VCON SecureConnect - PowerPoint PPT Presentation

About This Presentation
Title:

VCON SecureConnect

Description:

Solutions for Secure Firewall Traversal & Encrypted Communications. SecureConnect Family Overview ... Software watchdog for services. Other SecureConnect Features ... – PowerPoint PPT presentation

Slides: 20
Provided by: gordonda

Transcript and Presenter's Notes

1
VCON The Video over IP Company
Danny On, VP R&D and Technical Alliances
2
VCON SecureConnect
  • Solutions for Secure Firewall Traversal &
    Encrypted Communications

3
SecureConnect Family Overview
  • Extends the benefits of IP-based communications
    safely beyond the edges of the managed data
    network
  • Remote branch offices
  • Home office workers
  • Customers and business partners
  • Solves the connectivity problems associated with
    firewalls and NAT servers without eliminating
    security
  • Encryption component for added security of the
    actual media and signaling streams
  • Highly scalable and centrally manageable

4
Firewalls and IP-Based Communications
  • Most firewalls allow only very specific types of
    inbound traffic
  • When a session is initiated from inside the
    firewall, usually returned data streams to the
    originating IP address and port are allowed
  • However, H.323 allows for a dynamically-selected
    and very wide range of ports to be used for these
    return streams
  • Many firewalls also perform Network Address
    Translation (NAT) or Network Address Port
    Translation (NAPT)
  • NAT usage typically makes it impossible to
    initiate calls from outside the firewall
  • NAPT usage greatly conflicts with well-known
    ports that are used for H.323
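
The filtering behaviour described on this slide, as an added example that is not part of the original presentation: a toy stateful firewall that forwards return traffic only when it mirrors a flow opened from the inside. The addresses, the ephemeral port numbers and all class and function names are constructed for illustration; TCP 1720 is the standard H.323 call signaling port.

```python
# Added illustration: toy stateful firewall vs. dynamically chosen media ports.
# All addresses and ephemeral ports are constructed sample values.
import ipaddress
from dataclasses import dataclass, field

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed private network

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    flows: set = field(default_factory=set)

    def handle(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if ipaddress.ip_address(p.src) in INSIDE_NET:
            # Outbound: allowed, and the flow is remembered.
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: allowed only as the exact reverse of a remembered flow.
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows

def simulate_call() -> dict:
    fw = StatefulFirewall()
    inside, outside = "10.0.0.5", "203.0.113.20"
    return {
        # Inside endpoint opens H.323 call signaling to TCP 1720.
        "setup_out": fw.handle(Packet("tcp", inside, 40000, outside, 1720)),
        # Reply on the same connection matches the remembered flow.
        "setup_reply": fw.handle(Packet("tcp", outside, 1720, inside, 40000)),
        # Media arrives on a UDP port that was only agreed inside the
        # signaling payload, so the firewall has no state for it.
        "media_in": fw.handle(Packet("udp", outside, 50200, inside, 50010)),
        # A call initiated from outside has no prior outbound flow at all.
        "call_from_outside": fw.handle(Packet("tcp", outside, 41000, inside, 1720)),
    }

if __name__ == "__main__":
    for step, forwarded in simulate_call().items():
        print(f"{step:18} {'forwarded' if forwarded else 'DROPPED'}")
```

The signaling connection succeeds while the inbound media stream and the outside-initiated call are dropped, which is the gap an application-level proxy has to close without opening inbound ports.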

5
The VCON ALG Proxy Server
  • Application-level gateway (ALG) that can proxy
  • Gatekeeper registration
  • Call setup messages & signaling
  • Media streams (audio & video)
  • Neighbor gatekeeper messages
  • VCON interactive multicast streams
  • MXM admin console login and remote device
    administration
  • Far-end camera control messages
  • Solves connectivity problems from firewalls and
    NAT
  • Scalable up to 100 concurrent video calls per
    server
  • Encryption option

6
ALG Proxy Server - continued
  • Supports any standard H.323 device (endpoint,
    MCU, gateway)
  • Firewall cooperation and synergy
  • No firewall ports are opened in the inward
    direction
  • Firewall does not need to accommodate requests to
    open random or dynamic ports
  • External devices never connect directly to the
    inside network
  • Internal devices never connect directly to the
    outside network
  • Media streams pass directly between conference
    participants
  • Configurable QoS (DiffServ or IP Precedence) for
    audio, video and data streams
  • Single or dual-server configurations available

7
Single vs Dual-Server Config
[Diagram labels: Dual-Server Config; Single-Server Config; Public Network; Private Network; Inside Proxy; Outside Proxy; Firewall or NAT; Inside & Outside Proxy]
  • Inside & outside proxy elements of the ALG can be
    combined or split
  • Both configurations prevent direct connections
    between private and public network entities
  • With either configuration, the outside proxy can
    be encrypted for added security

8
Typical Headquarter / NOC Configuration
[Diagram labels: PC-Based Endpoints; ALG Proxy (Inside); ALG Proxy (Outside); Public Network; MXM; Firewall/NAT; Settop Appliance; Video Directory; MCU]
9
Typical Branch Office or Small-Medium Business Configuration
[Diagram labels: PC-Based Endpoints; ALG Proxy (Inside); ALG Proxy (Outside); Public Network; Firewall/NAT; Settop Appliance; MCU]
  • Local devices point to the inside proxy for GK
    registration
  • Calls between local devices do not result in
    media streams passing through the ALG Proxy

10
Endpoints in the Public Address Space
[Diagram labels: ALG Proxy; Firewall/NAT]
  • Remote devices point to the outside ALG Proxy for
    GK registration
  • Calls between outside devices do not result in
    media streams passing through the ALG Proxy

11
Multi-Zone Gatekeeper Configuration
[Diagram labels: Peer-to-Peer or Meshed; Hierarchical; MXM; ALG Proxy]
  • Neighbor gatekeeper zone definitions utilize
    the public IP address of the outside ALG Proxy
    component

12
The VCON Advanced Encryption Server
  • Supports DES, 3DES & AES encryption standards
  • Establishes peer-to-peer encrypted tunnels
    between authenticated users
  • Combine with ALG Proxy to encrypt all traffic
    that leaves the proxy
  • Scalable up to 10,000 concurrently logged in
    clients and 1,000 concurrent calls per server
  • Remote users only have access to pre-determined,
    application-specific resources
  • Versus traditional VPN solutions, which give
    the user full access to the enterprise or service
    provider network

13
The VCON Encryption Client
  • Supports PC-based devices
  • Windows 98, NT, 2000, XP
  • UserID and Password authentication to the
    Encryption Server
  • Encrypts signaling and media streams immediately
    as they leave the PC-based device
  • DES, 3DES, AES encryption standards
  • No charge client
  • Downloadable from the VCON website

14
All PC-Based Devices Configuration
[Diagram labels: Advanced Encryption Server; Encryption Client; PC-Based Endpoints; Public Network; MXM; Firewall/NAT; VCB (MCU)]
  • All PC-based devices running the Encryption
    Client are logged in to the Advanced Encryption
    Server
  • Data streams flow directly between the devices
    without passing through the Encryption Server
  • Unless both participants have private IP addresses

15
Leveraging the ALG Proxy for Encryption
[Diagram labels: Advanced Encryption Server; Encryption Client; PC-Based Endpoints; ALG Proxy (Inside); ALG Proxy (Outside); Public Network; Firewall/NAT; Non-PC Devices; MCU]
  • The outside proxy is enabled with encryption
  • This proxy only counts as a single client login
    on the Encryption Server
  • Allows encryption for non-PC devices, including
    MCUs
  • All traffic across the public network is encrypted

16
Versatility of the SecureConnect Solution
[Diagram labels: Branch Office or Small Business; Headquarter / NOC; Encryption Server; ALG Proxy; MXM; Public Network; ALG Proxy; Home Office; VCB; Road Warriors; legend: Encrypted Segments, Non-Encrypted Segments]
Does not necessarily reflect the actual path of
the media streams during a conference
17
High Availability Features
  • Dual NIC cards
  • RAID controller mirrored hard drives
  • Dual memory modules
  • Software watchdog for services
18
Other SecureConnect Features
  • 1 year software subscription included with all
    SecureConnect servers
  • Access to all SW enhancements for a period of 1
    year
  • Scalability upgrades accomplished via a license
    key
  • No need to take the system out of service

19
Thank you!