Is your videoconferencing solution secure?
Monday 6 February 2012
By Rob van den Boomgaard, CTO, Talk & Vision.
Recent studies by security researcher HD Moore have indicated that there is a huge number of H.323 systems on the public internet that carry a security risk. So what exactly is the risk that has been discovered, and how should you act to mitigate it?
The studies describe systems connected to the public internet. By simply scanning a range of IP addresses for an H.323 protocol response (H.323 being an important protocol used to transport videoconferencing traffic), hundreds of thousands of open videoconferencing systems were discovered. Many of these systems were set to auto answer, which allows any caller to set up a call and even control the camera, essentially exposing the meeting room to the world.
The security issue here is not a software bug, but neglect in the solution design and configuration hardening of the systems.
Network infrastructure
The first thing to understand is that the systems identified as vulnerable are all placed on the public internet. If you must place your system on the internet, you have to decide how it will be connected. A system that has direct internet connectivity, without any firewall in between, is best configured not to auto answer. A setup that has a firewall in place can be configured to allow access only from certain origins; auto answer could still be an option there. Decisions also need to be made on protocols: is the web interface of the video system blocked, for example?
Talk & Vision strongly advises its customers to place their videoconferencing systems on a private network such as an MPLS VPN. The best way to manage your security is to deploy a Virtual Private Network. This prevents hackers from gaining direct access to your systems, since the systems are on a separate, private network.
Videoconferencing infrastructure
Using the correct videoconferencing infrastructure, you can still deliver internet connectivity for your external videoconferencing requirements, but in a manageable and secure way. Talk & Vision can advise you on the technological architecture that suits your needs. Typically this is done by means of videoconferencing infrastructure on top of the VPN that creates a central breakout to the public internet, while also enabling provisioning and management functionality. It even adds the option of domain name dialling (like an email address), protocol interworking and much more. Various call policies can be configured here to tune and tweak your security exactly as you want it to work. A solution like this also allows you to deploy home user systems and mobile clients in a scalable, manageable and secure way.
A word to the technology vendors
The other part of the security issue here is auto answer. Many systems have this option turned on because of its user friendliness. In complex meetings, end-users (especially senior management) expect the call to be set up for them. The CEO of your company will probably not accept having to dial a destination on the keypad, enter PIN codes etc. right before giving an important speech to the press, for example. This requires the system to be on auto answer. Auto answer as it is implemented today is an all-or-nothing choice. A word of advice to the technology vendors is to deliver conditional auto answer functionality. A solution that can be configured so that calls are only auto answered if certain conditions have been met would be of huge benefit to the user community and its security. For example, a system would only auto answer calls coming from the multipoint conferencing unit, only if the call originates from trusted sources (IP or domain), only if the call was pre-scheduled, etc.
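To make the conditional auto answer idea above concrete, here is an added example (not code from the article or from any vendor) of a policy check an endpoint could run on each incoming call before deciding whether to auto answer or ring. It combines the conditions the text lists: calls from the MCU, calls from trusted IP ranges or domains, and pre-scheduled calls. The MCU address, trusted ranges, domains and booking are constructed sample values; it is also an assumption here that a booking only opens the room to the party that was booked, so a time window alone never admits an unknown caller.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple
import ipaddress

@dataclass
class IncomingCall:
    source_ip: str                  # caller address as reported by the call signalling
    source_domain: Optional[str]    # domain part of the dialled URI, if the caller used one
    received_at: datetime

@dataclass
class AutoAnswerPolicy:
    mcu_addresses: List[str]                         # calls from the MCU always auto answer
    trusted_networks: List[str]                      # CIDR ranges, e.g. the corporate MPLS VPN
    trusted_domains: List[str]                       # "example.com" also covers "mcu.example.com"
    scheduled: List[Tuple[datetime, datetime, str]]  # (start, end, booked far-end address)

    def decision(self, call: IncomingCall) -> str:
        """Return 'auto-answer' or 'ring'; 'ring' means a person must accept the call."""
        try:
            ip = ipaddress.ip_address(call.source_ip)
        except ValueError:
            return "ring"           # malformed address: never auto answer
        if call.source_ip in self.mcu_addresses:
            return "auto-answer"
        if any(ip in ipaddress.ip_network(net) for net in self.trusted_networks):
            return "auto-answer"
        dom = call.source_domain
        if dom and any(dom == t or dom.endswith("." + t) for t in self.trusted_domains):
            return "auto-answer"
        # Assumption: a booking only opens the room for the booked far end, so the
        # window on its own is not enough for a caller the policy does not know.
        for start, end, booked in self.scheduled:
            if start <= call.received_at <= end and call.source_ip == booked:
                return "auto-answer"
        return "ring"               # default deny for everything else

# Constructed sample policy; addresses, domain and booking are illustrative only.
POLICY = AutoAnswerPolicy(
    mcu_addresses=["10.0.0.5"],
    trusted_networks=["10.0.0.0/8"],
    trusted_domains=["example.com"],
    scheduled=[(datetime(2012, 2, 6, 9, 0), datetime(2012, 2, 6, 10, 0), "203.0.113.9")],
)

def decide(source_ip: str, source_domain: Optional[str], received_at: datetime) -> str:
    return POLICY.decision(IncomingCall(source_ip, source_domain, received_at))

if __name__ == "__main__":
    print(decide("198.51.100.7", None, datetime(2012, 2, 6, 9, 30)))   # unknown caller: ring
```

Note that the source IP and domain are whatever the signalling reports, so this policy belongs alongside the network placement and encryption measures discussed elsewhere in the article rather than replacing them.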
Design the right solution
There are many other aspects to take into account when designing a well-functioning and secure videoconferencing solution. Just think about encryption, converged networks, port allow lists, DoS attacks, ISDN connectivity, virtual meeting room PIN codes etc. But also security at the human level, such as the team of operators that run your solution, their screening, access rights, their environment, recording and streaming options, booking process etc. HD Moore's study is a good wake-up call, but it only scratched the surface of videoconferencing security. Talk & Vision would be more than happy to assist you in setting up the best solution that fits your environment. Talk & Vision has a unique approach to its customers: it first defines the exact customer communication and collaboration needs using its 'InTouch' methodology. From there a functional design is created (what should the solution do), which in turn fuels a detailed video design that will deliver that functionality in the customer's specific environment, within security definitions and available budget.
Talk & Vision has a proven track record with this approach, and successfully runs managed services on these videoconferencing solutions for large financial organizations, legal institutions, healthcare and military defense organizations.
About Talk & Vision
Talk & Vision, 100% owned by Dutch carrier KPN, offers visual communication solutions to large and medium-sized companies in different markets worldwide. Centered around videoconferencing, the Talk & Vision service portfolio focuses on international service and support, consultancy, training and video meeting services. With MAVIS (Managed Video Services), customers can turn to Talk & Vision for the procurement, control and management of all video communication operations - from desktop solutions to telepresence. As an authorized partner of Cisco and Polycom, Talk & Vision guarantees independent advice. Talk & Vision has a workforce of 60 and its head office in Linschoten (Netherlands). Other offices are located in the UK and Belgium.