Library items tagged:

[CONVERY] Hacking Layer 2: Fun with Ethernet Switches, S. Convery, 2002, http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switche...
[DPA98] The Data Protection Act 1998, ISBN 0 10 542998 8, http://www.hmso.gov.uk/acts/acts1998/19980029.htm
[ECSFW] The Use of Firewalls in an Academic Environment (under revision),
This document has presented a discussion of the security issues involved with deploying a site H.323 videoconferencing service. While many sites may see their H.323 videoconferencing facilities function perfectly well without giving much, if any, consideration to security, security is invariably only as good as the weakest link. Thus it is important that any site involved in a videoconferencing session applies best security practice, as described by the JANET CERT team [JCERT], just as it would do for all other IP-connected devices.
In this section we list security-related issues to consider when deploying an H.323 service, in particular when joining the JANET H.323 service, using a studio system on the local campus.
Using the JVCS-IP
In the context of the JVCS-IP, that service will be responsible for:
It has become increasingly popular over the last few years for Janet sites to deploy firewalls; many sites have realised that their users do not require full, open access to all workstations and servers on a campus. By controlling access, staff time can be saved in chasing up ‘hacking’ incidents, and the types of service used can be kept under control. Bandwidth usage is also rising dramatically, so firewalls now have to be able to operate at gigabit speeds.
H.320 (ISDN) videoconferencing users have been accustomed to assuming that videoconference sessions are private, thanks to the point-to-point circuit-switched nature of their ISDN calls. The ISDN network is not so readily accessible to the public, and thus not as liable to be snooped.
It is theoretically possible that in an H.323 conference an ‘outsider’ could snoop the session, recording or relaying an apparently private conference (by inspecting data in transit), or that a snooper could silently join a conference (by connecting to an MCU). For an attacker, gathering data ‘on the wire’ is safer, as it reduces the chance of being detected and later traced.
The security of H.323 devices falls into four broad categories:
The acquisition, set up and deployment of an H.323 videoconferencing studio is outside of the scope of this guide; such information is available from the VTAS web site. However, there are security considerations to be made in the deployment. In the simplest case, the site will be deploying a single, fixed-location studio-based H.323 system, to be used by university or college members who wish to participate in videoconferences with people at other Janet connected sites.
Topology considerations
The main site considerations include:
There are many aspects to the security of H.323 videoconferencing systems. Some of these are shared with H.320 ISDN-based systems, e.g. the physical security of the equipment itself. The greater focus with IP-based systems lies in the ability for attackers to ‘snoop’ the conferencing data in transit, or to attack the H.323 components themselves over the Internet, leading to a loss of service or other undesirable consequences.
As services begin to converge to use the Internet, and its associated IP, there will be an increasing need for awareness by sites of security issues for IP-based voice, video and data exchanges.