Set up secure anywhere video conferencing

Summary

Now that video conferencing is portable, and it now exists on your computer network, a number of concerns arise--one of which is security.

Video conferencing has become a powerful and diverse method of communication. Even though it was once thought of as an expensive method of communication for organizations with large budgets, that's no longer the case.

Video conferencing can be implemented at home, in the workplace, and even at school. Friends and family can communicate visually, business people can collaborate visually, and students can visit places (and learn from professionals) across the world.

In the past, video conferencing was done over special communication lines (such as ISDN) and was usually confined to a designated room or location. With the recent move to IP-based video conferencing, these limits have been removed, and the significant increase in Internet bandwidth has improved the quality of the content that can be carried.

Now that video conferencing is portable, and now exists on your computer network, a number of concerns arise--one of which is security. How can you set up secure anywhere IP video conferencing?

For the bulk of this article we are going to assume that we are working with a Polycom ViewStation EX (http://www.polycom.com) video conferencing unit. Polycom makes a variety of portable and PC-based video conferencing devices. However, the information applies to Tandberg, and other video conferencing software/hardware vendors.

Initial setup
The initial setup process is a rather simple one. The Polycom ViewStation EX requires power, a network connection, and a display (either a TV or a projector). The configuration can be completed by using the supplied remote control. Once an IP address, subnet mask, and default gateway are assigned, the rest of the configuration can be done through the web interface. It is best to set a unique DNS name for the device so that it can easily be recognized. If NAT/PAT is in use for Internet access, the ViewStation will automatically detect its external IP address (if for some reason it doesn't, it can be set manually).

NOTE: Instead of assigning a static IP address, it would be best to configure a DHCP reservation for each LAN/VLAN to make the unit more easily portable.

There are other advanced settings that can be adjusted. However, at this point the device setup is complete. If there is another video conferencing device on your private network, you can connect the two. The next step is to set up the connection to the outside world.

Internet (external) connectivity
Setting up the network to allow the video conferencing unit access to the outside world is quite a bit more difficult than the initial setup. Keeping the connectivity and access secure can be complex as well. The information below assumes that a Cisco PIX firewall is used to secure the internal network from the outside world. However, the concepts apply to other scenarios as well.

It's necessary to configure the Cisco PIX with a static NAT entry that links the video conferencing unit's internal IP to its assigned external IP. The command is as follows:

static (inside,outside) 50.50.52.52 10.90.7.254 netmask 255.255.255.255 0 0

Depending on the version of code on the PIX this command may be needed as well:

alias (inside) 10.90.7.254 50.50.52.52 255.255.255.255

Additionally, the Cisco PIX (by default on all code versions) attempts to inspect and rewrite H.323 traffic (video and audio for conferencing) in a way that conflicts with most, if not all, video conferencing systems other than Microsoft NetMeeting. To fix that, disable the H.323 fixup with the following command:

no fixup protocol h323 1720

  • The above commands assume a private IP address of 10.90.7.254 and a public IP address of 50.50.52.52
  • All of the above commands must be entered in Global Configuration Mode
  • There must be one NAT entry per unique IP used internally

The next step is to open the required ports on the Cisco PIX. Primarily the video conferencing unit uses the H.323 protocol. However, there are a number of ports that must be opened:

Port Number        Port Name           Description
80 (TCP)           HTTP                Optional for external administration
389 (TCP)          LDAP                ILS registration
1503 (TCP)         T.120
1720 (TCP)         H.323               H.323 call setup
1731 (TCP)         H.323               H.323 audio call control
1024-65535 (UDP)   H.245, RTP, RTCP    Various audio/video controls

As the above list shows, opening the required ports can leave a number of large "holes" in the firewall. Polycom and Tandberg video conference units do give you the option to set a predetermined range instead of opening up the entire range of 1024-65535 (UDP). However, there is one caveat with this: Whatever port range is chosen, it must be set to exactly the same range on both units that are connecting. This can be a challenge especially when both devices are not managed by the same department or organization. Additionally, some devices will not work with the manual configuration of ports (especially if they are from different manufacturers). That being said, the recommended configuration is to open up the full port range (1-65535) for TCP and UDP:

access-list 101 permit tcp any host 50.50.52.52 range 1 65535
access-list 101 permit udp any host 50.50.52.52 range 1 65535

  • The above commands assume that the external IP address is 50.50.52.52
  • The above commands assume an access list 101 exists and is configured inbound on the external interface of the Cisco PIX firewall

Although this may seem excessive and risky, it's necessary for consistent functionality when connecting to both similar and dissimilar devices. Since the Polycom ViewStation EX (or Tandberg unit) is a solid state device, it does not carry the same security risks as a workstation or server operating system.
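Because the recommended ACL opens every port to the unit, it is worth measuring how far that exceeds the table above. The following audit script is an added example (not from the article or from Polycom or Cisco): it parses PIX-style access-list lines for the unit's external address, compares the permitted ports with the required set from the table, and confirms the H.323 fixup has been disabled. The two configurations it checks are constructed from the commands shown in this article.

```python
import re

# Ports the article's table lists as required by the unit.
REQUIRED = {
    "tcp": {80, 389, 1503, 1720, 1731},
    "udp": set(range(1024, 65536)),
}

# Matches "access-list <id> permit tcp|udp any host <ip> range A B" or "... eq N".
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+permit\s+(tcp|udp)\s+any\s+host\s+(\S+)"
    r"\s+(?:range\s+(\d+)\s+(\d+)|eq\s+(\d+))"
)

def permitted_ports(config, host):
    """Return {proto: set(ports)} that the ACL lines permit inbound to host."""
    allowed = {"tcp": set(), "udp": set()}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(3) != host:
            continue
        proto, lo, hi, eq = m.group(2), m.group(4), m.group(5), m.group(6)
        if eq:
            allowed[proto].add(int(eq))
        else:
            allowed[proto].update(range(int(lo), int(hi) + 1))
    return allowed

def audit(config, host):
    """Count ports opened beyond the required set and ports still missing."""
    allowed = permitted_ports(config, host)
    report = {}
    for proto in ("tcp", "udp"):
        report[proto] = {
            "extra": len(allowed[proto] - REQUIRED[proto]),
            "missing": len(REQUIRED[proto] - allowed[proto]),
        }
    report["h323_fixup_disabled"] = bool(
        re.search(r"^no fixup protocol h323\b", config, re.M))
    return report

# Constructed sample configs: the article's full-range ACL and a narrowed one.
BROAD = """static (inside,outside) 50.50.52.52 10.90.7.254 netmask 255.255.255.255 0 0
no fixup protocol h323 1720
access-list 101 permit tcp any host 50.50.52.52 range 1 65535
access-list 101 permit udp any host 50.50.52.52 range 1 65535
"""
NARROW = """no fixup protocol h323 1720
access-list 101 permit tcp any host 50.50.52.52 eq 1720
access-list 101 permit tcp any host 50.50.52.52 eq 1731
access-list 101 permit udp any host 50.50.52.52 range 1024 65535
"""
```

Running `audit(BROAD, "50.50.52.52")` shows the full-range rule opens 65,530 TCP ports the table never asks for; the narrowed config opens nothing extra but is missing the three remaining TCP ports (80, 389, 1503).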

Here are some additional steps you can take to secure the device:

  1. Disable HTTP access from the Polycom unit
  2. Disable FTP access from the Polycom unit
  3. Disable TELNET access from the Polycom unit

Therefore, even if the unit is left unattended, the only remaining way to reach it would be to place a video conference call to it. Since video conference units are only used for short periods of time, the security risk, if any, is minimal.

Conclusion
Video conferencing has found a place in many environments; not only in the corporate conference room. Anywhere video conferencing is only a matter of locating a CAT5 connection. Setting up video conferencing securely is merely a matter of balancing security and usability following the steps found in this article.
