When a video conferencing system is entirely hidden behind firewalls and a private network, security isn’t a concern. But as soon as an organization wants to establish conferencing sessions over the Internet with other organizations or let users connect from their homes, it must consider vulnerabilities and risks.
What follows are some tips for shoring up security of video conferencing and telepresence systems to ensure the only participants are invited guests.
Use a virtual LAN and firewall to separate video conferencing traffic from the rest of the network. Remember that video conferencing units are often Windows PCs, and likely poorly updated ones at that. Assume that they can be easily compromised. The same is true for multipoint bridge units or other conferencing management systems, which are often embedded devices that could be far behind in their patch and revision levels.
Whether they’re based on Session Initiation Protocol (SIP) or H.323, video conferencing systems use a complicated set of protocols. Most manufacturers layer on proprietary additions to improve management of connections, making things even more arcane. The amount of misinformation about how video conferencing works is astonishing, and in some cases manufacturers cite contradictory information about ports and protocols. All this makes understanding what’s happening, and why, very difficult. Take the time, dig out a protocol analyzer and discover which holes need to be open — and which do not.
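One way to turn a protocol analyzer capture of a test call into a candidate firewall allow-list is sketched below. This is an added example, not code from the original article; the CSV columns, the sample flows and the `gap` parameter are assumptions, and only the signaling port numbers are standard assignments.

```python
import csv
import io
from collections import defaultdict

# Standard signaling ports; media and H.245 ports are negotiated per call and vendor-specific.
SIGNALING = {
    ("tcp", 1720): "H.323 call signaling (H.225)",
    ("udp", 1719): "H.323 gatekeeper RAS",
    ("udp", 5060): "SIP", ("tcp", 5060): "SIP", ("tcp", 5061): "SIP over TLS",
}

# Constructed sample: flows seen at the video VLAN firewall during one test call.
SAMPLE = """direction,proto,dst_port
outbound,tcp,1720
outbound,udp,1719
outbound,tcp,30012
outbound,udp,49152
outbound,udp,49153
inbound,udp,50000
inbound,udp,50001
"""

def collapse(ports, gap=8):
    """Merge ports into (low, high) ranges, joining neighbours at most `gap` apart."""
    ranges = []
    for port in sorted(set(ports)):
        if ranges and port - ranges[-1][1] <= gap:
            ranges[-1][1] = port
        else:
            ranges.append([port, port])
    return [tuple(r) for r in ranges]

def candidate_rules(flow_csv, gap=8):
    """Return sorted (direction, proto, low, high, label) rules covering the observed flows."""
    rules, dynamic = set(), defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        direction, proto, port = row["direction"], row["proto"].lower(), int(row["dst_port"])
        label = SIGNALING.get((proto, port))
        if label:
            rules.add((direction, proto, port, port, label))
        else:
            dynamic[(direction, proto)].append(port)
    for (direction, proto), ports in dynamic.items():
        for low, high in collapse(ports, gap):
            rules.add((direction, proto, low, high, "dynamic: confirm with vendor docs"))
    return sorted(rules)
```

Anything labelled dynamic is an observation from one call, not a specification: repeat the capture across several calls and compare the resulting ranges with the vendor's documented port settings before opening them.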
The application layer gateways inside of today’s firewalls all claim to fully support H.323 and SIP video conferencing. The reality is somewhat different, and an upgrade to firewall firmware, or even disabling the ALG entirely, might be needed.
The goal here is to eliminate the possibility that someone can take control of a video conferencing unit and use it to make outbound calls through a Voice over Internet Protocol network, running up an organization’s long-distance bill while, say, chatting with Somali pirates. If you have integrated VoIP and video conferencing, make sure the video conferencing unit can’t be a gateway into the VoIP network.
If a video conferencing system is linked to the Internet and someone attacks it, abruptly close the path between public and private networks. Make sure you know how to do this and how to inform anyone using the system that it’s temporarily unavailable. This plan doesn’t have to be complicated, but be prepared for the inevitable and reduce panic when possible.
Brute-force attacks on video conferencing systems are common, and most of these systems do not have break-in evasion. Don’t go overboard with the password policy, but try for something that cannot be easily guessed. When setting up “standing” audio and video conferences that are password-protected but long-lived, make sure that passwords are long enough and have a lifetime of only a few months. When setting up new video conferencing users, require them to periodically change their passwords.