
Summary of site setup recommendations


In this section we list security-related issues to consider when deploying an H.323 service, in particular when joining the JANET H.323 service, using a studio system on the local campus.

Using the JVCS-IP

In the context of the JVCS-IP, that service will be responsible for:

  • MCU set-up at the JANET C-PoPs;
  • gatekeeper set-up at the JANET C-PoPs;
  • monitoring and security checks of the publicly accessible C-PoP H.323 devices;
  • informing booking system users of the importance of keeping private any booking information they see once logged in;
  • resilience to DoS attacks on the C-PoP-hosted H.323 components.

Responsibilities for sites connecting to the service include:

  • set-up, configuration and security checks of any site gatekeeper used;
  • set-up, configuration and security checks of any site proxy and/or firewall;
  • security of the site H.323 videoconferencing studio;
  • deployment of switched Ethernet paths to the studio and for network management;
  • physical security of the H.323 terminal;
  • lockdown of configuration options for the H.323 terminal;
  • ensuring any site gatekeeper is manually configured, not using multicast discovery;
  • liaising with the Regional Networks for QoS provision where required.

Further site-specific issues are described in Appendix A.

The JANET Videoconferencing Management Centre is responsible for performing site (studio) tests for quality assurance [JVCS-IP].

Risk assessment

The following table shows some recommendations and suggested risk assessment considerations. This is not an exhaustive list; sites should perform their own assessment exercises.

Figure 7: H.323 risk assessment threats
| Threat | Likelihood | Impact | Countermeasures |
|---|---|---|---|
| Theft of system | Low | High | Physical security, alarms, CCTV. |
| Unauthorised monitoring of an H.323 session | Low | Variable, depending on nature of conference | Use of encryption methods: e.g. H.235, VPNs, IPsec. Use of switched Ethernet. Do not publish future sessions. |
| Unauthorised joining in an H.323 session | Low | Variable, depending on nature of conference | Controls at the gatekeeper / MCU. Do not publish future sessions. |
| Network adaptor / cable problems causing poor performance | High | High | Test physical cabling. Check duplex / speed settings. |
| Gatekeeper ceases to function through hardware or failure | Low | High | Offer redundant gatekeeper devices to avoid single point of failure. |
| User at client terminal is an imposter | Very low | Variable | Unlikely to be required as the person should be recognisable visually, so the threat is very low. |