H.323 Videoconferencing and Firewalls

MOREnet is receiving an increasing number of calls from members attempting to hold videoconferences using equipment located behind firewalls. The H.323 videoconferencing protocol requires a number of UDP and TCP dynamic ports to successfully complete a connection. (See Note.) Due to this protocol requirement, creating a successful video connection from behind a firewall requires extensive configuration and testing time. In some cases, a video connection simply cannot be configured to work correctly from behind a firewall.

MOREnet believes that it is "safe" to place the video codec outside the firewall, provided the steps described in this document are taken. This document is meant as a simple guide to video codec security issues and the pros and cons of placing a codec outside the firewall.

Guidelines for securing a video codec outside of a firewall

  1. Password protect the unit.
  2. Turn off FTP, Telnet, Web and SNMP.
  3. Use only video software versions listed on the Supported Video Software Versions page.

As part of MOREnet's software evaluation process, MOREnet Security tests for potential problems.
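One way to verify guideline 2 from the outside is to probe the codec's address for the four management services and report any that still answer. The script below is an added example, not MOREnet's or Polycom's code; it assumes the standard ports for those services (FTP 21, Telnet 23, HTTP 80, SNMP 161), that the unit's SNMP community is the usual factory default "public", and that the address given on the command line is your own unit.

```python
"""Check whether a video codec placed outside the firewall still exposes the
management services the guidelines say to turn off (FTP, Telnet, Web, SNMP).
Added example; not MOREnet's or Polycom's code."""
import socket
import sys
from dataclasses import dataclass

# Standard ports for the services named in the guidelines (assumption: the unit uses the defaults).
TCP_SERVICES = {"FTP": 21, "Telnet": 23, "Web": 80}
SNMP_PORT = 161
SYS_DESCR_OID = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0: harmless read-only object


def _tlv(tag: int, payload: bytes) -> bytes:
    """BER type-length-value with a short-form length (all payloads here are < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("payload too long for short-form length")
    return bytes([tag, len(payload)]) + payload


def _int(n: int) -> bytes:
    """BER INTEGER in minimal two's-complement form (n >= 0)."""
    length = max(1, (n.bit_length() + 8) // 8)
    return _tlv(0x02, n.to_bytes(length, "big", signed=True))


def _oid(arcs) -> bytes:
    """BER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = []
        while True:
            chunks.append(arc & 0x7F)
            arc >>= 7
            if not arc:
                break
        # high-order groups first, continuation bit set on all but the last group
        body += bytes(c | 0x80 for c in reversed(chunks[1:])) + bytes([chunks[0]])
    return _tlv(0x06, body)


def build_snmp_get(community: bytes, request_id: int, oid=SYS_DESCR_OID) -> bytes:
    """SNMPv1 GetRequest for a single OID (RFC 1157 message layout)."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))            # (oid, NULL)
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0)         # GetRequest-PDU
               + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community) + pdu)     # version 0 = SNMPv1


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:                        # long form: 0x8n followed by n length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    if start + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[start:start + length], start + length


def is_snmp_response(data: bytes) -> bool:
    """True if data parses as an SNMPv1 message carrying a GetResponse PDU (tag 0xA2)."""
    try:
        tag, msg, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return False
        _, _, pos = _read_tlv(msg, 0)        # version
        _, _, pos = _read_tlv(msg, pos)      # community
        pdu_tag, _, _ = _read_tlv(msg, pos)
        return pdu_tag == 0xA2
    except (IndexError, ValueError):
        return False


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if something accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_snmp(host: str, community: bytes = b"public", timeout: float = 2.0) -> bool:
    """True if the unit answers an SNMPv1 GET; 'public' is the usual factory default."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_snmp_get(community, 1), (host, SNMP_PORT))
        try:
            data, _ = sock.recvfrom(1500)
        except socket.timeout:
            return False
    return is_snmp_response(data)


@dataclass
class Finding:
    service: str
    port: int
    reachable: bool


def audit_codec(host: str, tcp_probe=probe_tcp, snmp_probe=probe_snmp):
    """Probe each service the guideline says to disable; probes are injectable for offline testing."""
    findings = [Finding(name, port, tcp_probe(host, port)) for name, port in TCP_SERVICES.items()]
    findings.append(Finding("SNMP", SNMP_PORT, snmp_probe(host)))
    return findings


def exposed_services(findings) -> list:
    """Names of services that answered and therefore still need to be turned off."""
    return [f.service for f in findings if f.reachable]


if __name__ == "__main__":
    # Usage: python codec_audit.py <codec-ip>   (run against your own unit from outside the firewall)
    for f in audit_codec(sys.argv[1]):
        print(f"{f.service:<7} {f.port:>4}  {'OPEN - disable' if f.reachable else 'closed'}")
```

Run it from a host on the far side of the firewall so the result reflects what the Internet sees, and repeat it after every software upgrade, since a reset or reinstall returns the unit to its factory configuration with these services enabled again.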

What would happen if hackers broke into a video codec (Polycom)?

What could they do?

  • Access approximately eight megabytes (MB) of storage space
    • Used for storing MP3 files
    • Used for storing a root kit
  • Corrupt the operating system
  • Change settings and screen images
  • Interrupt a videoconference

Note: Only one H.323 security advisory has been posted by CERT:

Original release date: January 13, 2004
Last revised: April 5, 2004
Source: CERT/CC, NISCC
CERT ® Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
http://www.cert.org/advisories/CA-2004-01.html

How would you correct any of these problems, if caused by a hacker?

  • Power cycle the unit.
  • Perform a reset of the affected unit.
    A reset will, in most cases, wipe out any changes to the unit, including configuration changes. When the unit restarts, it returns to the configuration it had when it was first taken out of the box.
  • Reinstall the latest MOREnet-supported software version.

Pros and Cons

Video codec outside the firewall

Pros
  • Less latency and better quality
  • Minimal configuration complexities
  • Fewer gatekeeper and/or MCU registration and connection issues
  • Level 3 support
Cons
  • Redundant wiring across campus
  • Susceptible to attacks

Video codec inside the firewall with or without NAT

Pros
  • The video codec is more secure from outside attacks.

Cons
  • Audio, video and UDP streams not protected on the wire*
  • Configuration complexities
  • Irresolvable gatekeeper and/or MCU registration and connection issues
    • Non-public IP addresses attempting to register
    • Problems receiving video and/or audio streams
    • Undue stress on the MOREnet gatekeeper, which can crash as a result of answering repeated registration requests from the same video codec every five to ten seconds.
  • High latency and lower quality
  • Time required for troubleshooting
  • Level 2 support if firewall is H.323 compliant
  • Level 1 support if firewall is non-H.323 compliant

* Audio, video and UDP streams are not protected at any time unless a site incorporates an IP encryption device.
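The two gatekeeper problems listed above (a NATed codec registering a non-public address, and a codec retrying registration every five to ten seconds) show up in the gatekeeper's RAS log before anyone reports a failed call. The script below is an added example, not MOREnet's or any gatekeeper's code; the log line format and the sample lines are constructed for the example, and the RFC 1918 ranges are used as the definition of "non-public" address.

```python
"""Spot the two failure modes from the cons list in a gatekeeper's RAS
registration log: codecs registering with a non-public address, and codecs
re-sending registration requests every few seconds. Added example; the log
format is constructed and is not any real gatekeeper's output."""
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges: a codec behind NAT registers one of these, and the gatekeeper
# and far end cannot reach it there for media.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: "<epoch seconds> RRQ from <ip>:<port> alias=<endpoint name>"
SAMPLE_LOG = """\
1700000000 RRQ from 192.0.2.25:1719 alias=library-cart
1700000006 RRQ from 10.1.4.20:1719 alias=room-204
1700000013 RRQ from 10.1.4.20:1719 alias=room-204
1700000021 RRQ from 10.1.4.20:1719 alias=room-204
1700000030 RRQ from 10.1.4.20:1719 alias=room-204
1700000600 RRQ from 192.0.2.25:1719 alias=library-cart
garbage line that the parser should skip
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) RRQ from (?P<ip>[\d.]+):\d+ alias=(?P<alias>\S+)$")


def parse_rrq_log(text: str):
    """Return (timestamp, ip, alias) tuples for each well-formed RRQ line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["ip"], m["alias"]))
    return events


def is_private(ip: str) -> bool:
    """True if ip falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def find_private_registrations(events):
    """Endpoints whose registered address is non-public: media to them will fail."""
    return sorted({(ip, alias) for _, ip, alias in events if is_private(ip)})


def find_registration_storms(events, min_repeats: int = 3, max_gap: int = 10):
    """Endpoints that re-sent RRQ at least min_repeats times in a row, at most
    max_gap seconds apart (the five-to-ten-second loop described on the page).
    Returns the longest such run per endpoint."""
    stamps_by_ep = defaultdict(list)
    for ts, ip, alias in events:
        stamps_by_ep[(ip, alias)].append(ts)
    storms = {}
    for ep, stamps in stamps_by_ep.items():
        stamps.sort()
        run = best = 1
        for earlier, later in zip(stamps, stamps[1:]):
            run = run + 1 if later - earlier <= max_gap else 1
            best = max(best, run)
        if best >= min_repeats:
            storms[ep] = best
    return storms


def analyze(text: str):
    """Both checks over one log: which endpoints to contact about NAT, and which to stop re-registering."""
    events = parse_rrq_log(text)
    return {"private": find_private_registrations(events),
            "storms": find_registration_storms(events)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, room-204 is flagged by both checks: it registers a 10.x address and retries every six to nine seconds, which is the pattern that loads the gatekeeper. Adapt LINE_RE to your gatekeeper's actual log line before using it on real data.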

Note: For more information about the UDP and TCP dynamic ports needed to successfully complete a video connection, consult the knowledge base on the Polycom website.