Rule #1 for Video and Firewalls: Say NO to Helper Services

Posted by ET Group on December 17, 2012

Video Conferencing and Firewalls

Firewalls are probably one of the biggest peace-of-mind purchases that an enterprise will make to ensure it’s secure from the outside world. More comprehensive firewalls offer a vast suite of tools and features to make the life of the administrator easier by automating as much of the process of security management as possible. When it comes to video conferencing technology, the lion’s share of firewall solutions are not as video friendly as the feature set suggests.

Today, many firewalls are equipped with things like SIP ALG or H.323 helper services, which the vendor suggests will allow clients to easily traverse the firewall and make a more seamless, more secure connection. The problem is that it’s rarely –if ever- the case. These services while helpful in theory, are often part of what is called Stateful Packet Inspection (SPI). SPI’s role in your protection is to open each bit of data passing in and out of your network to look for any threats and neutralize them before they cause any damage. This can cause significant performance problems for video conferencing.  Some firewalls can be “aware” or sensitive to the particulars of video conferencing protocol, although they also have some inherent risks, which need to be mitigated by your IT security policies.

What Does This All Mean? If it’s Not Fool Proof, Why Do it at All?

Every firewall is different and every enterprise uses their firewall differently. Hence, no two installations will be exactly the same. Because no two installations will be the same, firewall vendors have done quite a bit in recent years to provide the ability to turn off, or change the role of SPI and helper services on your firewall. Unfortunately in most cases, it isn’t enough. Video traffic passing through a firewall using helper services or SPI can severely lower performance because of the processing power required to monitor the traffic.

The other serious limitation of firewalls when it comes to video traffic and SPI is dynamic port allocation. All modern firewalls work very well against the model of fixed port allocation. In this model, the security admin defines what traffic on what port is allowed into and out of the network. As video and other business applications gain ground in network bandwidth usage this model becomes harder to maintain.

Video specifically requires very few fixed ports for connecting participants. It relies more heavily on dynamic port allocation, where a port or group of ports is chosen by the client to make a connection. Without a specific rule, most firewalls do not respond well to passing traffic through to allow this video connection. Ports used for video calls will fall within a set range as large as 10,000-20,000 possible port combinations and it’s a cumbersome undertaking to maintain. The firewall by design has to strike a balance between being porous and secure. Because that balance is required, video conferencing infrastructure has evolved to come up with ways of securely adapting to the needs of the network.

Two Ways to Handle the Firewall Question

There are two popular approaches to handling video traffic without compromising your network security. Video vendors understand that businesses want collaboration without compromising security, or network performance. With this in mind, two approaches have emerged to mitigate the risk to security and performance, and to provide the enterprise with peace-of-mind.

1. Larger Market Players take a Traversal Approach

They literally hop over the firewall, bypassing it with secured edge servers, or pass through it on a very limited range of open ports. This is a tried and true option utilized by large enterprises. It offers the greatest scalability and flexibility. IT Administrators prefer these solutions because they are designed with security policy in mind, resulting in an easy solution for the security minded to get behind.

2. Up and Coming Vendors Leverage Existing Infrastructure

Vendors can still offer rich experiences for their end users by leveraging existing infrastructure from the DMZ or the cloud. Depending on the deployment scenario, these solutions can require anywhere from 100 to as few as 0 ports.  In fact, they can even be offered as cloud services almost removing your corporate firewall from the equation. They are mobile focused, sleek, stylish and their flexibility makes them a sexy option for the “Bring Your Own Device” crowd.

Firewalls are not the only ‘helpers’ that can come into contact with your video conferencing traffic. At their core, WAN optimization technologies try to apply some kind of order to your public traffic. Their greatest advantage is that IT staff will already be familiar with the idea of Quality of Service (QoS). They will also be familiar with traffic shaping, which is fundamentally what these tools accomplish albeit on the open Internet instead of your corporate network.

These are relevant to a firewall discussion because unlike firewall helpers, WAN optimizers are generally very media sensitive tools. They are geared to improve your experience with video conferencing, but can also work to your advantage on other lines of business applications as well. Regardless of the vendor and the way it’s deployed, all video conferencing solutions eventually come back to the firewall.

Things to Consider Before Deploying Video Conferencing

1. Make Sure You Know What Your Firewall Vendor Supports and Their Limitations

2. Most Importantly, Discuss the Implications of Video Conferencing with an Integrator Before Deploying Video Conferencing to Your Users.

Having these two on your strategy checklist will be the difference between a rich pervasive collaborative experience and a pixelated game of charades.

If you have any questions concerning what your firewall vendor supports and the possible implications of your video conferencing system, please contact us.