SECURE IP Videoconferencing Question


George
05-10-2004, 02:41 PM
Has anyone had any success running IP video over a "secure" network? I'm especially interested in answers from the government side but commercial solutions are welcome as well. My situation is that we're looking at adding a secure IP connection from a distant site into our Tandberg 6000, then using the built in bridging capability to connect that call to another via ISDN.

Our problem is convincing our local network guys that this setup is "secure". From their point of view we're asking to connect their live secure network to a network that goes both secure and nonsecure. Any suggestions on a method we should use here? We're already thinking of using an A/B switch to turn off the secure side when not in use. Has anyone got a similar setup that they got blessed off on as a proper secure solution for IP video?

tjulian
05-11-2004, 12:44 PM
I'm not sure about how the Tandberg 6000 handles IP packets, but here is what I was told about the Polycom MGC-100:

It is actually a Gateway (Multipoint Control Gateway) for VTC. I was told at a seminar that you could use the bridge to connect internal network nodes (endpoints) to external ones by using two separate network cards. One would be connected to the LAN, while the other would be connected in front of the firewall. Any packets that try to come through that are not recognized as VTC H.323 packets are just discarded by the bridge.

I haven't even tried to convince anyone on the security side of this, however, because they do not understand the technology.

You might also find a cheaper H.323 Gateway, but I don't know how it would handle the packets.

tjulian
05-11-2004, 12:47 PM
Oops, I just realized that all that rambling didn't answer your question....

My experience with the security practices of the DOD is that they do not like to have anything that bypasses the firewall, even into the "secure" non-secure network.

When you say "secure" do you mean Classified? If so, you'll have to use an encryption device (KIV-7) to run over ISDN.

George
05-11-2004, 01:08 PM
Yeah, I'm mainly an ISDN guy so I know all about the KIV family and KG-194. Yes, it's over the classified network. I'm thinking of not only offering the A/B switch solution but also telling them that when not in use the classified connection will be disabled from within the Tandberg as well. That way they have dual redundancy in securing the line.

Any other suggestions or folks with similar experiences?

Entropy3XD
05-11-2004, 06:35 PM
Originally posted by George@May 10 2004, 02:41 PM
Has anyone had any success running IP video over a "secure" network? I'm especially interested in answers from the government side but commercial solutions are welcome as well. My situation is that we're looking at adding a secure IP connection from a distant site into our Tandberg 6000, then using the built in bridging capability to connect that call to another via ISDN.

Our problem is convincing our local network guys that this setup is "secure". From their point of view we're asking to connect their live secure network to a network that goes both secure and nonsecure. Any suggestions on a method we should use here? We're already thinking of using an A/B switch to turn off the secure side when not in use. Has anyone got a similar setup that they got blessed off on as a proper secure solution for IP video?
George,

My company actually manufactures an IP switch for such a purpose. It is called the VWS-IP. We also manufacture a line of equipment for use in 320 networks, which will allow you to switch between secure/non-secure. I believe we have the only switch out there which is TEMPEST tested and certified. The IP switch is new, so we don't have a spec sheet on it yet. You can go to www.criticom.com to see the other products. I will talk to our guys tomorrow to see if I can get some advanced info for you on the VSW-IP.

Entropy3XD
05-11-2004, 07:07 PM
This is from our latest press release. I apologize for the shameless plug, but it may work for your challenge. :D

CritiCom is a full-service integrator and value-added reseller of video communications products. The company also offers its secure/non-secure ISEC switch, the only COMSEC/EMSEC-, TEMPEST- and JITC-certified video conferencing switch on the market. Enabling users to conduct classified and non-classified videoconferences from a single unit, ISEC is available as a stand-alone switch that can be integrated with any video system available, or as part of a complete integrated console or portable video solution. Compatible with ISDN, satellite and IP communications, the ISEC line also includes its own dial isolation capability, enabling customers for the first time to execute on-screen dialing in both secure and non-secure modes. CritiCom’s ISEC products have been accepted and installed at more than 35 Department of Defense agencies as well as at the White House and the Department of Homeland Security. Additional information about CritiCom, its ISEC product line and strategic partnerships can be found at www.criticom.com.

George
05-15-2004, 09:10 AM
OK well the JITC certified part caught my eye.

We're looking for a switch with some sort of government blessing. This looks like a good candidate. Thanks, and do you have any links to pictures and/or a data sheet on the product?

George

Entropy3XD
05-15-2004, 09:31 AM
Originally posted by George@May 15 2004, 09:10 AM
OK well the JITC certified part caught my eye.

We're looking for a switch with some sort of government blessing. This looks like a good candidate. Thanks, and do you have any links to pictures and/or a data sheet on the product?

George
George,

The IP switch has actually been going through Tempest testing this week. After that we will be moving to get it certified in other areas. I am doing a show on Tuesday and am showcasing the switch with a sales guy, so I will have to get some material together on Monday. I will pass on to you what we have so far once I get it all together.

SparkyIEEE
05-20-2004, 09:34 AM
Hello Everybody,
tjulian, I just wanted to mention something about the MGC-100.
You had stated that it is a gateway. Although it appears to the user that it is a gateway (ISDN and IP in the same conference), it really is not a true gateway because you cannot call directly from an IP codec to an ISDN codec or vice versa. The MGC sets up a conference and bridges the two together. It may seem like a trivial point because it does look like a gateway, but as a support engineer I run into ... the sales guy said ....... Then I have to explain why the $100,000 box doesn't do what they were sold on. I myself get peeved if I order a hamburger at McDonalds and it doesn't come with ketchup. If you look at some of the marketing info, both Tandberg and Polycom are careful not to say "Gateway".


As for the security issues, I know that the latest Tandberg codecs offer DES and AES encryption provided you have recent versions of code and you are connected to other Tandbergs with recent versions of code.

Gary Miyakawa
05-20-2004, 10:21 AM
Originally posted by SparkyIEEE@May 20 2004, 09:34 AM
You had stated that it is a gateway. Although it appears to the user that it is a gateway (ISDN and IP in the same conference), it really is not a true gateway because you cannot call directly from an IP codec to an ISDN codec or vice versa. The MGC sets up a conference and bridges the two together. It may seem like a trivial point because it does look like a gateway, but as a support engineer I run into ... the sales guy said ....... Then I have to explain why the $100,000 box doesn't do what they were sold on. I myself get peeved if I order a hamburger at McDonalds and it doesn't come with ketchup. If you look at some of the marketing info, both Tandberg and Polycom are careful not to say "Gateway".
SparkyIEEE,

I'm not sure that I can agree with you here. The MGC most certainly can place a single call from an IP codec to an ISDN endpoint providing the "Gateway" function. It is true that it creates a call on the H.323 side and a call on the H.320 side and then transcodes the two calls. This, if I'm not mistaken, is how all GWs actually work (creating two calls).

Using PathNavigator, I can sit at any IP codec and dial an ISDN number either using the simplified dialing (9+ or 8+ or n?) and PathNavigator will find the available requested speed service, or I can use the actual services number (example, 81* for 128kb bonded, 81*7705551212.. would dial as 128kb Bonded service).

Inbound, you can use the TCS4/E.164 capability to direct the inbound ISDN to the specified IP codec.

If we want to continue this discussion on Gateways, can I suggest we start up a thread in the MCU section and get it out of the security section.

Thanks,

Gary Miyakawa

SparkyIEEE
05-20-2004, 04:38 PM
Originally posted by Gary Miyakawa@May 20 2004, 08:21 AM
I'm not sure that I can agree with you here. The MGC most certainly can place a single call from an IP codec to an ISDN endpoint providing the "Gateway" function. It is true that it creates a call on the H.323 side and a call on the H.320 side and then transcodes the two calls. This, if I'm not mistaken, is how all GWs actually work (creating two calls).

Using PathNavigator, I can sit at any IP codec and dial an ISDN number either using the simplified dialing (9+ or 8+ or n?) and PathNavigator will find the available requested speed service, or I can use the actual services number (example, 81* for 128kb bonded, 81*7705551212.. would dial as 128kb Bonded service).

Inbound, you can use the TCS4/E.164 capability to direct the inbound ISDN to the specified IP codec.

If we want to continue this discussion on Gateways, can I suggest we start up a thread in the MCU section and get it out of the security section.

Thanks,

Gary Miyakawa
Gary,

I agree with you, let's move this to the MCU group.
I will start a new thread over there.

SparkyIEEE

kaylesworth
07-27-2004, 10:49 AM
Hi George,

We have run the SCOTTY mobile encrypted using the KG-175 TACLANE NSA Type 1 IP encryption device. It works extremely well and there is usually enough bandwidth to make even IP video acceptable. We are currently testing the Motion Media equipment. We demonstrated this ability recently at an invitation only show out west. If you want some more info, let me know.

Kevin

fivedos
07-28-2004, 01:39 PM
Going back to the original question. What our company has been doing is going from a "secured" network using H.323, connecting to our Tandberg MCU, then connecting to the other end by using H.320.

JStrong
08-18-2004, 11:21 PM
Through my limited experience, we ran a secure bridge for the military using phone lines (ISDN, I think?) and hard-wired KIV-7 units. Ships were usually connected up via SHF (super high frequency) shots, then connected manually through a patch panel to the desired KG-194 unit. Both the KGs and KIVs were hardwired to the bridge itself (PictureTel unit).

Secure always worked great so long as both sites were on the same cryptographic material... you usually found yourself doing the same routine troubleshooting if problems arose; however, sometimes the KIV-7 units would act really funny and even though they were good off of local and remote loops the damn things would never lock up TR with the distant end. Usually we could spare off and another KIV with the exact same settings would work, but we couldn't ever figure out why the first one didn't. Oddly enough though, the KIV that wouldn't work would work with another station... ghosts in the line maybe? Your guess would be as good as mine.

-J

signalgrunt
08-19-2004, 09:52 AM
Michael,

Got any more info on the VSW-IP?

Entropy3XD
08-23-2004, 12:26 PM
We are still going through development on the VWS-IP switch. I will be keeping everyone informed as information becomes available.

haneyr
09-09-2004, 08:37 AM
If you are talking about using the Tandberg's codec to do the MCS function, then it can't be done. The main reason being that to enable H.320 encryption you have to have a serial port connection from the codec to the crypto. I am not aware of any crypto that uses ISDN connections directly. But I do know that the latest Tandbergs now allow the serial ports to be added to an MCS conference. So this may be the way to go. I have not had a chance to test it yet. But then you will need an ISDN to serial IMUX similar to the Adtran ISU512 or the Initia Access Switch 20/60. If you require further details I can provide them to you in an email.

As to using any other type of MCS, remember that it still must have a serial port for a connection to the crypto in H.320. And of course your H.323 must be connected to a secure network.

George
09-09-2004, 08:59 AM
When securing an ISDN connection the common way I've seen is to simply add an ISDN modem to the configuration. The ISDN modem (Adtran ISU 512 for example) can bring in up to 4 BRIs (512k). It has an RS-530 port that allows "serial" connectivity to your crypto device. From there your crypto device can connect directly to your Tandberg.

-George

haneyr
09-25-2004, 10:02 AM
George,

To answer your original question: yes, we have been doing H.323 conferencing for the past three years. We have found the best practice is to have a written procedure describing the disconnecting of the different classified levels of LAN connections and the reconfiguring of the IP address in the codec. I have seen A/B switches used and they generally prove to be more trouble than they are worth. Plus they must be Tempest approved, so a simple A/B box from Radio Shack will not do. We also found that using different colored UTP cables and connectors helps give a visual clue as to what classification you are using. Plus using a patch panel (visually designate the different classifications for easy use) gives you the ability to do your connections from the front and not have to go into the rear of the rack.