Page 220 - Asterisk™: The Future of Telephony

Security considerations
H.323 is a relatively secure protocol and does not require many security considerations
beyond those that are common to any network communicating with the Internet. Since
H.323 uses the RTP protocol for media communications, it does not natively support
encrypted media paths. The use of a VPN or other encrypted tunnel between endpoints
is the most common way of securely encapsulating communications. Of course, this
has the disadvantage of requiring the establishment of these secure tunnels between
endpoints, which may not always be convenient (or even possible). As VoIP is used
more often to communicate with financial institutions such as banks, we're likely
to require extensions to the most commonly used VoIP protocols to natively support
strong encryption methods.

H.323 and NAT
The H.323 standard uses the Internet Engineering Task Force (IETF) RTP protocol to
transport media between endpoints. Because of this, H.323 has the same issues as SIP
when dealing with network topologies involving NAT. The easiest method is to simply
forward the appropriate ports through your NAT device to the internal client.

To receive calls, you will always need to forward TCP port 1720 to the client. In addition,
you will need to forward the UDP ports for the RTP media and RTCP control
streams (see the manual for your device for the port range it requires). Older clients,
such as Microsoft NetMeeting, will also require TCP ports forwarded for H.245 tunneling
(again, see your client's manual for the port number range).
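As an added example that is not from the book, the following POSIX shell helper generates the iptables rules for the single-client port forwarding just described (TCP 1720 plus the UDP RTP/RTCP range), so they can be reviewed before being applied. The interface name eth0, the client address 192.168.1.50 and the UDP range 16384-16403 are assumed placeholders; the real RTP/RTCP range comes from the client's manual.

```shell
#!/bin/sh
# Added example, not from the book: emit the iptables rules that forward H.323
# call setup (TCP 1720) and the RTP/RTCP media range (UDP) from the public
# interface to one internal H.323 client, as the paragraph above describes.
# The interface name, client address and UDP range passed in are ASSUMED sample
# values; take the real RTP/RTCP range from the client's manual. The FORWARD
# rules assume the chain's default policy is DROP. Older clients that need
# H.245 tunneling ports would need a similar TCP range rule (not shown).
# Usage (as root, after reviewing the output):
#   h323_forward_rules eth0 192.168.1.50 16384 16403 | sh

h323_forward_rules() {
    wan_if=$1; client=$2; lo=$3; hi=$4

    # Refuse non-numeric, reversed, privileged or out-of-range UDP ranges.
    for p in "$lo" "$hi"; do
        case $p in ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1;; esac
    done
    if [ "$lo" -gt "$hi" ] || [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ]; then
        echo "bad port range $lo-$hi" >&2; return 1
    fi

    # Call signalling: H.323 call setup always arrives on TCP 1720.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 1720 -j DNAT --to-destination $client:1720"
    echo "iptables -A FORWARD -i $wan_if -d $client -p tcp --dport 1720 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"

    # Media: RTP and RTCP arrive on the UDP range. DNAT without a port keeps
    # the port numbers unchanged, and only that range is exposed.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p udp --dport $lo:$hi -j DNAT --to-destination $client"
    echo "iptables -A FORWARD -i $wan_if -d $client -p udp --dport $lo:$hi -j ACCEPT"

    # Let the client's replies back out through the NAT device.
    echo "iptables -A FORWARD -s $client -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}
```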
If you have a number of clients behind the NAT device, you will need to use a
gatekeeper running in proxy mode. The gatekeeper will require an interface attached
to the private IP subnet and the public Internet. Your H.323 client on the private IP
subnet will then register to the gatekeeper, which will proxy calls on the clients' behalf.
Note that any external clients that wish to call you will also be required to register with
the proxy server.
At this time, Asterisk can't act as an H.323 gatekeeper. You'll have to use a separate
application, such as the open source OpenH323 Gatekeeper (http://www.gnugk.org).


MGCP
The Media Gateway Control Protocol (MGCP) also comes to us from the IETF. While
MGCP deployment is more widespread than one might think, it is quickly losing
ground to protocols such as SIP and IAX. Still, Asterisk loves protocols, so naturally it
has rudimentary support for it.

MGCP is defined in RFC 3435.* It was designed to make the end devices (such as
phones) as simple as possible, and have all the call logic and processing handled by


* RFC 3435 obsoletes RFC 2705.

192 | Chapter 8: Protocols for VoIP