Best practices: prevent your videoconferencing deployment from being compromised.
With increasing use of video conferencing comes increased risk of systems coming under attack from outsiders. Companies risk industrial and corporate espionage and information theft. The focus of this white paper is to discuss best practices that can help secure your videoconferencing deployment, and how Cirrcom will fit in with your existing network security architecture and help address your security concerns.
UK Office:
CIRRCOM LIMITED
Venture House, Downshire Way, Arlington Square,
Bracknell, Berkshire, RG12 1WA
Registered number: 8813607
Sweden Office:
CIRRCOM SWEDEN
(Hosted Visual Collaboration Connect AB)
Vretenvägen 13, 175 06 Solna 171 54, Sweden
Registration Number: 556958-4302
Best practices: prevent your videoconferencing deployment from being compromised
Whitepaper
As videoconferencing and online collaboration have increased in use and popularity over the past few
decades, new technologies, reduced costs, and increased capabilities open up for many more to engage in
virtual meetings.
With increasing use comes increased risk of systems coming under attack from outsiders. Companies risk
industrial and corporate espionage and information theft. Several recent scandals expose that companies
and individuals are not always completely secure.
The technology used in Cirrcom’s visual collaboration solution addresses these security
challenges. Numerous security measures are in place to prevent unwanted audiences from listening in and
stealing communications. The platform has been designed to comply with the strictest US Federal
requirements and has the JITC Certification.
The focus of this white paper is to discuss best practices that can help secure your videoconferencing
deployment, and how Cirrcom will fit in with your existing network security architecture and help address
your security concerns.
Types of network-based attacks on video systems
There are many types of potential attacks on video systems, including:
1. attacks on the operating system of video systems
2. attacks on the management user interface or APIs of video servers
3. DOS/DDOS attacks on video servers
4. eavesdropping
5. network topology information leakage
6. rogue calls: signaling
7. rogue calls: media
Thankfully there are also a wide variety of security measures that are commonly used to repel and mitigate
the effects of such attacks. Some attacks and protective measures are discussed below.
1. Attacks on the Operating System of video systems
Virtually all video systems – including many popular video conferencing servers, dedicated
videoconferencing room systems and all desktop soft clients – run on some sort of general-purpose
operating system (OS) such as Windows, OS X or Linux, or on a mobile operating system such as iOS or
Android. Cirrcom is no exception.
Because of this, these video systems may be vulnerable to security issues arising from misconfiguration of
the OS or software vulnerabilities in the OS – just like any other comparable computer system.
Mitigation
• Ensure use of strong administrator credentials.
• Use a firewall to prevent unauthorized network traffic from reaching your devices.
• Use your firewall to block unauthorized access to services and network ports that are not required to
be exposed for video communications to work correctly. (For example, the management UI HTTPS,
SNMP and SSH services of your video systems do not usually need to be accessible to anyone other
than your network administrator.)
• Keep the operating system updated with the latest versions of all relevant service packs and security
updates.
• For software-based video solutions, always run the latest suitable release provided by your vendor.
• For embedded video solutions and mobile devices, keep the firmware updated to the latest revision.
• Disable unneeded operating system services where possible.
• For end-user systems, consider installing a personal firewall.
Cirrcom:
Cirrcom uses a customized, cut-down version of Linux which has been designed to avoid exposing
unnecessary network services and thus naturally limits the “attack surface” available to an attacker.
Cirrcom regularly releases new software versions which incorporate the very latest operating system
security patches.
2. Attacks on the management user interface or APIs of video systems
For ease of management, many video servers expose management and monitoring APIs and user
interfaces. These interfaces provide useful capabilities for managing your video deployment – but are also a
potential target for attackers to use when launching an attack.
Mitigation
• Keep video server applications updated with the latest version of any software.
• Disable unneeded services.
• Use a firewall to block unauthorized access to services and network ports that are not required to be
exposed for video communications – only your network administrator should have access to the
HTTP(S), SSH and SNMP services of your video systems.
• Ensure use of strong administrator credentials.
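The firewall advice in this section and under section 1 comes down to one rule: call signaling ports may be reachable from outside, management interfaces (HTTPS UI, SSH, SNMP) only from the administrator's network, and everything else from nowhere. The following added Python check, which is not part of the whitepaper or of any Cirrcom product, turns that rule into an audit. It takes a constructed inventory of listening sockets and a constructed perimeter allow-list and reports each violation. The service names, the 10.10.0.0/24 administrator subnet and the allow-list format are assumptions made for the example.

```python
import ipaddress

# Constructed inventory of listening sockets on a hypothetical video server
# (the kind of thing `ss -lntu` shows); not taken from any real deployment.
LISTENING = [
    {"bind": "0.0.0.0",   "port": 443,  "proto": "tcp", "svc": "management-https"},
    {"bind": "0.0.0.0",   "port": 22,   "proto": "tcp", "svc": "ssh"},
    {"bind": "0.0.0.0",   "port": 161,  "proto": "udp", "svc": "snmp"},
    {"bind": "0.0.0.0",   "port": 5061, "proto": "tcp", "svc": "sip-tls"},
    {"bind": "0.0.0.0",   "port": 5060, "proto": "udp", "svc": "sip-udp"},
    {"bind": "127.0.0.1", "port": 3306, "proto": "tcp", "svc": "database"},
]

# Constructed perimeter allow-list: (source network, protocol, port).
# Anything not listed is assumed to be dropped by the firewall.
ALLOW_RULES = [
    ("0.0.0.0/0",    "tcp", 5061),  # SIP over TLS from anywhere: needed for calls
    ("0.0.0.0/0",    "udp", 5060),  # SIP over UDP from anywhere: commonly targeted
    ("0.0.0.0/0",    "tcp", 443),   # management UI from anywhere: the mistake to catch
    ("10.10.0.0/24", "tcp", 22),    # SSH only from the admin subnet: as recommended
]

ADMIN_NET = ipaddress.ip_network("10.10.0.0/24")   # assumed administrator subnet
MANAGEMENT_SERVICES = {"management-https", "ssh", "snmp"}
CALL_SERVICES = {"sip-tls", "sip-udp"}


def exposure(listening, allow_rules):
    """Map each listening service to the source networks the firewall lets in.

    A socket bound to loopback is unreachable from the network regardless of
    firewall rules, so it maps to an empty list.
    """
    reachable = {}
    for sock in listening:
        if ipaddress.ip_address(sock["bind"]).is_loopback:
            reachable[sock["svc"]] = []
            continue
        reachable[sock["svc"]] = [
            ipaddress.ip_network(src)
            for src, proto, port in allow_rules
            if proto == sock["proto"] and port == sock["port"]
        ]
    return reachable


def audit(listening, allow_rules, admin_net=ADMIN_NET):
    """Return (service, finding) pairs for every violation of the guidance:
    management services reachable from outside the admin subnet, SIP/UDP
    exposed, or a service exposed that neither calls nor management need."""
    findings = []
    for svc, nets in exposure(listening, allow_rules).items():
        if not nets:
            continue   # nothing lets traffic in, or loopback-only
        if svc in MANAGEMENT_SERVICES:
            if any(not net.subnet_of(admin_net) for net in nets):
                findings.append((svc, "management service reachable from outside the admin subnet"))
        elif svc == "sip-udp":
            findings.append((svc, "SIP over UDP exposed; prefer SIP over TLS and restrict or disable UDP"))
        elif svc not in CALL_SERVICES:
            findings.append((svc, "service not required for calls or management is exposed"))
    return findings


if __name__ == "__main__":
    for svc, finding in audit(LISTENING, ALLOW_RULES):
        print(f"{svc}: {finding}")
```

Run against the constructed data the audit flags the management UI open to 0.0.0.0/0 and the exposed SIP/UDP listener; SNMP passes only because no rule admits it at all, which is the state the paper recommends for any service the administrator does not need from outside.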
Cirrcom:
Cirrcom APIs and management interfaces are password or PIN protected.
Cirrcom can benefit from standard firewall-based protection of services, just like any other enterprise
application.
3. DOS/DDOS Attacks on video servers
Many network services, including video-based services, can be vulnerable to a class of attack called a Denial
of Service (DOS) attack (or a Distributed Denial of Service (DDOS) attack, in which the DOS attack originates
from multiple locations). In these attacks, access to the service is disrupted by a malicious attacker sending
large volumes of unsolicited traffic to the server, causing CPU and/or network bandwidth to become
overloaded to the point where legitimate video calls can no longer be placed or maintained.
Mitigation
• Use a firewall to block unauthorized access to services and network ports that are not required to be
exposed for video communications.
• Disable unneeded services altogether.
• Use the features of your firewall, your firewall traversal solution and/or Session Border Controller
(SBC) and other call control systems to ensure only legitimate video calls are permitted to traverse
your firewall.
Cirrcom:
Cirrcom can be protected by your firewall just like all your other enterprise applications.
Cirrcom is fully compatible with popular firewall traversal solutions and SBCs – which can
themselves provide a further layer of protection.
4. Eavesdropping
Recent security scandals have revealed widespread spying on personal and corporate communications
which were previously thought to have been private.
Mitigation
• Always deploy a firewall and use this to protect all of your devices.
• In sensitive deployments, consider use of a multi-layered and potentially multi-vendor solution. In a
single vendor, single layer solution the same bugs and vulnerabilities may exist across multiple
components which share common code; a multi-layered multi-vendor approach makes it harder for
an attacker to penetrate the network.
• Disable auto-answer on all your room systems.
• Avoid using public services for sensitive video communications. Use your own trusted video servers
or trusted service providers.
• Follow industry-standard best practices when deploying your video services.
• Where possible, ensure that internal communication between clients in the same corporate network
stays within a trusted network (such as your corporate or a trusted service provider network).
• Enable the strongest level of authentication and encryption on all of your audio and video clients.
• Use proper (paid for) TLS/SSL certificates from a respectable source on all your video conferencing
servers.
• Ensure your call control systems are configured to reject unauthorized calls.
• Enable PIN protection on your Virtual Meeting Rooms – and use a long, unique, randomly-generated
PIN for each Virtual Meeting Room.
• Regularly change the PIN on each Virtual Meeting Room.
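The three PIN bullets above translate directly into code. As an added illustration that is not from the whitepaper or from Cirrcom, the following Python generates room PINs from the operating system's CSPRNG, rejects the patterns a guesser tries first, keeps PINs unique across rooms and regenerates any PIN that is missing, too short, duplicated or older than a rotation period. The 8-digit length, the 90-day interval and the room records are assumptions constructed for the example.

```python
import secrets
from datetime import date

PIN_LENGTH = 8        # assumed policy: the paper says "long" without fixing a number
ROTATION_DAYS = 90    # assumed interval for "regularly change the PIN"
DIGITS = "0123456789"
TODAY = date(2024, 2, 1)   # constructed reference date for the sample records


def is_weak(pin):
    """Reject the patterns a guesser tries first: a single repeated digit, or a
    straight ascending/descending run such as 12345678 or 98765432."""
    if len(set(pin)) == 1:
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def generate_pin(length=PIN_LENGTH, taken=frozenset()):
    """Return a fresh numeric PIN from the OS CSPRNG (never the `random`
    module) that is neither weak nor already used by another room."""
    while True:
        pin = "".join(secrets.choice(DIGITS) for _ in range(length))
        if pin not in taken and not is_weak(pin):
            return pin


def refresh_pins(rooms, today):
    """rooms: {room name: {"pin": str or None, "set_on": date or None}}.
    Returns a new mapping in which every room has a PIN of full length that is
    unique, not weak and no older than ROTATION_DAYS; acceptable PINs are kept."""
    refreshed = {}
    in_use = set()
    for name, rec in rooms.items():
        pin, set_on = rec.get("pin"), rec.get("set_on")
        stale = set_on is None or (today - set_on).days > ROTATION_DAYS
        if (pin is None or len(pin) < PIN_LENGTH or stale
                or is_weak(pin) or pin in in_use):
            pin, set_on = generate_pin(taken=in_use), today
        in_use.add(pin)
        refreshed[name] = {"pin": pin, "set_on": set_on}
    return refreshed


# Constructed room records, one per failure mode the policy must catch.
ROOMS = {
    "board-room": {"pin": "12345678", "set_on": date(2024, 1, 10)},  # sequential run
    "sales-vmr":  {"pin": "48213970", "set_on": date(2024, 1, 10)},  # fine, kept
    "hr-vmr":     {"pin": "48213970", "set_on": date(2024, 1, 12)},  # duplicate of sales
    "legal-vmr":  {"pin": "73019462", "set_on": date(2023, 9, 1)},   # older than 90 days
    "new-vmr":    {"pin": None,       "set_on": None},               # never set
}

if __name__ == "__main__":
    for name, rec in refresh_pins(ROOMS, TODAY).items():
        print(f"{name}: {rec['pin']} (set {rec['set_on']})")
```

The uniqueness check matters because a PIN shared between two rooms lets a participant who was invited to one quietly join the other; the rotation check is what makes "regularly change the PIN" enforceable rather than a reminder.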
Cirrcom:
Cirrcom supports the latest industry standards for encryption for communication with end-user
devices, ensuring that end-to-end security is as strong as possible.
The Cirrcom distributed solution employs IPsec security to provide strong protection of all inter-
cluster communications.
Cirrcom can connect legacy devices in the corporate network (which may not themselves support
encryption) and encrypt on behalf of those devices when connecting to external devices which do
support encryption.
Cirrcom works with all popular video call control systems in the market today.
Cirrcom supports TLS and supports installation of your own TLS certificates – so clients and other
servers can verify that they have genuinely connected to the correct Cirrcom server and not an
impostor (a “man-in-the-middle”).
Cirrcom conference features such as the on-screen Audio Avatar and +n indicator make it hard for
uninvited eavesdroppers to go undetected.
The Cirrcom applications for web, Android and iOS show a roster list of all meeting participants – also
making it harder for uninvited eavesdroppers to go undetected.
Cirrcom supports PIN protected Virtual Meeting Rooms for an additional layer of security.
5. Network Topology Information Leakage
Popular signaling protocols often embed the IP address of the end-user system in certain messages during
call establishment. This “leaks” information about the network topology - the IP addresses that the end-user
systems are using – which could then be of use in subsequent “blended” attacks during a concerted attack
against an organization.
Mitigation:
• Protect video systems by keeping them behind the corporate firewall wherever possible.
• Ensure calls pass through a topology-hiding server such as the Cirrcom Distributed Gateway (in
addition to using any such facilities provided by your existing firewall traversal solution or SBC).
Cirrcom:
A Cirrcom Distributed Gateway solution, unlike a basic SIP proxy or non-call routed gatekeeper, will
ensure that any call that reaches an external client has been generated entirely by Cirrcom itself (not
by the internal client placing the initial call). This means that the IP address of the internal client is
not leaked.
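An added example (not the whitepaper's or Cirrcom's code) of what this leakage looks like in a SIP message and what a call-routed gateway removes. It scans a constructed INVITE for RFC 1918 addresses in the Via, Contact and Call-ID headers and in the SDP o= and c= lines, then produces the message an external party would see once a gateway has substituted its own address and its own Call-ID. The INVITE, the internal client address 10.1.2.3 and the gateway address 203.0.113.10 are constructed, and the rewrite is a simplified model of topology hiding, not a description of how the Cirrcom Distributed Gateway is implemented.

```python
import ipaddress
import re
import secrets

# RFC 1918 ranges: addresses that reveal internal topology if they leave the
# organization inside a signaling message.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed INVITE from a client at 10.1.2.3; every field that normally
# carries the caller's address is present.
INVITE = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.test>;tag=1928301774\r\n"
    "To: <sip:bob@example.test>\r\n"
    "Contact: <sip:alice@10.1.2.3:5060>\r\n"
    "Call-ID: a84b4c76e66710@10.1.2.3\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.2.3\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
GATEWAY_IP = "203.0.113.10"   # constructed public address of the topology-hiding gateway


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def leaked_addresses(message):
    """Return (field, address) for every internal address visible in the SIP
    headers or in the SDP origin/connection lines of `message`."""
    head, _, body = message.partition("\r\n\r\n")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        found += [(name.strip(), ip) for ip in IPV4.findall(value) if is_internal(ip)]
    for line in body.split("\r\n"):
        if line[:2] in ("o=", "c="):
            found += [(line[:2], ip) for ip in IPV4.findall(line) if is_internal(ip)]
    return found


def hide_topology(message, gateway_ip=GATEWAY_IP):
    """Simplified model of a call-routed gateway: the copy that leaves the
    network carries only the gateway's address, and a Call-ID generated by the
    gateway rather than the internal client's."""
    def swap(match):
        return gateway_ip if is_internal(match.group()) else match.group()

    head, sep, body = message.partition("\r\n\r\n")
    lines = []
    for line in head.split("\r\n"):
        if line.lower().startswith("call-id:"):
            line = f"Call-ID: {secrets.token_hex(16)}@{gateway_ip}"
        else:
            line = IPV4.sub(swap, line)
        lines.append(line)
    return "\r\n".join(lines) + sep + IPV4.sub(swap, body)


if __name__ == "__main__":
    for field, ip in leaked_addresses(INVITE):
        print(f"{field:<8} leaks {ip}")
    print(hide_topology(INVITE))
```

Running `leaked_addresses` on your own outbound signaling (a packet capture at the perimeter is enough) is a quick way to confirm whether the SBC or gateway in front of your clients is actually hiding them; a single internal address in any of these five fields means it is not.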
6. Rogue calls: signaling
Popular voice and video clients use protocols such as SIP, H.323 and MS-SIP or proprietary protocols to
initiate and receive video calls.
A common attack encountered is when rogue calls - such as Spam Over Internet Telephony (SPIT) or toll
fraud call attempts – are targeted at an organization’s SIP (or, more rarely, H.323) infrastructure. In one
common attack, the attacker will place a large volume of calls to numeric aliases (usually using SIP UDP) to
try and gain access to a VoIP to PSTN gateway – and, if successful, use the gateway to commit toll fraud,
running up a large phone bill for the victim.
Additionally, specially crafted attacks involving deliberately malformed packets can be used to exploit bugs
in video clients and allow an attacker to cause a video call to disconnect, crash, or even to execute
unauthorized code (a so-called “remote code execution vulnerability”) - often with the same user account
privileges as the device's user.
Mitigation:
• Protect against toll fraud by ensuring that access to your VoIP gateway or your VoIP provider's SIP
trunk and other important resources is carefully restricted – especially for unauthenticated external
SIP/H.323 callers.
• Ensure your WebRTC solution is configured securely – and that this also does not permit
unrestricted/unauthorized access to valuable resources such as your PSTN gateway or your VoIP
provider's SIP trunk.
• Lock down call routing to ensure that calls to invalid aliases are rejected at the earliest opportunity,
ideally at the perimeter of your network.
• Use all the relevant features available in your call control and SBC.
• Monitor the logs of your systems and use features of your firewall to block offenders.
• Consider disabling SIP UDP traffic support altogether in your solution as this is the most commonly
targeted signaling service. SIP TLS is a much better solution and, at the time of writing, is less
commonly the target of concerted attacks.
• Protect voice and video systems by keeping them behind the corporate firewall wherever possible.
• Keep your voice and video clients and servers updated with the latest version of any software
(including all the newest security patches for both relevant applications and the host operating
system).
• Enable authentication and call admission control features in your call control solution.
• Use a firewall traversal solution, SBC, and/or Edge Server in conjunction with a signaling gateway
solution such as a Cirrcom Virtual Meeting Room (for multi-party calls) or a Cirrcom Distributed
Gateway (for point to point calls) to allow mediated communication between internal and external
video clients and to ensure that any signaling that reaches the client has passed through and been
checked and re-encoded by one or more trusted servers.
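Two of the bullets above, rejecting calls to invalid aliases as early as possible and monitoring logs to identify offenders for the firewall, are the ones most deployments can script. The following added Python example (not from the whitepaper or from any Cirrcom component) applies a small admission policy to a constructed call-server log, rejecting unknown aliases and unauthenticated calls into the PSTN route, and then flags any source whose rejected INVITEs cluster in a short window, which is the numeric-alias scanning pattern described in this section. The log format, the alias directory, the "9" PSTN dial prefix, the window and the threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of a hypothetical call server's signaling log, one line per
# INVITE. This is not the format of any real Cirrcom log.
LOG = """\
2024-03-01T10:00:01Z INVITE src=198.51.100.7 transport=udp to=sip:1001@vc.example.test auth=no
2024-03-01T10:00:02Z INVITE src=198.51.100.7 transport=udp to=sip:1002@vc.example.test auth=no
2024-03-01T10:00:02Z INVITE src=198.51.100.7 transport=udp to=sip:1003@vc.example.test auth=no
2024-03-01T10:00:03Z INVITE src=198.51.100.7 transport=udp to=sip:900442079460000@vc.example.test auth=no
2024-03-01T10:00:04Z INVITE src=198.51.100.7 transport=udp to=sip:900442079460001@vc.example.test auth=no
2024-03-01T10:00:10Z INVITE src=192.168.5.20 transport=tls to=sip:boardroom@vc.example.test auth=yes
2024-03-01T10:05:00Z INVITE src=203.0.113.9 transport=tls to=sip:2001@vc.example.test auth=no
2024-03-01T10:07:30Z INVITE src=203.0.113.9 transport=tls to=sip:sales@vc.example.test auth=no
"""

LINE = re.compile(
    r"^(?P<ts>\S+) INVITE src=(?P<src>\S+) transport=(?P<transport>\S+) "
    r"to=sip:(?P<alias>[^@\s]+)@\S+ auth=(?P<auth>yes|no)$"
)

KNOWN_ALIASES = {"boardroom", "sales", "2001"}   # constructed directory of rooms/endpoints
PSTN_PREFIX = "9"                                # assumed dial-plan prefix for the PSTN gateway


def parse(log):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "src": m["src"],
                "transport": m["transport"],
                "alias": m["alias"],
                "auth": m["auth"] == "yes",
            })
    return events


def admit(event):
    """Call admission in the spirit of the bullets above: the PSTN route needs an
    authenticated caller, and an alias nobody owns is rejected at once."""
    alias = event["alias"]
    if alias.startswith(PSTN_PREFIX):
        if not event["auth"]:
            return (False, "unauthenticated call to PSTN route")
        return (True, "authenticated PSTN call")
    if alias not in KNOWN_ALIASES:
        return (False, "unknown alias")
    return (True, "ok")


def offenders(events, window=timedelta(seconds=60), threshold=3):
    """Sources with at least `threshold` rejected INVITEs inside any `window`,
    mapped to their total rejection count; these are the candidates for a
    firewall block. A couple of isolated misdials from one source do not qualify."""
    rejected = {}
    for ev in events:
        if not admit(ev)[0]:
            rejected.setdefault(ev["src"], []).append(ev["ts"])
    flagged = {}
    for src, times in rejected.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[src] = len(times)
                break
    return flagged


def udp_sources(events):
    """Sources still signaling over SIP/UDP, the transport the paper suggests disabling."""
    return sorted({ev["src"] for ev in events if ev["transport"] == "udp"})


if __name__ == "__main__":
    evs = parse(LOG)
    print("block candidates:", offenders(evs))
    print("still on SIP/UDP:", udp_sources(evs))
```

The result of `offenders` is what you hand to the firewall or SBC block list; `udp_sources` tells you who would be affected before you act on the later bullet about disabling SIP/UDP.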
Cirrcom:
Cirrcom services (Cirrus-Connects Virtual Meeting Rooms for multi-party calls, or Cirrcom Distributed
Gateway for point to point calls) can be used to mediate communications between internal and
external video clients.
With an appropriately deployed Cirrcom solution, any signaling that reaches internal clients will
have been generated by Cirrcom itself (not the external client) – thus internal clients will be isolated
safely from signaling based attacks originating from outside the network.
7. Rogue calls: media
Popular voice and video clients use audio and video codecs to encode the audio and video streams in video
calls. Specially crafted attacks involving deliberately malformed packets can sometimes exploit bugs in
video client software and allow an attacker to cause a call to disconnect, a client to crash or, in extreme cases,
even to cause the client to run unauthorized code on the endpoint device - a so-called “remote code
execution vulnerability”. The end-user device is often a standard laptop, tablet or desktop machine running
the video client – thus the potential information leakage in such situations is of considerable concern.
Mitigation
• Protect video clients by keeping them behind the corporate firewall where possible.
• Keep your video clients updated with the latest version of any software (including all the newest
security patches).
• Enable authentication, certificate verification and call admission control features on your call control
solution as appropriate to your needs.
• Use a media handling solution such as a Cirrcom Virtual Meeting Room (for multi-party calls) or a
Cirrcom Distributed Gateway (for point to point calls) to allow only mediated communication
between internal and untrusted external video clients and to ensure that any media that reaches the
internal video clients has passed through, and been decoded and checked by, one or more trusted
servers (such as a Cirrcom server).
• In sensitive deployments consider use of a multi-layered, multi-vendor solution. In a single vendor
solution the same bugs and vulnerabilities may exist across multiple components which share
common code; a multi-layered multi-vendor approach makes it harder for an attacker to penetrate
the network.
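As an added example (not from the whitepaper or from Cirrcom) of what "decoded and checked by a trusted server" means at the packet level, the following Python validates the RTP header of each media packet before anything is passed to a codec: the version, the negotiated payload type, the CSRC count, the extension length and the padding are all checked against the number of bytes actually received, and packets whose header claims do not fit are dropped instead of forwarded. The negotiated payload types and the sample packets are constructed for the example.

```python
import struct

RTP_VERSION = 2
NEGOTIATED_PAYLOAD_TYPES = {0, 8, 96}   # assumed outcome of the SDP offer/answer


def validate_rtp(packet, allowed=NEGOTIATED_PAYLOAD_TYPES):
    """Return (ok, reason) for one RTP packet. Everything the header claims is
    checked against the bytes actually received before any codec sees it."""
    if len(packet) < 12:
        return (False, "shorter than the fixed RTP header")
    b0, b1, _seq, _ts, _ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    payload_type = b1 & 0x7F
    if version != RTP_VERSION:
        return (False, f"unsupported RTP version {version}")
    if payload_type not in allowed:
        return (False, f"payload type {payload_type} was not negotiated")
    offset = 12 + 4 * csrc_count
    if len(packet) < offset:
        return (False, "CSRC count exceeds packet length")
    if extension:
        if len(packet) < offset + 4:
            return (False, "truncated extension header")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
        if len(packet) < offset:
            return (False, "extension length exceeds packet length")
    if padding:
        pad = packet[-1]
        if pad == 0 or offset + pad > len(packet):
            return (False, "invalid padding length")
    return (True, "ok")


def filter_media(packets, allowed=NEGOTIATED_PAYLOAD_TYPES):
    """Return only the packets a mediating server would forward to the internal client."""
    return [p for p in packets if validate_rtp(p, allowed)[0]]


def build_rtp(payload_type, seq, timestamp, ssrc, payload, csrcs=(), padding=0,
              version=RTP_VERSION, csrc_count=None):
    """Assemble a packet for the samples; csrc_count may be overridden to
    construct a header whose claims do not match its body."""
    if csrc_count is None:
        csrc_count = len(csrcs)
    b0 = (version << 6) | (0x20 if padding else 0) | (csrc_count & 0x0F)
    header = struct.pack("!BBHII", b0, payload_type & 0x7F, seq, timestamp, ssrc)
    header += b"".join(struct.pack("!I", c) for c in csrcs)
    packet = header + payload
    if padding:
        packet += bytes(padding - 1) + bytes([padding])
    return packet


# Constructed sample packets: two well-formed, the rest malformed in one way each.
GOOD = build_rtp(0, 1, 160, 0x1234, bytes(160))
PADDED = build_rtp(0, 2, 320, 0x1234, bytes(20), padding=4)
BAD_VERSION = build_rtp(0, 3, 480, 0x1234, bytes(160), version=1)
UNNEGOTIATED = build_rtp(97, 4, 640, 0x1234, bytes(160))
BAD_CSRC = build_rtp(0, 5, 800, 0x1234, bytes(20), csrc_count=15)
BAD_PADDING = bytearray(build_rtp(0, 6, 960, 0x1234, bytes(20)))
BAD_PADDING[0] |= 0x20      # set the padding flag ...
BAD_PADDING[-1] = 200       # ... but claim more padding than the packet holds
BAD_PADDING = bytes(BAD_PADDING)

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("padded", PADDED), ("bad version", BAD_VERSION),
                      ("unnegotiated", UNNEGOTIATED), ("bad csrc", BAD_CSRC),
                      ("bad padding", BAD_PADDING)]:
        print(f"{name:<13} {validate_rtp(pkt)}")
```

A switching MCU that forwards packets untouched passes all six of these samples to the endpoint; a server that decodes the stream has to get past this header check first, and the ones that fail here never reach the client's codec.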
Cirrcom:
Cirrcom decodes and validates the media in audio and video calls and therefore can provide some
protection against media-based attacks (unlike some switching MCUs and firewall traversal
solutions which blindly forward them unaltered, or only perform a shallow inspection of media
packets).
Because Cirrcom handles all media streams it can therefore be used to ensure only server-mediated
communication occurs between trusted internal and untrusted external audio and video clients. Any
media that reaches the internal audio and video clients through Cirrcom Gateway will have passed
through, been decoded and checked by the Cirrcom server – rendering many media based attacks
harmless.
The Cirrcom Platform
Cirrcom uses a customized, hardened Linux distribution with both best-of-breed open source and
proprietary components.
Cirrcom includes a cryptographic module that has been independently certified to comply with the
FIPS (Federal Information Processing Standard) 140-2 standard.
Cirrcom is JITC (Joint Interoperability Test Command) Certified verifying compliance with the
relevant standards for interoperability and information assurance/security established by the US
Department of Defense.
Cirrcom management services are exposed only over HTTPS (with redirect from HTTP) and SSH –
both secure, encrypted management protocols.
To ensure security, Cirrcom password-protected management APIs are exposed over TLS only.
Cirrcom supports certificate verification, including, optionally, the use of Online Certificate Status
Protocol (OCSP) for certificate validity verification.
Cirrcom uses IPsec to ensure the privacy and authenticity of all inter-cluster traffic.
In addition to storing logs internally, the Cirrcom solution supports remote logging via the industry-
standard syslog protocol to ensure that the audit trail can be stored externally.
We release new software frequently, incorporating the latest bug-fixes and security enhancements
into our Operating System and application software.
We follow industry best practices and ensure that we limit our attack surface as far as possible, to
ensure defense in depth.
Cirrcom’s technology partners ensure the application software runs as a low-privileged operating
system user to ensure that, should the unthinkable happen and an attacker “break in”, damage is
limited and compartmentalized as far as possible.
Cirrcom’s technology partners regularly run industry-standard protocol attack suites against the
software as it’s developed – to ensure that no vulnerabilities are inadvertently introduced.
The Incident Reporting mechanism allows customers to automatically report issues affecting the
correct operation of Cirrcom software – allowing the developers to pro-actively and promptly
identify and fix any such issues.
In addition to careful manual testing, Cirrcom’s technology partners regularly run large suites of
automated tests and automated code quality checkers to try to identify potential issues before
they are ever released.
If and when bugs (including security issues) are discovered, our technology partners write
automated tests to verify that the fix for the issue works as intended. They run all such tests against
every subsequent build of the software to ensure that when we fix a bug it remains fixed in all future
versions - and protect against regressions.
Conclusions
• Video clients and video servers represent an important resource in your network – and a potential
target for external attackers.
• We have seen that there are a wide variety of different types of attacks possible on audio and video
communication systems.
• We have also seen how a multi-layered, multifaceted approach to security is required to provide the
best protection for your network.
• Carefully following industry-standard best practices in the use of credentials, encryption,
authentication, certificates, firewalls, SBCs and firewall traversal can all play a part in maintaining
security in your voice and video network.
• Cirrus-Connects Virtual Meeting Rooms (for multi-point calls) and Cirrcom Gateway (for point to
point calls) can provide an additional layer of isolation in your video solution – and enhance network
security overall by providing protection against certain classes of attack.