February 2005 may go down as the beginning of the end for the last technical hurdle blocking widespread adoption of corporate IP videoconferencing - the issue of firewall and network address translation traversal.
With calls over IP networks (as opposed to using ISDN) hitting the 50% mark this year, according to Wainhouse Research, the issue of firewalls and NATs, which provide private IP addresses for a domain but are a wrench in the works when trying to make a successful IP video call, is coming to a head. The biggest names in the videoconferencing arena - Polycom and Tandberg - are among a handful of vendors releasing products that help transition H.323-based video calls through a firewall or private IP address (NAT) system to an outside party without having to make drastic changes to security policies.
H.323, the umbrella protocol that is the standard for IP conferencing, is inherently flawed when it comes to dealing with secured network perimeters and private IP addresses, which are used in the majority of corporate networks.
The issue is twofold: signaling and media, says Arnold Englander, an associate at Perey Research and Consulting. On the signaling side, the port addresses of incoming packets are carried inside the H.323 header rather than sitting at the top of the packet, where a firewall would look for the information.
"A firewall looks at the packet and asks, 'Is this coming from a place where I can receive it?' but the information is not there," Englander says. "The real information is inside the H.323 sub-packets. The TCP/IP wrapper does not have the detail information needed" for the firewall to make the right decision.
Even if the signaling issue were fixed, there is still the issue of passing voice and video through. H.323 uses multiple, somewhat random ports for each call. Two calls might use completely different ports. A firewall might let outgoing voice and video through but not the incoming side of the call. If both participants are behind a firewall, the call will be silent and black, Englander says.
For intra-company communications or with telecommuters on a VPN, the firewall issue usually doesn't come into play because most of the traffic stays inside the network perimeter. It comes up with inter-company communications, where one or more firewalls are in play.
The simple way to get around the firewall issue is to open the firewall to all H.323 traffic (not secure) or put the videoconferencing endpoint in the DMZ and give it a publicly routable IP address, also not a secure option, particularly when PC-based endpoints are used.
One major university that handles a video network for a government agency runs into the issue occasionally and uses a variation of the "open the firewall for H.323 traffic" method. "The solution, for most sites, has been for the sites to 'trust' the server addresses that deal with collaboration services, such as gatekeepers and MCUs," says the video network's administrator, who asked not to be named. The problem with this method is that an attacker could compromise one of the trusted domains and potentially have access to all the other sites in the community.
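The failure mode Englander describes, and the trade-off between "open the firewall for H.323" and an application-aware gateway, can be modelled in a few dozen lines. The following is an added example written for this page, not code from Polycom, Tandberg or any other vendor. It is a deliberately simplified model: call set-up is a single exchange on the well-known H.225 signaling port (TCP 1720), and the media port each endpoint advertises in the body of that exchange stands in for the H.245 logical-channel negotiation. The IP addresses, port numbers and three policy names are constructed for the example.

```python
"""Why H.323 media dies at a header-only firewall, and what each workaround exposes.

Three perimeter policies are compared on the same two-party call:
  header_only  - default-deny inbound, inspects only IP/TCP/UDP headers
  open_all     - "open the firewall to all H.323 traffic": every inbound UDP port
  alg          - application-aware gateway that reads the signaling and pinholes
                 exactly the media port the inside endpoint advertised
Constructed example; not vendor code.
"""
from dataclasses import dataclass, field
from typing import Optional

H225_SIGNALING_PORT = 1720   # well-known H.225 call-signaling port (TCP)
ALL_UDP_PORTS = 65535        # size of the inbound exposure under "open_all"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp" or "udp"
    src_port: int
    dst_port: int
    media_port: Optional[int] = None  # stand-in for the port advertised in the H.323 body


@dataclass
class Firewall:
    inside_prefix: str
    policy: str                                  # "header_only" | "open_all" | "alg"
    pinholes: set = field(default_factory=set)   # UDP ports learned by the ALG

    def is_inside(self, ip: str) -> bool:
        return ip.startswith(self.inside_prefix)

    def permit(self, pkt: Packet) -> bool:
        if self.is_inside(pkt.src_ip):
            # Outbound traffic is allowed. An application-aware gateway also reads the
            # H.323 body here: the inside endpoint has just told its peer which UDP port
            # it will receive media on, so open exactly that port and nothing else.
            if (self.policy == "alg" and pkt.proto == "tcp"
                    and pkt.dst_port == H225_SIGNALING_PORT and pkt.media_port is not None):
                self.pinholes.add(pkt.media_port)
            return True
        # Inbound: a header-only filter sees only the protocol and port numbers.
        if pkt.proto == "tcp" and pkt.dst_port == H225_SIGNALING_PORT:
            return True
        if pkt.proto == "udp":
            if self.policy == "open_all":
                return True
            return pkt.dst_port in self.pinholes   # empty set under header_only
        return False

    def exposed_udp_ports(self) -> int:
        """How many inbound UDP ports an outsider can reach through this firewall."""
        return ALL_UDP_PORTS if self.policy == "open_all" else len(self.pinholes)


def deliver(pkt: Packet, fw_sender: Firewall, fw_receiver: Firewall) -> bool:
    """A packet must leave through the sender's firewall and enter through the receiver's."""
    return fw_sender.permit(pkt) and fw_receiver.permit(pkt)


def simulate_call(policy: str) -> dict:
    """Run one two-party H.323 call with both sides behind a firewall of the given policy."""
    fw_a = Firewall("10.0.0.", policy)
    fw_b = Firewall("192.168.1.", policy)
    a, b = "10.0.0.5", "192.168.1.7"       # constructed private endpoint addresses
    a_media, b_media = 49152, 50000         # constructed dynamic RTP receive ports

    # Call set-up on the well-known signaling port; each side advertises its media port.
    sig_ok = (deliver(Packet(a, b, "tcp", 40001, H225_SIGNALING_PORT, a_media), fw_a, fw_b)
              and deliver(Packet(b, a, "tcp", 40002, H225_SIGNALING_PORT, b_media), fw_b, fw_a))
    # Media flows on the dynamically chosen UDP ports, in both directions.
    media_ok = (deliver(Packet(a, b, "udp", a_media, b_media), fw_a, fw_b)
                and deliver(Packet(b, a, "udp", b_media, a_media), fw_b, fw_a))
    return {"signaling_ok": sig_ok,
            "media_ok": media_ok,
            "exposed_udp_ports_on_b": fw_b.exposed_udp_ports()}


if __name__ == "__main__":
    for policy in ("header_only", "open_all", "alg"):
        print(policy, simulate_call(policy))
```

Under `header_only` the signaling completes but both media streams are dropped at the callee's firewall, which is the "silent and black" call. `open_all` makes the call work by exposing every inbound UDP port, and `alg` makes it work by exposing one port per call for the duration of that call, which is the property the traversal products in the article are selling.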