Do you have a secure video conference solution?
A recent study by security researcher HD Moore has indicated that a large number of H.323 systems on the public Internet pose a security risk. What exactly is this risk, and what should you do to minimize it?
The study describes systems that are connected to the public Internet. By simply scanning a range of IP addresses for responses on the H.323 protocol (an important standard that enables the establishment of multimedia communications including audio, video or other data communications), hundreds of thousands of these open videoconferencing systems were discovered. Many of these systems were set to 'auto answer' (answer automatically), enabling any user to establish a call and even to operate the camera, and therefore exposing the meeting room to the whole world.
The security issue is not a software bug, but the result of a solution that has not been fully designed and soundly configured.
Most important is to understand that the systems classified as vulnerable are all placed on the public Internet. If you put your system on the Internet, you must decide how it will be connected. A system that has a direct Internet connection, with no firewall in between, is best configured with "no automatic answering". A setup with a firewall in between can be configured so that it only allows access from specific sources. Therefore, automatic answering is still an option here. Decisions must also be made about protocols; for example, should the Web interface of the video system be blocked?
Talk & Vision advises its customers to place their videoconferencing systems on a private network such as MPLS VPN. The best way to manage your security is by setting up a Virtual Private Network. This prevents hackers from having direct access to your systems, since the systems are located on a separate private network.
Using the right videoconferencing infrastructure, you can still provide connectivity to the Internet for external communication, but in a safe and manageable way. Talk & Vision can advise you on the right technical infrastructure to suit your needs. Normally, this is realised through a central Internet access point on top of the VPN, which also makes provisioning and management functionality available. It even enables options such as domain name calling (like an email address), protocol translation and so on. Several call policies (who can communicate with whom) can be configured here so that they match your security policy exactly. In addition, you can use a solution like this for home use systems and mobile clients in a scalable, manageable and secure manner.
A word to the technology providers
The other part of the security issue here is "automatic answering (auto answer)". Many systems have enabled this option because of its usability. In complex meetings, end users (particularly senior management) expect the call to be established for them. The CEO of your company will probably not accept that he must enter an address or PIN numbers himself just before he, for example, has to deliver an important speech to the press. This requires the system to be set to automatic answering. Automatic answering, as it is implemented today, is an all-or-nothing choice. Our advice to technology providers is to provide conditional automatic answering functionality. If a solution can be configured in such a way that calls are only answered automatically if certain conditions are met, this would be of great benefit to users and their security.
For example, a system would only answer calls automatically if they originate from the multipoint conferencing unit, or only when the call is from reliable sources (IP or domain), as if it had been planned in advance, etc.
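The conditional auto answer suggested above can be sketched as a small decision function. This is an added example, not code from Talk & Vision or any videoconferencing vendor; the `Policy` fields, the `identity_verified` flag and all addresses and domains are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

AUTO_ANSWER, RING = "auto-answer", "ring"

@dataclass(frozen=True)
class Policy:
    mcu_ips: frozenset          # address(es) of the multipoint conferencing unit
    trusted_nets: tuple         # source networks allowed to trigger auto answer
    trusted_domains: frozenset  # caller domains allowed to trigger auto answer

def caller_domain(uri):
    """Return the lower-cased domain part of 'user@domain', or None."""
    if not uri or uri.count("@") != 1:
        return None
    return uri.split("@")[1].strip().rstrip(".").lower() or None

def domain_trusted(domain, trusted):
    # Match the domain itself or a true subdomain; the leading dot stops
    # 'notexample.test' from matching 'example.test'.
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def decide(policy, src_ip, caller_uri=None, identity_verified=False):
    """Return (action, reason). Anything not explicitly trusted rings."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return RING, "unparseable source address"
    if ip in policy.mcu_ips:
        return AUTO_ANSWER, "call from MCU"
    if any(ip in net for net in policy.trusted_nets):
        return AUTO_ANSWER, "source in trusted network"
    domain = caller_domain(caller_uri)
    # A caller-supplied domain is only a claim; honour it only when the
    # signalling layer reports the caller as verified (assumed flag).
    if identity_verified and domain and domain_trusted(domain, policy.trusted_domains):
        return AUTO_ANSWER, "verified caller in trusted domain"
    return RING, "no condition met, manual answer required"

# Constructed policy: documentation address ranges and a .test domain.
POLICY = Policy(
    mcu_ips=frozenset({ipaddress.ip_address("192.0.2.10")}),
    trusted_nets=(ipaddress.ip_network("198.51.100.0/24"),),
    trusted_domains=frozenset({"example.test"}),
)
```

With this policy, `decide(POLICY, "203.0.113.7", "ceo@example.test")` rings instead of answering, because the domain is unverified and the source address is not on any list.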
Design the right solution
There are many other aspects to take into account when designing an effective and secure videoconferencing solution. Think of encryption, converged networks, IP port matrix, DoS attacks, ISDN connections, virtual meeting room PINs etc. Security at the human level is important as well: the team of operators that manage your solution, their screening, access rights, environment, recording and streaming options, booking process etc. HD Moore's study is a good wake-up call, but it only scratches the surface of videoconferencing security. Talk & Vision would be more than happy to help you set up the best solution that fits your environment. Talk & Vision has a unique approach: the In Touch methodology. We first identify the exact communication of the customer as well as his need for cooperation. On the basis of this, a functional design is created, which serves as input for a detailed video design that will deliver the functionality in the specific environment of the customer, within the security definitions and the available budget.
Talk & Vision has a proven track record with this approach, and has managed to offer services in the field of videoconferencing solutions for large financial organizations, legal institutions, healthcare and defence.