When I was reading the NY Times yesterday I’ve read this interesting article about a security officer of a company who has managed to connect to video conferencing equipment in boardrooms and was therefore able to control the camera and hear what is going on in these rooms (http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html).
In theory he could eavesdrop on conversations that where happening in these boardrooms. Companies who utilize video conferencing solutions around the globe suddenly start to realize that they might be at risk. I’ll try by best explaining the vulnerability and possible solutions.
The major problem with video conferencing is the lack of knowledge about its technology. For example, in the IT world it’s a common fact that if a system sitting behind a firewall needs to receive data without initiating an outbound connection first, it would fail as the firewall would block the incoming attempt. Video Conferencing (if properly configured) works differently. So what do most IT departments do if the company starts purchasing video equipment, is opening ports in the firewall or even putting the endpoints in a DMZ. Otherwise it wouldn’t be possible to receive calls, is what they think. So without even thinking about it, they put all their video endpoints on the public Internet.
This kind of setup is shown in the following illustration:
If an application would be performing ports scans on these IP addresses and notice that one of the communication ports (SIP, H.323 etc.) are open, they can call it. By muting your video and audio in your own client, you can dial such an endpoint. And if it’s set to “Auto Answer” (like Polycom does by default on its Video Endpoints), it will answer the call and the screen will still be black. Just imagine a company eavesdropping on its competitors’ financials- and future strategy meetings! All you need is the IP address range of a company (which can be relatively easy to find), and a port scanner. It’s like putting the phone numbers of your boardrooms in the White Pages!
Putting endpoints behind a firewall, but then opening the communication ports to these endpoints (by using Mapped IP’s you can give every internal host a public IP address), they would still be vulnerable. Basically the firewall is allowing everything to come inside to the endpoints.
In the article they where mentioning a Gatekeeper. What is it, and how does it work?
A gatekeeper is a device where video endpoints can “register” themselves. Calls are made to the gatekeeper, and the gatekeeper uses its configured policies to figure out if this call is allowed, and if so it will connect to the endpoint using its registered information. You can see a gatekeeper as the security guard in the lobby of a company. Visitors who are not authorized to get into the building, will be refused.
How can I make sure that people can only call to the gatekeeper and not to the endpoints?
You put the endpoints behind a closed firewall. This means that connections to the endpoints are not allowed. Only outbound connections should be allowed.
Now you might be thinking, how on earth does the call reach the endpoint? A gateway can be configured to become a “Border Controller“. It is the only device of your video network that sits outside the firewall. By using a technology called “Firewall Traversal” it can easily get calls inside the firewall. As an IT admin, you might be thinking “OMG this is magic!”. Well, actually it’s not.
Firewall Traversal works like this:
- A call is placed to the gatekeeper
- The gatekeeper checks its policies if the call is allowed
- The gatekeeper checks if the endpoint is registered.
- The call is put on hold.
- The endpoint continuously connects to the gatekeeper and asks “do I have a call?”. This is an outbound connection.
- If there’s a call on hold for that endpoint, it will then send this call to the endpoint using the “Return-Path” of the outbound connection.
At first it might sound as if a call will be on hold for some time, but that’s actually just a matter of seconds. Maybe even milliseconds. This process is shown in the following illustration:
In this example we are going back to the security guard in the company’s lobby. Most companies only allow visitors to get inside the building if somebody on the inside invites them. If you would be invited at a company, you’d have to check in to the security guard. The guard will then notify the person who invited you about your arrival. Then you would have to wait until that person picks you up.
Firewall Traversal works a bit differently. Instead of the guard calling the person inside the company, the person will be constantly calling the guard, asking if new guests have arrived. While it real life that might cause a scene of a horror movie in an alley one night, this is how Firewall Traversal works.
A proper way of configuring your network is shown in the following illustration:
Connections directly to the endpoints will be blocked. The border controller receives calls, and the endpoints will constantly make an outbound connection to the border controller, asking for pending calls. If needed, you can even block calls from endpoints that are not registered on the border controller and only have it accept registrations from manually specified endpoints. If a call to an external party is needed, dial out to the external party.
Another alternative would be the use of a conference server, and allowing calls to only that server. People who dial into the server would then need to enter a conference code. Conferences can also be locked to prevent new calls to that conference. And yes, this server is also used as an endpoint so put them behind the firewall. If people outside the company need to manage conferences on that server they could be given VPN access to the network if needed.
There could also be a situation in a large multinational enterprise where video conferences are only made between different locations in the company. No need to have external calls. In that case you can create a private WAN link between locations, and connect them to a gatekeeper. The video connections are encrypted, so you only need to make sure that the WAN is only accessible from within the company, without any unprotected connection to the Internet. This is shown in the following illustration:
Hopefully I made it clear that video conferencing is not just a matter of connecting these devices to a network and you’re done. You protect your physical access and provide access control by hiring security guards. Then why not doing so with your digital assets? Make sure that you purchase a complete infrastructure and have your IT staff (the people who need to set it up and manage it) get the right training. Most vendors who create video endpoints like Cisco and Polycom provide training for the implementation of their products.
If all of this would be too difficult for your organization to implement or just too expensive (the hardware and licensing costs can be enormous), it might also be a great idea to have this infrastructure hosted at a Cloud company that specializes in VaaS (Video as a Service). This solution would be much cheaper and there’s no need for special training. Just make sure that these companies are certified partners of the vendors they sell their products from.