Topic: Firewalls: THE barrier to IP Conferencing
AndyN Wainhouse Research Posts: 345 From: Sarasota FL USA Since: Jul 2000
posted 27 August 2001 11:05 AM
Mike Stevens sends these thoughts about firewalls being THE barrier to IP conferencing along ... quote:
I have been involved with providing conferencing solutions at my company since 1989, starting with the CLI Gallery systems. I've witnessed the conferencing network technology change from dedicated lines, switched 56 dial, ISDN, and now IP. I started standardizing on Polycom Viewstations several years ago and have migrated most of the room systems to the Polycom product line, initially using ISDN and now slowly migrating to internal IP networking as the corporate LAN infrastructure allows. I have given significant attention to desktop solutions such as NetMeeting and ViaVideo. Progress is being made in areas such as enabling a QoS policy and funding increases in the LAN/WAN bandwidth between remote sites. H.323 IP conferencing is limited to intra-company communications due to firewall restrictions.

A significant long-term hurdle overshadowing the breakout of IP conferencing is corporate firewalls. From what I've read, there doesn't seem to be a clear solution that meets all requirements. There doesn't seem to be an "end-of-the-day" solution path meeting Information Security requirements, seamless outbound dialing and inbound dialing, scalable, and cost effective. A commercial demand for the public Internet to support quality IP conferencing doesn't exist, partially because IP conferencing from corporations to the public Internet is almost non-existent due to firewall issues. Consider running a series of articles in your bulletin to quantify this looming issue from the perspectives of various industry leaders such as Cisco, Polycom and Microsoft. H.323 IP conferencing growth will be restricted until this technical issue is solved with a practical, cost-effective, and scalable solution. Technical evolution in this industry is spearheaded by corporate purchases of conferencing products.
To some degree corporations are not purchasing as many IP-based conferencing products as they otherwise would, because a secure solution to use them for external communications to the public Internet has not been clear.
Mike Stevens, Senior Network Engineer, Inovant (a Visa Solutions Company)
AndyN Wainhouse Research Posts: 345 From: Sarasota FL USA Since: Jul 2000
posted 27 August 2001 11:14 AM
Microsoft would say UPnP is the answer to the firewall issue - see www.upnp.org - this is what they are betting on for the rich media conferencing features of Messenger XP to work both through firewalls and NATs. They may be right, though the obvious hurdle of getting UPnP implemented in existing routers / network infrastructure is huge. Each Windows XP PC has UPnP-capable router/NAT Internet connection sharing; I know Linksys has committed to put UPnP into their routers by October. Is UPnP the answer ?? ... [This message has been edited by AndyN (edited 27 August 2001).]
dalaisama Member Posts: 29 From: USA Since: Jul 2001
posted 24 September 2001 06:32 PM
Cisco provides an H.323 firewall solution in both its PIX and IOS product lines. Working with gatekeepers, an H.323-enabled firewall will be able to identify specific media streams for an authorized session, determine the RTP ports/addresses used for media in that session, then allow those flows to selectively pass through. Port 1720 - used for H.323 RAS traffic - must be opened in the firewall for call set-up traffic to pass, but all media streams are protected. Other strategies also exist, including leveraging the Cisco MCM proxy, which allows media streams to be terminated at an intermediary source point for specific operation through firewalls as well. In any case, firewalls in and of themselves should not pose a barrier to IP video conferencing deployments.
AndyN Wainhouse Research Posts: 345 From: Sarasota FL USA Since: Jul 2000
posted 15 July 2002 01:25 PM
btw, big rumors that Microsoft is going to go head-to-head with Linksys/Netgear/etc. in the home networking hardware biz - expect an announcement next month - so UPnP lives!! Would you trust your home network to msft ?? A sub-rumor is that this will enable msft to charge for services ....
Lance Wicks Sr. Member Posts: 83 From: London & Southern England Since: Feb 2002
posted 16 July 2002 06:10 AM
Ahh... a thread close to my heart. In my position here in the UK, I am involved in an IP VC network spread over 3 WANs, 7 institutions, 10 LANs and I think we are up to our 5th different firewall. Getting past the firewall is a big issue for any serious IP VC network. The traditional answer of "overlay another IP network" is just not viable or sensible for most organisations. Getting past the firewall is a must. We have explored three main options:
1) Put the VC hardware in the DMZ and put the VC on it with a publicly addressable IP address.
2) H.323 proxy. Both the Cisco and the OpenH.323 solutions work.
3) Tunnel out, the "Ridgeway" way.
All three options work, but to an IT professional the first is suicide, especially with today's PC-based systems. Do you really want another Microsoft box out there getting attacked left, right and centre? Option two helps, but especially if you are looking at the Cisco route, it's not cheap. And the OpenH.323 route... it works, but you had better have some in-house knowledge. Ridgeway's solution tunnels it out through two ports on your firewall. It's a commercial quality product so feels somehow "safer". One of the big issues we face is how to reach sites that are not registered to our solution. I don't want to make external parties re-configure their systems just to call us.
Ideally what I imagine is an IP-to-IP gateway product that has some form of IVR, so that we can publish a single IP address/URL which acts as an automated switchboard onto our private VC network. I understand that the new Accord software may enable this... I wait with anticipation. I'd be interested to hear others' opinions on getting past the firewall.
Lance
jason partridge Member Posts: 22 From: UK Since: May 2001
posted 17 July 2002 06:13 AM
Are firewalls THE barrier to IP conferencing? Or is it the concept of security? 'Firewalls' are a very misunderstood bit of kit; even the term 'firewall' is not well defined. Most people equate firewalls with packet filters. Others include proxy servers and NATs in the definition.
The word 'firewall' is derived from construction, where "firewalls" isolate areas of a building in order to stop a fire from spreading.
A firewall acts as a "choke point". Corporations install firewalls between their internal (private) IP networks and the (public) IP Internet. All traffic between the corporation and the Internet flows through the 'firewall'. It acts as a "gate out of the network" with virtual guards that examine the traffic and decide whether to allow it or block it.

The major misunderstanding is that most people believe a firewall can make your network immune to hacker penetration. Firewalls have no ability to decide for themselves whether traffic is hostile or benign. Instead, the administrator must program the firewall with rules as to what type of traffic to allow or deny. This is similar to a guard checking badges at a gate: the guard can only detect whether the badge is allowed/denied, but cannot detect impersonations or somebody climbing the fence in the back. Remember that when you are tunneling......

All firewalls are based on the principle of blocking everything by default and only allowing those things that are absolutely necessary. A firewall administrator is always at odds with their management. Executives are frequently frustrated by things that don't work in the network. They don't understand how difficult it is to secure each new application, or the increased risks involved.

The common question posed to me is "What firewall should I use for videoconferencing?". People who are asking this question really mean "what stops hackers the best?". This is based upon the same misunderstanding highlighted above: firewalls isolate you from the Internet in the hope of reducing exposure to hackers. The firewall that will protect you best from hackers is therefore to completely isolate yourself from the Internet (i.e. don't use IP videoconferencing at all :-( ). If you do want to use IP videoconferencing, then you will have some risk due to hackers that firewalls cannot prevent.
For example, if you tell the firewall to accept incoming e-mail, then you are suddenly at risk from hacks against e-mail (either viruses, or attempts to force spam through your server). Therefore, and most amusingly, the most secure firewall tends to be the cheapest, such as the basic packet filters built into most routers and operating systems. The more expensive firewalls allow you to secure more applications through the firewall, but the more features that you use, the more applications you expose, and ultimately the more risk you undertake. Take-home message: it's a balancing act between security and connectivity when implementing IP videoconferencing; the trick is not to fall on either side.
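As an added example (not code from the thread, and not Cisco's or any other vendor's implementation), here is a toy model of two points made above: jason partridge's default-deny principle, where only explicitly listed traffic passes, and dalaisama's H.323-aware firewall, which opens the media ports of a gatekeeper-admitted call and nothing else. The filter keeps two static rules (call signalling to a registered inside endpoint, RAS to the gatekeeper) and adds per-call UDP pinholes only when the inspected H.245 OpenLogicalChannel names an RTP address belonging to one of the two call parties, closing them again at call release. All addresses, call identifiers and port numbers are constructed; the port assignments assumed are the IANA ones (UDP 1719 for H.225.0 RAS, TCP 1720 for H.225.0 call signalling), and RTCP is assumed to sit on the port after RTP, as H.323 endpoints normally do.

```python
# Added example: toy "H.323-aware" packet filter built on default deny.
# Constructed addresses/ports; assumed IANA assignments: UDP 1719 = H.225.0 RAS,
# TCP 1720 = H.225.0 call signalling. RTCP assumed on the port following RTP.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Call:
    inside: str                      # endpoint on the protected network
    outside: str                     # endpoint on the Internet side
    pinholes: set = field(default_factory=set)


class H323Firewall:
    RAS_PORT = 1719
    H225_PORT = 1720

    def __init__(self, inside_endpoints, gatekeeper):
        self.inside = set(inside_endpoints)
        self.gatekeeper = gatekeeper
        self.calls = {}      # call_id -> Call, only for gatekeeper-admitted calls
        self.pinholes = {}   # (proto, src, dst, dport) -> call_id; any source port

    def allow(self, pkt):
        """Default deny: only the static signalling rules or a live pinhole pass."""
        if pkt.proto == "tcp" and pkt.dport == self.H225_PORT and pkt.dst in self.inside:
            return True
        if pkt.proto == "udp" and pkt.dport == self.RAS_PORT and pkt.dst == self.gatekeeper:
            return True
        return (pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.pinholes

    def admit(self, call_id, inside, outside):
        """Gatekeeper admitted the call (RAS ACF seen); no media ports yet."""
        if inside not in self.inside:
            raise PermissionError(f"{inside} is not a registered inside endpoint")
        self.calls[call_id] = Call(inside, outside)

    def open_logical_channel(self, call_id, media_addr, rtp_port):
        """Inspected H.245 OpenLogicalChannel: open RTP and RTCP toward media_addr."""
        call = self.calls.get(call_id)
        if call is None:
            raise PermissionError(f"call {call_id} was never admitted")
        if media_addr == call.inside:
            sender = call.outside
        elif media_addr == call.outside:
            sender = call.inside
        else:
            # A channel aimed at a third host would turn the media pinhole into
            # a general-purpose hole; refuse it rather than forward it.
            raise PermissionError(f"{media_addr} is not a party to call {call_id}")
        if not 1024 <= rtp_port < 65535 or rtp_port % 2:
            raise ValueError("RTP port must be an even port above 1023")
        for port in (rtp_port, rtp_port + 1):     # RTP, then RTCP
            key = ("udp", sender, media_addr, port)
            self.pinholes[key] = call_id
            call.pinholes.add(key)

    def release(self, call_id):
        """Call released (H.225 ReleaseComplete): every pinhole of that call closes."""
        call = self.calls.pop(call_id, None)
        if call is None:
            return 0
        for key in call.pinholes:
            self.pinholes.pop(key, None)
        return len(call.pinholes)


if __name__ == "__main__":
    fw = H323Firewall(["10.0.0.20"], gatekeeper="10.0.0.5")
    media = Packet("udp", "198.51.100.7", 49170, "10.0.0.20", 16384)
    print("before call:", fw.allow(media))
    fw.admit("call-1", inside="10.0.0.20", outside="198.51.100.7")
    fw.open_logical_channel("call-1", "10.0.0.20", 16384)
    print("during call:", fw.allow(media))
    fw.release("call-1")
    print("after release:", fw.allow(media))
```

The exposure is exactly what the two posts describe: one signalling port per inside endpoint is open permanently, while media holes exist only for the duration of an admitted call and only between its two parties. The third-party check in open_logical_channel is the detail a real inspection engine must get right, since an OpenLogicalChannel naming some other inside host is the obvious way to turn the media pinhole into a general-purpose one.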
Lance Wicks Sr. Member Posts: 83 From: London & Southern England Since: Feb 2002
posted 05 August 2002 05:33 AM
Hmm... The firewall/security issue is an important one. My feeling is that all VC endpoints should be on internal networks and not publicly addressable. Why? Consider my situation: I have PictureTel 970 units. They are all MS Win2k boxes, and as such are susceptible to a whole range of threats. They are not, however, treated like a standard PC, so IT departments are hesitant to, or downright not going to, touch them with a barge pole. So I can't ensure that the latest patches, etc. are implemented. So I prefer to have them tucked in relative safety behind whatever security the various institutions I work for deem suitable. Doing this means that you have to consider firewalls, proxy servers, router configurations. It's a situation that we are all going to face more and more often. IT managers are not going to sit quietly by as we put IP endpoints on "their" networks. So finding elegant and effective solutions to implementing VC on networks with firewalls is essential to the continuing propagation of IP-based video conferencing. The industry can't "stick its head in the sand" and pretend that it does not have to deal with firewalls and network security in general. The idea of putting in a separate IP connection for VC will solve the problem for a small group of users, but a majority, I am sure, will not be happy with that.
Lance
Mero Sr. Member Posts: 139 From: Germany Since: Nov 2001
posted 05 August 2002 09:10 AM
I'd like to introduce here the jail metaphor we use in VCoverIP training for non-techs. How do you let the lawyer meet the prisoner? No, don't hand over your keyring... No, don't let the lawyer transport big cases in and out without control... Yes, the lawyer has to announce in advance which prisoner is to be contacted. Yes, someone has to inform the prisoner about the visit. In this scenario the usual solution is to implement a meeting room at the frontier and let anyone go in and out through one door, but not across. Consequently my way is to let the corporate MCU cross the wall by having some branches outside and some branches inside. There are 2 bigger problems to be solved: 1. How to control that no one can go across? 2. How to announce a visit the easy way. No. 1 is easiest by using an ISDN-only MCU with gateway(s). The transcoding-inside MCU vendors may have hard times delivering the proof... No. 2 is open for suggestions. Bringing MCU administration tasks to the end user is a way. Signalling an incoming call is the challenge. Any feedback welcome. Mer
PS: In all those implementations the outside IP gateway is nearly not used. They used ISDN. Are you surprised?
contact@video-coaching.net
Keisuke Hashimoto Sr. Member Posts: 377 From: Funabashi Japan Since: Aug 2000
posted 19 August 2002 04:41 AM
<<Is UPnP the answer ??>> I do not know if it is the answer, but I think that certainly it is a convenient method when we consider difficult issues such as firewalls and NAT. And we need this kind of thing to lift the burden on users when they configure networks for video calls. As far as the Japanese market goes, the routers especially designed for the consumer home LAN market that they sell in the marketplace are gradually (or maybe fast) being equipped with UPnP. I am currently using NEC's home LAN router connected to ADSL at home/office; I recently did a software upgrade on the router enabling UPnP. But recent routers come with UPnP by default. Now I do not have to worry about complicated configurations when setting up a video connection from and to a video endpoint (XP Messenger installed on my PC) with a private IP address. From a user perspective, I am hoping that all these IP video capable endpoints will have UPnP or a similar method to lift the burden on users. But issues like NAT and UPnP will be transitional since we know that development for IPv6 is underway.
Keis
AndyN Wainhouse Research Posts: 345 From: Sarasota FL USA Since: Jul 2000
posted 29 August 2002 12:15 PM
Update on UPnP: I was all set to upgrade a Linksys router with UPnP and give it a try with Messenger for XP - then I found this excellent article/hands-on review on tomshardware.com which spared me the hassle: "UPnP-Enabled Routers: Ready for Prime Time?" Worth reading - but the bottom line is as perhaps expected - UPnP is not ready for prime time and has its serious security hacks. Why am I not surprised? Sigh.
AndyN
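As an added example (not from the thread, and not Microsoft's, NEC's or Linksys's code), this shows what Keisuke's router is doing when Messenger sets up a call and what the "not ready for prime time" verdict AndyN reports is about: the IGD AddPortMapping action. The service type, action name and argument names are the real ones from the UPnP IGD WANIPConnection:1 service; the addresses, ports and the policy limits in the hardened handler are constructed assumptions. The protocol carries no authentication, and whether a gateway checks that NewInternalClient is the host that asked is implementation-specific, so the block contrasts a permissive handler with one that enforces that check, refuses the permanent lease (NewLeaseDuration 0) and refuses privileged ports.

```python
# Added example: build and parse a UPnP IGD AddPortMapping SOAP request, then
# evaluate it as a permissive gateway would and as a hardened one should.
# Real: service type, action and argument names. Constructed: addresses, ports,
# policy limits. Runs offline; nothing is sent to a real router.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_add_port_mapping(external_port, protocol, internal_port,
                           internal_client, description, lease_seconds=0):
    """SOAP body a LAN client POSTs to the router's control URL, with no credentials."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{IGD_SERVICE}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{external_port}</NewExternalPort>'
        f'<NewProtocol>{protocol}</NewProtocol>'
        f'<NewInternalPort>{internal_port}</NewInternalPort>'
        f'<NewInternalClient>{internal_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{description}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease_seconds}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )


def parse_add_port_mapping(xml_text):
    """Return the action arguments as a dict; raise if it is some other action."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{IGD_SERVICE}}}AddPortMapping")
    if action is None:
        raise ValueError("not a WANIPConnection:1 AddPortMapping request")
    return {child.tag: (child.text or "") for child in action}


def permissive_gateway(args, requester_ip):
    """Models an IGD that trusts every LAN host: requester_ip is never consulted."""
    return True, "mapped"


def hardened_gateway(args, requester_ip, max_lease=3600):
    """Map only back to the requester, on unprivileged ports, for a bounded lease."""
    if args["NewProtocol"] not in ("TCP", "UDP"):
        return False, "unknown protocol"
    if args["NewInternalClient"] != requester_ip:
        return False, "mapping must point at the requesting host"
    ext, internal = int(args["NewExternalPort"]), int(args["NewInternalPort"])
    if not (1024 <= ext <= 65535 and 1024 <= internal <= 65535):
        return False, "privileged or invalid port"
    lease = int(args["NewLeaseDuration"])
    if lease <= 0 or lease > max_lease:      # 0 means a permanent mapping
        return False, "lease must be bounded"
    return True, "mapped"


if __name__ == "__main__":
    pc = "192.168.1.10"
    own = parse_add_port_mapping(build_add_port_mapping(
        1720, "TCP", 1720, pc, "H.323 call signalling", 600))
    other = parse_add_port_mapping(build_add_port_mapping(
        8080, "TCP", 80, "192.168.1.1", "expose the router admin page", 0))
    for name, req in (("own host", own), ("other host", other)):
        print(name, "permissive:", permissive_gateway(req, pc),
              "hardened:", hardened_gateway(req, pc))
```

The second request is the case that matters: any process on any LAN host, including a worm or a trojan, can ask the gateway to expose a different internal machine permanently, and a permissive IGD will oblige. Requiring the mapping to point back at the requester and to expire is the minimum a gateway can do without adding authentication the protocol does not have.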
Keisuke Hashimoto Sr. Member Posts: 377 From: Funabashi Japan Since: Aug 2000
posted 10 September 2002 10:00 AM
I won't be surprised. Anyone stopped using IE after security holes were found? Nothing is perfect anyway. If we wait things to be perfect, we have to live millions of years. UPnP is as far as I know only equipped with Home LAN routers designed for home users who want to try out video chatting. If you don't want to use it, you don't have to use it. We have to see balance between the risk and the benefit depending on the situation you are in.keisuke 22:55 Sept.10,2002 Japan Standard Time +9hGMT IP: Logged |