Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IP Videoconferencing

From: Tina Bird <tbird65 () STANFORD EDU>
Date: Wed, 5 Nov 2003 11:01:56 -0800
On Wed, 5 Nov 2003, Walsh, Brian R. (Information Services) wrote:


We have a request from our Instructional Technology group to allow
access through our firewall for a new IP videoconferencing unit.
Allowing this through the firewall seems to be relatively

low risk and

I think our firewalls may even be "H.323 aware" which would

make this

a little easier to do and perhaps more secure. I am

assuming that the

videoconferencing hardware and software take care of other security
like authentication, encryption, etc.

Is there anything specific I should be worried about with

this setup?

I don't know much about the protocols or products involved so any
advice would be appreciated. Thanks.


I wouldn't assume that the devices are properly taking care of
authentication, encryption, and other security requirements.  Several
popular videoconferencing devices ship with default passwords, only
support cleartext protocols for management, and may not
enable encryption
by default.


There's a >>great<< discussion of the risks associated with multimedia protocols (H.323 and T.120 in
particular) in Zwicky, Cooper & Chapman, "Building Internet Firewalls."  Chapter 19 in the second edition is
on conferencing services, and the discussion of protocols begins on page 528.

hope that helps -- tbird

--
Dr. Tina Bird
Information Security Services, Stanford University
1 (650) 724-9316

Security Alerts http://securecomputing.stanford.edu/alert.html
Log Analysis http://www.loganalysis.org
Virtual Private Networks http://vpn.shmoo.com

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
Previous By Date Next
Previous By Thread Next

Current thread: