How Video Conferencing Security Works

Video conferencing is a powerful tool that enables face-to-face, real-time communications between associates around the world. A business executive in Boston can hold a virtual meeting with his factory managers in China. A sales manager can demonstrate a new product to sales reps spread out across the country. Or, military commanders in the Pentagon can send new orders to soldiers in the field.

Security is crucial to video conferencing. During a video conference, sensitive information and data travels across internal and external networks where it's susceptible to the prying eyes of hackers -- or in the case of the military, the enemy. If a network is hacked, the video-conference stream becomes the hacker's own private surveillance camera, recording and re-broadcasting corporate secrets and top-secret intelligence [source: Wired].

Video-conferencing security is not only in a company's best interest -- it's the law. Recent government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 require that medical providers, financial institutions and other corporations secure all electronic data associated with their customers and patients [source: Centers for Medicare & Medicaid Service]. That includes all electronic transmissions of personal client data, even video conferences.

Since the terrorist attacks of Sept. 11, 2001, government and military agencies have also been required to comply with strict security protocols for all electronic transmissions [source: Military Information Technology]. The National Security Agency (NSA) and the Defense Information Systems Agency (DISA) have set guidelines for military video conferences wherein all transmissions are protected by several redundant layers of encryption.

In this HowStuffWorks article, we'll explain the basic concepts of video-conferencing security when using ISDN (phone line) networks.

Let's start by defining some basic concepts related to video-conferencing security.

Understanding Video Conferencing Security

For an ISDN video-conferencing system to be secure, it must have security protocols in place for:

Data storage
Data transmission

[source: InterCall]

Video conferences are often archived for later use. Since the information discussed in these video conferences could be sensitive, data storage needs to be secure and separate from all other networks. It's not advisable to use standard computers and hard drives to store video-conference data, since these machines are the most susceptible to intrusion, either from internal or external sources [source: Security for Videoconferencing].

Many companies use subscription video-conferencing services that store all video-conferencing data in special locked-down, off-site facilities. Access to the data is protected by 24-hour surveillance, key cards and biometric scanners [source: InterCall].

Data transmission is the most vulnerable area of video-conferencing security since the data must travel over so many public and private networks to reach its destination. Encryption and network security are the keys to protecting data transmission during a video conference.

The level of encryption depends on the sensitivity of the data. For most non-military organizations, the built-in encryption that comes with the video-conferencing product or service is sufficient. The two most common encryption protocols are 56-bit DES and 128-bit AES encryption [source: Military Information Technology]. The numbers refer to the length of the encryption key, 56 bits or 128 bits. A 128-bit key is nearly impossible to crack because it contains 3.4 X 10³⁸ possible variations.

For government and military data transmission, NSA regulations require that organizations install special encryption boxes to protect classified data. In military security terms, a "secure" network device transmitting classified data is labeled "red" while an unclassified, "unsecure" network component is "black." To secure a military network, there must be an NSA-approved encryption box between each red and black device.

Another video conferencing security concern is something called data radiation. All electronic devices give off a certain amount of radiation that can be intercepted by hackers. Copper phone line cable, for example, can act as an antenna, broadcasting data to those who know how to decipher it [source: Military Information Technology]. And the data radiation from a video screen can be read up to a kilometer away [source: Security for Videoconferencing].

To prevent data radiation during military video conferences, all network devices and materials need to comply with TEMPEST emissions guidelines set forth by the Joint Interoperability Test Command (JITC) [source: Security for Videoconferencing]. TEMPEST-approved devices are tested in a special anechoic chamber that can detect the slightest electronic leaks [source: Military Information Technology].

Now we'll go over how to detect and repair a partially secure ISDN video conferencing setup.

Detecting and Repairing Partially Secure Video Conferencing Setups

ISDN stands for Integrated Services Digital Network and is an international standard for transmitting high-speed digital data over regular phone lines [source: Michigan Technological University]. With ISDN video conferencing, all of the data from the video conference travels back and forth over the public switched telephone network, not the Internet. For this to work, each of the participants in an ISDN video conference must have the right equipment to prepare video, audio and data for transmission over the telephone network.

Most of the heavy lifting during a video conference is done by a special gateway called an inverse multiplexor or IMUX. The IMUX initiates video conference calls and manages the flow of data between the video-conferencing equipment (called the CODEC) and the telephone network [source: Security for Videoconferencing]. The main job of the IMUX is to make sure that there are enough ISDN channels open to provide sufficient bandwidth to handle the video-conference call. A business-quality video conference requires 384 kbps of bandwidth or six 64-kbps ISDN channels [source: Michigan Technological University].

The video conferencing CODEC communicates with the IMUX over two separate interfaces: an RS-366 line dedicated to dialing information and an RS-449/530 line that carries all of the video, audio and other data associated with the video conference itself.

A video-conference setup is considered unsecure if there's nothing encrypting the data between the "red" or classified CODEC and the "black" or unclassified IMUX. If only one of the interfaces between the camera and the IMUX is encrypted, then it's called a partially secure video-conferencing setup [source: Security for Videoconferencing].

For example, if an encryption box is installed on the video/audio/data line, then the video conference stream will be secure. But that still leaves the dialing line vulnerable. Since dialing lines are typically made of copper, it could leak data radiation that could be picked up by hackers [source: Security for Videoconferencing].

Now let's look at two simple ways to work around or repair a partially secure video-conferencing setup.

Secure Video Conferencing Setup

With an encryption box in place on the video/audio/data line, the only thing that needs to be secured is the dialing line. There are two options for securing the dialing line:

Dialing from the IMUX

One way to get around the security vulnerability associated with the dialing line is to bypass the dialing line entirely. A properly trained and certified technician can dial and initiate video-conference calls directly from the IMUX itself. To do this, the technician might have to disconnect and reconnect cables, sometimes located in remote areas [source: Security for Videoconferencing].

Dialing from the IMUX effectively secures the video-conference system, but requires time and special expertise to switch from nonsecure to secure mode and back again.

Dialing from the CODEC Menu Using an Optical Dial Isolator

For practical reasons, it's quicker and easier to initiate and dial both secure and unsecure calls from the video conferencing CODEC's on-screen menu rather than having to rewire the IMUX every time.

The problem is that the copper wire used in the dialing line produces data radiation levels that don't comply with the military's TEMPEST security standards. With the right equipment, however, it's possible to eliminate the data radiation problem without getting rid of the dialing line altogether.

This piece of equipment is called an optical dial isolator. Instead of transmitting data over a copper wire, the optical dial isolator uses fiber-optic cables that convert data into optical light streams that emit no data radiation at all. The isolator needs to be installed between the CODEC and the IMUX on the dialing line.

Using an optical dial isolator makes it easy for organizations like the government or the military to easily switch back and forth between unsecure and secure calls directly from the CODEC's on-screen menu. And with an encryption box already in place on the video/audio/data line, the video conferencing setup is now completely secure.

For more information about video-conferencing security and related topics, check out the links on the next page.