Firewalls and H.323 based VC-Systems

Transcription

1 Firewalls and H.323 based VC-Systems Utz Roedig Darmstadt University of Technology, KOM, Merckstr. 25, D Darmstadt. vc_firewall.fm 1

2 Overview Motivation Problem Domain Characteristics Optimization options Solutions H.323 firewall requirements Evaluation of existing approaches Summary vc_firewall.fm 2

3 Motivation Definitions: Firewall: MM-Applications: permit/deny specific data flows, NAT process audio/video, additional protocols Observation It is difficult/impossible to support mm-applications by existing firewalls Existing problems Service could not be used Service does not provide desired behavior Firewall does not provide its full security Objectives 1. Understanding the problem domain 2. Developing appropriate solutions Focus on H.323 as mm-protocol vc_firewall.fm 3

4 MM-Characteristics MM-Application characteristics leading to problems with firewalls: Protocols Complexity: states, coding Dynamic behavior Multiple flows for one logical session Applications Signalling and media routing Diversity of scenarios Imprecise use of (imprecise) protocol standards Flexible combination of protocols Performance requirements High data rate and required throughput Predictable performance vc_firewall.fm 4 These characteristics can also be found in H.323 scenarios

5 H.323-Characteristics H.323 Zone Signalling Flow Media Flow Intranet Gatekeeper Terminal Router Terminal Internet Signalling Flows RAS: registration, authentication, status H.225. / Q.931: call control H.245: media negotiation Media Flows RTP, RTCP: Media transport G.711, G.722,...: Media coding Terminal Firewall H.323 Zone MCU Intranet Gatekeeper Terminal Gateway Phone Phone PSTN Components Terminals, Gateways, Gatekeeper, MCU,... vc_firewall.fm 5 Gatekeeper functionality Optional brain of a H.323-zone

6 H.323-Characteristics Terminal A Q.931 (TCP) H.245 (TCP) RTP (UDP) RTCP (UDP) RTP (UDP) RTCP (UDP) Firewall Terminal C Protocol characteristics: H.323 calls consist of several parallel connections (UDP+TCP) All connections use dynamically negotiated ports ASN.1 coding is used Application characteristics Variations of signalling and media routing Mechanisms depend on utilized components/ implementations Performance requirements Terminal A RAS (UDP) Q.931 (TCP) H.245 (TCP) RTP (UDP) RTCP (UDP) Firewall Gatekeeper RAS (UDP) RTP (UDP) RTCP (UDP) Terminal C vc_firewall.fm 6

7 Optimization Options Two main problem originators Old firewall technologies are used for new application types Applications/protocols design lacks consideration of firewalls Two optimization options: 1. Design appropriate firewall technologies Capable to support the needs of mm-protocols/mm-applications Flexible, dynamic, adaptive 2. Design firewall capable mm-protocols/mm-applications Existence of firewalls has to be considered Firewall-friendly design Bounding conditions Both options depend on each other Over all security The real world vc_firewall.fm 7

8 H.323 Firewall Requirements The optimization leads to the following substantial requirements: Architecture Distributed firewall with specialized components flow specific routing (performance optimization) component interaction Call routing Integration in H.323 specific call routing Support of different call routing models Security Validation of PDU correctness Selective PDU routing Service restriction (e.g. T.12) No H.323 component related functions Configuration Adaption to different scenarios Call routing, Security vc_firewall.fm 8

9 H.323 Firewall Requirements - Call routing Master videnet DFN PUB World 12 Characteristics Hierarchical zones H.323 inter-zone communication SWITCH CH DFN DE DFN KOM DA 9xx 12 5 MCU Terminal Terminal SURFNET NL UNI DD H.323 Scenarios in this scale are not regarded by firewall devellopers vc_firewall.fm 9

10 H.323 Firewall - Products (I) Checkpoint Firewall-1: Missing IP address parser CODE: deffunc GET_H245_PORT(... no RAS handling, no configuration options no H.323 specific call routing supported Only for direct terminal communication (no Gatekeeper) Cisco PIX: Corrupt ASN-1 parser LOG: H225::Encoded PDU length 123 is less than no configuration options no H.323 specific call routing supported Only useful for outgoing connections Others: Intel-Proxy, Cisco MMCM, Phonepatch, Openh323proxy,... vc_firewall.fm 1

11 H.323 Firewall - Products (II) - KOMproxyd Integration in the DFN Scenario vc_firewall.fm 11 DFN PUB 12 DFN Integration in existing firewall structures Additional proxy in the DMZ Or additional software on the used firewall KOMproxyd features Dedicated firewall component Conform to the H.323 firewall requirements Supports different MM-Protocols: H.323, SIP, RTSP Extensible architecture Violation of the given requirements (Architecture) 9xx MCU Terminal Firewall KOM-DA 126 KOM DA UNI DD

12 H.323 Firewall - Products (III) - KOMproxyd Characteristics Standard firewall: Proxy: Terminal A Zone A GATEKEEPER A INSIDE NETWORK IP-Filter KOMproxyd Function KOMproxyd handles all external H.323 traffic Call routing KOMproxyd is involved in the RAS inter-zone communication Architecture Dedicated H.323 proxy component (Interaction between KOMproxyd and filter is possible) NAT DMZ FW KOMproxyd ROUTER INTERNET GATEKEEPER B Zone B Terminal B vc_firewall.fm 12

13 Summary Identification and classification of the problematic characteristics Problem class is not only H.323 related Evaluation of existing/proposed solutions A lot of research in the area of MM-Firewalls Candidates for immediate deployment: KOMproxyd Gatekeepers with integrated media proxy Test of KOMproxyd Tested by SURFNET Used at KOM (call for testing) /KOMproxyd Future work Test of other available solutions Extension of KOMproxyd vc_firewall.fm 13