11. Current security options in H.323
H.235 not widely supported by endpoints.
What options are we left with?
  Identification by IP and alias
  IPSec
  other tricks
12. Current authentication techniques in H.323
point-to-point conferences (registration)
  IP and alias authentication
  web enhanced methods
multi-party conferences (calling)
  generated target number
  central calling
13. Security in H.323: the Gatekeeper
H.235
Cisco MCM: user/password piggy-back
Radvision ECS: predefined endpoints
GNU GK: predefined endpoints, Q.931 signaling filters
14. Security in H.323: Gatekeeper backends
Gatekeeper APIs (SNMP or proprietary)
  Cisco GKAPI
  Radvision ECS API (SNMP-based H.348?)
RADIUS
  Cisco MCM
  GNU GK
DBMS
  Radvision ECS
  GNU GK
LDAP
  Radvision ECS
  GNU GK
15. Security in H.323: web integration of backends
web-based flexible custom interfaces
SSL enabled
allow user control of IP and aliases
allow scheduling and reservation of resources (an added benefit)
16. Current problems in H.323
securing registration of multiple aliases is difficult
ad-hoc authentication techniques do not accommodate all endpoints
mobility is hindered
firewall/NAT traversal is difficult
media stream protection is lacking
17. Future developments in H.323 security
H.350:
  LDAP authentication
  LDAP endpoint setup
H.235:
  wider support in products
  certificate support
  media stream encryption