Configuring Basic Security

Figure 8-4 shows a general configuration for video conferencing security. This configuration involves layers of security, with protection both at the edges of the network and inside the network.

Figure 8-4 Basic Configuration for Video Conferencing Security

[Figure not reproduced. Elements labeled in the figure: Call Control Servers + HIPS; Guest Call Control Servers + HIPS; Router + Microflow Policing; Internal Firewall; External NAT/Firewall; VPN Concentrator; Teleworker; Switches + L2 Protection; Internal Video Conferencing Endpoints.]

This topology shows a three-legged firewall. The firewall has connections for the enterprise, the Internet, and a demilitarized zone (DMZ). The DMZ contains servers that are accessible by both the internal network and the public Internet. These servers consist of authoritative DNS servers and call control servers that allow endpoints on the public Internet to connect to endpoints inside the enterprise. The firewall has a relatively loose set of rules to allow internal and external endpoints to connect to servers in the DMZ, but it has a stricter set of rules that protects the interior of the enterprise network from both the DMZ and the public Internet.

In addition, the firewall's connection to the inner enterprise network runs a Network Address Translation (NAT) device. The NAT translates private IP addresses inside the enterprise to public addresses routable on the public Internet. The ability of endpoints inside the network to connect to endpoints outside the network through the NAT and firewall is called NAT/firewall traversal, often abbreviated as NAT/FW traversal. NAT/FW traversal can pose a problem for video conferencing protocols, as you learn later in the "NAT/FW Traversal" section.
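The zone policy and NAT behavior just described can be modeled in a few dozen lines. The following Python is an added illustration, not code from the book or from any firewall product: it treats the three legs as zones, applies a loose rule set toward the DMZ and a default-deny rule set toward the inside, and shows why a reply from the Internet is admitted only when an inside host created the translation. The DNS (53) and call-control (1720, 5060, 5061) port numbers and all addresses are assumptions.

```python
"""Zone model of the three-legged firewall and NAT described above.

Added illustration, not code from the book or from any vendor product.
Assumptions: DNS on 53, call-control signalling on 1720 (H.323) and
5060/5061 (SIP); all addresses are constructed documentation ranges.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: inside uses private space, the DMZ a small public block.
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("203.0.113.0/24"),
}
DNS_PORTS = {53}
CALL_CONTROL_PORTS = {1720, 5060, 5061}   # assumption: H.323 and SIP signalling


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"   # anything else is the public Internet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


# (src_zone, dst_zone) -> ordered rules (proto, ports, verdict); first match wins,
# and a zone pair with no matching rule is denied. Loose toward the DMZ, strict
# toward the inside: no rule at all admits outside->inside or dmz->inside.
POLICY = {
    ("outside", "dmz"): [
        ("udp", DNS_PORTS, "permit"),
        ("tcp", DNS_PORTS, "permit"),
        ("tcp", CALL_CONTROL_PORTS, "permit"),
        ("udp", CALL_CONTROL_PORTS, "permit"),
    ],
    ("inside", "dmz"): [("any", None, "permit")],
    ("inside", "outside"): [("any", None, "permit")],
}


def evaluate(flow: Flow) -> str:
    """Stateless rule lookup for a packet that crosses between zones."""
    pair = (zone_of(flow.src), zone_of(flow.dst))
    if pair[0] == pair[1]:
        return "permit"   # same zone: the firewall is not in the path
    for proto, ports, verdict in POLICY.get(pair, []):
        if proto in ("any", flow.proto) and (ports is None or flow.dport in ports):
            return verdict
    return "deny"


class StatefulNat:
    """Port address translation on the inside leg. Replies from the Internet are
    admitted only when they match a translation an inside host created."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}   # public port -> (inside_ip, inside_port)

    def outbound(self, inside_ip: str, inside_port: int) -> tuple:
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (inside_ip, inside_port)
        return (self.public_ip, public_port)

    def inbound(self, public_port: int):
        return self.table.get(public_port)   # None: no session, packet is unsolicited


def admit(flow: Flow, nat: StatefulNat) -> str:
    """Decision for a packet arriving on the firewall's outside interface."""
    if flow.dst == nat.public_ip:
        # Addressed to the NAT itself: only established translations get through.
        return "permit" if nat.inbound(flow.dport) is not None else "deny"
    return evaluate(flow)


if __name__ == "__main__":
    nat = StatefulNat("192.0.2.1")
    print(evaluate(Flow("198.51.100.7", "203.0.113.10", "tcp", 5060)))  # permit: Internet -> DMZ call control
    print(evaluate(Flow("198.51.100.7", "10.0.0.5", "tcp", 5060)))      # deny: Internet -> inside endpoint
    print(nat.outbound("10.0.0.5", 16384))                               # ('192.0.2.1', 40000)
    print(admit(Flow("198.51.100.7", "192.0.2.1", "udp", 40000), nat))  # permit: reply to inside session
    print(admit(Flow("198.51.100.7", "192.0.2.1", "udp", 40001), nat))  # deny: unsolicited
```

The last two lines of the demo are the NAT/FW traversal problem in miniature: a remote endpoint can only reach an inside endpoint on a port the inside endpoint already opened, so signaling that tells the far side to send media to a private address or an untranslated port fails at this firewall.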

The enterprise also has a VPN concentrator that allows remote workers or small remote branch offices to connect through a firewall. Tunneling authenticated virtual private network (VPN) streams from teleworkers through a firewall requires a simple firewall configuration and is highly secure.

Also shown in Figure 8-4 is Layer 2 protection in the form of port security, dynamic ARP inspection, and DHCP snooping, all of which are features of Cisco switches.
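To show how those three switch features cooperate, here is an added Python simulation of one access switch; it is not code from the book or from Cisco IOS. DHCP snooping builds a binding table from leases that arrive through the trusted uplink, dynamic ARP inspection (DAI) checks ARP on untrusted ports against that table, and port security caps the MAC addresses learned per endpoint port. Port names, MAC addresses and IP addresses are constructed.

```python
"""Simulation of the Layer 2 protections named above (port security, DHCP
snooping, dynamic ARP inspection) on one access switch.

Added illustration, not code from the book or from Cisco IOS. Port names,
MAC addresses and IP addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AccessSwitch:
    trusted_ports: set                       # uplinks toward the legitimate DHCP server
    max_macs_per_port: int = 1               # port-security limit for endpoint ports
    macs_on_port: dict = field(default_factory=dict)   # port -> {mac}
    pending: dict = field(default_factory=dict)        # client mac -> port of its DHCP request
    bindings: dict = field(default_factory=dict)       # client mac -> (ip, port): snooping table
    log: list = field(default_factory=list)

    def _port_security(self, port: str, mac: str) -> bool:
        """Limit the number of source MACs learned on an untrusted port."""
        if port in self.trusted_ports:
            return True
        macs = self.macs_on_port.setdefault(port, set())
        if mac not in macs and len(macs) >= self.max_macs_per_port:
            self.log.append(f"port-security: violation on {port}, extra MAC {mac}")
            return False
        macs.add(mac)
        return True

    def dhcp_client(self, port: str, client_mac: str) -> bool:
        """DISCOVER/REQUEST from an endpoint: remember which port asked."""
        if not self._port_security(port, client_mac):
            return False
        self.pending[client_mac] = port
        return True

    def dhcp_server(self, port: str, kind: str, client_mac: str, ip: str) -> bool:
        """OFFER/ACK: DHCP snooping forwards these only from trusted ports and
        records the lease from an ACK in the binding table."""
        if port not in self.trusted_ports:
            self.log.append(f"dhcp-snooping: dropped {kind} on untrusted {port}")
            return False
        if kind == "ACK" and client_mac in self.pending:
            self.bindings[client_mac] = (ip, self.pending.pop(client_mac))
        return True

    def arp(self, port: str, sender_mac: str, sender_ip: str) -> bool:
        """DAI: on untrusted ports the sender MAC/IP pair must match a snooped binding."""
        if port in self.trusted_ports:
            return True
        if not self._port_security(port, sender_mac):
            return False
        bound = self.bindings.get(sender_mac)
        if bound != (sender_ip, port):
            self.log.append(f"dai: dropped ARP {sender_ip}/{sender_mac} on {port}")
            return False
        return True


def run_scenario() -> dict:
    """Constructed sequence of frames on a switch with Gi1/0/24 as the trusted uplink."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/24"})
    results = {}
    results["discover"] = sw.dhcp_client("Gi1/0/1", "00:00:5e:00:53:aa")
    # A DHCP server answering from an endpoint port: its OFFER never reaches the client.
    results["rogue_offer"] = sw.dhcp_server("Gi1/0/2", "OFFER", "00:00:5e:00:53:aa", "10.0.1.200")
    # The real server answers through the trusted uplink and a binding is created.
    results["real_ack"] = sw.dhcp_server("Gi1/0/24", "ACK", "00:00:5e:00:53:aa", "10.0.1.10")
    results["valid_arp"] = sw.arp("Gi1/0/1", "00:00:5e:00:53:aa", "10.0.1.10")
    # A host with no lease asserting the gateway's address is stopped by DAI.
    results["spoofed_arp"] = sw.arp("Gi1/0/2", "00:00:5e:00:53:bb", "10.0.1.1")
    # A second MAC appearing on the endpoint port trips port security.
    results["extra_mac"] = sw.dhcp_client("Gi1/0/1", "00:00:5e:00:53:cc")
    results["log"] = sw.log
    results["bindings"] = sw.bindings
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The order matters in practice as it does here: DAI has nothing to validate against until DHCP snooping has populated the binding table, so endpoints with static addresses need ARP access lists or a trusted port, and the log entries are the events a switch would export as the detection signal for each feature.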

The configuration shows three layers of protection for the call control servers: firewalls that allow only call control traffic, microflow policing on the routers to prevent denial of service (DoS) attacks, and a host-based intrusion prevention system (HIPS) on each server to further protect against malware.
