Deploying Secure Videoconferencing Over an IP Network
Gordon Daugherty, Chief Marketing Officer
Topics to be Covered
• Basics about IP Video
• Design Considerations in the LAN and WAN
• QoS
• Firewalls & NAT
• Management & Administration
• Common Oversights
Ultimate Objective Checklist
• Security
• Connectivity
• Management & Administration
• Transparency (seamless use)
The Basics about IP Video
• How much bandwidth is consumed?
  • Don't forget the overhead: every media packet carries RTP, UDP and IP headers on top of the codec payload, so the rate on the wire is higher than the "call rate" the endpoint is configured for
  • Audio and video travel as separate streams, each with its own RTP/RTCP port pair
• Point-to-point versus multipoint versus multicast
  • Especially think about the aggregated bandwidth coming into the MCU over the WAN link: in a unicast multipoint call every remote site sends a full stream to the MCU and receives one back, so the MCU's link carries one call's worth of traffic per site in each direction
• TCP for signaling and control (H.225.0 call setup, H.245 call control), UDP for media (RTP/RTCP)
LAN Considerations
• The easiest part
• Switches are a must: on a shared (hub) segment every port is one collision domain, and contention plus Ethernet collision retransmissions add delay and jitter to media
• Predict usage patterns before the deployment
  • Average and peak number of simultaneous conferences
  • Average conference data rate
  • Mix of point-to-point, multipoint and multicast usage
• 802.1p/q QoS should not be needed if the LAN is properly provisioned
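The bandwidth arithmetic the two slides above describe, as an added example (not code from the deck or from VCON): it adds the RTP/UDP/IP overhead to the configured codec rate, aggregates the result at the MCU's WAN link for unicast multipoint versus one-to-many multicast, and checks the total against the weakest link on a path and against an asymmetric broadband uplink. The codec rates, packet sizes, link names and capacities are constructed inputs, and the 5% RTCP budget and the one-way multicast model are assumptions stated in the code.

```python
"""Added example, not from the original deck: estimate what an H.323 call really
costs on the wire once RTP/UDP/IP overhead is included, then check that figure
against the MCU's WAN link and against the weakest link on a path.

Assumptions (not figures from the deck): IPv4 without options, RTP without
CSRC/extension, audio packetized at 20 ms, video packets of ~1000 bytes, and
RTCP budgeted at 5% of the media rate.
"""

IPV4_HEADER = 20   # bytes, no options
UDP_HEADER = 8
RTP_HEADER = 12    # fixed header, no CSRC list, no extension
PER_PACKET_OVERHEAD = IPV4_HEADER + UDP_HEADER + RTP_HEADER


def stream_bandwidth_kbps(payload_kbps: float, packet_payload_bytes: int) -> float:
    """On-the-wire rate of one RTP stream.

    payload_kbps is the codec rate the endpoint is configured for; the smaller
    the packets, the more header bytes are paid per second of media.
    """
    packets_per_second = payload_kbps * 1000 / 8 / packet_payload_bytes
    bits_per_packet = (packet_payload_bytes + PER_PACKET_OVERHEAD) * 8
    return packets_per_second * bits_per_packet / 1000


def call_bandwidth_kbps(audio_kbps: float, audio_payload_bytes: int,
                        video_kbps: float, video_payload_bytes: int,
                        rtcp_fraction: float = 0.05) -> float:
    """Audio and video are separate RTP streams, each paying its own overhead.

    RFC 3550 caps RTCP at 5% of the session bandwidth, so it is budgeted here
    as a fraction on top of the media (assumption).
    """
    audio = stream_bandwidth_kbps(audio_kbps, audio_payload_bytes)
    video = stream_bandwidth_kbps(video_kbps, video_payload_bytes)
    return (audio + video) * (1 + rtcp_fraction)


def mcu_link_load_kbps(call_kbps: float, remote_sites: int, multicast: bool = False) -> dict:
    """Traffic on the MCU's WAN link, in each direction.

    Unicast multipoint: every remote site sends one full call to the MCU and
    receives one back, so the link carries one call per site each way.
    One-to-many multicast: one outbound copy leaves the sender and the network
    replicates it; receivers send nothing back (assumed one-way streaming).
    """
    if multicast:
        return {"inbound": 0.0, "outbound": call_kbps}
    return {"inbound": call_kbps * remote_sites, "outbound": call_kbps * remote_sites}


def path_headroom_kbps(links, call_kbps: float, concurrent_calls: int):
    """'Weakest link' check along a WAN path.

    links: list of (name, capacity_kbps, already_committed_kbps).
    Returns (bottleneck_link_name, headroom_kbps); negative headroom means the
    calls will not fit, and that link is where packets will be dropped.
    """
    worst = None
    for name, capacity, committed in links:
        headroom = capacity - committed - call_kbps * concurrent_calls
        if worst is None or headroom < worst[1]:
            worst = (name, headroom)
    return worst


def asymmetric_link_check(call_kbps: float, uplink_kbps: float, downlink_kbps: float) -> dict:
    """On ADSL/cable the far end's picture is bounded by this side's uplink."""
    return {"we_receive_ok": call_kbps <= downlink_kbps,
            "far_end_receives_ok": call_kbps <= uplink_kbps}


if __name__ == "__main__":
    # Constructed call: G.711 audio (64 kbps, 20 ms packets) plus 320 kbps video.
    call = call_bandwidth_kbps(64, 160, 320, 1000)
    print(f"configured 384 kbps call costs {call:.1f} kbps on the wire")
    print(mcu_link_load_kbps(call, remote_sites=6))
    path = [("hq-core", 100_000, 10_000), ("branch-t1", 1544, 600), ("branch-lan", 100_000, 0)]
    print(path_headroom_kbps(path, call, concurrent_calls=2))
    print(asymmetric_link_check(call, uplink_kbps=256, downlink_kbps=1500))
```

The point to take from the run is that a "384 kbps" call is roughly 430 kbps on the wire, that a T1 to a branch office carrying 600 kbps of other traffic fits two such calls but not three, and that a 256 kbps uplink is what the far end experiences regardless of how fast the broadband user's downstream is.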
Considerations with Routers
• Can work for you or against you, depending on how the router is configured
• Likely the best place to implement QoS of some sort
  • IP Precedence (the top three bits of the IPv4 ToS byte) or DiffServ (the six-bit DSCP in the same byte)
• Check to see whether any traffic shaping or filtering is already being done based on packet types or ports
  • This can cause unpredictable results if the existing policies overlap with the protocols or ports used for IP video
• Check to see whether any tail-drop or random early detection (RED) policies are already implemented
  • If so, try to use a class-based variant such as WRED, so that the QoS markings are taken into consideration when the queue fills and media packets are not the first to be discarded
QoS via Differentiated Services
• Configure routers for priority queuing or class-based queuing
• VCON endpoints mark media packets (UDP) for IP Precedence by default; this can be customized to different precedence values, or to DiffServ PHBs instead
[Figure: router priority queues. An inbound stream mixing best-effort packets (email, internet browsing, etc.) and prioritized packets (audio, video, etc.) is sorted into separate queues, and the prioritized queue is served first on the outbound stream.]
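How the two marking schemes on this slide share one byte, as an added example (not code from the deck or from VCON): it builds an IPv4 header with a given IP Precedence or DSCP value, verifies the header checksum, and shows how a precedence-only router and a DiffServ router would each classify the same packet. The queueing policy (EF, CS5 and AF41 to the priority queue; precedence 5 and above on a legacy router) is an illustrative policy for the example, not a VCON default or any particular router's configuration, and the addresses are constructed.

```python
"""Added example, not from the original deck: how IP Precedence and DiffServ
markings share the IPv4 ToS byte, how to build and verify a marked header, and
how a precedence-only router versus a DiffServ router would queue the packet.

Assumptions: the queueing policy below (EF/CS5/AF41 to the priority queue,
precedence >= 5 on a legacy router) is illustrative, not VCON's or any
particular router's defaults.
"""
import socket
import struct

# DiffServ code points (RFC 2474 / RFC 2597 / RFC 3246)
DSCP_BE = 0      # best effort
DSCP_CS5 = 40    # class selector 5: same top three bits as IP Precedence 5
DSCP_AF41 = 34   # assured forwarding, class 4, low drop precedence
DSCP_EF = 46     # expedited forwarding


def tos_from_precedence(precedence: int) -> int:
    """IP Precedence occupies the top 3 bits of the ToS byte (RFC 791)."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence is 0..7")
    return precedence << 5


def tos_from_dscp(dscp: int) -> int:
    """DSCP occupies the top 6 bits; the low 2 bits are ECN (RFC 2474 / RFC 3168)."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 0..63")
    return dscp << 2


def precedence_from_tos(tos: int) -> int:
    return (tos >> 5) & 0x7


def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & 0x3F


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (even-length input)."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, tos: int,
                proto: int = 17, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with the ToS byte set; proto 17 = UDP, 6 = TCP."""
    draft = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, ttl, proto,
                        0, socket.inet_aton(src), socket.inet_aton(dst))
    return draft[:10] + struct.pack("!H", _checksum(draft)) + draft[12:]


def inspect_marking(packet: bytes) -> dict:
    """What a router sees: the same byte read two ways. checksum_ok is True when
    the header is intact (a valid header sums to zero under the checksum)."""
    tos = packet[1]
    return {"tos": tos, "precedence": precedence_from_tos(tos), "dscp": dscp_from_tos(tos),
            "checksum_ok": _checksum(packet[:20]) == 0}


def queue_for(tos: int, router_mode: str) -> str:
    """Illustrative class-based policy: 'priority' queue for media, 'best-effort' otherwise."""
    if router_mode == "diffserv":
        return "priority" if dscp_from_tos(tos) in (DSCP_EF, DSCP_CS5, DSCP_AF41) else "best-effort"
    if router_mode == "precedence":
        return "priority" if precedence_from_tos(tos) >= 5 else "best-effort"
    raise ValueError("router_mode must be 'diffserv' or 'precedence'")


if __name__ == "__main__":
    # Constructed packets: a media packet marked EF and an email packet left best effort.
    media = ipv4_header("10.1.1.5", "10.2.2.7", 172, tos_from_dscp(DSCP_EF))
    mail = ipv4_header("10.1.1.9", "10.2.2.25", 500, DSCP_BE, proto=6)
    for name, pkt in (("audio/video", media), ("email", mail)):
        info = inspect_marking(pkt)
        print(name, info, queue_for(info["tos"], "diffserv"), queue_for(info["tos"], "precedence"))
```

Two things worth checking against your own routers: EF (DSCP 46, ToS 0xB8) still reads as precedence 5 on a router that only understands IP Precedence, so it is a safe choice for mixed estates, whereas AF41 (DSCP 34, ToS 0x88) reads as precedence 4 and would fall into the best-effort queue under a "precedence 5 and up" policy.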
The "Multi-Hop Router Effect"
[Figure: audio and video streams between Chicago, New York, Dallas and Raleigh traverse different router hops. The packet labels along the paths (A10 to A13 for audio, V10 to V13 for video) show the resulting symptoms: jitter, out-of-order packets, a duplicate packet (A10 arriving twice), and no lip sync, because the audio and video streams no longer arrive in step.]
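Measuring the symptoms in that figure from the RTP headers themselves, as an added example (not code from the deck or from VCON): given packets as (sequence number, RTP timestamp, arrival time), it computes the RFC 3550 interarrival jitter estimate, flags out-of-order and duplicate packets, and derives the audio/video offset that breaks lip sync by mapping each stream's RTP clock to wall-clock time through its RTCP sender report. The packet traces and sender-report values are constructed for the example (8 kHz audio clock with 20 ms packets, 90 kHz video clock), not captures from the deck.

```python
"""Added example, not from the original deck: measure the "multi-hop router
effect" from RTP headers. Given packets as (sequence number, RTP timestamp,
arrival time in ms), compute the RFC 3550 interarrival jitter estimate, flag
out-of-order and duplicate packets, and derive the audio/video lip-sync offset
via the RTCP sender-report mapping.

The traces below are constructed for this example (8 kHz audio clock, 20 ms
packets; 90 kHz video clock); they are not captures from the deck.
"""


def analyse_stream(packets, clock_hz):
    """packets: iterable of (seq, rtp_timestamp, arrival_ms) in arrival order.

    Jitter follows RFC 3550 section 6.4.1: D = (Rj - Ri) - (Sj - Si) between
    consecutive received packets, J += (|D| - J) / 16. Duplicates are skipped
    so they do not perturb the estimate.
    """
    jitter = 0.0
    prev_transit = None
    highest_seq = None
    seen = set()
    out_of_order, duplicates = [], []
    for seq, ts, arrival_ms in packets:
        if seq in seen:
            duplicates.append(seq)
            continue
        seen.add(seq)
        if highest_seq is not None and seq < highest_seq:
            out_of_order.append(seq)            # arrived after a later sequence number
        highest_seq = seq if highest_seq is None else max(highest_seq, seq)
        transit = arrival_ms * clock_hz / 1000 - ts   # relative transit time, in RTP ticks
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            jitter += (d - jitter) / 16
        prev_transit = transit
    return {
        "jitter_ticks": jitter,
        "jitter_ms": jitter * 1000 / clock_hz,
        "out_of_order": out_of_order,
        "duplicates": duplicates,
        "packets_received": len(seen),
    }


def capture_time_ms(rtp_ts, sender_report, clock_hz):
    """Map an RTP timestamp to wall-clock time using the (rtp_ts, ntp_ms) pair
    carried in the stream's last RTCP sender report (RFC 3550 section 6.4.1)."""
    sr_ts, sr_ntp_ms = sender_report
    return sr_ntp_ms + (rtp_ts - sr_ts) * 1000 / clock_hz


def lip_sync_offset_ms(audio_pkt, audio_sr, audio_hz, video_pkt, video_sr, video_hz):
    """Each *_pkt is (rtp_ts, arrival_ms). A positive result means video arrives that
    many ms later than the audio captured at the same instant, i.e. how much the
    receiver must delay audio to restore lip sync."""
    a_ts, a_arrival = audio_pkt
    v_ts, v_arrival = video_pkt
    audio_delay = a_arrival - capture_time_ms(a_ts, audio_sr, audio_hz)
    video_delay = v_arrival - capture_time_ms(v_ts, video_sr, video_hz)
    return video_delay - audio_delay


# Constructed trace: seq 13 is overtaken by 14, then 14 arrives again (duplicate),
# and the arrival spacing wanders away from the 20 ms send spacing.
AUDIO_TRACE = [
    (10, 1600, 0.0), (11, 1760, 20.0), (12, 1920, 45.0),
    (14, 2240, 79.0), (13, 2080, 82.0), (14, 2240, 84.0), (15, 2400, 100.0),
]

if __name__ == "__main__":
    print(analyse_stream(AUDIO_TRACE, clock_hz=8000))
    # Both (constructed) sender reports say "this RTP timestamp was captured at NTP 1000 ms".
    offset = lip_sync_offset_ms(audio_pkt=(2400, 1150.0), audio_sr=(1600, 1000.0), audio_hz=8000,
                                video_pkt=(99000, 1240.0), video_sr=(90000, 1000.0), video_hz=90000)
    print(f"video lags audio by {offset:.0f} ms")
```

The jitter figure is what a receiver reports back in RTCP receiver reports, so the same calculation run on a capture at each site tells you which WAN hop is introducing the variation; the lip-sync offset is only computable because both streams' sender reports reference the same NTP clock, which is why splitting audio and video across different routes shows up as a growing offset rather than as jitter within either stream.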
WAN Considerations
• Similar to the LAN: mostly a mathematical bandwidth consumption issue
• Be aware of the following:
  • Hop count
  • "Weakest link" syndrome: a call cannot run better than the most congested link on its path
  • ARS (might send the audio stream one way and the video stream another)
  • Unmanaged links, like the Internet
• If using a service provider, work the required policies into the SLR
Management & Administration
• An H.323 gatekeeper is critical
  • Bandwidth management (per zone and per user)
  • Authentication and access control
  • Address translation (H.323 aliases such as E.164 numbers and H.323 IDs resolved to IP addresses)
  • Alerts and alarms
• A remote device administration tool is extremely valuable
  • CoS policies for resource usage (MCU, GW, etc.)
  • Call activity reports can help identify needed network design modifications
  • Remote endpoint configuration and troubleshooting
Firewalls and IP-Based Communications
• The role of a firewall is to apply RULES that provide some level of network security
  • Protocols allowed (inbound versus outbound)
  • IP addresses (from and to)
  • Port usage ("well known" versus application-specific)
• When a session is initiated from "inside" the firewall, a stateful firewall usually allows the returned data stream back to the originating IP address and port
• However, H.323 negotiates the ports for its media and control channels inside the call signaling, selecting them dynamically from a very wide range, so the return streams arrive on ports that do not match the state created by the original outbound connection
NAT and IP-Based Communications
• Network Address Translation (NAT) allows many private (non-routable) IP addresses to share fewer (even a single) public IP address
  • Outbound connections are allowed, but the IP address in the packet header gets translated
  • Unfortunately, voice/video over IP signaling also carries IP address information in the packet payload (for example, the address the far end should send media to), and a plain NAT does not translate that
  • There is no way to initiate connections from the outside, because the IP addresses on the inside are "invisible"
• Network Address Port Translation (NAPT)
  • Conflicts with the "well known" ports used for voice/video over IP, since the port seen on the public side is no longer the port the protocol expects
Messages Involved
All of the following are carried over UDP and TCP streams, on a mix of static and dynamic ports, and every one of them must get through the firewall/NAT:
• Gatekeeper registration (H.225.0 RAS, UDP port 1719)
• Call setup messages (H.225.0 call signaling, TCP port 1720)
• Call control signaling (H.245, TCP, on a dynamically assigned port unless tunneled inside the H.225.0 connection)
• Keep-alive messages
• Audio and video media streams (RTP and RTCP, UDP, on dynamically assigned port pairs)
• Neighbor gatekeeper messages (RAS, UDP)
• Remote device administration
• Far-end camera control
Each Location Provides a Different Challenge
[Figure: a headquarters site hosting the gatekeeper (GK), MCU and gateway (GW), with the gateway connected to ISDN and the PSTN, reached across a public IP network by home office users, road warriors, and a branch office or business partner. Each of these locations sits behind a different firewall/NAT arrangement.]
Client/Endpoint-Based Deployment Alternatives
• Place voice/video endpoints outside the firewall with public IP addresses
  • Might be OK for settop appliances, but not for desktop systems (an unprotected desktop exposes its whole operating system, not just the video application)
  • Consumes a public IP address for each endpoint
• NAT IP address mask
  • Allows the endpoint to embed a routable, public IP address in the IP packet payload instead of its private address
  • Requires static one-to-one mappings of IP addresses for the voice/video endpoints
• Port range configuration
  • Directs the endpoint to use specific UDP and TCP ports instead of a wide dynamic range
  • Requires these ports to be opened in the firewall and not subjected to port translation
Client/Endpoint-Based Deployment Alternatives (continued)
• Port pinholing
  • Returned streams use the same ports as the outbound streams that opened the pinhole
  • Requires calls to be initiated from inside the firewall
  • Does not work when both endpoints are behind a firewall/NAT
• VPN
  • Commonly used for home office workers already, but more complicated to use with branch offices
  • Encryption and authentication built in
  • May give access to more network resources than desired (a video endpoint needs a handful of ports, but a VPN tunnel typically admits the whole client onto the network)
A combination of the above alternatives can be implemented. However, they typically only serve as a partial workaround.
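The firewall and NAT behaviour described on the preceding slides, reproduced with a toy NAPT gateway as an added example (not code from the deck or from VCON): an outbound call setup gets its header translated while the address embedded in its payload stays private, the reply on the same flow is allowed, far-end media to a dynamically chosen port is dropped for lack of state, and a pre-provisioned static mapping on a fixed port (the "NAT IP address mask" plus "port range configuration" workaround above) lets the same media through. The addresses, port numbers and the `h245_address` payload field standing in for the transport address H.323 carries in its signaling are all constructed for the example; the gateway has no H.323 awareness, which is the point.

```python
"""Added example, not from the original deck: a toy NAPT gateway with stateful
return-traffic rules, used to reproduce the problems the deck describes
(dynamic ports, private addresses embedded in the payload, no inbound
connections) and the static mapping / fixed port range workaround.

Everything here is constructed: the addresses, the 'h245_address' payload
field standing in for the transport address H.323 carries inside its
signaling, and the port numbers. It models a plain NAT/firewall with no
H.323 awareness.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """RFC 1918 (non-routable) address, as used behind a NAT."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class NaptGateway:
    """Packets are dicts: proto, src=(ip, port), dst=(ip, port), payload."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.flows = {}        # (proto, public_port) -> (private_addr, remote_addr or None)
        self.by_private = {}   # (proto, private_addr) -> public_port

    def add_static_mapping(self, proto: str, public_port: int, private_addr) -> None:
        """The 'fixed port range + static mapping' workaround: provisioned ahead of
        time, so inbound traffic to this port is accepted from any remote peer."""
        self.flows[(proto, public_port)] = (private_addr, None)
        self.by_private[(proto, private_addr)] = public_port

    def outbound(self, pkt: dict) -> dict:
        """Translate the header and create state. The payload is NOT touched,
        which is exactly the problem: an address embedded in it stays private."""
        key = (pkt["proto"], pkt["src"])
        if key not in self.by_private:
            self.by_private[key] = self.next_port
            self.flows[(pkt["proto"], self.next_port)] = (pkt["src"], pkt["dst"])
            self.next_port += 1
        out = dict(pkt)
        out["src"] = (self.public_ip, self.by_private[key])
        return out

    def inbound(self, pkt: dict):
        """Return the packet as delivered inside, or None if the firewall drops it."""
        entry = self.flows.get((pkt["proto"], pkt["dst"][1]))
        if entry is None:
            return None                       # no state for this port: dropped
        private_addr, remote = entry
        if remote is not None and pkt["src"] != remote:
            return None                       # state exists, but for a different peer
        delivered = dict(pkt)
        delivered["dst"] = private_addr
        return delivered


def scenario() -> dict:
    gw = NaptGateway("203.0.113.10")
    inside, far_end = ("10.0.0.5", 3456), ("198.51.100.20", 1720)

    # 1. Outbound call setup to the well-known port: header translated, payload not.
    setup = {"proto": "tcp", "src": inside, "dst": far_end,
             "payload": {"h245_address": ("10.0.0.5", 5000)}}
    on_wire = gw.outbound(setup)

    # 2. Reply on the same TCP flow: matches state, delivered.
    reply = {"proto": "tcp", "src": far_end, "dst": on_wire["src"], "payload": {"connect": True}}

    # 3. The far end will open its control channel to the address it read from the payload.
    learned = on_wire["payload"]["h245_address"]

    # 4. Far-end media to a dynamically chosen port with no outbound state: dropped.
    rtp = {"proto": "udp", "src": ("198.51.100.20", 16384), "dst": ("203.0.113.10", 16385),
           "payload": b"rtp"}
    dropped = gw.inbound(rtp)

    # 5. Same media after a static mapping for the endpoint's fixed media port.
    gw.add_static_mapping("udp", 16385, ("10.0.0.5", 16385))
    delivered = gw.inbound(rtp)

    return {
        "header_translated": on_wire["src"] == ("203.0.113.10", 40000),
        "payload_still_private": is_private(learned[0]),
        "reply_delivered": gw.inbound(reply) is not None,
        "dynamic_media_delivered": dropped is not None,
        "static_mapped_media_delivered": delivered is not None and delivered["dst"] == ("10.0.0.5", 16385),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Step 3 is the one a protocol-unaware NAT can never fix: the far end will try to connect to 10.0.0.5, which is unroutable from the public network, so no amount of firewall state helps until either the endpoint embeds the public address (the address mask option) or something in the path rewrites the payload (an ALG or proxy). Step 5 shows the cost of the static workaround: the mapping accepts UDP to that port from any source, not just the current call's peer.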
Server-Based Deployment Alternatives
• Protocol-aware firewall
  • Able to identify valid voice/video messages and act on them dynamically
  • Example: H.323 snooping opens the negotiated ports for a validated session and closes them again when the call ends
  • Does not necessarily solve the inbound NAT connection problem or the dual-firewall/NAT problem (both ends behind a firewall/NAT)
• Application Level Gateway (ALG) or other proxy-based solution
  • Protocol aware: only processes messages that it understands, so anything else is rejected
  • Makes all resources appear local, while still requiring that traffic pass through the firewall for security
  • Commonly combined with an encryption option for added security
Architecture of a Proxy-Based Solution
• Prevents direct connections between private and public network devices
• The firewall does not need to accommodate requests for dynamic or random ports
• All traffic still passes through the firewall
[Figure: a LAN-side proxy on the private network and a WAN-side proxy on the public IP network, with the firewall or NAT between them. Endpoints talk only to their local proxy, and the two proxies talk to each other through the firewall.]
The VCON SecureConnect Solution
• Able to securely proxy:
  • Gatekeeper registration
  • Call setup messages and signaling
  • Media streams (audio and video)
  • Neighbor gatekeeper messages
  • VCON Interactive Multicast streams
  • MXM admin console login and remote device administration
  • Far-end camera control messages
• Overcomes firewall and NAT hurdles without jeopardizing security
• Encryption option (DES, 3DES, AES); note that single DES, with its 56-bit key, is no longer considered adequate, so select AES (or at least 3DES) where the option exists
• Highly scalable
Other Considerations and Common Oversights - Firewall Traversal
• Don't forget about conferencing requirements with locations/devices not under your control
  • Customers
  • Business partners
• QoS provisioning: does the solution selected preserve it (for example, does a proxy or VPN tunnel carry the DSCP/IP Precedence markings on the packets it forwards)?
• Gatekeeper registration is still very much needed
• Networked gatekeepers (neighbored or hierarchical) require special considerations
• Online directories still must be "visible" to all endpoints
• A solution that works for PC-based devices may not necessarily work for appliance devices (settop, GW, MCU)
• Scalability is important: what happens if the voice/video network grows dramatically?
Common Oversights - General
• Don't think about the dial plan for video devices after it's too late
  • The gatekeeper will have a default dial plan, but it's probably not optimal
• Don't forget about extended-enterprise workers connected over the Internet
• Interoperability between endpoints, gatekeeper, MCU and gateway
  • Check with the vendors to see which software versions are known to be interoperable
• Opportunities to incorporate multicast video are often overlooked
Common Oversights - continued
• Broadband connections are commonly asymmetric (downstream much faster than upstream)
  • The broadband-connected user might get good quality, but the remote participant might not, because what the remote side receives is limited by the broadband user's uplink
• Many ADSL/cable providers have other options with better uplink bandwidth
Ultimate Objective Checklist
• Security
• Connectivity
• Management & Administration
• Transparency (seamless use)