Page 1

H.323 & Firewalls
Experiences with an OpenSource solution for the H.323 Firewall issues

Kewin Stoeckigt, Ulrich Schwenn
Computing Center Garching (RZG), Max-Planck-Gesellschaft (MPG) & Max-Planck-Institut für Plasmaphysik (IPP)
[email protected], [email protected]

SURA/ViDe 6th Annual Digital Video Workshop, Indianapolis, Indiana, USA
March 22-25, 2004

Computing Center of Max-Planck-Society and Institute of Plasmaphysics
K. Stoeckigt, U. Schwenn – H.323 Opensource Firewall Solutions

Page 2

Outline of talk
• Introduction (MPG, IPP, RZG)
• VC infrastructure overview
• H.323 & Firewalls – The Problem
• An OpenSource solution
  – Why do we use it?
  – How it works
  – ViDe.Net
  – Authentication methods
  – Other features
  – Statistics/Experiences
  – QoS Activities
• Summary

Page 3

Max-Planck-Society (MPG)
• Independent, non-profit research organization
• Promotes and supports research at its own institutes
• Institutes are organized in three sections, 80 institutes in total
  – Chemistry, Physics and Technology section: 29
  – Biological and medical section: 35
  – Arts and human science: 16
• Budget for 2004: ~ US$ 1.66 billion

Page 4

Institute of Plasmaphysics (IPP)
• Investigates physical principles underlying a nuclear fusion power plant, which – like the sun – will gain energy from the fusion of light atomic nuclei
• Member of the European Fusion Programme (EFDA)
• Member of the Helmholtz Association of National Research Centers
• Budget in 2002: US$ 150 million

Page 5

Institute of Plasmaphysics (IPP)
• Current Experiments
  – ASDEX Upgrade tokamak (Axially Symmetric Divertor EXperiment), Garching
    • Confinement with external fields and plasma current
    • Investigates crucial problems in fusion research under reactor-like conditions
  – Wendelstein 7-X, Greifswald
    • Confinement with external magnetic fields only
    • Theoretically optimized magnetic fields to overcome difficulties due to genuine 3D topology

Page 6

Computing Center (RZG)
• Located in Garching near Munich
• Since 1980 common computing center for IPP and MPG
• Offers different services to MPG institutes
  – General network access
  – High Performance Computing power (Clusters, vector machines, etc.)
  – Code optimization
  – Videoconferencing (since 1995)
  – …
• Fastest supercomputer in Germany – IBM Regatta (27 Nodes, 4.2 TFlops/s), # 31 of Top500 (11/2003)

Page 7

VC infrastructure: IPP

[Figure: IPP videoconferencing topology. Sites Garching and Greifswald, each with a T6000MS and room systems (T500, T880, 3 T500, T7000, 2 T1000, 2 VS-EX) plus 10 and 15 ViaVideo (VV) desktop clients; both sites connect to DFNVC.]

• Main Institute (700) in Garching; Branch Institute (300) in Greifswald
• 500 miles: Garching to Greifswald takes longer than traveling from Garching to New York

Page 8

VC infrastructure IPP:
• 3 lecture halls
  – 2 in Garching: Tandberg 6000 systems
  – 1 in Greifswald: Tandberg 6000 system
• 8 seminar rooms
  – 4 Tandberg 550, 7 Tandberg 880, 2 Tandberg 1000
• ~ 30 ViaVideo
• Multizone gatekeeper
  – Located in Garching
  – OpenSource (More about this later)
• Use of DFNVC service

Page 9

VC infrastructure: IPP – EFDA

[Figure: EFDA-wide videoconferencing topology. IPP in DE with the sites GAR/AUG (2 T6000 / 3 T880 / T500 / 15 VV) and HGW/W7-X (T6000 / 3 T500 / T880 / 10 VV) behind the GnuGK-Proxy, an 8 Mbps link, DFNVC and VRVS; partner sites in IL, UK, DK, FR, CH, FI, HU, IT, ES and PT with endpoints labelled VV, VS, VS128, NM, Aethra and T880.]

Page 10

H.323 & Firewalls – The Problem
• Complexity of media streams
  – Use of several sub-protocols for many channels per session
• Dynamic allocation of several parameters
  – Bandwidth / bandwidth change
  – Number of data channels changes
  – Port allocation

Page 11

H.323 & Firewalls – The Problem
• Dynamic port allocation
  – H.323 uses a few “fixed” ports, e.g. 1503 (T.120), 1719, 1720
  – Many dynamically allocated ports
    • Port range: > 2^10 & < 2^16
    • Session management of the H.323 client allocates ports randomly during setup (Phase C)
    • Approx. 4 to 6 ports per videoconference
  – Dynamically negotiated ports can’t be handled by the firewall
    • How do you open ports if you don’t know them?

Page 12

H.323 & Firewalls – The Problem
• The communication, or … what happens if …
• Setup (often) can run through the firewall, data communication is blocked by the firewall (→ dynamic ports)

[Figure: internal H.323 terminal – Firewall – external H.323 terminal; the Setup passes the firewall, the Data stream is blocked at it.]

Page 13

An OpenSource solution
• Former firewall solution – “OpenFirewalling”
  • No videoconferencing client was secured by a firewall
  • Security problem: desktops with ‘special’ data on them are not protected
• Desired solution
  – “Low-cost” solution
  – Easy to configure/administer
  – No network changes, e.g. rerouting, etc.
• We use GnuGK or TPFNAO (“The Program Formerly Known As OpenH323 Gatekeeper”)

Page 14

An OpenSource solution
• Why do we use it?
  – Costs
    • GnuGK is free (→ GPL)
    • Runs on Linux … which is also free
    • Just the hardware is necessary
  – Linux
    • Approx. 80% of all computers at RZG are Linux/Unix based
    • Linux/Unix seem more reliable than other operating systems
  – OpenSource
    • We can change the code whenever we want to, e.g. include AFS support, etc.

Page 15

An OpenSource solution
• GnuGK is a gatekeeper/proxy combination
• ALL videoconferencing traffic runs over GnuGK
• The communication … or what happens if …

[Figure: internal H.323 terminal – Gatekeeper/Proxy – Firewall – external H.323 terminal; both the Setup and the Data stream run from the internal terminal to the gatekeeper/proxy and from there through the firewall to the external terminal.]
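The two situations drawn on pages 12 and 15 can be reduced to a small model, which is added here as an illustration and is not code from the slides or from GnuGK: a stateless packet filter with rules an administrator can write in advance, an endpoint that picks its media ports at random during setup, and a gatekeeper/proxy that terminates every channel and binds its media sockets only inside a limited range (the "port range can be limited" feature on page 19). The host names "terminal.internal" and "gnugk.internal", the proxy range 50000-50999 and the rule set are constructed for the example.

```python
"""Added example, not from the original slides or from GnuGK: a small model of
why a static packet filter cannot admit a direct H.323 call, and why routing
the whole call through a gatekeeper/proxy with a limited port range fixes it.
Host names, the proxy port range and the rule set are constructed."""
import random
from dataclasses import dataclass

# Ports the slides call "fixed": 1503 (T.120), 1719 (RAS), 1720 (Q.931).
FIXED_PORTS = {1503, 1719, 1720}
# Media/control ports are negotiated per call and lie above 2^10, below 2^16.
DYN_LO, DYN_HI = 2**10, 2**16
CHANNELS = 4  # the slides say approx. 4 to 6 ports per videoconference


@dataclass(frozen=True)
class Rule:
    """Allow packets from src_zone to dst_host on destination ports lo..hi."""
    src_zone: str   # "external" or "internal" (stand-in for a subnet)
    dst_host: str
    lo: int
    hi: int

    def matches(self, src_zone, dst_host, dst_port):
        return (self.src_zone == src_zone and self.dst_host == dst_host
                and self.lo <= dst_port <= self.hi)


class Firewall:
    """Stateless filter: a packet passes if any rule matches, else it is dropped."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, src_zone, dst_host, dst_port):
        return any(r.matches(src_zone, dst_host, dst_port) for r in self.rules)


def negotiate_media_ports(rng, channels=CHANNELS):
    """Phase C of call setup: the endpoint picks a random free port per channel
    (its fixed listener ports are already in use, so they are never chosen)."""
    ports = []
    while len(ports) < channels:
        p = rng.randrange(DYN_LO, DYN_HI)
        if p not in FIXED_PORTS:
            ports.append(p)
    return ports


def build_firewall(proxy_host="gnugk.internal", proxy_range=(50000, 50999)):
    """The only rule set an administrator can write in advance: fixed H.323
    ports to the internal terminal and to the proxy, plus the proxy's limited
    media range. No rule can name a port an endpoint has not chosen yet."""
    rules = [Rule("external", "terminal.internal", p, p) for p in sorted(FIXED_PORTS)]
    rules += [Rule("external", proxy_host, p, p) for p in sorted(FIXED_PORTS)]
    rules.append(Rule("external", proxy_host, *proxy_range))
    return Firewall(rules)


def direct_call(fw, seed=2004):
    """External terminal calls the internal terminal straight through the
    firewall. Returns (setup_passed, number_of_media_channels_blocked)."""
    rng = random.Random(seed)
    setup_ok = all(fw.allows("external", "terminal.internal", p) for p in (1719, 1720))
    blocked = sum(1 for p in negotiate_media_ports(rng)
                  if not fw.allows("external", "terminal.internal", p))
    return setup_ok, blocked


def proxied_call(fw, seed=2004, proxy_host="gnugk.internal", proxy_range=(50000, 50999)):
    """Same call, but setup and every media channel terminate on the
    gatekeeper/proxy, which binds its media sockets only inside proxy_range."""
    rng = random.Random(seed)
    lo, hi = proxy_range
    setup_ok = all(fw.allows("external", proxy_host, p) for p in (1719, 1720))
    media = [rng.randrange(lo, hi + 1) for _ in range(CHANNELS)]
    blocked = sum(1 for p in media if not fw.allows("external", proxy_host, p))
    return setup_ok, blocked


if __name__ == "__main__":
    fw = build_firewall()
    print("direct call  (setup ok, media channels blocked):", direct_call(fw))
    print("proxied call (setup ok, media channels blocked):", proxied_call(fw))
```

The direct call reproduces page 12: setup on 1719/1720 passes, all four media channels are dropped because no rule could name them. The proxied call reproduces page 15: the proxy is the only host the firewall needs to know, and the limited range keeps the exposed surface to one host and one thousand ports instead of every desktop and every port above 1023.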

Page 16

An OpenSource solution
• GnuGK works with ViDeNet – neighbor principle
  • If an LRQ can not be answered by the RZG GK, the LRQ is then sent to the German country GK, and so forth

  [RoutedMode]
  …
  AcceptNeighborCalls=1
  …
  [RasSrv::Neighbors]
  CGK=194.95.240.35:1719;*;

Page 17

An OpenSource solution
• Authentication methods
  – Security and videoconferencing are getting more important
  – GnuGK supports several different authentication methods
    • IP authentication
    • Prefix authentication
    • mySQL authentication
    • LDAP authentication / H.350 authentication
    • Radius authentication (includes billing)
  – It is possible to limit access to dedicated IPs, E.164 numbers, etc.

Page 18

An OpenSource solution
• We use mySQL authentication on RRQ
• If the host has a valid DB entry, RCF is sent, otherwise RRJ
• DB table also used for phonebook

[Figure: internal H.323 terminal sends an RRQ to the Gatekeeper/Proxy, which looks the host up in the mySQL database; the RRQ as logged by the gatekeeper:]

  RRQ|130.216.13.164:1720|00491401006:dialedDigits=NZ-RZG-KFSLh323_ID|terminal|9999_rzg.mpg.de;
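The RRQ → RCF/RRJ decision on this page, written out as an added example that is not code from the slides or from GnuGK. SQLite stands in for the mySQL server, the table layout and its two rows are constructed (addresses from the 192.0.2.0/24 documentation range), and the RRQ line is a constructed one whose field layout (fields separated by "|", aliases as value:type pairs separated by "=") is assumed from the shape of the slide's example. The alias comparison goes one step further than the slide's "valid DB entry" rule and is an assumption of this example, not a documented GnuGK behaviour.

```python
"""Added example, not from the original slides or from GnuGK: deciding RCF vs
RRJ for a registration request (RRQ) by looking the endpoint up in a database
table that doubles as the phonebook. SQLite stands in for the mySQL server on
the slide; table layout, rows and the RRQ line are constructed, and the line's
field layout is an assumption modelled on the slide's example."""
import sqlite3

# Constructed RRQ log line (documentation-range address, made-up aliases).
RRQ_LINE = "RRQ|192.0.2.10:1720|0049891234:dialedDigits=RZG-Room-1:h323_ID|terminal|1234_endp;"


def parse_rrq(line):
    """Split one RRQ line into its fields; aliases become {type: value}."""
    msg, addr, alias_field, ep_type, ep_id = line.rstrip(";").split("|")
    if msg != "RRQ":
        raise ValueError("not an RRQ line: %r" % line)
    ip, port = addr.rsplit(":", 1)
    aliases = {}
    for entry in alias_field.split("="):        # one "value:type" per alias
        value, kind = entry.rsplit(":", 1)
        aliases[kind] = value
    return {"ip": ip, "port": int(port), "aliases": aliases,
            "type": ep_type, "endpoint_id": ep_id}


def open_endpoint_db():
    """In-memory table playing the role of the mySQL table: one row per
    endpoint that may register, keyed by the address the RRQ comes from."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE endpoints (
                       ip TEXT PRIMARY KEY,
                       e164 TEXT NOT NULL,
                       h323_id TEXT NOT NULL,
                       description TEXT NOT NULL)""")
    con.executemany("INSERT INTO endpoints VALUES (?, ?, ?, ?)", [
        ("192.0.2.10", "0049891234", "RZG-Room-1", "Seminar room 1, Garching"),
        ("192.0.2.11", "0049891235", "RZG-Room-2", "Lecture hall, Greifswald"),
    ])
    con.commit()
    return con


def check_registration(con, line):
    """Gatekeeper decision for one RRQ. Returns ('RCF', endpoint_id) when the
    source address has a row AND the aliases it asks for are the ones stored
    for it, else ('RRJ', reason). The alias check (an assumption of this
    example) stops a host from registering another room's E.164 number or
    H.323 ID and so receiving its calls."""
    rrq = parse_rrq(line)
    row = con.execute("SELECT e164, h323_id FROM endpoints WHERE ip = ?",
                      (rrq["ip"],)).fetchone()
    if row is None:
        return "RRJ", "no DB entry for %s" % rrq["ip"]
    e164, h323_id = row
    if (rrq["aliases"].get("dialedDigits"), rrq["aliases"].get("h323_ID")) != (e164, h323_id):
        return "RRJ", "alias mismatch for %s" % rrq["ip"]
    return "RCF", rrq["endpoint_id"]


def phonebook(con):
    """The same table read as a phonebook: E.164 number -> (H.323 ID, location)."""
    rows = con.execute("SELECT e164, h323_id, description FROM endpoints ORDER BY e164")
    return {e164: (h323_id, desc) for e164, h323_id, desc in rows}


if __name__ == "__main__":
    db = open_endpoint_db()
    print(check_registration(db, RRQ_LINE))
    print(check_registration(db, RRQ_LINE.replace("192.0.2.10", "198.51.100.7")))
    for number, (name, where) in phonebook(db).items():
        print(number, name, where)
```

Keying the table on the source address means the check is only as trustworthy as the path the RRQ arrived on; for terminals inside the proxied network that is the intended trust model of this page, and the parameterised queries keep the alias strings from the RRQ out of the SQL text.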

Page 19

An OpenSource solution
• Other features
  – Port range can be limited (H.245, T.120, RTP ports)
  – LoadBalancing
  – T.120 proxy
  – Support for NATed endpoints
  – Calls can be queued
  – …

Page 20

An OpenSource solution
• GnuGK is used in RZG & IPP for ALL videoconferences (internal ↔ external, internal ↔ internal, external ↔ external)
• Solution works fine in point-to-point environments as well as multipoint ((cascaded) internal/external MCUs)
• No problems with different ‘speeds’ (minimum connection speed: 512 kbit/s, maximum 3 Mbit/s)
• We were not able to ‘force proxy down’

Page 21

An OpenSource solution
• What is meant by “… is used for ALL videoconferences …”?

Page 22

An OpenSource solution
• Some statistics (1)
  – GK system (until 03/2004): P3, 1.6 GHz, running SuSE Linux 7.3
  – Used videoconferencing systems
    • 3 Tandberg 6000, 7 Tandberg 550/880, 2 Tandberg 1000, 1 Tandberg 7000, 2 Viewstations EX, 30 ViaVideos
    • We tested our GK with several Polycom systems, Sony PCS1, NetMeeting, GnomeMeeting, VCon, etc.
    • Worked with exotic clients like the VRVS H.323 gateway, FVC Webconferencing server
  – System has been up and running for 169 days
  – More than 6000 calls were handled, approx. 1500 coming from external institutions/organizations

Page 23

An OpenSource solution
• Some statistics (2)
  – Approx. 1000 videoconferences per month
  – Monthly data throughput: 120 GB
  – Interrupts in 2003: 2 (System crashes)

[Chart: GK call statistics, months 1–8, y-axis # Calls (0–5000); series Calls (overall), Calls (successful), Calls (from outside).]

Page 24

An OpenSource solution
• Some statistics (3)
  – Current use:
    • Directorate meetings IPP
    • Meetings of RZG (Garching / Greifswald / Auckland)
    • RZG's user group (3-7 sites all over Germany)
    • Monday meetings ASDEX Upgrade (Garching / several clients in Europe, e.g. UK, France, etc.)
    • VC group meetings (almost every day)
    • Regular meeting of MPG Presidents
    • Project meetings
    • Meeting of the Viktas group
    • …

Page 25

Summary
– Disadvantages
  • Monitoring just via telnet (allowed IPs can be specified)
– Advantages
  • It's free
  • OpenSource
  • Proxy can be deactivated (completely or just for dedicated IPs/subnets)
  • Limitation of port range
  • Bunch of authentication methods
  • Runs on Linux/Windows/Apple
  • Support for NATed endpoints
  • E.164 rewrite (important for password-protected conferences where the password is separated with * (new VV software can't handle *))

Page 26

Summary

The H.323 & Firewall issue can be solved using OpenSource software

Page 27

Further Activities: QoS
– H.323 Beacon
– DFN Projects (Erlangen)
– Own Tools

[Figure: QoS measurements on the link Greifswald (HGW) – Garching (GAR).]

Page 28

Acknowledgement
• U. Schwenn, P. Pflueger, H. Soenke, Th. V. Weber, RZG
• J. Hornung, DFNVC
• F. Schulze et al., VCC Dresden
• H. Pfeiffenberger, Sybilla Bunne, AWI

Questions??