Systems and Network Analysis Center
                               Information Assurance Directorate

                                          Video Teleconferencing
What is Video Teleconferencing?

Video Teleconferencing (VTC) is a communication technology that permits users at two or more different locations to interact by creating a face-to-face meeting environment. VTC systems transmit bi-directional audio, video and data streams during the session. Usage of VTC has expanded beyond corporate boardroom meetings. The demands for collaboration tools and converged infrastructure have boosted VTC usage in recent years. VTC has been gaining popularity in all government sectors including tactical and non-tactical environments.

Type of VTC Systems

The two basic types of VTC systems are the dedicated systems and the desktop systems. The desktop systems are add-ons to existing PCs. They generally consist of a microphone, speakers, and camera, but may also include a PC add-in card. Dedicated systems have all the necessary components to process the VTC sessions within a single console. This document will focus on these dedicated systems.

The categories of dedicated VTC systems cover different operational environments. A large group system supports large meeting rooms or auditoriums, is fixed to the room, and is non-portable. The second category is the small group system. A small group VTC is designed to support small meeting rooms, is fixed to the room, is non-portable, and is normally more economical to deploy. The third category of dedicated VTC system is the individual system. These individual systems are designed to be portable single user solutions with integrated camera, speakers, and microphone in a compact unit.

Common components in a standard VTC network are Call Server, Video Endpoint, Multipoint Conference Unit (MCU), Gateways, and an Ethernet switch. A Call Server performs the registration and call control processing functions. Video Endpoints are devices from which users make and receive video calls. The endpoint processes the bi-directional audio, video, and data streams and interfaces to the users. The Multipoint Conference Unit and the Gateways will be discussed in later sections.

VTC Network Protocols and Architectures

Standard voice and video protocols used on VTC systems today are the Session Initiation Protocol (SIP), H.320, and H.323.

Hardware or software components that execute the compression of signals are called Coder/Decoders or CODECs. A CODEC is also used to convert between analog and digital formats.

Point-to-Point is the most basic architecture configuration for a VTC network. This configuration does not require a Call Server and does not allow conferencing of more than two endpoints, but it does allow for direct video and audio calls between endpoints within a cluster. Figure 1 below depicts a point-to-point network.

Figure 1: Point-to-Point Conferencing Network

In a Multi-party VTC network architecture, a Multipoint Conferencing Unit is required. The MCU makes conferencing possible by acting as a bridge that interconnects calls from three or more Video Endpoints. It can be a standalone hardware device, but some dedicated VTCs have embedded MCU functions. Figure 2 illustrates how the MCU facilitates video teleconferencing sessions by processing call control signals and the audio, voice, and data streams to connect the multiple endpoints. It also allows endpoints using different CODECs to participate in the same VTC session.

Figure 2: Multi-party Conferencing Network

A Gateway is required in order for VTC endpoints to communicate with the Public Switched Telephone Network (PSTN) or a legacy network. A Gateway is a standalone hardware device that provides access to other larger IP networks and/or circuit switched telephone networks like the PSTN. Figure 3 shows an IP based VTC network communicating with endpoints on a legacy network. Type 1 external encryption devices like the KIV that might be implemented for network link encryption are also shown in Figure 3.

Figure 3: Interoperability with Legacy Network

What are the Vulnerabilities?

Due to the valuable benefits and user-friendly setup procedures of VTC systems, many locations have implemented VTCs without applying security best practices. When default settings remain unaltered, unauthorized users can exploit the VTC through the Web interface or other IP management services such as Telnet and File Transfer Protocol (FTP). By exploiting these vulnerabilities, unauthorized users can participate in VTC sessions, upload malicious code to initiate Denial of Service (DoS) attacks, take control of the far-end camera, record audio and video streams, take snapshots of participants during the session, establish a new session for eavesdropping, use the system as a jumping off point and a hiding place to exploit other systems, and edit configurations to enable additional features (e.g., Microphone, Remote Streaming).

What Can Be Done?

To mitigate those vulnerabilities, the following actions can be taken:

•     Change all default passwords
•     Apply best password security practices
•     Enable encryption for the VTC sessions
•     Disable broadcast streaming
•     Disable the far-end camera control feature
•     Disable insecure IP services (e.g., Telnet, HTTP)
•     Perform initial VTC settings locally using the craft port or the menu on the system
•     Regularly update firmware and apply patches
•     Practice good physical security (i.e., restrict access, turn off the device, and cover the camera lens when not in use)
•     Disable any auto answering feature
•     Disable wireless capabilities
•     Separate VTCs logically from the rest of the IP network using Virtual Local Area Networks
•     When remote access is absolutely required, institute strict access controls (e.g., router access control lists, firewall rules) to limit privileged access to administrators only
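The mitigation checklist lends itself to an automated audit of endpoint settings. The following Python is an added example, not part of the original fact sheet; the settings key names, endpoint names, VLAN numbers and address ranges are constructed assumptions and do not match any vendor's export format.

```python
import ipaddress

# Management services the fact sheet names as insecure.
INSECURE_SERVICES = {"telnet", "http", "ftp"}

# Features the checklist says to disable (hypothetical key -> checklist item).
MUST_BE_OFF = {
    "broadcast_streaming": "Disable broadcast streaming",
    "far_end_camera_control": "Disable the far-end camera control feature",
    "auto_answer": "Disable any auto answering feature",
    "wireless": "Disable wireless capabilities",
}

def audit_endpoint(ep, admin_nets, user_vlans):
    """Return the checklist items that one endpoint settings record violates."""
    findings = []
    # Missing keys fail closed: an unknown setting is reported, not assumed safe.
    if ep.get("default_password", True):
        findings.append("Change all default passwords")
    if not ep.get("session_encryption", False):
        findings.append("Enable encryption for the VTC sessions")
    for key, item in MUST_BE_OFF.items():
        if ep.get(key, True):
            findings.append(item)
    exposed = INSECURE_SERVICES & {s.lower() for s in ep.get("services", [])}
    if exposed:
        findings.append("Disable insecure IP services: " + ", ".join(sorted(exposed)))
    # The endpoint must sit on a VLAN that is not shared with general users.
    if ep.get("vlan") is None or ep["vlan"] in user_vlans:
        findings.append("Separate VTCs logically using VLANs")
    # Every source allowed to reach management must fall inside an admin network.
    admins = [ipaddress.ip_network(n) for n in admin_nets]
    for src in ep.get("mgmt_allowed_sources", ["0.0.0.0/0"]):
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in admins):
            findings.append("Limit privileged access to administrators only: " + src)
    return findings

def audit_all(endpoints, admin_nets, user_vlans):
    """Map each endpoint name to its list of findings."""
    return {ep["name"]: audit_endpoint(ep, admin_nets, user_vlans) for ep in endpoints}

# Constructed sample inventory: one hardened unit, one left near factory defaults.
ADMIN_NETS = ["10.20.30.0/24"]
USER_VLANS = {10, 20}
ENDPOINTS = [
    {"name": "conf-room-a", "default_password": False, "session_encryption": True,
     "broadcast_streaming": False, "far_end_camera_control": False,
     "auto_answer": False, "wireless": False, "services": ["https", "ssh"],
     "vlan": 210, "mgmt_allowed_sources": ["10.20.30.0/28"]},
    {"name": "conf-room-b", "default_password": True, "session_encryption": False,
     "auto_answer": True, "services": ["Telnet", "HTTP", "https"],
     "vlan": 10, "mgmt_allowed_sources": ["10.0.0.0/8"]},
]

if __name__ == "__main__":
    for name, items in audit_all(ENDPOINTS, ADMIN_NETS, USER_VLANS).items():
        print(name, "OK" if not items else items)
```

Settings absent from a record are reported as findings, so an incomplete export cannot pass the audit by omission.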


  SNAC       DoD, 9800 Savage Rd.   Ft. Meade, MD 20755-6704   410-854-6632    DSN 244-6632     FAX: 410-854-6604   www.nsa.gov/snac