H.323 Videoconferencing and Firewalls
MOREnet is receiving an increasing number of calls from members attempting to hold videoconferences using equipment located behind firewalls. The H.323 videoconferencing protocol requires a number of dynamic UDP and TCP ports to successfully complete a connection (see Note below). Due to this protocol requirement, creating a successful video connection from behind a firewall requires extensive configuration and testing time. In some cases, a video connection simply cannot be configured to work correctly from behind a firewall.

MOREnet believes that it is "safe" to place the video codec outside the firewall, provided the steps described in this document are taken. This document is meant as a simple guide to video codec security issues and the pros and cons of placing a codec outside the firewall.
Guidelines for securing a video codec outside of a firewall
- Password protect the unit.
- Turn off FTP, Telnet, Web and SNMP.
- Use only video software versions listed on the Supported Video Software Versions page.
As part of MOREnet's software evaluation process, MOREnet Security tests for potential problems.
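The guideline above says to turn off FTP, Telnet, Web and SNMP on a codec that sits outside the firewall. The following Python script is an added example, not code from MOREnet or Polycom, that lets an operator confirm from the network side that those services are in fact unreachable on their own unit. It assumes the codec answers at the host you pass in, that the services use their well-known ports (21, 23, 80 and 161), and that a plain TCP connection attempt is a sufficient "is it still listening?" check for FTP, Telnet and Web. SNMP runs over UDP, which a TCP connect cannot confirm, so it is reported as needing a manual check on the unit unless a caller supplies a probe that can answer for UDP.

```python
"""Audit a video codec for the management services the hardening guideline
says to disable. Added example; assumptions are noted in the comments."""
import socket
from typing import Callable, Dict, Optional

# Service -> (port, transport). Well-known ports are assumed; a unit that
# has been configured to listen elsewhere needs this table adjusted.
MANAGEMENT_SERVICES = {
    "FTP": (21, "tcp"),
    "Telnet": (23, "tcp"),
    "Web": (80, "tcp"),
    "SNMP": (161, "udp"),
}

# A probe answers True (listening), False (closed or unreachable) or
# None (cannot tell). It is injectable so the audit logic can be
# exercised offline without touching a real codec.
Probe = Callable[[str, int, str], Optional[bool]]


def tcp_connect_probe(host: str, port: int, transport: str,
                      timeout: float = 2.0) -> Optional[bool]:
    """Default probe: try a TCP connection. UDP (SNMP) is left undetermined."""
    if transport != "tcp":
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_codec(host: str, probe: Probe = tcp_connect_probe) -> Dict[str, str]:
    """Return one verdict per service in MANAGEMENT_SERVICES.

    Verdicts:
      "disabled"           - the probe could not connect
      "STILL ENABLED"      - the probe connected; the service must be turned off
      "verify on the unit" - the probe could not determine (e.g. SNMP over UDP)
    """
    results: Dict[str, str] = {}
    for name, (port, transport) in MANAGEMENT_SERVICES.items():
        listening = probe(host, port, transport)
        if listening is None:
            results[name] = "verify on the unit"
        elif listening:
            results[name] = "STILL ENABLED"
        else:
            results[name] = "disabled"
    return results


def guideline_met(results: Dict[str, str]) -> bool:
    """True only when no service was confirmed listening. Undetermined
    services do not fail the check but still need a look on the unit."""
    return not any(verdict == "STILL ENABLED" for verdict in results.values())


if __name__ == "__main__":
    import sys
    # Placeholder address from the TEST-NET-1 range; pass the real codec on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    report = audit_codec(target)
    for service, verdict in report.items():
        print(f"{service:7s} {verdict}")
    print("guideline met" if guideline_met(report) else "ACTION REQUIRED")
```

Run it against the codec's address after disabling the services on the unit; any line reading STILL ENABLED means the corresponding service is still accepting connections from the outside. Because SNMP is UDP, treat "verify on the unit" as a reminder to confirm the setting in the codec's own configuration rather than as a pass.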
What would happen if hackers broke into a video codec (Polycom)? What could they do?
- Access approximately eight megabytes (MB) of storage space
  - Used for storing MP3 files
  - Used for storing a rootkit
- Corrupt the operating system
- Change settings and screen images
- Interrupt a videoconference
Note: Only one H.323 security advisory has been posted by CERT:
CERT® Advisory CA-2004-01: Multiple H.323 Message Vulnerabilities
Original release date: January 13, 2004
Last revised: April 5, 2004
Source: CERT/CC, NISCC
http://www.cert.org/advisories/CA-2004-01.html
How would you correct any of these problems, if caused by a hacker?
- Power cycle the unit.
- Perform a reset of the affected unit. A reset will, in most cases, wipe out any changes to the unit, including any changes to the configuration. When the unit restarts, it will have returned to the same configuration it had when it was first taken out of the box.
- Reinstall the latest MOREnet-supported software version.
Pros and Cons
Video codec outside the firewall
Pros
- Less latency and better quality
- Minimal configuration complexities
- Fewer gatekeeper and/or MCU registration and connection issues
- Level 3 support
Cons
- Redundant wiring across campus
- Susceptible to attacks
Video codec inside the firewall with or without NAT
Pros
- The video codec is more secure from outside attacks.
Cons
- Audio, video and UDP streams not protected on the wire*
- Configuration complexities
- Irresolvable gatekeeper and/or MCU registration and connection issues
- Non-public IP addresses attempting to register
- Problems receiving video and/or audio streams
- Undue stress on the MOREnet gatekeeper, potentially crashing the system as a result of answering repeated registration requests from the same video codec every five to ten seconds.
- High latency and lower quality
- Time required for troubleshooting
- Level 2 support if firewall is H.323 compliant
- Level 1 support if firewall is non-H.323 compliant
* Audio, video and UDP streams are not protected at any time unless a site incorporates an IP encryption device.
Note: For more information about the UDP and TCP dynamic ports needed to successfully complete a video connection, consult the knowledge base on the Polycom website.