Summary of site setup recommendations

Download as PDFDownload as PDF

In this section we list security-related issues to consider when deploying an H.323 service, in particular when joining the JANET H.323 service, using a studio system on the local campus.

Using Janet Videoconferencing

In the context of Janet Videoconferencing, that service will be responsible for:

  • MCU set-up at the JANET C-PoPs;
  • gatekeeper set-up at the JANET C-PoPs;
  • monitoring and security checks of the publicly accessible C-PoP H.323 devices;
  • informing users of the booking system of the importance of the privacy of any booking information the users see (having logged into the booking system);
  • resilience to DoS attacks on the C-PoP-hosted H.323 components.

Responsibilities for sites connecting to the service include:

  • set-up, configuration and security checks of any site gatekeeper used;
  • set-up, configuration and security checks of any site proxy and/or firewall;
  • security of the site H.323 videoconferencing studio;
  • deployment of switched Ethernet paths to the studio and for network management;
  • physical security of the H.323 terminal;
  • lockdown of configuration options for the H.323 terminal;
  • ensuring any site gatekeeper is manually configured, not using multicast discovery;
  • liaising with the Regional Networks for QoS provision where required.

Further site-specific issues are described in Appendix A.

The JANET Videoconferencing Management Centre is responsible for performing site (studio) tests for quality assurance.

Risk assessment

The following table shows some recommendations and suggested risk assessment considerations. This is not an exhaustive list; sites should perform their own assessment exercises.





Theft of system



Physical security, alarms, CCTV.

Unauthorised use of system.



Security controls on dedicated device or passwords on PC system.

Unauthorised monitoring of an H.323 session.


Variable, depending on nature of conference.

Use of encryption methods: e.g. H.235, VPNs, IPSec.

Use of switched Ethernet.

Do not publish future sessions.

Unauthorised joining of an H.323 session.


Variable, depending on nature of conference.

Controls at the gatekeeper/MCU.

Do not publish future sessions.

Network adapter/cable problems causing poor performance.



Test physical cabling.

Check duplex/speed settings.

Gatekeeper ceases to function through hardware or failure.



Offer redundant gatekeeper devices to avoid single point of failure problem.

User at client terminal is an impostor.

Very Low


Unlikely to be required as the person should be recognisable visually, so the threat is very low.

Figure 7: H.323 risk assessment threats