.
establishment signaling is complete, and the H.245 negotiation
phase is initiated. Both terminals will send their terminal When these steps are performed on behalf of people on the
capabilities in the terminal Capability Set message.The terminal same multimedia-ready IP network, the users are rewarded
capabilities include media types, codec choices, and multiplex with a complete rich media experience. In order for those end
information. Each terminal will respond with a points registered inside a secure network to reach people at
terminalCapabilitySetAck message.The terminals’ capabilities end points outside the enterprise network, a caller must avoid
may be resent at any time during the call provided TCP/IP ports Network Address Translation systems or have a consistent and
are available. reliable system to negotiate calls through both the NAT and
firewall or proxy server.We will now examine some of the
*H.225.0 - H.323 standard is a subset design of the Q.931 standards options currently open to network engineers and managers.
7
The Polycom MGC Technology Document • Security and Firewalls
RPR
Data PC TE I
EN
SE
IP Network
Traditional Firewall
Data PC
Isolate systems outside the firewall This type of configuration requires the following:
Install separate voice & video parallel to data networks
Open multiple ports on a NAT firewall Separate network connections from each device to the ISP
Deploy H.323 enabled firewalls & proxies Public IP addresses for every endpoint.
Develop IP tunnels The endpoint’s IP address must be static.
8
The Polycom MGC Technology Document • Security and Firewalls
EN
EN
SE
SE
management overhead above and beyond those associated Voice
with a data network. Data and
Video
Requires multiple LAN connections for a single system to
have voice, video and data requirements inside the enterprise.
Fails to secure networks from one another when a device
has multiple connections to data, voice and video networks.
Wide area communications would be unable to leverage
existing data network capacity.
Data Voice
Video
9
The Polycom MGC Technology Document • Security and Firewalls
Static IP
Address
Data
Voice
Video
R P RI
TE
EN
SE
Internet
D
a
t
TCP a
Por t
s V Multiple TCP out DSL
i
d SOHO
Each connection requires e Multiple TCP in Data
multiple TCP Ports UDP o Voice
Por t Video
s &
V
Each connection requires o Multiple UDP out Static IP
multiple dynamic UDP Ports i Address
c Data
e Multiple UDP in Voice
Video
10
The Polycom MGC Technology Document • Security and Firewalls
RPR DSL
TE I Firewall IP Address
EN
H.323 Enabled NAT Firewalls & Proxies Unfortunately, these solutions require that the firewall and
security plan be modified to support voice and video. In
There are H.323-compliant firewalls such as the Cisco PIX addition, they may not scale to accommodate numerous
Firewall product or Check Point Software’s Check Point simultaneous calls due to limitations of existing proxy server
FireWall-1.The latest versions of these products are capable of and network gateway servers’ bandwidth and computational
detecting H.323 protocols and passing limited address resources, as well as lack of management software designed
information between the secure and the public network.They specifically for H.323 sessions.
perform intelligent filtering based on the application layer.
When a requested session complies with policies, the firewalls
permit calls leaving the enterprise network to be placed and
for the media from the ‘unknown’ endpoint to return to the
caller on the LAN.
11
The Polycom MGC Technology Document • Security and Firewalls
H.323
Video NAT
TCP Call setup request
H.323
SE
RI Video
TERP
Internet
EN
TCP
F
Issues i
Dynamic IP address - Endpoint r
Firewall will not allow call through Call fails due to Firewall
from remote location. e not passing TCP request
w
a
UDP l
l
Even when an H.323-savvy NAT device or firewall is in place, Finally, an H.323 enabled NAT Firewall is limited to one-way
typical solutions on the market today will terminate the media connection capability that allows connections to be established
streams when the TCP H.225 channel is closed. In addition, the from inside a secure corporate network, but will not allow
H.323-compliant NAT/PAT devices currently available do not direct inbound dialing from ‘off net’.
support multicast because the network behind them appears as
a single address preventing the router from detecting the
identity of multicast requests received from inside the network.
12
The Polycom MGC Technology Document • Security and Firewalls
IP Tunneling
13
The Polycom MGC Technology Document • Security and Firewalls
Section 3
REQUIREMENTS FOR
ENABLING REAL WORLD VOICE
& VIDEO OVER IP
14
The Polycom MGC Technology Document • Security and Firewalls
Section 4
SOLVING THE CHALLENGES
Best Performance
OF H.323 VOICE & VIDEO
Highest Computational Requirements (MIPs)
OVER IP NETWORKS
Security
Best Security
Polycom MGC Circuit Dynamic Applications
Firewall Level Packet Layer
Solution Firewall Filter Firewall
Firewall
15
The Polycom MGC Technology Document • Security and Firewalls
Algorithms Supported:
16
The Polycom MGC Technology Document • Security and Firewalls
MULTIMEDIA BUS
IP IP
NET NET
1 2
Web
Commander
17
The Polycom MGC Technology Document • Security and Firewalls
Polycom Inc., 1565 Barber Lane, Milpitas CA 95035 (T) 1.800.POLYCOM (North America) +1.408.526.9000 (F) +1.408.526.9100
Polycom Network Systems, 9040 Roswell Road, Suite 450, Atlanta, GA 30350 (T) +1.770.641.4400 (F) +1.770.641.4499
Polycom EMEA, 270 Bath Road, Slough, Berkshire, England SL1 4DX (T) +44 (0)1753 723000 (F) +44 (0)1753 723010
www.polycom.com Polycom Hong Kong Ltd, Rm 1101 MassMutual Tower, 38 Gloucester Road,Wanchai, Hong Kong (T) +852-2861-3113 (F) +852-2866-8028
© 2002 Polycom,Inc. All rights reserved. Polycom and the Polycom logo are registered trademarks of Polycom,Inc. in the U.S.and various countries.
All other trademarks are the property of their respective owners. Specifications subject to change without notice.
Inventory Number/Date