Fundamentals of VoIP and Security
CHAPTER NO. 4b
E. H.323

1. OVERVIEW OF H.323:

The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the Internet. H.323 is an umbrella recommendation from the International Telecommunications Union (ITU) that sets standards for multimedia communications over Local Area Networks (LANs) that do not provide a guaranteed Quality of Service (QoS). The "multimedia" part of the title provides quite a bit of opportunity, allowing applications that support real-time audio, video and data communications. Support for audio is mandatory, while the video and data parts are optional. Thus our first interoperability challenge is identified: two products can both conform to H.323 while one supports audio only and the other supports audio, video and data.

In order to support such a variety of media types, an H.323 system may consist of several different components, discussed one by one below.

Terminals: a network endpoint which may provide audio only, audio and video, audio and data, or audio, video, and data communications with another H.323 terminal.
Gateways: a network function that provides access to terminals on a circuit-switched network (such as the PSTN) or another H.323 network.
Gatekeepers: a network function that provides address translation, access control, bandwidth management, and possibly other management operations for the network.
Multipoint Control Units: a network function that allows three or more terminals to participate in a multipoint conference.

These four could be implemented individually or integrated as a group within a single product. An example makes this clear: a PC running an H.323 application, such as Microsoft's NetMeeting, would be categorized simply as a terminal. Another device, such as a video conferencing system, could include the functions of the Terminal, Gateway, Gatekeeper and Multipoint Control Unit in a single box, which would be considerably more complex. Since H.323 attempts to support such a wide variety of communications media, a number of protocols are required to cover all of the possible voice, video and data combinations. As such, H.323 has been described as an umbrella standard under which a number of other protocols fit, supporting call setup and disconnect, audio encoding/decoding and video encoding/decoding. These protocols include the ITU-T H.225 and H.245 protocols, plus the IETF's Real-Time Transport Protocol (RTP) and others.

2. H.323 SIGNALING:

The term signaling is used to describe the processes that initiate or terminate a communication session between two parties. If those parties are using the traditional telephone network, the signaling consists of on-hook, off-hook, ringing tones, busy tones, and so on, that communicate the status of one of the parties, or the status of the network.

Table 1: ITU-T recommendations that are part of the H.323 specification

H.323 is an ITU-T Study Group 16 recommendation that specifies a system and protocols for multimedia communications over packet-switched networks. In particular, H.323 consists of a set of protocols that are responsible for encoding, decoding, and packetizing audio and video signals, for call signaling and control, and for capability exchange.

3. H.323 ENDPOINT TYPES:

H.323 defines four major components for a network-based communication system: Terminals, Gateways, Gatekeepers and Multipoint Control Units (MCUs).

Terminals are client endpoints on IP-based networks that provide real-time, two-way communications with other H.323 entities. H.323 terminals are required to support the following three functional parts:

a. SIGNALING AND CONTROL: H.323 terminals must support H.245, a complex standard for channel usage and capabilities, in addition to a Q.931-like protocol defined in H.225 for call signaling and establishment, as well as the Registration/Admission/Status (RAS) protocol defined in H.225 for communication with gatekeepers. All of these protocols use ASN.1 encoding for their messages.
b. REAL TIME COMMUNICATION: H.323 terminals must support RTP/RTCP, a protocol for sequencing audio and video packets.
c. CODEC: A codec is a piece of software that compresses audio/video before transmission and decompresses it after the compressed packets are received. For interoperability purposes, every H.323 terminal is required to support the G.711 audio codec. Other audio and video codecs are optional.

Gateways provide the connection path between the packet-switched network and the Switched Circuit Network (SCN, which can be either public or private). A gateway is not required when there is no connection to other networks. In general, a gateway reflects the characteristics of a LAN endpoint to an SCN endpoint, and vice versa. Gateways perform call setup and control on both the packet-switched network and on the SCN, and they translate between transmission formats and between communication procedures. Some gateways can also translate between different codec standards for audio and/or video (referred to as transcoding), with the purpose of reducing the bandwidth of the audio/video flow if the SCN bandwidth is limited.

Gatekeepers are optional in an H.323 system, but they have certain mandatory functions if they are present. Gatekeepers perform four required functions: Address Translation (from alias addresses or phone numbers to transport addresses), Admission Control, Bandwidth Control and Zone Management. Gatekeepers can also support four optional functions: Call Control Signaling, Call Authorization, Bandwidth Management and Call Management. When a gatekeeper is present in an H.323 system, all other types of endpoints are required to register with the gatekeeper and receive its permission prior to making a call.

Multipoint Control Units (MCUs) support conferencing between three or more endpoints. An MCU typically consists of a Multipoint Controller (MC) and zero or more Multipoint Processors (MPs). The MC provides the control functions, such as negotiation between terminals and determination of common capabilities for processing audio and video. The MP performs the necessary processing on the media streams of a conference; such processing typically involves audio mixing and audio/video switching.

4. CHANNELS DEFINED IN H.323:

H.323 uses the concept of channels to structure the information exchange between communicating entities. A channel is a transport-layer connection, which can be either unidirectional or bidirectional. In particular, H.323 defines the following types of channels:

a. RAS CHANNEL: This channel provides a mechanism for communication between an endpoint and its gatekeeper. The RAS (Registration, Admission, and Status) protocol is specified in H.225.0. Through the RAS channel, an endpoint registers with the gatekeeper and requests permission to place a call to another endpoint. If permission is granted, the gatekeeper returns the transport address for the call signaling channel of the called endpoint.
b. CALL SIGNALING CHANNEL: This channel carries information for call control and supplementary service control. The Q.931-like protocol used over this channel is specified in H.225.0 and H.450.x. When the call is established, the transport address of the H.245 control channel is indicated on this channel.
c. H.245 CONTROL CHANNEL: This channel carries the H.245 protocol messages for media control, including capability exchange. After the call participants exchange their capabilities, logical channels for media are opened through the H.245 control channel.
d. LOGICAL CHANNELS FOR MEDIA: These channels carry the audio, video, and other media information. Each media type is carried in a separate pair of unidirectional channels, one for each direction, using RTP and RTCP.

H.323 specifies that the RAS channel and the logical channels for media are carried over an unreliable transport protocol, such as UDP. The H.245 control channel is specified to be carried over a reliable transport protocol, such as TCP.

5. ISSUES WITH REMEDIATION:

The H.323 protocol suite is complex, but it provides a great deal of flexibility. Protocol-specific problems will be addressed in the same manner as problems with traditional protocols: through testing and independent audit followed by remediation. Unfortunately, there are still issues that cannot be easily addressed using the traditional security devices found in typical organizations.

a. FIREWALL ISSUE: As has been seen, many H.323 protocols, particularly those carrying the data streams, are made up of dynamic IP address/port combinations. Each terminal-to-terminal conversation requires at a minimum 5 channels to be opened: 2 control channels (one H.225 and one H.245) per endpoint plus one bidirectional voice channel. Three of these will be on dynamically allocated ports. In addition, users naturally expect to be able to make both inbound and outbound calls. Since H.323 relies heavily on dynamic ports, packet-filtering firewalls are not a viable solution, as every port above 1024 would have to be opened. Therefore, most firewall solutions supporting H.323 must at least disassemble the control stream packets (H.245, H.225.0) and then dynamically (and ideally, statefully) open up the firewall as needed. Additionally, H.323 messages contain embedded IP address information that is not rewritten by most NAT implementations. All of these features make the implementation of H.323 security complex.
b. DATA ENCRYPTION: Payload or data encryption is another important piece of the H.323 security puzzle, but in most cases the ability of an attacker to access one or more control channels will yield information about a call that is almost as valuable as the data content. Today, analysis of a signaling channel, for instance, could allow an attacker to gather information regarding the duration, endpoints and other parameters of incoming and outgoing calls. Lastly, data encryption has no effect on the security of VoIP-related infrastructure devices or their cognate applications. No amount of encryption can protect against a single bad password.
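The following Python model is an added example and is not part of the chapter. It walks one call through the channel order of section 4 (RAS, call signaling, H.245 control, media) and applies two firewall models from section 5a: a stateless packet filter that knows only the fixed ports, and a stateful firewall that decodes the control messages and opens a pinhole only for each transport address those messages announce. It also shows the NAT problem: a NAT that rewrites only the IP header leaves the private addresses embedded in the H.245 payload untouched. UDP 1719 (RAS) and TCP 1720 (H.225.0 call signaling) are the well-known default ports; every address, dynamic port and message in the block is a constructed sample value, and the message contents are simplified to a single announced address each.

```python
# Added example, not from the chapter: one constructed H.323 call crossing
# (a) a static packet filter and (b) a stateful firewall that opens pinholes
# only for addresses announced on the H.225.0/H.245 control channels.
# UDP 1719 (RAS) and TCP 1720 (call signaling) are the well-known defaults;
# every address and dynamic port below is a constructed sample value.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

INSIDE, OUTSIDE, GATEKEEPER = "10.0.0.5", "203.0.113.7", "10.0.0.2"
NAT_PUBLIC = "198.51.100.1"           # constructed public address of a NAT
Announce = Tuple[str, str, str, int]  # (channel, proto, ip, port)


@dataclass(frozen=True)
class Packet:
    channel: str                      # RAS, Q931, H245, RTP, RTCP
    proto: str                        # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    # Transport address carried in the message body (h245Address in a Connect,
    # media addresses in OpenLogicalChannel), simplified to one per message.
    announces: Optional[Announce] = None


# RAS -> call signaling -> H.245 control -> media, as in section 4.
CALL = [
    Packet("RAS", "udp", INSIDE, 40001, GATEKEEPER, 1719),             # ARQ
    Packet("RAS", "udp", GATEKEEPER, 1719, INSIDE, 40001),             # ACF
    Packet("Q931", "tcp", INSIDE, 40002, OUTSIDE, 1720),               # Setup
    Packet("Q931", "tcp", OUTSIDE, 1720, INSIDE, 40002,                # Connect
           announces=("H245", "tcp", OUTSIDE, 50123)),
    Packet("H245", "tcp", INSIDE, 40003, OUTSIDE, 50123),              # capability set
    Packet("H245", "tcp", OUTSIDE, 50123, INSIDE, 40003,               # OpenLogicalChannel
           announces=("RTP", "udp", OUTSIDE, 30000)),                  # (simplified)
    Packet("H245", "tcp", OUTSIDE, 50123, INSIDE, 40003,
           announces=("RTCP", "udp", OUTSIDE, 30001)),
    Packet("H245", "tcp", INSIDE, 40003, OUTSIDE, 50123,
           announces=("RTP", "udp", INSIDE, 31000)),
    Packet("H245", "tcp", INSIDE, 40003, OUTSIDE, 50123,
           announces=("RTCP", "udp", INSIDE, 31001)),
    Packet("RTP", "udp", INSIDE, 31000, OUTSIDE, 30000),               # audio
    Packet("RTP", "udp", OUTSIDE, 30000, INSIDE, 31000),
    Packet("RTCP", "udp", OUTSIDE, 30001, INSIDE, 31001),
]
# An unrelated high-port flow: what "open every port above 1024" also admits.
UNRELATED = Packet("OTHER", "udp", OUTSIDE, 5555, INSIDE, 6666)

STATIC_RULES = {("udp", 1719), ("tcp", 1720)}  # the only ports known in advance


def static_filter_permits(pkt: Packet, open_high_ports: bool = False) -> bool:
    """Stateless packet filter: it cannot see which ports the call negotiated."""
    if (pkt.proto, pkt.dport) in STATIC_RULES or (pkt.proto, pkt.sport) in STATIC_RULES:
        return True
    return open_high_ports and pkt.sport > 1024 and pkt.dport > 1024


class StatefulH323Firewall:
    """Decodes control messages and opens one pinhole per announced address."""

    def __init__(self) -> None:
        self.pinholes = {("udp", "*", 1719), ("tcp", "*", 1720)}
        self.opened = []                  # audit trail of dynamic pinholes

    def _hole(self, proto: str, ip: str, port: int) -> bool:
        return (proto, "*", port) in self.pinholes or (proto, ip, port) in self.pinholes

    def permits(self, pkt: Packet) -> bool:
        ok = self._hole(pkt.proto, pkt.dst, pkt.dport) or self._hole(pkt.proto, pkt.src, pkt.sport)
        # Only a message that itself arrived on a permitted control channel may
        # open a hole; media packets never do.
        if ok and pkt.announces and pkt.channel in ("Q931", "H245"):
            chan, proto, ip, port = pkt.announces
            self.pinholes.add((proto, ip, port))
            self.opened.append((chan, proto, ip, port))
        return ok


def blocked_channels(permit) -> list:
    """Channels of CALL that the given permit() drops (evaluated in call order)."""
    return sorted({pkt.channel for pkt in CALL if not permit(pkt)})


def nat_header_only(pkt: Packet) -> Packet:
    """A NAT that rewrites the IP header but not the H.323 payload."""
    return replace(pkt, src=NAT_PUBLIC) if pkt.src.startswith("10.") else pkt


def leaked_private_addresses() -> list:
    """Announced addresses that still name the private host after header-only NAT."""
    return [p.announces for p in map(nat_header_only, CALL)
            if p.announces and p.announces[2].startswith("10.")]


if __name__ == "__main__":
    print("static filter drops:", blocked_channels(static_filter_permits))
    print("static filter with ports >1024 open admits unrelated flow:",
          static_filter_permits(UNRELATED, open_high_ports=True))
    fw = StatefulH323Firewall()
    print("stateful firewall drops:", blocked_channels(fw.permits), "after opening",
          len(fw.opened), "pinholes; unrelated flow:", fw.permits(UNRELATED))
    print("private addresses still embedded after header-only NAT:", leaked_private_addresses())
```

Run stand-alone, the static filter drops the H.245, RTP and RTCP channels unless every port above 1024 is opened, at which point it also admits the unrelated flow; the stateful model passes the whole call after opening five pinholes and still drops the unrelated flow. The last line lists the two H.245 messages whose announced media addresses still point at 10.0.0.5 after a header-only NAT, which is why an H.323-aware NAT or application-layer gateway has to rewrite the payload as well as the header.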