As services begin to converge to use the Internet, and its associated IP, there will be an increasing need for awareness by sites of security issues for IP-based voice, video and data exchanges.

In an IP world, the point-to-point security and relative privacy of an H.320 ISDN videoconferencing system is no longer present. Where ISDN video and audio calls would be circuit switched across a private provider network, IP-based H.323 calls transit an open network – the Internet – and the devices used for the conferencing, i.e. the end systems and H.323 components such as gatekeepers or MCUs, may all be reachable from the public Internet. If they are present on the Internet, there are associated risks.

In the context of IP-based communications within JANET, communications would flow only over the regional MANs and the JANET backbone, which to an outsider is in effect a ‘private’ network. Thus H.323 sessions where only JANET sites participate would generally be seen as relatively private. The introduction of a non-JANET site to a multi-party conference would raise the question as to which networks the traffic transits, but such concerns would be equally applicable to e-mail as they are to H.323.

This guide is not directly applicable to ISDN conferencing users, but such users should bear in mind that if they join a conference that has a gateway to one or more H.323 conference participants, while their point-to-point dial-in connection to the gateway device is relatively private, data relayed into the H.323 domain may not be as secure.

In the context of high-quality videoconferencing deployments, the end systems are studiobased ones. Until recently most desktop systems were not capable of delivering the quality of videoconferencing experience that (more expensive) studio systems can deliver. However, the quality of desktop systems is improving rapidly. The notes in this guide are largely aimed at assisting the deployment of dedicated studio-based systems, but desktop H.323 users should also be aware of the security issues.

While the security principles apply to all H.323 systems, references to considerations for studio-based systems are made throughout the document.

The H.323 standards support both voice and videoconferencing. In this document we refer to videoconferencing.