Best practices: prevent your videoconferencing deployment from being compromised
A white paper by Ben Hockley, Software Developer
As videoconferencing and online collaboration have grown in use and popularity over the past few decades, new technologies, reduced costs and increased capabilities have opened virtual meetings up to many more participants.
With increasing use comes an increased risk of systems coming under attack from outsiders. Companies risk industrial and corporate espionage and information theft. Several recent scandals have shown that companies and individuals are not always completely secure.
Pexip Infinity addresses these security challenges. Numerous security measures are in place to prevent unwanted audiences from listening in and stealing communications. The Pexip Infinity platform has been designed to comply with the strictest US Federal requirements.
The focus of this white paper is to discuss best practices that can help secure your videoconferencing deployment, and how Pexip Infinity will fit in with your existing network security architecture and help address your security concerns.
There are many types of potential attacks on video systems, including:
- attacks on the Operating System of video systems
- attacks on the management user interface or APIs of video servers
- DOS/DDOS Attacks on video servers
- rogue calls: signaling
- rogue calls: media
Thankfully there are also a wide variety of security measures that are commonly used to repel and mitigate the effects of such attacks. Some attacks and protective measures are discussed below.
Virtually all video systems – including many popular video conferencing servers, dedicated videoconferencing room systems and all desktop soft clients – run on some sort of general-purpose operating system (OS) such as Windows, OS X or Linux, or a mobile operating system such as iOS or Android. Pexip Infinity is no exception.
Because of this, these video systems may be vulnerable to security issues arising from misconfiguration of the OS or software vulnerabilities in the OS – just like any other comparable computer system.
- Ensure use of strong administrator credentials.
- Use a firewall to prevent unauthorized network traffic from reaching your devices.
- Use your firewall to block unauthorized access to services and network ports that are not required to be exposed for video communications to work correctly. (For example, the management UI HTTPS, SNMP and SSH services of your video systems do not usually need to be accessible to anyone other than your network administrator.)
- Keep the operating system updated with the latest versions of all relevant service packs and security updates.
- For software-based video solutions, always run the latest suitable release provided by your vendor.
- For embedded video solutions and mobile devices, keep the firmware updated to the latest revision.
- Disable unneeded operating system services where possible.
- For end-user systems, consider installing a personal firewall.
- Pexip Infinity uses a customized, cut-down version of Linux which has been designed to avoid exposing unnecessary network services and thus naturally limits the “attack surface” available to an attacker.
- Pexip regularly releases new software versions which incorporate the very latest operating system security patches.
For ease of management, many video servers expose management and monitoring APIs and user interfaces. These interfaces provide useful capabilities for managing your video deployment – but are also a potential target for attackers to use when launching an attack.
- Keep video server applications updated with the latest version of any software.
- Disable unneeded services.
- Use a firewall to block unauthorized access to services and network ports that are not required to be exposed for video communications – only your network administrator should have access to the HTTP(S), SSH and SNMP services of your video systems.
- Ensure use of strong administrator credentials.
- Pexip Infinity APIs and management interfaces are password or PIN protected.
- Pexip Infinity can benefit from standard firewall-based protection of services, just like any other enterprise application.
Many network services, including video-based services, can be vulnerable to a class of attack called a Denial of Service (DOS) attack (or a Distributed Denial of Service (DDOS) attack, in which the DOS attack originates from multiple locations). In these attacks, access to the service is disrupted by a malicious attacker sending large volumes of unsolicited traffic to the server, causing CPU and/or network bandwidth to become overloaded to the point where legitimate video calls can no longer be placed or maintained.
- Use a firewall to block unauthorized access to services and network ports that are not required to be exposed for video communications.
- Disable unneeded services altogether.
- Use the features of your firewall, your firewall traversal solution and/or Session Border Controller (SBC) and other call control systems to ensure only legitimate video calls are permitted to traverse your firewall.
- Pexip Infinity can be protected by your firewall just like all your other enterprise applications.
- Pexip Infinity is fully compatible with popular firewall traversal solutions and SBCs – which can themselves provide a further layer of protection.
Recent security scandals have revealed widespread spying on personal and corporate communications which were previously thought to have been private.
- Always deploy a firewall and use this to protect all of your devices.
- In sensitive deployments, consider use of a multi-layered and potentially multi-vendor solution. In a single vendor, single layer solution the same bugs and vulnerabilities may exist across multiple components which share common code; a multi-layered multi-vendor approach makes it harder for an attacker to penetrate the network.
- Disable auto-answer on all your room systems.
- Avoid using public services for sensitive video communications. Use your own trusted video servers or trusted service providers.
- Follow industry-standard best practices when deploying your video services.
- Where possible, ensure that internal communication between clients in the same corporate network stays within a trusted network (such as your corporate or a trusted service provider network).
- Enable the strongest level of authentication and encryption on all of your audio and video clients.
- Use proper (paid for) TLS/SSL certificates from a respectable source on all your video conferencing servers.
- Ensure your call control systems are configured to reject unauthorized calls.
- Enable PIN protection on your Virtual Meeting Rooms – and use a long, unique, randomly-generated PIN for each Virtual Meeting Room.
- Regularly change the PIN on each Virtual Meeting Room.
- Pexip Infinity supports the latest industry standards for encryption for communication with end-user devices, ensuring that end-to-end security is as strong as possible.
- The Pexip Infinity distributed solution employs IPsec security to provide strong protection of all inter-cluster communications.
- Pexip Infinity can connect legacy devices in the corporate network (which may not themselves support encryption) and encrypt on behalf of those devices when connecting to external devices which do support encryption.
- Pexip Infinity works with all popular video call control systems in the market today.
- Pexip Infinity supports TLS and supports installation of your own TLS certificates – so clients and other servers can verify that they have genuinely connected to the correct Pexip Infinity server and not an impostor (a “man-in-the-middle”).
- Pexip Infinity conference features such as the on-screen Audio Avatar and +n indicator make it hard for uninvited eavesdroppers to go undetected.
- The Pexip Infinity applications for web, Android and iOS show a roster list of all meeting participants – also making it harder for uninvited eavesdroppers to go undetected.
- Pexip Infinity supports PIN protected Virtual Meeting Rooms for an additional layer of security.
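The PIN recommendations above (long, unique, randomly generated, rotated regularly) can be enforced by a small audit script. The following is an added example, not part of this white paper or of Pexip's software; the PIN length, the 90-day maximum age and the sample room inventory are assumptions.

```python
import secrets
from datetime import datetime, timedelta

# Hypothetical policy values (assumptions, not Pexip defaults): minimum PIN
# length and the maximum age before a Virtual Meeting Room PIN is rotated.
PIN_LENGTH = 8
MAX_PIN_AGE = timedelta(days=90)


def is_weak_pin(pin: str) -> bool:
    """True for PINs that are short, non-numeric, repetitive or sequential."""
    if len(pin) < PIN_LENGTH or not pin.isdigit():
        return True
    if len(set(pin)) == 1:                       # e.g. 88888888
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps <= {1} or steps <= {-1}         # e.g. 12345678 / 87654321


def generate_pin(existing: set[str]) -> str:
    """Return a cryptographically random PIN that no other room already uses."""
    while True:
        pin = "".join(str(secrets.randbelow(10)) for _ in range(PIN_LENGTH))
        if not is_weak_pin(pin) and pin not in existing:
            return pin


def rooms_needing_rotation(rooms: dict[str, tuple[str, datetime]],
                           now: datetime) -> list[str]:
    """Rooms whose PIN is weak, shared with another room, or older than MAX_PIN_AGE."""
    owners: dict[str, list[str]] = {}
    for name, (pin, _) in rooms.items():
        owners.setdefault(pin, []).append(name)
    return [
        name for name, (pin, set_at) in rooms.items()
        if is_weak_pin(pin) or len(owners[pin]) > 1 or now - set_at > MAX_PIN_AGE
    ]


# Constructed sample inventory: room alias -> (current PIN, when it was set).
NOW = datetime(2024, 1, 1)
SAMPLE_ROOMS = {
    "sales.vmr": ("1234", NOW - timedelta(days=10)),        # short and sequential
    "board.vmr": ("48213907", NOW - timedelta(days=200)),   # strong but stale
    "eng.vmr":   ("73910265", NOW - timedelta(days=5)),
    "hr.vmr":    ("73910265", NOW - timedelta(days=5)),     # same PIN as eng.vmr
    "legal.vmr": ("58041736", NOW - timedelta(days=30)),    # compliant
}

if __name__ == "__main__":
    in_use = {pin for pin, _ in SAMPLE_ROOMS.values()}
    for room in rooms_needing_rotation(SAMPLE_ROOMS, NOW):
        print(f"{room}: rotate PIN -> {generate_pin(in_use)}")
```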
Popular signaling protocols often embed the IP address of the end-user system in certain messages during call establishment. This “leaks” information about the network topology – the IP addresses that the end-user systems are using – which could then be of use in subsequent “blended” attacks during a concerted attack against an organization.
- Protect video systems by keeping them behind the corporate firewall wherever possible.
- Ensure calls pass through a topology-hiding server such as the Pexip Infinity Distributed Gateway (in addition to using any such facilities provided by your existing firewall traversal solution or SBC).
- A Pexip Infinity Distributed Gateway solution, unlike a basic SIP proxy or non-call routed gatekeeper, will ensure that any call that reaches an external client has been generated entirely by Pexip Infinity itself (not by the internal client placing the initial call). This means that the IP address of the internal client is not leaked.
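To make the leak concrete: in SIP the calling client's address shows up in the Via, Contact and Call-ID headers and in the SDP o= and c= lines. The script below is an added illustration (not Pexip code and not how the Distributed Gateway is implemented) that finds those addresses in a constructed INVITE and then rewrites the message the way a call-routed, topology-hiding gateway presents its own outbound leg. The RFC 1918 ranges, the gateway address 203.0.113.10 and the sample message are assumptions.

```python
import ipaddress
import re
import secrets

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Address ranges treated as internal topology (assumption: RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample INVITE as an internal client would send it (not a capture
# from any real deployment). The client's private address 10.0.5.23 appears in
# the Via, Call-ID and Contact headers and in the SDP o= and c= lines.
INTERNAL_INVITE = "\r\n".join([
    "INVITE sip:alice@partner.example SIP/2.0",
    "Via: SIP/2.0/TLS 10.0.5.23:5061;branch=z9hG4bK776asdhds",
    "From: <sip:bob@corp.example>;tag=1928301774",
    "To: <sip:alice@partner.example>",
    "Call-ID: a84b4c76e66710@10.0.5.23",
    "Contact: <sip:bob@10.0.5.23:5061;transport=tls>",
    "Content-Type: application/sdp",
    "Content-Length: 0",          # placeholder; hide_topology() recomputes it
    "",
    "v=0",
    "o=bob 2890844526 2890844526 IN IP4 10.0.5.23",
    "s=-",
    "c=IN IP4 10.0.5.23",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
])


def leaked_internal_addresses(msg: str) -> set[str]:
    """Every internal IPv4 address that appears anywhere in a SIP message."""
    leaked = set()
    for candidate in IPV4.findall(msg):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            leaked.add(candidate)
    return leaked


def hide_topology(msg: str, gateway_ip: str) -> str:
    """Present the message as a topology-hiding gateway would on its external leg."""
    head, sep, body = msg.partition("\r\n\r\n")
    for addr in leaked_internal_addresses(msg):
        head = head.replace(addr, gateway_ip)   # Via / Contact now name the gateway
        body = body.replace(addr, gateway_ip)   # SDP o= / c= now name the gateway
    # The external leg is the gateway's own call, so it gets a fresh Call-ID.
    head = re.sub(r"(?m)^Call-ID: [^\r\n]*",
                  f"Call-ID: {secrets.token_hex(16)}@{gateway_ip}", head)
    # Rewriting the SDP changes its size, so Content-Length must be recomputed.
    head = re.sub(r"(?m)^Content-Length: [^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + sep + body
```

Run `leaked_internal_addresses()` against your own signaling traces to see what an external party would learn without a topology-hiding hop in the path.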
Popular voice and video clients use protocols such as SIP, H.323 and MS-SIP or proprietary protocols to initiate and receive video calls.
A common attack encountered is when rogue calls – such as Spam Over Internet Telephony (SPIT) or toll fraud call attempts – are targeted at an organization’s SIP (or, more rarely, H.323) infrastructure. In one common attack, the attacker will place a large volume of calls to numeric aliases (usually using SIP UDP) to try to gain access to a VoIP to PSTN gateway – and, if successful, use the gateway to commit toll fraud, running up a large phone bill for the victim.
Additionally, specially crafted attacks involving deliberately malformed packets can be used to exploit bugs in video clients and allow an attacker to cause a video call to disconnect, crash, or even to execute unauthorized code (a so-called “remote code execution vulnerability”) - often with the same user account privileges as the device's user.
- Protect against toll fraud by ensuring that access to your VoIP gateway or your VoIP provider's SIP trunk and other important resources is carefully restricted – especially for unauthenticated external SIP/H.323 callers.
- Ensure your WebRTC solution is configured securely – and that this also does not permit unrestricted/unauthorized access to valuable resources such as your PSTN gateway or your VoIP provider's SIP trunk.
- Lock down call routing to ensure that calls to invalid aliases are rejected at the earliest opportunity, ideally at the perimeter of your network.
- Use all the relevant features available in your call control and SBC.
- Monitor the logs of your systems and use features of your firewall to block offenders.
- Consider disabling SIP UDP traffic support altogether in your solution as this is the most commonly targeted signaling service. SIP TLS is a much better solution and, at the time of writing, is less commonly the target of concerted attacks.
- Protect voice and video systems by keeping them behind the corporate firewall wherever possible.
- Keep your voice and video clients and servers updated with the latest version of any software (including all the newest security patches for both relevant applications and the host operating system).
- Enable authentication and call admission control features in your call control solution.
- Use a firewall traversal solution, SBC, and/or Edge Server in conjunction with a signaling gateway solution such as a Pexip Infinity Virtual Meeting Room (for multi-party calls) or a Pexip Infinity Distributed Gateway (for point to point calls) to allow mediated communication between internal and external video clients and to ensure that any signaling that reaches the client has passed through and been checked and re-encoded by one or more trusted servers.
- Pexip Infinity services (Pexip Infinity Virtual Meeting Rooms for multi-party calls, or Pexip Infinity Distributed Gateway for point to point calls) can be used to mediate communications between internal and external video clients.
- With an appropriately deployed Pexip Infinity solution, any signaling that reaches internal clients will have been generated by Pexip Infinity itself (not the external client) – thus internal clients will be isolated safely from signaling based attacks originating from outside the network.
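The "monitor the logs and block offenders" advice above can be turned into a simple detector for the numeric-alias scanning pattern described in this section. This is an added example, not Pexip code and not Pexip's log format: the line layout, the 5-minute window, the 4-attempt threshold and the sample records are all constructed for illustration. It returns the sources to block rather than issuing firewall commands, since that step depends on your own firewall.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not Pexip's): one line per incoming
# INVITE giving source address, dialled alias, transport and SIP result code.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) INVITE from=(?P<src>[\d.]+) to=sip:(?P<alias>[^@\s]+)@\S+"
    r" transport=(?P<transport>\w+) result=(?P<result>\d{3})$"
)
NUMERIC_ALIAS = re.compile(r"^\+?\d{4,}$")   # PSTN-looking dialled digits
WINDOW = timedelta(minutes=5)                 # hypothetical detection window
THRESHOLD = 4                                 # hypothetical attempts per window

def parse(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def find_offenders(lines):
    """Source IP -> {attempts, succeeded} for sources scanning numeric aliases."""
    attempts = defaultdict(list)              # src -> [(timestamp, result), ...]
    for line in lines:
        ev = parse(line)
        if ev and NUMERIC_ALIAS.match(ev["alias"]):
            attempts[ev["src"]].append((ev["ts"], ev["result"]))
    offenders = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:  # slide window forward
                start += 1
            if end - start + 1 >= THRESHOLD:
                offenders[src] = {"attempts": len(events),
                                  # a 200 means a scanned alias reached something
                                  "succeeded": any(r == "200" for _, r in events)}
                break
    return offenders

# Constructed sample: one source sweeping international numbers over SIP UDP,
# one legitimate TLS call to a named room, one source below the threshold.
SAMPLE_LOG = [
    "2024-03-02T03:14:07Z INVITE from=198.51.100.7 to=sip:0019005550101@vc.corp.example transport=UDP result=404",
    "2024-03-02T03:14:09Z INVITE from=198.51.100.7 to=sip:0019005550102@vc.corp.example transport=UDP result=404",
    "2024-03-02T03:14:12Z INVITE from=198.51.100.7 to=sip:0019005550103@vc.corp.example transport=UDP result=404",
    "2024-03-02T03:14:31Z INVITE from=198.51.100.7 to=sip:0019005550104@vc.corp.example transport=UDP result=200",
    "2024-03-02T03:15:02Z INVITE from=192.0.2.44 to=sip:alice.vmr@vc.corp.example transport=TLS result=200",
    "2024-03-02T03:16:40Z INVITE from=198.51.100.9 to=sip:2001@vc.corp.example transport=UDP result=404",
    "2024-03-02T03:16:41Z INVITE from=198.51.100.9 to=sip:2002@vc.corp.example transport=UDP result=404",
]
```

A "succeeded" entry is the one to treat as urgent: it means a swept alias was answered, which is exactly the gateway exposure the section warns about.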
Popular voice and video clients use audio and video codecs to encode the audio and video streams in video calls. Specially crafted attacks involving deliberately malformed packets can sometimes exploit bugs in video client software and allow an attacker to cause a call to disconnect, a client to crash or, in extreme cases, even to cause the client to run unauthorized code on the endpoint device - a so-called “remote code execution vulnerability”. The end-user device is often a standard laptop, tablet or desktop machine running the video client – thus the potential information leakage in such situations is of considerable concern.
- Protect video clients by keeping them behind the corporate firewall where possible.
- Keep your video clients updated with the latest version of any software (including all the newest security patches).
- Enable authentication, certificate verification and call admission control features on your call control solution as appropriate to your needs.
- Use a media handling solution such as a Pexip Infinity Virtual Meeting Room (for multi-party calls) or a Pexip Infinity Distributed Gateway (for point to point calls) to allow only mediated communication between internal and untrusted external video clients and to ensure that any media that reaches the internal video clients has passed through, been decoded and been safely checked by one or more trusted servers (such as a Pexip Infinity server).
- In sensitive deployments consider use of a multi-layered, multi-vendor solution. In a single vendor solution the same bugs and vulnerabilities may exist across multiple components which share common code; a multi-layered multi-vendor approach makes it harder for an attacker to penetrate the network.
- Pexip Infinity decodes and validates the media in audio and video calls and therefore can provide some protection against media-based attacks (unlike some switching MCUs and firewall traversal solutions which blindly forward them unaltered, or only perform a shallow inspection of media packets).
- Because Pexip Infinity handles all media streams it can therefore be used to ensure only server-mediated communication occurs between trusted internal and untrusted external audio and video clients. Any media that reaches the internal audio and video clients through Pexip Infinity Gateway will have passed through, been decoded and checked by the Pexip Infinity server – rendering many media based attacks harmless.
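The difference between "blindly forwarding" media and decoding and checking it starts at the packet framing. The following added example (not Pexip code, and not how Pexip Infinity validates media) parses the RTP fixed header from RFC 3550, which carries the audio and video streams in SIP and H.323 calls, and rejects the malformed framings a shallow forwarder would pass through unchanged: a lying extension-length field, an impossible padding length, a truncated header or an un-negotiated payload type. The allowed payload types and the sample packets are constructed assumptions.

```python
import struct

RTP_VERSION = 2
FIXED_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC

def validate_rtp(packet: bytes, allowed_payload_types=frozenset({0, 8, 9})):
    """Check an RTP packet's framing (RFC 3550) before it is decoded or forwarded.

    Returns (ok, reason). The default payload types are PCMU/PCMA/G.722, an
    assumption standing in for whatever the call actually negotiated.
    """
    if len(packet) < FIXED_HEADER.size:
        return False, "shorter than fixed header"
    b0, b1, _seq, _ts, _ssrc = FIXED_HEADER.unpack_from(packet)
    version, padding, extension, cc = b0 >> 6, (b0 >> 5) & 1, (b0 >> 4) & 1, b0 & 0x0F
    payload_type = b1 & 0x7F
    if version != RTP_VERSION:
        return False, f"bad version {version}"
    offset = FIXED_HEADER.size + 4 * cc           # CSRC identifiers follow the header
    if extension:
        if len(packet) < offset + 4:
            return False, "truncated extension header"
        ext_words = struct.unpack_from("!H", packet, offset + 2)[0]
        offset += 4 + 4 * ext_words
    if offset > len(packet):
        return False, "header overruns packet"   # length field larger than the packet
    if padding:
        pad = packet[-1]                          # last octet gives padding length
        if pad == 0 or pad > len(packet) - offset:
            return False, "invalid padding length"
    if payload_type not in allowed_payload_types:
        return False, f"unexpected payload type {payload_type}"
    return True, "ok"

def build_rtp(payload_type: int, seq: int, ts: int, ssrc: int, payload: bytes) -> bytes:
    """Assemble a well-formed RTP packet with no CSRCs, extension or padding."""
    return FIXED_HEADER.pack(RTP_VERSION << 6, payload_type, seq, ts, ssrc) + payload

# Constructed packets: one valid G.711 frame and three malformed ones.
SAMPLES = {
    "valid":       build_rtp(0, 1, 160, 0x1234ABCD, b"\xff" * 160),
    "version0":    b"\x00" * 12,
    "huge_ext":    bytes([0x90, 0, 0, 1]) + b"\x00" * 8 + b"\x00\x00\xff\xff",
    "bad_padding": bytes([0xA0, 0]) + b"\x00" * 10 + b"\x00\x00\xff",
}

def triage(samples: dict) -> dict:
    """Map sample name -> validation reason, as a media gateway would log drops."""
    return {name: validate_rtp(pkt)[1] for name, pkt in samples.items()}
```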
- Pexip Infinity uses a customized, hardened Linux distribution with both best-of-breed open source and proprietary components.
- Pexip Infinity includes a cryptographic module that has been independently certified to comply with the FIPS (Federal Information Processing Standard) 140-2 standard.
- Pexip Infinity is JITC (Joint Interoperability Test Command) certified and is compliant with the relevant standards for interoperability and information assurance/security established by the US Department of Defense.
- Pexip Infinity management services are exposed only over HTTPS (with redirect from HTTP) and SSH – both secure, encrypted management protocols.
- To ensure security, Pexip Infinity’s password-protected management APIs are exposed over TLS only.
- Pexip Infinity supports certificate verification, including, optionally, the use of Online Certificate Status Protocol (OCSP) for certificate validity verification.
- Pexip Infinity uses IPsec to ensure the privacy and authenticity of all inter-cluster traffic.
- In addition to storing logs internally, the Pexip Infinity solution supports remote logging via the industry-standard syslog protocol to ensure that the audit trail can be stored externally.
- We release new software frequently, incorporating the latest bug-fixes and security enhancements into our Operating System and application software.
- We follow industry best practices and ensure that we limit our attack surface as far as possible, to ensure defense in depth.
- We ensure our application software runs as a low-privileged operating system user to ensure that, should the unthinkable happen and an attacker “break in”, damage is limited and compartmentalized as far as possible.
- We regularly run industry-standard protocol attack suites against our software as we develop it – to ensure that no vulnerabilities are inadvertently introduced.
- The Pexip Incident Reporting mechanism allows customers to automatically report issues affecting the correct operation of Pexip software – allowing Pexip developers to pro-actively and promptly identify and fix any such issues.
- In addition to careful manual testing, Pexip regularly runs large suites of automated tests and automated code quality checkers to try and identify potential issues before they are ever released.
If and when bugs (including security issues) are discovered, we write automated tests to verify that our fix for the issue works as intended. We run all such tests against every subsequent build of Pexip software to ensure that when we fix a bug it remains fixed in all future versions - and protect against regressions.
- Video clients and video servers represent an important resource in your network – and a potential target for external attackers.
- We have seen that there are a wide variety of different types of attacks possible on audio and video communication systems.
- We have also seen how a multi-layered, multifaceted approach to security is required to provide the best protection for your network.
- Carefully following industry-standard best practices in the use of credentials, encryption, authentication, certificates, firewalls, SBCs and firewall traversal can all play a part in maintaining security in your voice and video network.
- Pexip Infinity Virtual Meeting Rooms (for multi-point calls) and Pexip Infinity Gateway (for point to point calls) can provide an additional layer of isolation in your video solution – and enhance network security overall by providing protection against certain classes of attack.