Summary of site setup recommendations

Download as PDFDownload as PDF

In this section we list security-related issues to consider when deploying an H.323 service, in particular when joining the JANET H.323 service, using a studio system on the local campus.

Using the JVCS-IP

In the context of the JVCS-IP, that service will be responsible for:

  • MCU set-up at the JANET C-PoPs;
  • gatekeeper set-up at the JANET C-PoPs;
  • monitoring and security checks of the publicly accessible C-PoP H.323 devices;
  • informing users of the booking system of the importance of the privacy of any booking information the users see (having logged into the booking system);
  • resilience to DoS attacks on the C-PoP-hosted H.323 components.

Responsibilities for sites connecting to the service include:

  • set-up, configuration and security checks of any site gatekeeper used;
  • set-up, configuration and security checks of any site proxy and/or firewall;
  • security of the site H.323 videoconferencing studio;
  • deployment of switched Ethernet paths to the studio and for network management;
  • physical security of the H.323 terminal;
  • lockdown of configuration options for the H.323 terminal;
  • ensuring any site gatekeeper is manually configured, not using multicast discovery;
  • liaising with the Regional Networks for QoS provision where required.

Further site-specific issues are described in Appendix A.

The JANET Videoconferencing Management Centre is responsible for performing site (studio) tests for quality assurance [JVCS-IP].

Risk assessment

The following table shows some recommendations and suggested risk assessment considerations. This is not an exhaustive list; sites should perform their own assessment exercises.

Figure 7: H.323 risk assessment threats
Threat Likelihood Impact Countermeasures
Theft of system Low High Physical security, alarms, CCTV.

Unauthorised monitoring

of an H.323 session


Variable, depending

on nature of conference

Use of encryption methids: e.g. H.235,

VPNs, IPSec.

Use of switched Ethernet.

Do not publish future sessions.

Unauthorised joining in an

H.323 session


Variable, depending

on nature of conference

Controls at the gatekeeper / MCU.

Do not publish future sessions.

Network adaptor / cable

problems causing poor


High High

Test physical cabling.

Check duplex / speed settings.

Gatekeeper ceases to

function through hardware

or failure

Low High

Offer redundant gatekeeper devices to avoid single

point of failure

User at client terminal

is an imposter

Very low Variable

Unlikely to be required as the person should be

recognisable visually, so the threat is very low