TECHNICAL NOTE: Secure VidyoConferencing SM
Protecting your communications
www.vidyo.com 1.866.99.VIDYO





2012 Vidyo, Inc. All rights reserved. Vidyo, VidyoTechnology, VidyoConferencing, VidyoLine, VidyoRouter, VidyoPortal, VidyoGateway, VidyoRoom, VidyoReplay and VidyoDesktop are trademarks of Vidyo, Inc. All other trademarks are the property of their respective owners. All specifications subject to change without notice; system specifics may vary. All images are for representational purposes only; actual products may differ. Vidyo products are covered by U.S. Pat. Nos. 7,593,032 B3 and 7,643,560, as well as additional International patents or pending U.S. or International patent applications owned by Vidyo, Inc.
www.vidyo.com 1.866.99.VIDYO
SECVIDYO_072012_TECHNOTE_US

A holistic approach to secured communication

Vidyo has made telepresence both personal and affordable with its revolutionary VidyoRouter architecture, which leverages Scalable Video Coding (SVC) to let end users participate in high-quality Vidyo conferences from just about anywhere over standard broadband internet connections. While the internet affords great flexibility in access and endpoints, sensitive information transmitted over this medium must also be protected from would-be hackers with malicious intent. This document provides an overview of the features of Vidyo's Secure VidyoConferencing SM option, designed to guard the integrity of your network and keep your communication and private information safe.

More than just encryption
- User authentication/login
- Component authentication
- Component access protection
- Database protection
- Password protection
- Signaling encryption
- Media encryption
- Secure firewall traversal

Key Security Features
- AES-128 bit media encryption
- HTTPS with certificate-based login
- TLS with certificates for signaling
- Password hashing in the database
- New component blocking for spoof prevention
- Hardened Linux-based appliances for component access control
- Optional firewall traversal using the built-in proxy
- Optional explicit IP-to-IP firewall traversal using a networked VidyoRouter deployment
- Encrypted token technology for session security
- No login information kept at the desktop
- Graphic indication of encrypted calls on the call screen

User login and database security

Ensuring that only administered users and administrators are able to gain access to user accounts and the system administration portal, respectively, is fundamental to securing the VidyoConferencing SM system. Vidyo establishes this critical front line of defense in a manner similar to the way online banking access is secured.
With SSL security enabled, the VidyoPortal automatically establishes an encrypted HTTPS channel with each Vidyo endpoint that attempts to access the system and performs a certificate exchange using certificates issued by a third-party certificate authority. Once certificate verification is complete, login and password information is transmitted securely to the VidyoPortal over the same encrypted HTTPS channel. A lock icon on the call screen gives the end user visual indication that the call is secured. To safeguard user login credentials, no login information is kept at the Vidyo soft clients, password information is always hashed in the database, and the VidyoPortal's connections to the database are likewise made over secured HTTPS links. The administrator has complete control over passwords at all levels, including changing the default passwords for the VidyoConferencing servers; doing so is the first step recommended in commissioning any VidyoConferencing system.

Media Encryption

To ensure that the content of your Vidyo conferences cannot be intercepted and decoded without your knowledge, Vidyo employs AES-128 bit encryption over SRTP for audio, video and shared content when the Secure VidyoConferencing option is enabled. A separate set of keys is used for each form of media on each leg of the Vidyo conference. The VidyoRouter decrypts and re-encrypts each media stream as it passes through, providing protection from one endpoint to the other over public networks. With media encryption enabled, a single VidyoRouter is able to support up to 100 concurrent HD 1080p connections, significantly more capacity than MCUs costing 5 to 10 times as much.

Signaling Encryption

Signaling is the way the different components within the Vidyo architecture communicate with one another. Ensuring that the information passed in this machine-to-machine communication is not viewable by would-be hackers is important for securing the network. Secure VidyoConferencing leverages HTTPS with certificate support for all web access signaling, as described in the User login and database security section of this document. For client/server application signaling, TLS is employed, with key exchange taking place over the secured TLS connection and support for the same certificate process as HTTPS.

Component Authentication (spoof prevention) & Session Security

Spoofing refers to a tactic used by hackers to steal the identity of a trusted component of a network in order to gain access. Vidyo prevents spoofing through a rigorous component authentication scheme. Each machine in the Vidyo network has a unique identifier which is communicated to the VidyoPortal over a secure link and is otherwise not accessible. New components added to the network go to the VidyoPortal for configuration.
If the VidyoPortal doesn't have a configuration defined for that machine's specific ID, the machine is blocked from joining the network until the administrator accepts the new ID and manually configures the component. On the client side, after the Vidyo endpoint has sent the VidyoPortal its unique identifier, the VidyoPortal generates and encrypts a unique token and sends it to the endpoint at login over a secured link. The encrypted token is stored at the Vidyo endpoint and the session is kept alive until the next time the user successfully logs in, whether from the same machine or a different one, at which point a new token is issued and a new session is started. Each time the Vidyo endpoint attempts to access the VidyoPortal for services (such as call initiation), it presents its session token to the VidyoPortal, ensuring that the endpoint is in fact the machine where the credentialed user last logged in.

Component Access Protection

The Vidyo infrastructure appliances are all Linux based. To prevent hackers from accessing the box itself, Vidyo leverages the security features of Linux while hardening the box by closing all ports that are not relevant or used and making it impossible to access the board without the VidyoAdmin and root passwords.

Secure Firewall Traversal

Depending on the specific deployment model, Vidyo provides optional methods of secure firewall traversal, enabling organizations to leverage the public network to provide connectivity for mobile end users without compromising the integrity of the private network or requiring additional expensive equipment. For implementations where the necessary range of UDP ports is opened on the company network, the VidyoDesktop client uses industry-standard ICE/STUN to negotiate UDP ports directly with the VidyoRouter. The same protocols are employed for NAT traversal.

Fig 1: Firewall with UDP port range opened (VidyoDesktop client negotiates UDP ports with the VidyoRouter across the Internet)

Fig 2: Firewall with UDP ports closed (VidyoDesktop client tunnels to the VidyoRouter through Vidyo's proxy on port 443)

For implementations where the UDP ports are closed on the company network, Vidyo's proxy solution overcomes this blocking in a secure fashion by tunneling on port 443 using industry-standard TCP. The VidyoDesktop is able to auto-detect whether firewall blocking is taking place and automatically switch to Vidyo's proxy configuration as needed; if the firewall configuration is known, auto-detection can easily be overridden. The proxy client is embedded in the VidyoDesktop application and the proxy server is embedded in the VidyoRouter application. The same proxy client and server are also able to traverse web proxies, enabling the Vidyo deployment to fully integrate with existing web proxy devices and follow established policies rather than working around them.

For deployments where multiple VidyoRouters are networked together, a single low-cost VidyoRouter can be positioned on each side of the firewall. The combination of the robust component authentication described in the Component Authentication (spoof prevention) & Session Security section of this document and a set of explicit IP-to-IP rules on the firewall enables the VidyoRouters to communicate securely with one another, without the performance impact that tunneling on port 443 may have and without compromising the security of the private network. Using this approach, it becomes easy to keep on-premise Vidyo endpoints on the corporate network, behind the firewall, without sacrificing performance or accessibility to the public network, and without adding cost to the deployment.

Fig 3: Firewall with explicit IP-to-IP rules for communication between VidyoRouters (Enterprise Intranet VidyoRouter, DMZ/Public Network VidyoRouter, Internet; a static IP-to-IP rule on the firewall permits only communication between the VidyoRouters)

Regardless of whether an organization deploys a DMZ, VPN or other network topology, Vidyo's suite of cost-effective firewall traversal solutions integrates with that topology and securely extends the reach of your video communications infrastructure beyond the private network.
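The login and component-authentication scheme described above (password hashing in the database, a component ID allow-list that blocks unknown machines until an administrator accepts them, and a per-login session token bound to the endpoint that last logged in) as an added Python model; this is not Vidyo's code. PBKDF2-SHA256 and an HMAC-authenticated token are assumptions standing in for the unspecified hash and token encryption the VidyoPortal actually uses.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration of the scheme described in the note; not Vidyo's code.
# Assumptions: PBKDF2-SHA256 stands in for the unspecified password hash, and an
# HMAC-authenticated token stands in for the "encrypted token" the VidyoPortal issues.
PBKDF2_ITERATIONS = 200_000


class Portal:
    """Minimal model of a VidyoPortal: user store, component allow-list, sessions."""

    def __init__(self):
        self.users = {}          # username -> (salt, hash); plaintext is never stored
        self.components = set()  # component IDs the administrator has configured
        self.pending = set()     # unknown IDs blocked until an administrator accepts them
        self.sessions = {}       # username -> (endpoint_id, token); one live session each
        self._key = secrets.token_bytes(32)  # portal-side secret, never sent to clients

    def add_user(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.users[username] = (salt, digest)

    def register_component(self, component_id):
        """A component with no configuration for its ID is blocked until accepted."""
        if component_id in self.components:
            return True
        self.pending.add(component_id)
        return False

    def admin_accept(self, component_id):
        self.pending.discard(component_id)
        self.components.add(component_id)

    def login(self, username, password, endpoint_id):
        """Check the password against its hash; issue a fresh token bound to the endpoint."""
        if username not in self.users:
            return None
        salt, stored = self.users[username]
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(digest, stored):
            return None
        nonce = secrets.token_hex(16)
        msg = f"{username}|{endpoint_id}|{nonce}".encode()
        token = nonce + "." + hmac.new(self._key, msg, "sha256").hexdigest()
        self.sessions[username] = (endpoint_id, token)  # new login replaces the old session
        return token

    def request_service(self, username, endpoint_id, token):
        """Service requests (e.g. call initiation) must present the current session token."""
        session = self.sessions.get(username)
        if session is None:
            return False
        last_endpoint, live_token = session
        return last_endpoint == endpoint_id and hmac.compare_digest(token, live_token)
```

A second login from another machine invalidates the first token, so a stale token replayed from the old machine is refused, which is the property the note describes.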

User Meeting Room Access

All Vidyo endpoints connect through the VidyoRouter and are not directly accessible from another endpoint. Therefore, even if an endpoint were on the public network, it would not be possible for someone to connect to it directly by dialing an IP address. The VidyoRouter architecture inherently provides the endpoint with a layer of security from third-party hacking and voyeurism, with technology built in for spoof prevention such as encrypted token technology for session security, HTTPS with certificate support on login, and TLS with certificates for signaling, as described throughout this document.

No matter which Vidyo endpoint you use, your Vidyo meeting room is the core of your virtual office. Just as with a physical office, you may want an open-door policy for your Vidyo meeting room, where anyone with an account on your VidyoPortal can drop in at any time, or you may wish to close the door to your Vidyo meeting room and selectively control access. Vidyo affords you the flexibility to do both. If you prefer an open door, you need not do anything. If you wish to control access, you can define a PIN for your room and share it only with the people you want to have access. Additionally, if you take advantage of guest linking to your room (inviting an unregistered user to join your conference room via hyperlink), every user has the ability to change the hashed hyperlink to their personal meeting space as frequently as desired.

Conclusion

Vidyo's architecture is inherently more secure. To ensure a continued high level of security, we scan on a regular basis using industry-leading security auditing tools such as Qualys, Nessus and Rapid7. All identified vulnerabilities are addressed with security packages and upgrades.
By enabling the Secure VidyoConferencing option on the VidyoPortal, administrators and IT departments can rest easy, knowing that the VidyoConferencing network is safe and that user data and communications will be secure.

For more information: 1.866.99.VIDYO