February 2005 may go down as the beginning of the end for the last technical hurdle blocking widespread adoption of corporate IP (Internet Protocol) videoconferencing -- the issue of firewall and network address translation traversal.
With US calls over IP networks (as opposed to ISDN) hitting the 50 percent mark this year, according to Wainhouse Research, the issue of firewalls and NATs, which let an organization use private IP addresses internally but get in the way of a successful IP video call, is coming to a head. The biggest names in the videoconferencing arena -- Polycom and Tandberg -- are among a handful of vendors releasing products that carry H.323-based video calls through a firewall or NAT to an outside party without requiring drastic changes to security policies.
H.323, the umbrella protocol that is the standard for IP conferencing, was not designed with secured network perimeters and private IP addresses in mind, and the majority of corporate networks use both.
The issue is twofold, signaling and media, says Arnold Englander, an associate at Perey Research and Consulting. On the signaling side, H.323 call setup runs on one well-known port (TCP 1720 for H.225 call signaling), but the ports the rest of the call will use are negotiated inside the H.225 and H.245 messages themselves. That information sits in the application payload, not in the IP and TCP headers where a conventional firewall looks.
"A firewall looks at the packet and asks, 'Is this coming from a place where I can receive it?' but the information is not there," Englander says. "The real information is inside the H.323 sub-packets. The TCP/IP wrapper does not have the detail information needed" for the firewall to make the right decision.
Even if the signaling issue were fixed, there is still the issue of passing voice and video through. H.323 carries media over RTP on UDP ports that are chosen dynamically for each call. Two calls might use completely different ports, so there is no fixed port a firewall administrator can open in advance. A firewall that tracks outbound connections might let outgoing voice and video through but not the incoming side of the call, because the far end is not obliged to send from the port it receives on. If both participants are behind a firewall, the call will be silent and black, Englander says.
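The two problems just described, and the way an H.323-aware firewall (an application-layer gateway) addresses them, can be shown with a small simulation. This is an added example, not code from the article or from any vendor mentioned in it: the signaling bodies are plain Python dicts standing in for the real ASN.1-encoded H.225/H.245 messages, the field names (`h245Address`, `mediaChannel`, `mediaControlChannel`) borrow H.245 terminology but are a simplification, and the endpoint addresses and ports other than 1720 are made up. The first firewall tracks outbound flows and otherwise allows inbound traffic only to TCP 1720; it never reads the payload, so the H.245 control connection and the inbound RTP stream are both dropped. The second firewall parses the port announcements and opens narrow pinholes that exist only for the duration of the call.

```python
"""Toy model of the two H.323 firewall problems (signaling and media) and of
the pinholing that an H.323-aware firewall performs.  Constructed example:
signaling bodies are dicts, not real H.225/H.245 ASN.1 PER encodings."""
from dataclasses import dataclass, field

INSIDE_NET = "10.0.0."   # private side of the firewall (assumed prefix)
H225_PORT = 1720         # H.225 call-signaling port registered for H.323


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    body: dict = field(default_factory=dict)   # simplified signaling content


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


class StatefulFirewall:
    """Tracks outbound flows like an ordinary stateful firewall and otherwise
    allows inbound traffic only to TCP 1720.  It never looks at the payload,
    so every dynamically negotiated H.245 or RTP port is invisible to it."""
    def __init__(self) -> None:
        self.flows: set = set()   # (proto, in_ip, in_port, out_ip, out_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src[0]):
            self.flows.add((pkt.proto, *pkt.src, *pkt.dst))
            return True
        if (pkt.proto, *pkt.dst, *pkt.src) in self.flows:
            return True                           # reply to a flow we started
        return pkt.proto == "tcp" and pkt.dst[1] == H225_PORT


class H323AwareFirewall(StatefulFirewall):
    """Same base policy plus an ALG: it reads the port announcements carried in
    the signaling and opens pinholes only for those inside ports, only while
    the call is up."""
    def __init__(self) -> None:
        super().__init__()
        self.pinholes: set = set()      # (proto, inside_ip, inside_port)
        self.h245_ports: set = set()    # H.245 control ports learned from H.225

    def _learn(self, body: dict) -> None:
        if "h245Address" in body:                      # from H.225 Setup/Connect
            ip, port = body["h245Address"]
            if is_inside(ip):
                self.h245_ports.add(port)
                self.pinholes.add(("tcp", ip, port))
        for key in ("mediaChannel", "mediaControlChannel"):  # from H.245 OLC/Ack
            if key in body and is_inside(body[key][0]):
                self.pinholes.add(("udp",) + tuple(body[key]))
        if body.get("msg") == "ReleaseComplete":       # call over: close all
            self.pinholes.clear()
            self.h245_ports.clear()

    def allow(self, pkt: Packet) -> bool:
        ports = {pkt.src[1], pkt.dst[1]}
        if H225_PORT in ports or ports & self.h245_ports:   # signaling packet
            self._learn(pkt.body)
        return super().allow(pkt) or (pkt.proto, *pkt.dst) in self.pinholes


def run_call(fw) -> dict:
    """Replay one simplified outbound call through `fw` and return the verdict
    per labelled packet.  Every packet is judged even if an earlier one was
    dropped; in reality a dropped H.245 connection would end the call."""
    inside, remote = "10.0.0.7", "198.51.100.9"        # constructed addresses
    script = [
        ("setup_out",   Packet("tcp", (inside, 40001), (remote, H225_PORT),
                               {"msg": "Setup", "h245Address": (inside, 41000)})),
        ("connect_in",  Packet("tcp", (remote, H225_PORT), (inside, 40001),
                               {"msg": "Connect"})),
        # remote opens the H.245 control connection to the port we announced
        ("h245_in",     Packet("tcp", (remote, 51000), (inside, 41000),
                               {"msg": "OpenLogicalChannel"})),
        ("olc_ack_out", Packet("tcp", (inside, 41000), (remote, 51000),
                               {"msg": "OpenLogicalChannelAck",
                                "mediaChannel": (inside, 42000),
                                "mediaControlChannel": (inside, 42001)})),
        ("rtp_out",     Packet("udp", (inside, 42000), (remote, 52000))),
        # remote sends to the port we announced, from a source port of its own
        ("rtp_in",      Packet("udp", (remote, 53000), (inside, 42000))),
        ("stray_in",    Packet("udp", (remote, 53000), (inside, 42002))),
        ("release_out", Packet("tcp", (inside, 40001), (remote, H225_PORT),
                               {"msg": "ReleaseComplete"})),
        ("late_rtp_in", Packet("udp", (remote, 53000), (inside, 42000))),
    ]
    return {label: fw.allow(pkt) for label, pkt in script}


if __name__ == "__main__":
    for name, fw in (("header-only", StatefulFirewall()), ("H.323-aware", H323AwareFirewall())):
        print(name, run_call(fw))
```

Two details in the output are worth noting. The header-only firewall passes the outbound RTP but drops the inbound stream, which is exactly the one-way "silent and black" symptom, and it also drops the inbound H.245 connection, so in practice the call would never get as far as media. The H.323-aware firewall admits both, but still drops the stray packet to a port that was never negotiated and drops media arriving after ReleaseComplete, which is the property that makes pinholing preferable to opening port ranges.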
For intra-company communications or with telecommuters on a VPN, the firewall issue usually doesn't come into play because most of the traffic stays inside the network perimeter. It comes up with inter-company communications, where one or more firewalls are in play.
The simple way to get around the firewall issue is to open the firewall to all H.323 traffic, which in practice means exposing TCP port 1720 plus wide ranges of dynamic TCP and UDP ports (not secure), or to put the videoconferencing endpoint in the DMZ with a publicly routable IP address, also not a secure option, particularly when PC-based endpoints are used.
One major university that handles a video network for a government agency runs into the issue occasionally and uses a variation of the "open the firewall for H.323 traffic" method. "The solution, for most sites, has been for the sites to 'trust' the server addresses that deal with collaboration services, such as gatekeepers and MCUs," says the video network's administrator, who asked not to be named. The problem with this method is that an attacker who compromised one of the trusted servers could potentially reach every other site in the community.
For those looking for something more secure, there are now a number of options.
Tandberg's new Expressway offering is based on technology from Ridgeway Systems, which Tandberg acquired last year. It is designed to work with a firewall by tunneling H.323 traffic into three registered ports: 1719, 2776 and 2777. The only potential change needed in the firewall policy is to open these three ports, rather than the ranges of dynamic ports a native H.323 call would need.
Two devices are needed, one on each side of the firewall. The Tandberg Border Controller appliance sits on the outside of the firewall. On the inside, there must be a Tandberg MXP endpoint with the latest software update or a Gatekeeper appliance that can be used to aid non-Tandberg endpoints through the firewall, says Mike Walker, director of emerging technology at Tandberg. An endpoint must register with the Border Controller to participate in a video call.
During a demonstration of the Expressway technology, Tandberg made video calls through Network World's firewall using an endpoint registered to a Border Controller in Tandberg's Reston, Virginia, office. Tandberg made no changes to the Network World firewall, which would otherwise block H.323 traffic.
Visual Nexus, a small videoconferencing vendor in England, is shipping a new version of its Linux-based Secured Transport appliance that works in a similar fashion to Tandberg's Expressway but uses port 80 to pass traffic. Outbound port 80 is open in all but the strictest firewall policies, though the convenience comes at a price: the firewall is then passing non-HTTP traffic on the HTTP port, and a proxy that inspects port 80 for well-formed HTTP will not let it through.
Polycom and its partner Edgewater Networks are taking a different approach with V2IU, a new H.323-aware firewall that works alongside a company's firewall or can be used as a firewall replacement for smaller offices. The V2IU is a Polycom-branded Edgewater EdgeMarc appliance with added video capability.
The Alberta Supernet, an ambitious project that is rolling out a Multiprotocol Label Switching (MPLS)-based fiber network to virtually every education facility in the Canadian province, is piloting the Polycom/Edgewater technology with 16 groups in the province, says John Percevault, director of system planning and technology services for the Grand Yellowhead Regional Division, one of the leads on the pilot.
Each district has received, or is in the process of getting, a 6.5M bit/sec fiber connection with up to six VPN connections that can be used to connect all the educational facilities for the district's WAN and for videoconferencing traffic, among other things. For the video network, an EdgeMarc/V2IU appliance is being deployed at each district's head end and acts as a firewall and proxy for H.323 traffic.
Percevault says the firewall is needed because the districts are planning to use desktop-based conferencing endpoints, which might be connected to other sensitive networks, such as internal LAN or network management systems. Percevault also uses Polycom's PathNavigator product to help route video traffic between locations inside the Supernet.
None of the three new entrants represents a panacea for videoconferencing. A user has to register his endpoint to a gatekeeper for each organization with which he wants to communicate. "In every videoconferencing system that I've played with, and that's about 10, the gatekeeper address that you have to enter is about six levels down in the menu structure," says Andrew Davis, principal analyst at Wainhouse Research. The industry needs to fix that if it is going to go with this method of registering with gatekeepers and border controllers, he says.
Session Initiation Protocol (SIP), with its advanced call-handling features, could replace H.323 in the videoconferencing world. Polycom and Tandberg have pledged support for it in the future, and Microsoft is making it the centerpiece of its communication strategy in Live Communication Server and in Istanbul, the future version of Windows Messenger.
When it comes to firewall and NAT traversal, SIP suffers the same fate, but it does have one advantage: "In the world of SIP, large service providers [Tier 1 carriers] are doing SIP-based telephone networks, and when they choose to solve the problem for customers, it's for hundreds of thousands at a time," Englander says.
Radvision, which already offers an H.323 proxy appliance, and Jasomi Networks Inc. have announced a partnership to integrate Radvision's MCU with Jasomi's Peerpoint product to pass SIP-based traffic through a firewall or NAT. The companies are targeting corporations and service providers with their offerings.
A new standard also might be a solution to the problem. Rivals Polycom and Tandberg have proposed a standard called H.ASSENT to the ITU for connecting through a firewall using a session border controller on the outside. Davis says we're still a year or two away from such a standard becoming reality.