SlideShare a Scribd company logo

Video Conferencing and Security

V
Videoguy
1 of 9
Download to read offline
Video Conferencing and Security Using the Open Internet and Encryption for Secure Video Communications & Guidelines for Selecting the Right Level of Security for Your Organization 1
Table of Contents 1. OVERVIEW 2. WHO SHOULD READ THIS DOCUMENT 3. VIDEO CONFERENCING & THE OPEN INTERNET 4. VIDEO CONFERENCING SECURITY TIERS a. Mainstream applications b. Dedicated networks c. Government level, classified security 5. ENCRYPTION a. ENCRYPTION WITHOUT SACRIFICING PERFORMANCE & QUALITY b. ENCRYPTION BACKGROUND c. METHODS CURRENTLY USED IN VIDEO CONFERENCING i. AES ii. DES iii. Triple-DES (DES3) iv. Government & Military Classified– Non-commercial 6. FIREWALLS AND NAT TRAVERSAL a. FIREWALL AND NAT TRAVERSAL BACKGROUND i. Packet Filtering ii. Application Gateway iii. Circuit Level Gateway iv. Proxy Servers v. NAT vi. DMZ b. OPTIONS FOR FIREWALL AND NAT TRAVERSAL 7. ISDN NETWORKS 8. U.S. GOVERNMENT COMPLIANCE – FIPS AND JITC a. FIPS b. JITC IPv6 compliance 9. SUMMARY 2
Video Conferencing and Security 1. OVERVIEW This document is created to provide security information and considerations for video conferencing. By ensuring that security is set up properly, mainstream users of video conferencing will have the confidence to use video for a wide variety of applications. At LifeSize, we have a unique perspective on security and due to our advanced, high performance architecture we are able to ensure strong security while maintaining high quality video and feature performance. We also believe that security plays into the total cost of ownership (TCO) for a video conferencing network from two perspectives: 1) we believe that using the open Internet for video communications combined with encryption is a very secure communication method for most applications and reduces the need for more expensive, private network wide area networks (WANs); 2) that there should be no tradeoffs in quality of video or multipoint conferencing when using security features such as encryption – it should be transparent to the user, leading to greater usage and return on investment (ROI). In this paper, we will cover the levels of security to consider, firewall and NAT traversal considerations, our point of view on security, and implementation recommendations. 2. WHO SHOULD READ THIS DOCUMENT This document is generally written in layman’s terms but will be “ AtInternet for video communications open LifeSize, we believe that using the particularly useful to network and IT administrators as well as combined with encryption is a very secure managers who have primary responsibility for implementing communication method for most video conferencing solutions and communications applications and reduces the need for “ expensive, private network WANs. technologies on IP networks. 3. VIDEO CONFERENCING & THE OPEN INTERNET Video over IP (H.323 and SIP unified communications platforms) has transformed the way we experience video communications. Over the past several years, many technology advancements have aligned to take video conferencing into the mainstream. The three most important changes have been: 1) widespread, inexpensive bandwidth availability; 2) increased processing performance that has improved quality of experience, particularly with HD; and 3) the ability for users to connect with each other easily over the open Internet. High definition video quality over the open Internet is game changing. The adoption and acceptance of video conferencing is at an all time high, and the market is projected to grow at a 16.3% CAGR, from $1.7B to $4.2B in 2014. You could say that video conferencing is crossing the chasm into the mainstream market1. *”Crossing the Chasm: Marketing and Selling High Tech Products to Mainstream Customers”, Geoffrey A. Moore 3
Video Conferencing and Security High definition quality over the open Internet is game changing. Wait, we just said “high definition video conferencing over the open Internet”. Yes, that’s right. It’s happening every day, with profound benefits to users and organizations. This does beg the question, what about security. While it is much more challenging to hack a videoconference call than a transac- tion, it is clear that using video communications must be a secure endeavor. The use of the open Internet is significant because of the reduced cost and elimination of the need for running video over a secure, MPLS enabled WAN. There are a large number of organizations moving away from expensive private WANs because the open Internet is so reliable and highly effective. This may not be true for all applications, but considering the cost can be 40% less, it makes the case for dramatically reducing the total cost of ownership (TCO) of video communications, especially when it can be delivered securely using advanced encryption methods. Read on to learn about various applications and our stance on security. The goal is to keep the net- work as open as possible so that people reap the benefits of high quality, cost effective video commu- nications and do so in a secure manner. 4. VIDEO CONFERENCING SECURITY TIERS a. MAINSTREAM APPLICATIONS For most video conferencing applications, we believe that video over the open Internet with AES (128-bit, SSL) en- cryption enabled is very secure. This is the same encryption used by financial institutions that offer online banking, ecommerce and customer relationship management systems (CRM). CRM systems host an organization’s complete customer and prospect database with access via the open Internet using 128-bit AES encryption. The world’s larg- est financial institutions and retailers trust encryption for online transactions over the Internet. A good example is Salesforce.com, the leading CRM system. Salesforce.com uses AES encryption and serves customers such as Dell, Amazon and many others who certainly take their data very seriously. Read Salesforce.com’s security document: http://www.salesforce.com/assets/pdf/datasheets/security.pdf b. DEDICATED NETWORKS There are some institutions for which the open internet is not a viable option for their applications and desired security levels. This requirement often has more to do with guaranteeing a certain level of quality of service (QoS) more so than security needs. In cases where a certain level of security must be achieved, we recommend combin- ing a secure, dedicated LAN or WAN network with encryption. In some cases, the user will choose to use an MPLS 4
Video Conferencing and Security (multiprotocol label switching) network to prioritize traffic and offer service levels. In this environment, out of network calls for The world’s largest financial some organizations are “off limits” or encryption may be used institutions and ecommerce re- in combination with a properly configured firewall and NAT tailers rely on 128-bit AES encryp- traversal solution. tion for billions of transactions. The use of encryption combined with a c. GOVERNMENT & MILITARY (CLASSIFIED) properly configured firewall will ensure The highest level of security is a custom security application of- a secure video network. Moreover, it will ten employed by government agencies and the military. In this allow the organization to leverage the case, the security is not commercially available and the open immense benefits of the open Internet Internet is not a viable option. Specially designed algorithms without requiring a dedicated network or and hardware are utilized to provide certified, government- secure WAN. This makes connectivity far grade encryption. easier and less expensive. These are key parts of a well-used video network result- 5. ENCRYPTION ing in stronger return on investment. a. ENCRYPTION WITHOUT SACRIFICING QUALITY At LifeSize, we strongly recommend using AES encryption for video conferencing calls. One of the objections to using AES is that it could degrade video quality or features by using some of the processing resources to perform the encryption algo- rithm. While this may be the case with some vendor systems and legacy architectures, only LifeSize can operate with encryp- tion while maintaining the industry’s highest quality video and audio and key features that make the experience natural and effective. The purpose-built Full HD architecture of LifeSize Room 200 supports AES enabled point to point calls and multi- party calls with up to 4 sites in continuous presence in full HD 720p60 and 1080p30 quality.. This is true whether customers choose to use the H.323 protocol or the SIP protocol for their video communications. Fundamentally, we believe that you should not have to choose between security and the highest quality, most immersive communica- tion experience for users. Because of the performance advantages of the purpose-built, LifeSize HD architecture, users will not experience reduced quality to operate with encryption. This is very significant for video conferencing security and should be a key consideration when investing in systems. While other vendors are beginning to develop more cost-effective, HD capable systems that emulate LifeSize, their systems often require difficult tradeoffs and limit performance. The result is that users may experience degradation in quality to perform encryption, or may not be able to operate all features. All LifeSize encryption is standards-based and can interoperate with other platforms. 5
Video Conferencing and Security Operating on-demand video communications over the open Internet is secure and highly cost-effective for over 90% of the industry’s applications. b. ENCRYPTION BACKGROUND Encryption is the process of transforming information to make it unreadable to anyone except those possessing the key. Encryption has long been used by militaries and governments to facilitate secret communication. Encryption is now commonly used in protecting information within many types of civilian systems. Encryption is also used to protect data in transit, for example data being transferred via networks. Encrypting data in transit helps to secure it since it can be difficult to physically secure all access to networks or electronic communications. c. METHODS CURRENTLY USED IN VIDEO CONFERENCING i. AES - Advanced Encryption Standard became a standard by the National Institute of Standards and Technology (NIST) in 2002. AES is a standard that was adopted by the U.S. government with approval for the use of AES to protect classified information in 2003. The standard comprises three block ciphers, that can be implemented with a 128, 192 or 256-bit key. ii. DES - Data Encryption Standard (DES) is a block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976. It is based on a symmetric-key algorithm that uses a 56-bit key. The cipher has been superseded by the Advanced Encryption Standard (AES). iii. Triple-DES (DES3) - This is an approach that applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Triple-DES with three independent keys has a key length of 168 bits, but it provides the effective security of a 112 bit key. iv. GOVERNMENT SECURITY - The government uses their own proprietary algorithms and hardware that are not commercially available to provide high levels of security for classified communications. Examples include: KIV7 and KG194. 6. FIREWALLS Firewalls have become an essential part of securing a corporate LAN and are widely used. Video conferencing calls must be able to interoperate with firewalls to maintain corporate security and provide secure video conferencing calls inside and outside of the organization. This enables secure communications with customers, partners, suppli- ers and colleagues around the globe who are not within the corporate LAN or WAN. The challenge is that conduct- ing video calls requires the opening and closing of communication ports, potentially leaving networks vulnerable to attacks and security issues. Firewall and NAT traversal need to be standards based and easy to use and manage. a. FIREWALL/NAT TRAVERSAL BACKGROUND A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt or proxy all 6
Video Conferencing and Security computer traffic between different security domains based upon a set of rules and other criteria. Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized video conferencing users from accessing private networks, such as intranets, connected to the video conferencing. All data entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Firewalls can present a challenge for H.323/SIP video conferencing. A solution is needed to ensure strong security while traversing a firewall for high quality video and audio communication in keeping with the corporate or institu- tion’s security policies. There are a few types of firewalls and NAT implementations. Some firewalls have multiple attributes: i. Packet Filtering: This method looks at each packet entering or leaving the network and accepts or re- jects it based on user-defined rules. Packet filtering is fairly common, effective and transparent to users. ii. Application gateway: This method applies security mechanisms to specific applications, such as Telnet and FTP servers. This is very effective, but can degrade performance in some implementations. iii. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. iv. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effec- tively hides the true network addresses. v. NAT (network address translation): NAT is a general term for techniques that establish and main- tain TCP/IP network connections traversing network address translation (NAT) gateways. NAT is often used in conjunction with firewalls. NAT enables the use of a range of IP addresses internally, while sharing a smaller range of public IP addresses. Internal users will be able to see the public video conferencing, but the public video conferencing users can’t see individual devices on the internal side of the NAT. vi. DMZ: A DMZ or demilitarized zone is another segment of a LAN and is a subnetwork that contains and exposes an organization’s external services to a larger, untrusted network. A DMZ adds an ad- ditional layer of security to a LAN so that an external hacker only has access to equipment in the DMZ, rather than the whole of the network. Video conferencing endpoints can be deployed in the LAN on the WAN (not recommended because they can be attacked) or in a DMZ. 7
Video Conferencing and Security b. ADDRESSING FIREWALL AND NAT TRAVERSAL One typical way to address firewall and NAT traversal is an enterprise-class firewall and NAT traversal solution that supports tunneling. As an example, LifeSize offers a product called LifeSize Transit™. It enables end points to communicate with each other through firewalls without the need for intermediate nodes or unsafe opening of communications ports. When looking for a firewall or NAT traversal option, it is important to select a standards-based solution. In the case of LifeSize Transit, it supports both H.323/H.460 and SIP/STUN-TURN-ICE. Video endpoints should be preconfigured and ready for use with the firewall and NAT traversal solution. All LifeSize endpoints are enabled with standards based H.460 and STUN-TURN-ICE software, out of the box at no additional cost. Where you deploy the firewall is another key consideration. Often the IT organization will deploy firewalls in the demilitarized zone (DMZ). The DMZ should be setup to only allow traffic in/out on ports 1720 (H323 signaling), 5060 (SIP signaling) and user configurable ports. This will ensure the SSH, SNMP and HTTP/HTTPS ports are not open to attack. If the customer prefers a LAN deployment and chooses to not use Static NAT, then LifeSize Transit can be used for firewall/NAT traversal. 7. ISDN Networks While most networks are moving to an IP H.323 network, there are still some networks in migration. Some networks are mixed IP and ISDN. ISDN has traditionally been a secure environment, and it is very difficult to intercept an ISDN video call. In order to do so, one would need to access at least one of the ISDN switches during a call. There are also multiple B-channels and in some cases multiple switches to contend with and bonding would need to occur to tap into the call. In addition, ISDN calls can be encrypted. 8. GOVERNMENT COMPLIANCE: FIPS, JITC & IPv6 Video communications solutions for use in government and military applications require special certifications and security credentials. Depending on the requirements, the following standards or credentials apply: a. Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal Government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.) The LifeSize Cryptographic Security Kernel has been placed on the In Process Listing for the Federal Information Processing Standards Publications (FIPS) 140-2 Validation: Security Requirements for Cryptographic Modules. Ad- ditional information is available upon request. 8
Video Conferencing and Security b. Joint Interoperability Test Command (JITC) provides interoperability testing provides a full-range of testing, evaluations and certification services to support rapid acquisition and fielding of global net-centric war-fighting capabilities. LifeSize has been placed on the Department of Defense’s (DoD) Unified Capabilities (UC) for Video Conferencing equipment testing schedule to obtain an interoperability and information assurance certification from the Joint Interoperability Test Command (JITC). 9. SUMMARY This is an exciting time for people and organizations who need to take advantage of the many benefits of video communications. With strong encryption, video conferencing over the open Internet is secure. Mainstream users can meet face-to-face cost-effectively, without needing private WANs. And with the LifeSize’s purpose-built Full HD architecture, users can do so without experiencing performance tradeoffs. No longer is video only for top executives using a private corporate network. Secure video over the open Internet makes video communications so cost- effective that it can be widely deployed for inter-organization communication in offices, conference rooms, homes, educational institutions and many other environments. Now you can have video conferences with virtually anyone you need to at any time - securely. Strong encryption technology combined with properly set, enterprise-class firewall and NAT traversal provides a secure method of communication. LifeSize is committed to providing industry leading, standards-based solutions – delivering the highest quality and best customer experience without compro- mising security. Corporate Headquarters: Phone: +1 512 347 9300 EMEA: APAC: 901 S. Mopac Expressway Fax: +1 512 347 9301 LifeSize Communications, Ltd. LifeSize Hong Kong Ltd. Building 3, Suite 300 Email: info@lifesize.com United Kingdom Hong Kong Austin, Texas 78746 USA www.lifesize.com Phone: 008000 999 09 799 Phone: +852 8239 3695 Copyright 2009. All rights reserved. 9

Recommended

Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...Editor IJMTER
 
Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network SecurityDjadja Sardjana
 
VTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber SecurityVTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber SecurityShane Glenn
 
Security 2 Q 07[1]
Security 2 Q 07[1]Security 2 Q 07[1]
Security 2 Q 07[1]Sharpe Smith
 
V01 i010410
V01 i010410V01 i010410
V01 i010410IJARBEST JOURNAL
 
Sahara petrochemicals cisco
Sahara petrochemicals ciscoSahara petrochemicals cisco
Sahara petrochemicals ciscoCisco Case Studies
 
Inter op nyc_mahbubul alam_october 2012
Inter op nyc_mahbubul alam_october 2012Inter op nyc_mahbubul alam_october 2012
Inter op nyc_mahbubul alam_october 2012Mahbubul Alam
 
Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...Paul Stevens
 

Recommended

Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...
Enhanced Dynamic Leakage Detection and Piracy Prevention in Content Delivery ...Editor IJMTER
 
Bapinger Network Security
Bapinger Network SecurityBapinger Network Security
Bapinger Network SecurityDjadja Sardjana
 
VTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber SecurityVTI Learning Series Beyond the Convergence of Physical & Cyber Security
VTI Learning Series Beyond the Convergence of Physical & Cyber SecurityShane Glenn
 
Security 2 Q 07[1]
Security 2 Q 07[1]Security 2 Q 07[1]
Security 2 Q 07[1]Sharpe Smith
 
V01 i010410
V01 i010410V01 i010410
V01 i010410IJARBEST JOURNAL
 
Sahara petrochemicals cisco
Sahara petrochemicals ciscoSahara petrochemicals cisco
Sahara petrochemicals ciscoCisco Case Studies
 
Inter op nyc_mahbubul alam_october 2012
Inter op nyc_mahbubul alam_october 2012Inter op nyc_mahbubul alam_october 2012
Inter op nyc_mahbubul alam_october 2012Mahbubul Alam
 
Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...Virtual security gateways at network edge are key to protecting ultra broadba...
Virtual security gateways at network edge are key to protecting ultra broadba...Paul Stevens
 
IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...
IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...
IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...IRJET Journal
 
White Paper: Secure and Trusted Femtocells
White Paper: Secure and Trusted FemtocellsWhite Paper: Secure and Trusted Femtocells
White Paper: Secure and Trusted FemtocellsMindspeed Technologies
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1Irsandi Hasan
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutionshemantchaskar
 
WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011Paul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...Tony Pearson
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product familyxKinAnx
 
Complete Security
Complete SecurityComplete Security
Complete SecuritySophos
 
Exposing the Money Behind Malware
Exposing the Money Behind MalwareExposing the Money Behind Malware
Exposing the Money Behind MalwareSophos
 
The Requirement for ECMS
The Requirement for ECMSThe Requirement for ECMS
The Requirement for ECMSInfogrid Pacific Pte. Ltd
 
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCisco Service Provider
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetIvan Carmona
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Novosco
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_CMR WORLD TECH
 
Seizing the BYOD Opportunity
Seizing the BYOD OpportunitySeizing the BYOD Opportunity
Seizing the BYOD OpportunityJuniper Networks
 
Conférence ARBOR ACSS 2018
Conférence ARBOR ACSS 2018Conférence ARBOR ACSS 2018
Conférence ARBOR ACSS 2018African Cyber Security Summit
 
Nvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - finalNvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - finalA. Phillip Smith
 
Smau Bari 2012 Marco Soldi
Smau Bari 2012 Marco SoldiSmau Bari 2012 Marco Soldi
Smau Bari 2012 Marco SoldiSMAU
 
Raisul Haq Rajib (063435056)
Raisul Haq Rajib (063435056)Raisul Haq Rajib (063435056)
Raisul Haq Rajib (063435056)mashiur
 
ManagedISDNandIPEncryption
ManagedISDNandIPEncryptionManagedISDNandIPEncryption
ManagedISDNandIPEncryptionAl Ewers
 

More Related Content

What's hot

IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...
IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...
IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...IRJET Journal
 
White Paper: Secure and Trusted Femtocells
White Paper: Secure and Trusted FemtocellsWhite Paper: Secure and Trusted Femtocells
White Paper: Secure and Trusted FemtocellsMindspeed Technologies
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1Irsandi Hasan
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutionshemantchaskar
 
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...Tony Pearson
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesBulent Buyukkahraman
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product familyxKinAnx
 
Complete Security
Complete SecurityComplete Security
Complete SecuritySophos
 
Exposing the Money Behind Malware
Exposing the Money Behind MalwareExposing the Money Behind Malware
Exposing the Money Behind MalwareSophos
 
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCisco Service Provider
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof SoodZsolt Nemeth
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetIvan Carmona
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Novosco
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_CMR WORLD TECH
 
Seizing the BYOD Opportunity
Seizing the BYOD OpportunitySeizing the BYOD Opportunity
Seizing the BYOD OpportunityJuniper Networks
 
Nvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - finalNvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - finalA. Phillip Smith
 
Smau Bari 2012 Marco Soldi
Smau Bari 2012 Marco SoldiSmau Bari 2012 Marco Soldi
Smau Bari 2012 Marco SoldiSMAU
 

What's hot (20)

IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...
IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...
IRJET- Improved Identity-based Anonymous Broadcast Encryption with Chosen Cip...
 
White Paper: Secure and Trusted Femtocells
White Paper: Secure and Trusted FemtocellsWhite Paper: Secure and Trusted Femtocells
White Paper: Secure and Trusted Femtocells
 
CCNA Security - Chapter 1
CCNA Security - Chapter 1CCNA Security - Chapter 1
CCNA Security - Chapter 1
 
Understanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and SolutionsUnderstanding WiFi Security Vulnerabilities and Solutions
Understanding WiFi Security Vulnerabilities and Solutions
 
WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011
 
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...
Strengthen your security posture! Getting started with IBM Z Pervasive Encryp...
 
Axoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing ServicesAxoss Wireless Penetration Testing Services
Axoss Wireless Penetration Testing Services
 
Presentation cisco iron port product family
Presentation cisco iron port product familyPresentation cisco iron port product family
Presentation cisco iron port product family
 
Complete Security
Complete SecurityComplete Security
Complete Security
 
Exposing the Money Behind Malware
Exposing the Money Behind MalwareExposing the Money Behind Malware
Exposing the Money Behind Malware
 
The Requirement for ECMS
The Requirement for ECMSThe Requirement for ECMS
The Requirement for ECMS
 
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data CenterCloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
Cloud Connect 2011 - Cisco and the Cloud: Within and Beyond the Data Center
 
Hakin9 interview w Prof Sood
Hakin9 interview w Prof SoodHakin9 interview w Prof Sood
Hakin9 interview w Prof Sood
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
 
Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017Network Security - Fortinet, Dublin June 2017
Network Security - Fortinet, Dublin June 2017
 
Network cloaking sansv2_
Network cloaking sansv2_Network cloaking sansv2_
Network cloaking sansv2_
 
Seizing the BYOD Opportunity
Seizing the BYOD OpportunitySeizing the BYOD Opportunity
Seizing the BYOD Opportunity
 
Conférence ARBOR ACSS 2018
Conférence ARBOR ACSS 2018Conférence ARBOR ACSS 2018
Conférence ARBOR ACSS 2018
 
Nvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - finalNvis, inc. 03 18-2020 - final
Nvis, inc. 03 18-2020 - final
 
Smau Bari 2012 Marco Soldi
Smau Bari 2012 Marco SoldiSmau Bari 2012 Marco Soldi
Smau Bari 2012 Marco Soldi
 

Similar to Video Conferencing and Security

Raisul Haq Rajib (063435056)
Raisul Haq Rajib (063435056)Raisul Haq Rajib (063435056)
Raisul Haq Rajib (063435056)mashiur
 
ManagedISDNandIPEncryption
ManagedISDNandIPEncryptionManagedISDNandIPEncryption
ManagedISDNandIPEncryptionAl Ewers
 
A New Approach to Video Conferencing
A New Approach to Video ConferencingA New Approach to Video Conferencing
A New Approach to Video ConferencingVideoguy
 
A New Approach to Video Conferencing
A New Approach to Video ConferencingA New Approach to Video Conferencing
A New Approach to Video ConferencingVideoguy
 
Sini online assignment
Sini online assignmentSini online assignment
Sini online assignmentsiniajay
 
NTSC ISDN to IP Video Conferencing Transition Recommendations
NTSC ISDN to IP Video Conferencing Transition RecommendationsNTSC ISDN to IP Video Conferencing Transition Recommendations
NTSC ISDN to IP Video Conferencing Transition RecommendationsVideoguy
 
10.1.1.64.2504
10.1.1.64.250410.1.1.64.2504
10.1.1.64.2504Dan Drumm
 
H.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World BankH.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World BankVideoguy
 
H.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World BankH.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World BankVideoguy
 
Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056mashiur
 
InAVate_March13_IPTVEssentials
InAVate_March13_IPTVEssentialsInAVate_March13_IPTVEssentials
InAVate_March13_IPTVEssentialsgenycaloisi
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingVideoguy
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingVideoguy
 
Video conferencing services
Video conferencing servicesVideo conferencing services
Video conferencing servicesSmriti Tikoo
 

Similar to Video Conferencing and Security (20)

Raisul Haq Rajib (063435056)
Raisul Haq Rajib (063435056)Raisul Haq Rajib (063435056)
Raisul Haq Rajib (063435056)
 
ManagedISDNandIPEncryption
ManagedISDNandIPEncryptionManagedISDNandIPEncryption
ManagedISDNandIPEncryption
 
A New Approach to Video Conferencing
A New Approach to Video ConferencingA New Approach to Video Conferencing
A New Approach to Video Conferencing
 
A New Approach to Video Conferencing
A New Approach to Video ConferencingA New Approach to Video Conferencing
A New Approach to Video Conferencing
 
It 241 Week 1 Cp Essay
It 241 Week 1 Cp EssayIt 241 Week 1 Cp Essay
It 241 Week 1 Cp Essay
 
Sini online assignment
Sini online assignmentSini online assignment
Sini online assignment
 
NTSC ISDN to IP Video Conferencing Transition Recommendations
NTSC ISDN to IP Video Conferencing Transition RecommendationsNTSC ISDN to IP Video Conferencing Transition Recommendations
NTSC ISDN to IP Video Conferencing Transition Recommendations
 
10.1.1.64.2504
10.1.1.64.250410.1.1.64.2504
10.1.1.64.2504
 
H.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World BankH.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World Bank
 
H.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World BankH.320 Videoconferencing over Frame Relay for The World Bank
H.320 Videoconferencing over Frame Relay for The World Bank
 
Video Security Goes to the cloud
Video Security Goes to the cloudVideo Security Goes to the cloud
Video Security Goes to the cloud
 
VPN
VPN VPN
VPN
 
Vp npresentation (1)
Vp npresentation (1)Vp npresentation (1)
Vp npresentation (1)
 
Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056Abdullah Al Mamun 062507056
Abdullah Al Mamun 062507056
 
CDE Marketplace: SQR Systems
CDE Marketplace: SQR SystemsCDE Marketplace: SQR Systems
CDE Marketplace: SQR Systems
 
InAVate_March13_IPTVEssentials
InAVate_March13_IPTVEssentialsInAVate_March13_IPTVEssentials
InAVate_March13_IPTVEssentials
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for Videoconferencing
 
The "Universal" IP Network for Videoconferencing
The "Universal" IP Network for VideoconferencingThe "Universal" IP Network for Videoconferencing
The "Universal" IP Network for Videoconferencing
 
Video conferencing services
Video conferencing servicesVideo conferencing services
Video conferencing services
 
R43019698
R43019698R43019698
R43019698
 

More from Videoguy

Energy-Aware Wireless Video Streaming
Energy-Aware Wireless Video StreamingEnergy-Aware Wireless Video Streaming
Energy-Aware Wireless Video StreamingVideoguy
 
Microsoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_PresMicrosoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_PresVideoguy
 
Proxy Cache Management for Fine-Grained Scalable Video Streaming
Proxy Cache Management for Fine-Grained Scalable Video StreamingProxy Cache Management for Fine-Grained Scalable Video Streaming
Proxy Cache Management for Fine-Grained Scalable Video StreamingVideoguy
 
Free-riding Resilient Video Streaming in Peer-to-Peer Networks
Free-riding Resilient Video Streaming in Peer-to-Peer NetworksFree-riding Resilient Video Streaming in Peer-to-Peer Networks
Free-riding Resilient Video Streaming in Peer-to-Peer NetworksVideoguy
 
Instant video streaming
Instant video streamingInstant video streaming
Instant video streamingVideoguy
 
Video Streaming over Bluetooth: A Survey
Video Streaming over Bluetooth: A SurveyVideo Streaming over Bluetooth: A Survey
Video Streaming over Bluetooth: A SurveyVideoguy
 
Video Streaming
Video StreamingVideo Streaming
Video StreamingVideoguy
 
Reaching a Broader Audience
Reaching a Broader AudienceReaching a Broader Audience
Reaching a Broader AudienceVideoguy
 
Considerations for Creating Streamed Video Content over 3G ...
Considerations for Creating Streamed Video Content over 3G ...Considerations for Creating Streamed Video Content over 3G ...
Considerations for Creating Streamed Video Content over 3G ...Videoguy
 
ADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMING
ADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMINGADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMING
ADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMINGVideoguy
 
Impact of FEC Overhead on Scalable Video Streaming
Impact of FEC Overhead on Scalable Video StreamingImpact of FEC Overhead on Scalable Video Streaming
Impact of FEC Overhead on Scalable Video StreamingVideoguy
 
Application Brief
Application BriefApplication Brief
Application BriefVideoguy
 
Video Streaming Services – Stage 1
Video Streaming Services – Stage 1Video Streaming Services – Stage 1
Video Streaming Services – Stage 1Videoguy
 
Streaming Video into Second Life
Streaming Video into Second LifeStreaming Video into Second Life
Streaming Video into Second LifeVideoguy
 
Flash Live Video Streaming Software
Flash Live Video Streaming SoftwareFlash Live Video Streaming Software
Flash Live Video Streaming SoftwareVideoguy
 
Videoconference Streaming Solutions Cookbook
Videoconference Streaming Solutions CookbookVideoconference Streaming Solutions Cookbook
Videoconference Streaming Solutions CookbookVideoguy
 
Streaming Video Formaten
Streaming Video FormatenStreaming Video Formaten
Streaming Video FormatenVideoguy
 
iPhone Live Video Streaming Software
iPhone Live Video Streaming SoftwareiPhone Live Video Streaming Software
iPhone Live Video Streaming SoftwareVideoguy
 
Glow: Video streaming training guide - Firefox
Glow: Video streaming training guide - FirefoxGlow: Video streaming training guide - Firefox
Glow: Video streaming training guide - FirefoxVideoguy
 

More from Videoguy (20)

Energy-Aware Wireless Video Streaming
Energy-Aware Wireless Video StreamingEnergy-Aware Wireless Video Streaming
Energy-Aware Wireless Video Streaming
 
Microsoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_PresMicrosoft PowerPoint - WirelessCluster_Pres
Microsoft PowerPoint - WirelessCluster_Pres
 
Proxy Cache Management for Fine-Grained Scalable Video Streaming
Proxy Cache Management for Fine-Grained Scalable Video StreamingProxy Cache Management for Fine-Grained Scalable Video Streaming
Proxy Cache Management for Fine-Grained Scalable Video Streaming
 
Adobe
AdobeAdobe
Adobe
 
Free-riding Resilient Video Streaming in Peer-to-Peer Networks
Free-riding Resilient Video Streaming in Peer-to-Peer NetworksFree-riding Resilient Video Streaming in Peer-to-Peer Networks
Free-riding Resilient Video Streaming in Peer-to-Peer Networks
 
Instant video streaming
Instant video streamingInstant video streaming
Instant video streaming
 
Video Streaming over Bluetooth: A Survey
Video Streaming over Bluetooth: A SurveyVideo Streaming over Bluetooth: A Survey
Video Streaming over Bluetooth: A Survey
 
Video Streaming
Video StreamingVideo Streaming
Video Streaming
 
Reaching a Broader Audience
Reaching a Broader AudienceReaching a Broader Audience
Reaching a Broader Audience
 
Considerations for Creating Streamed Video Content over 3G ...
Considerations for Creating Streamed Video Content over 3G ...Considerations for Creating Streamed Video Content over 3G ...
Considerations for Creating Streamed Video Content over 3G ...
 
ADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMING
ADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMINGADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMING
ADVANCES IN CHANNEL-ADAPTIVE VIDEO STREAMING
 
Impact of FEC Overhead on Scalable Video Streaming
Impact of FEC Overhead on Scalable Video StreamingImpact of FEC Overhead on Scalable Video Streaming
Impact of FEC Overhead on Scalable Video Streaming
 
Application Brief
Application BriefApplication Brief
Application Brief
 
Video Streaming Services – Stage 1
Video Streaming Services – Stage 1Video Streaming Services – Stage 1
Video Streaming Services – Stage 1
 
Streaming Video into Second Life
Streaming Video into Second LifeStreaming Video into Second Life
Streaming Video into Second Life
 
Flash Live Video Streaming Software
Flash Live Video Streaming SoftwareFlash Live Video Streaming Software
Flash Live Video Streaming Software
 
Videoconference Streaming Solutions Cookbook
Videoconference Streaming Solutions CookbookVideoconference Streaming Solutions Cookbook
Videoconference Streaming Solutions Cookbook
 
Streaming Video Formaten
Streaming Video FormatenStreaming Video Formaten
Streaming Video Formaten
 
iPhone Live Video Streaming Software
iPhone Live Video Streaming SoftwareiPhone Live Video Streaming Software
iPhone Live Video Streaming Software
 
Glow: Video streaming training guide - Firefox
Glow: Video streaming training guide - FirefoxGlow: Video streaming training guide - Firefox
Glow: Video streaming training guide - Firefox
 

Video Conferencing and Security

  • 1. Video Conferencing and Security Using the Open Internet and Encryption for Secure Video Communications & Guidelines for Selecting the Right Level of Security for Your Organization 1
  • 2. Table of Contents 1. OVERVIEW 2. WHO SHOULD READ THIS DOCUMENT 3. VIDEO CONFERENCING & THE OPEN INTERNET 4. VIDEO CONFERENCING SECURITY TIERS a. Mainstream applications b. Dedicated networks c. Government level, classified security 5. ENCRYPTION a. ENCRYPTION WITHOUT SACRIFICING PERFORMANCE & QUALITY b. ENCRYPTION BACKGROUND c. METHODS CURRENTLY USED IN VIDEO CONFERENCING i. AES ii. DES iii. Triple-DES (DES3) iv. Government & Military Classified– Non-commercial 6. FIREWALLS AND NAT TRAVERSAL a. FIREWALL AND NAT TRAVERSAL BACKGROUND i. Packet Filtering ii. Application Gateway iii. Circuit Level Gateway iv. Proxy Servers v. NAT vi. DMZ b. OPTIONS FOR FIREWALL AND NAT TRAVERSAL 7. ISDN NETWORKS 8. U.S. GOVERNMENT COMPLIANCE – FIPS AND JITC a. FIPS b. JITC IPv6 compliance 9. SUMMARY 2
  • 3. Video Conferencing and Security 1. OVERVIEW This document is created to provide security information and considerations for video conferencing. By ensuring that security is set up properly, mainstream users of video conferencing will have the confidence to use video for a wide variety of applications. At LifeSize, we have a unique perspective on security and due to our advanced, high performance architecture we are able to ensure strong security while maintaining high quality video and feature performance. We also believe that security plays into the total cost of ownership (TCO) for a video conferencing network from two perspectives: 1) we believe that using the open Internet for video communications combined with encryption is a very secure communication method for most applications and reduces the need for more expensive, private network wide area networks (WANs); 2) that there should be no tradeoffs in quality of video or multipoint conferencing when using security features such as encryption – it should be transparent to the user, leading to greater usage and return on investment (ROI). In this paper, we will cover the levels of security to consider, firewall and NAT traversal considerations, our point of view on security, and implementation recommendations. 2. WHO SHOULD READ THIS DOCUMENT This document is generally written in layman’s terms but will be “ AtInternet for video communications open LifeSize, we believe that using the particularly useful to network and IT administrators as well as combined with encryption is a very secure managers who have primary responsibility for implementing communication method for most video conferencing solutions and communications applications and reduces the need for “ expensive, private network WANs. technologies on IP networks. 3. VIDEO CONFERENCING & THE OPEN INTERNET Video over IP (H.323 and SIP unified communications platforms) has transformed the way we experience video communications. Over the past several years, many technology advancements have aligned to take video conferencing into the mainstream. The three most important changes have been: 1) widespread, inexpensive bandwidth availability; 2) increased processing performance that has improved quality of experience, particularly with HD; and 3) the ability for users to connect with each other easily over the open Internet. High definition video quality over the open Internet is game changing. The adoption and acceptance of video conferencing is at an all time high, and the market is projected to grow at a 16.3% CAGR, from $1.7B to $4.2B in 2014. You could say that video conferencing is crossing the chasm into the mainstream market1. *”Crossing the Chasm: Marketing and Selling High Tech Products to Mainstream Customers”, Geoffrey A. Moore 3
  • 4. Video Conferencing and Security High definition quality over the open Internet is game changing. Wait, we just said “high definition video conferencing over the open Internet”. Yes, that’s right. It’s happening every day, with profound benefits to users and organizations. This does beg the question, what about security. While it is much more challenging to hack a videoconference call than a transac- tion, it is clear that using video communications must be a secure endeavor. The use of the open Internet is significant because of the reduced cost and elimination of the need for running video over a secure, MPLS enabled WAN. There are a large number of organizations moving away from expensive private WANs because the open Internet is so reliable and highly effective. This may not be true for all applications, but considering the cost can be 40% less, it makes the case for dramatically reducing the total cost of ownership (TCO) of video communications, especially when it can be delivered securely using advanced encryption methods. Read on to learn about various applications and our stance on security. The goal is to keep the net- work as open as possible so that people reap the benefits of high quality, cost effective video commu- nications and do so in a secure manner. 4. VIDEO CONFERENCING SECURITY TIERS a. MAINSTREAM APPLICATIONS For most video conferencing applications, we believe that video over the open Internet with AES (128-bit, SSL) en- cryption enabled is very secure. This is the same encryption used by financial institutions that offer online banking, ecommerce and customer relationship management systems (CRM). CRM systems host an organization’s complete customer and prospect database with access via the open Internet using 128-bit AES encryption. The world’s larg- est financial institutions and retailers trust encryption for online transactions over the Internet. A good example is Salesforce.com, the leading CRM system. Salesforce.com uses AES encryption and serves customers such as Dell, Amazon and many others who certainly take their data very seriously. Read Salesforce.com’s security document: http://www.salesforce.com/assets/pdf/datasheets/security.pdf b. DEDICATED NETWORKS There are some institutions for which the open internet is not a viable option for their applications and desired security levels. This requirement often has more to do with guaranteeing a certain level of quality of service (QoS) more so than security needs. In cases where a certain level of security must be achieved, we recommend combin- ing a secure, dedicated LAN or WAN network with encryption. In some cases, the user will choose to use an MPLS 4
  • 5. Video Conferencing and Security (multiprotocol label switching) network to prioritize traffic and offer service levels. In this environment, out of network calls for The world’s largest financial some organizations are “off limits” or encryption may be used institutions and ecommerce re- in combination with a properly configured firewall and NAT tailers rely on 128-bit AES encryp- traversal solution. tion for billions of transactions. The use of encryption combined with a c. GOVERNMENT & MILITARY (CLASSIFIED) properly configured firewall will ensure The highest level of security is a custom security application of- a secure video network. Moreover, it will ten employed by government agencies and the military. In this allow the organization to leverage the case, the security is not commercially available and the open immense benefits of the open Internet Internet is not a viable option. Specially designed algorithms without requiring a dedicated network or and hardware are utilized to provide certified, government- secure WAN. This makes connectivity far grade encryption. easier and less expensive. These are key parts of a well-used video network result- 5. ENCRYPTION ing in stronger return on investment. a. ENCRYPTION WITHOUT SACRIFICING QUALITY At LifeSize, we strongly recommend using AES encryption for video conferencing calls. One of the objections to using AES is that it could degrade video quality or features by using some of the processing resources to perform the encryption algo- rithm. While this may be the case with some vendor systems and legacy architectures, only LifeSize can operate with encryp- tion while maintaining the industry’s highest quality video and audio and key features that make the experience natural and effective. The purpose-built Full HD architecture of LifeSize Room 200 supports AES enabled point to point calls and multi- party calls with up to 4 sites in continuous presence in full HD 720p60 and 1080p30 quality.. This is true whether customers choose to use the H.323 protocol or the SIP protocol for their video communications. Fundamentally, we believe that you should not have to choose between security and the highest quality, most immersive communica- tion experience for users. Because of the performance advantages of the purpose-built, LifeSize HD architecture, users will not experience reduced quality to operate with encryption. This is very significant for video conferencing security and should be a key consideration when investing in systems. While other vendors are beginning to develop more cost-effective, HD capable systems that emulate LifeSize, their systems often require difficult tradeoffs and limit performance. The result is that users may experience degradation in quality to perform encryption, or may not be able to operate all features. All LifeSize encryption is standards-based and can interoperate with other platforms. 5
  • 6. Video Conferencing and Security Operating on-demand video communications over the open Internet is secure and highly cost-effective for over 90% of the industry’s applications. b. ENCRYPTION BACKGROUND Encryption is the process of transforming information to make it unreadable to anyone except those possessing the key. Encryption has long been used by militaries and governments to facilitate secret communication. Encryption is now commonly used in protecting information within many types of civilian systems. Encryption is also used to protect data in transit, for example data being transferred via networks. Encrypting data in transit helps to secure it since it can be difficult to physically secure all access to networks or electronic communications. c. METHODS CURRENTLY USED IN VIDEO CONFERENCING i. AES - Advanced Encryption Standard became a standard by the National Institute of Standards and Technology (NIST) in 2002. AES is a standard that was adopted by the U.S. government with approval for the use of AES to protect classified information in 2003. The standard comprises three block ciphers, that can be implemented with a 128, 192 or 256-bit key. ii. DES - Data Encryption Standard (DES) is a block cipher that was selected by the National Bureau of Standards as an official Federal Information Processing Standard for the United States in 1976. It is based on a symmetric-key algorithm that uses a 56-bit key. The cipher has been superseded by the Advanced Encryption Standard (AES). iii. Triple-DES (DES3) - This is an approach that applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Triple-DES with three independent keys has a key length of 168 bits, but it provides the effective security of a 112 bit key. iv. GOVERNMENT SECURITY - The government uses their own proprietary algorithms and hardware that are not commercially available to provide high levels of security for classified communications. Examples include: KIV7 and KG194. 6. FIREWALLS Firewalls have become an essential part of securing a corporate LAN and are widely used. Video conferencing calls must be able to interoperate with firewalls to maintain corporate security and provide secure video conferencing calls inside and outside of the organization. This enables secure communications with customers, partners, suppli- ers and colleagues around the globe who are not within the corporate LAN or WAN. The challenge is that conduct- ing video calls requires the opening and closing of communication ports, potentially leaving networks vulnerable to attacks and security issues. Firewall and NAT traversal need to be standards based and easy to use and manage. a. FIREWALL/NAT TRAVERSAL BACKGROUND A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt or proxy all 6
  • 7. Video Conferencing and Security computer traffic between different security domains based upon a set of rules and other criteria. Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized video conferencing users from accessing private networks, such as intranets, connected to the video conferencing. All data entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Firewalls can present a challenge for H.323/SIP video conferencing. A solution is needed to ensure strong security while traversing a firewall for high quality video and audio communication in keeping with the corporate or institu- tion’s security policies. There are a few types of firewalls and NAT implementations. Some firewalls have multiple attributes: i. Packet Filtering: This method looks at each packet entering or leaving the network and accepts or re- jects it based on user-defined rules. Packet filtering is fairly common, effective and transparent to users. ii. Application gateway: This method applies security mechanisms to specific applications, such as Telnet and FTP servers. This is very effective, but can degrade performance in some implementations. iii. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. iv. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effec- tively hides the true network addresses. v. NAT (network address translation): NAT is a general term for techniques that establish and main- tain TCP/IP network connections traversing network address translation (NAT) gateways. NAT is often used in conjunction with firewalls. NAT enables the use of a range of IP addresses internally, while sharing a smaller range of public IP addresses. Internal users will be able to see the public video conferencing, but the public video conferencing users can’t see individual devices on the internal side of the NAT. vi. DMZ: A DMZ or demilitarized zone is another segment of a LAN and is a subnetwork that contains and exposes an organization’s external services to a larger, untrusted network. A DMZ adds an ad- ditional layer of security to a LAN so that an external hacker only has access to equipment in the DMZ, rather than the whole of the network. Video conferencing endpoints can be deployed in the LAN on the WAN (not recommended because they can be attacked) or in a DMZ. 7
  • 8. Video Conferencing and Security b. ADDRESSING FIREWALL AND NAT TRAVERSAL One typical way to address firewall and NAT traversal is an enterprise-class firewall and NAT traversal solution that supports tunneling. As an example, LifeSize offers a product called LifeSize Transit™. It enables end points to communicate with each other through firewalls without the need for intermediate nodes or unsafe opening of communications ports. When looking for a firewall or NAT traversal option, it is important to select a standards-based solution. In the case of LifeSize Transit, it supports both H.323/H.460 and SIP/STUN-TURN-ICE. Video endpoints should be preconfigured and ready for use with the firewall and NAT traversal solution. All LifeSize endpoints are enabled with standards based H.460 and STUN-TURN-ICE software, out of the box at no additional cost. Where you deploy the firewall is another key consideration. Often the IT organization will deploy firewalls in the demilitarized zone (DMZ). The DMZ should be setup to only allow traffic in/out on ports 1720 (H323 signaling), 5060 (SIP signaling) and user configurable ports. This will ensure the SSH, SNMP and HTTP/HTTPS ports are not open to attack. If the customer prefers a LAN deployment and chooses to not use Static NAT, then LifeSize Transit can be used for firewall/NAT traversal. 7. ISDN Networks While most networks are moving to an IP H.323 network, there are still some networks in migration. Some networks are mixed IP and ISDN. ISDN has traditionally been a secure environment, and it is very difficult to intercept an ISDN video call. In order to do so, one would need to access at least one of the ISDN switches during a call. There are also multiple B-channels and in some cases multiple switches to contend with and bonding would need to occur to tap into the call. In addition, ISDN calls can be encrypted. 8. GOVERNMENT COMPLIANCE: FIPS, JITC & IPv6 Video communications solutions for use in government and military applications require special certifications and security credentials. Depending on the requirements, the following standards or credentials apply: a. Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal Government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified versions of standards used in the wider community (ANSI, IEEE, ISO, etc.) The LifeSize Cryptographic Security Kernel has been placed on the In Process Listing for the Federal Information Processing Standards Publications (FIPS) 140-2 Validation: Security Requirements for Cryptographic Modules. Ad- ditional information is available upon request. 8
  • 9. Video Conferencing and Security b. Joint Interoperability Test Command (JITC) provides interoperability testing provides a full-range of testing, evaluations and certification services to support rapid acquisition and fielding of global net-centric war-fighting capabilities. LifeSize has been placed on the Department of Defense’s (DoD) Unified Capabilities (UC) for Video Conferencing equipment testing schedule to obtain an interoperability and information assurance certification from the Joint Interoperability Test Command (JITC). 9. SUMMARY This is an exciting time for people and organizations who need to take advantage of the many benefits of video communications. With strong encryption, video conferencing over the open Internet is secure. Mainstream users can meet face-to-face cost-effectively, without needing private WANs. And with the LifeSize’s purpose-built Full HD architecture, users can do so without experiencing performance tradeoffs. No longer is video only for top executives using a private corporate network. Secure video over the open Internet makes video communications so cost- effective that it can be widely deployed for inter-organization communication in offices, conference rooms, homes, educational institutions and many other environments. Now you can have video conferences with virtually anyone you need to at any time - securely. Strong encryption technology combined with properly set, enterprise-class firewall and NAT traversal provides a secure method of communication. LifeSize is committed to providing industry leading, standards-based solutions – delivering the highest quality and best customer experience without compro- mising security. Corporate Headquarters: Phone: +1 512 347 9300 EMEA: APAC: 901 S. Mopac Expressway Fax: +1 512 347 9301 LifeSize Communications, Ltd. LifeSize Hong Kong Ltd. Building 3, Suite 300 Email: info@lifesize.com United Kingdom Hong Kong Austin, Texas 78746 USA www.lifesize.com Phone: 008000 999 09 799 Phone: +852 8239 3695 Copyright 2009. All rights reserved. 9