Title: VCON SecureConnect
Slide 1: VCON SecureConnect
- Solutions for Secure Firewall Traversal and Encrypted Communications
Slide 2: SecureConnect Family Overview
- Extends the benefits of IP-based communications safely beyond the edges of the managed data network:
  - Remote branch offices
  - Home office workers
  - Customers and business partners
- Solves the connectivity problems associated with firewalls and NAT servers without jeopardizing security
- Encryption option for securing media and signaling streams
- Highly scalable and centrally manageable
Slide 3: Hurdles with Firewalls and IP-Based Communications
- Firewalls
  - Most are closed to inbound traffic.
  - Administrators want to minimize or eliminate open ports.
- NAT
  - Used on LANs to give hosts private IP addresses.
  - Those addresses can't be reached from outside the LAN, and H.323 signaling carries them inside its messages, so a header-only NAT leaves the far end with an unreachable media address.
Slide 4: The VCON ALG Proxy Server
- Overcomes firewall and NAT hurdles
- Firewall cooperation and synergy
  - No firewall ports are opened in the inward direction
  - Firewall does not need to accommodate requests to open random or dynamic ports
  - External devices never connect directly to the inside network
  - Internal devices never connect directly to the outside network
- Seamless address resolution
  - Creates reachable addresses for endpoints on the LAN
Slide 5: The VCON ALG Proxy Server
- Able to securely proxy:
  - Gatekeeper registration
  - Call setup messages (signaling)
  - Media streams (audio, video)
  - Neighbor gatekeeper messages
  - VCON Interactive Multicast streams
  - MXM admin console login and remote device administration
  - Far-end camera control messages
- Scalable up to 100 concurrent video calls per server
- Available encryption option
Slide 6: ALG Proxy Server (continued)
- Supports any standard H.323 device (endpoint, MCU, gateway)
- Media streams pass directly between conference participants; the proxy relays media only for calls that cross the firewall/NAT boundary
- Configurable QoS (DiffServ or IP Precedence) for audio, video and data streams
- Single- and dual-server configurations available
Slide 7: Single vs Dual-Server Config
[Diagram: Single-Server Config (Private Network, combined Inside/Outside Proxy, Firewall or NAT, Public Network) and Dual-Server Config (Private Network, Inside Proxy, Outside Proxy, Firewall or NAT, Public Network)]
- The inside and outside proxy elements of the ALG can be combined or split
- Both configurations prevent direct connections between private and public network entities
- With either configuration, the outside proxy can be encrypted for added security
Slide 8: Typical Headquarter / NOC Configuration
[Diagram: PC-Based Endpoints, Settop Appliance, MCU, Video Directory, MXM, ALG Proxy (Inside), Firewall/NAT, ALG Proxy (Outside), Public Network]
Slide 9: Typical Branch Office or Small-Medium Business Configuration
[Diagram: PC-Based Endpoints, Settop Appliance, MCU, ALG Proxy (Inside), Firewall/NAT, ALG Proxy (Outside), Public Network]
- Local devices point to the inside proxy for GK registration
- Calls between local devices do not result in media streams passing through the ALG Proxy
Slide 10: Endpoints in the Public Address Space
[Diagram: ALG Proxy, Firewall/NAT]
- Remote devices point to the outside ALG Proxy for GK registration
- Calls between outside devices do not result in media streams passing through the ALG Proxy
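The behaviour slides 3 through 10 describe (embedded addresses rewritten to a reachable proxy address, media relayed only when a call crosses the firewall/NAT boundary, and no connection ever initiated from the public side into the private network) can be modelled in a few dozen lines. The block below is an added illustration written for this page, not VCON's code: the `AlgProxy` class, its port-allocation scheme, the `inbound_violations` audit and all addresses and ports are constructed for the example (RFC 5737 documentation ranges on the public side).

```python
"""
Simplified model of an H.323 application-layer gateway (ALG) proxy.

Added illustration, not VCON's code. H.323 signaling (H.225/H.245) carries
each endpoint's own IP address and RTP port inside the message body, so a NAT
that rewrites only packet headers leaves an unreachable private address in the
call setup. The ALG rewrites that embedded address to one of its own reachable
addresses, remembers the mapping, and relays the media. Media is relayed only
when a call crosses the private/public boundary; calls between two endpoints on
the same side go direct. All addresses and ports here are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """RFC 1918 check, used by the audit at the bottom."""
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    rtp_port: int
    side: str  # "inside" (registered to the inside proxy) or "outside"


@dataclass
class AlgProxy:
    inside_ip: str   # LAN-facing address of the inside proxy component
    outside_ip: str  # public address of the outside proxy component
    next_port: int = 20000
    # (proxy listen ip, port) -> (endpoint ip, port) the relayed media goes to
    media_map: dict = field(default_factory=dict)
    # every (src, dst) pair that would appear on the wire, for the audit
    flows: list = field(default_factory=list)

    def _allocate(self, listen_ip: str, target: tuple) -> tuple:
        # RTP uses even ports with RTCP on port+1, so step by two (assumption).
        port, self.next_port = self.next_port, self.next_port + 2
        self.media_map[(listen_ip, port)] = target
        return listen_ip, port

    def setup_call(self, a: Endpoint, b: Endpoint) -> dict:
        """Rewrite the media addresses carried in a call setup.
        Returns, per endpoint name, the (ip, port) it should send RTP to."""
        if a.side == b.side:
            # Same side of the boundary: leave the embedded addresses alone,
            # media goes directly between the two endpoints.
            self.flows += [(a.ip, b.ip), (b.ip, a.ip)]
            return {a.name: (b.ip, b.rtp_port), b.name: (a.ip, a.rtp_port)}
        inside, outside = (a, b) if a.side == "inside" else (b, a)
        # The outside party is told to send to the proxy's public address and
        # the inside party to the proxy's LAN address; the proxy relays between them.
        for_outside = self._allocate(self.outside_ip, (inside.ip, inside.rtp_port))
        for_inside = self._allocate(self.inside_ip, (outside.ip, outside.rtp_port))
        self.flows += [
            (outside.ip, self.outside_ip), (self.outside_ip, outside.ip),
            (inside.ip, self.inside_ip), (self.inside_ip, inside.ip),
        ]
        return {outside.name: for_outside, inside.name: for_inside}

    def relay(self, listen: tuple, payload: bytes) -> tuple:
        """Forward a media packet that arrived on one of the proxy's sockets.
        Traffic to a port with no call mapped is dropped, not forwarded."""
        target = self.media_map.get(listen)
        if target is None:
            raise PermissionError(f"no call mapped to {listen}; dropped")
        return target, payload


def inbound_violations(flows) -> list:
    """Audit: a flow from a public source to a private destination would need
    an inbound firewall hole. The ALG design should produce none."""
    return [(s, d) for s, d in flows if not is_private(s) and is_private(d)]


if __name__ == "__main__":
    proxy = AlgProxy(inside_ip="10.0.0.5", outside_ip="203.0.113.10")
    alice = Endpoint("alice", "10.0.0.20", 5004, "inside")
    carol = Endpoint("carol", "10.0.0.21", 5004, "inside")
    bob = Endpoint("bob", "198.51.100.7", 6000, "outside")
    print(proxy.setup_call(alice, carol))  # LAN call: direct media, nothing relayed
    print(proxy.setup_call(alice, bob))    # bob is told to send to 203.0.113.10:20000
    print(proxy.relay(("203.0.113.10", 20000), b"rtp"))
    print("inbound holes needed:", inbound_violations(proxy.flows))
```

The audit is the check worth keeping when evaluating any traversal product: record every (source, destination) pair the design produces and confirm none runs from a public address to a private one. A real ALG also has to parse ASN.1 PER-encoded H.225/H.245 and track H.245 channel negotiation, which this model replaces with a plain dictionary.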
Slide 11: Multi-Zone Gatekeeper Configuration
[Diagram: Peer-to-Peer or Meshed and Hierarchical gatekeeper topologies, with MXM and ALG Proxy]
- Neighbor gatekeeper zone definitions use the public IP address of the outside ALG Proxy component
Slide 12: The VCON Advanced Encryption Server
- Supports the DES, 3DES and AES encryption standards (DES, with its 56-bit key, is no longer considered secure; select AES wherever both ends support it)
- Establishes peer-to-peer encrypted tunnels between authenticated users
- Combine with the ALG Proxy to encrypt all traffic that leaves the proxy
- Scalable up to 10,000 concurrently logged-in clients and 1,000 concurrent calls per server
- Remote users only have access to pre-determined, application-specific resources
  - Versus traditional VPN solutions, which give the user full access to the enterprise or service provider network
Slide 13: The VCON Encryption Client
- Supports PC-based devices
  - Windows 98, NT, 2000, XP
- UserID and password authentication to the Encryption Server
- Encrypts signaling and media streams immediately as they leave the PC-based device
- DES, 3DES, AES encryption standards
- No-charge downloadable client
  - Give to customers or business partners for access to the video network
  - Downloadable from the VCON website
Slide 14: All PC-Based Devices Configuration
[Diagram: Advanced Encryption Server, Encryption Client, PC-Based Endpoints, Public Network, MXM, Firewall/NAT, VCB (MCU)]
- All PC-based devices running the Encryption Client are logged in to the Advanced Encryption Server
- Data streams flow directly between the devices without passing through the Encryption Server
  - Unless both participants have private IP addresses, in which case neither can reach the other directly and the streams are relayed
Slide 15: Leveraging the ALG Proxy for Encryption
[Diagram: Advanced Encryption Server, Encryption Client, PC-Based Endpoints, ALG Proxy (Inside), ALG Proxy (Outside), Public Network, Firewall/NAT, Non-PC Devices, MCU]
- The outside proxy is enabled with encryption
  - This proxy only counts as a single client login on the Encryption Server
- Allows encryption for non-PC devices, including MCUs
- All traffic across the public network is encrypted
Slide 16: Versatility of the SecureConnect Solution
[Diagram: Branch Office or Small Business, Headquarter / NOC, Encryption Server, ALG Proxy, MXM, Public Network, ALG Proxy, Home Office, VCB, Road Warriors]
Slide 17: High Availability Features
- Dual NIC cards
- RAID controller with mirrored hard drives
- Dual memory modules
- Software watchdog for services
Slide 18: Other SecureConnect Features
- 1-year software subscription included with all SecureConnect servers
  - Access to all software enhancements for a period of 1 year
- Scalability upgrades accomplished via a license key
  - No need to take the system out of service