Understanding IP Networks - Security Prevention and Detection

In the last article we looked at Firewalls and their place in a broadcast network. In this article we continue the theme of looking at a network from a broadcast engineers’ point of view so they can better communicate with the IT department, and look at how IT engineers use detection and prevention systems.

Compromise has to be reached between keeping a system secure and keeping it usable. Removing the network connection from a computer or camera is a very easy way of making the network highly secure, this results in the devices not being able to either communicate or send signals to the outside world.

Thousands of Protocols

The opposite extreme is to assign every device with a public IP address and connect them to the internet. Clearly this would be highly insecure and render the station useless in a matter of minutes as every hacker in the world launched their attacks.

Broadcast engineers have been spoilt as video and audio transfer their signals in well-ordered predictable point to point distribution systems and we generally know where a signal is going and if somebody else is trying to use our link.

Proactive Managers

In the IT world nothing could be further from the truth. There are thousands of different protocols using IP networks, bandwidth allocation is random, users come and go as their wifi devices come into range and it’s difficult to know who is accessing what, where and when.

IPS and IDS can be used to stop illegal copying of copyright material

Firewalls go some way to help IT network engineers understand what is going on in their systems but rely on managers being proactive and knowing which protocols to block and pass. Intrusion prevention (IPS) and detection (IDS) systems provide more visibility on what’s going on and the tools to control access.

Be Careful of Jitter and Delay

IPS is similar to a Firewall in that it sits in-line with a network segment such as an internet connection. A datagram is received by its network interface card (NIC) and compared to a list of rules as to whether it should be passed or rejected.

IPS systems tend to work at a higher data level and will construct many datagrams to form a complete data access before applying their rules check. For example, when a server sends a web page back to a browser the server will break the page into many datagrams for transfer over TCP. An IPS will construct the whole page before applying its rules for analysis to detect exploits such as embedded viruses or restricted links.

Viruses and Trojans

As the IPS is in-line it must be extremely well resourced as it cannot afford to drop packets or cause too much jitter and delay, doing so will have an adverse effect on the rest of the network especially if we are distributing real time video and audio streams.

IPS separates its functionality from the Firewall as it tends to be policy based. Employment legislation has advanced in recent years to protect employees from the perils of the internet in the work place. If an unscrupulous employee is viewing inappropriate material on a work computer and the screen can be seen by other users, the employer could find themselves liable as it has allowed other employees to be subject to unacceptable and often illegal material.

Monitoring

In the interest of enabling higher efficiency some employers may block their staff from using social media sites, especially as they can be a source of embedded viruses and Trojans. IPS can be distributed within a network so certain departments can be treated differently than others. A sales department may use Facebook as a key tool for its operation, IPS can allow sales access but block the rest of the company.

IPS can be used to allow Facebook access to one business unit and not another

IPS can be used to allow Facebook access to one business unit and not another

IDS differs from IPS and Firewalls as it is a monitoring system and effectively takes a da’ed feed of the segment of the network being monitored. Highly resourced computers must be used so packets are not dropped and meaningful data is recorded. It’s very useful for fault diagnosis as it can be configured to receive and analyze traffic anywhere in the network.

Alarm Thresholds

IPS is good at blocking known exploits across a network as the devices can be updated on the fly when an exploit is made known to the network manager without having to change firewall policies.

One of the major challenges with IPS and IDS is the amount of false alarms (sometimes referred to as false positives) and log data they create. Tuning these systems and analyzing the logs is a highly specialized job and can easily soak up many hours of effort.

If alarm thresholds are too high then they become useless as data that should be blocked is not being detected or dealt with. If they’re too low then many false positives are created generating work for the IT team.

Film Distributors Worry

IPS, IDS and Firewalls are all used together to help fine tune each other. IDS will show if one area of a network has problems and IPS and Firewalls are used as control devices to remove them. As IPS and Firewalls seem to complement each other there has been a move to unify these two devices into one design providing the Unified Threat Management (UTM).

Fundamentally the rules of IPS and Firewalls are very different, IPS works by denying everything and providing rules to opt in whereas Firewalls work the opposite way by assuming all datagrams are passed and the configuration provides deny and drop rules.

Copyright

Film distributors worry about employees illegally copying their material, especially when they have pre-released the latest blockbuster to a broadcaster ahead of transmission. IDS can be used to detect if somebody is trying to download the film from the media asset library, and IPS and Firewalls can be used to control where the files are downloaded to and by whom, potentially restricting access to just the playout servers.

Anybody who may need access to the film, for example an editor who has to create a bumper, will need to raise a recorded request with the IT department to access the media. This may all sound a bit draconian but recent high profile security breaches have meant film producers are on the ball more than ever as far as illegal copying is concerned.

Let us know what you think…

Log-in or Register for free to post comments…

You might also like...

Essential Guide: IP – A Practical Application

As broadcasters accelerate IP migration, we must move from a position of theory to that of practical application. Hybrid solutions to integrate SDI, AES, MADI, and IP will be needed for many years to come, even with green field sites,…

Broadcasters Now Need To Care About Quality Viewing Experiences

Thanks to Over-the-Top (OTT) streaming video, content owners and broadcasters have a very different relationship with the end consumer – often a direct one.

Essential Guide:  OTT Monitoring Uncovered

OTT distribution is worlds apart from traditional unidirectional broadcasting in terms of its fundamental operation and viewing preferences. The internet is a rapidly expanding collection of service providers, many in direct competition, transferring broadcaster video and audio streams alongside many…

OTT - What and Where to Monitor – Part 3

In the last two articles in this series we looked at why we need to monitor in OTT. Then, through analysing a typical OTT distribution chain, we sought to understand where the technical points of demarcation and challenges arise. In…

Why We Need OTT Monitoring – Part 2

In the previous article in this series, “Understanding OTT Systems”, we looked at the fundamental differences between unidirectional broadcast and OTT delivery. We investigated the complexity of OTT delivery and observed an insight into the multi-service provider silo culture. In thi…