In the last article we looked at Firewalls and their place in a broadcast network. In this article we continue the theme of looking at a network from a broadcast engineers’ point of view so they can better communicate with the IT department, and look at how IT engineers use detection and prevention systems.
Compromise has to be reached between keeping a system secure and keeping it usable. Removing the network connection from a computer or camera is a very easy way of making the network highly secure, this results in the devices not being able to either communicate or send signals to the outside world.
Thousands of Protocols
The opposite extreme is to assign every device with a public IP address and connect them to the internet. Clearly this would be highly insecure and render the station useless in a matter of minutes as every hacker in the world launched their attacks.
Broadcast engineers have been spoilt as video and audio transfer their signals in well-ordered predictable point to point distribution systems and we generally know where a signal is going and if somebody else is trying to use our link.
In the IT world nothing could be further from the truth. There are thousands of different protocols using IP networks, bandwidth allocation is random, users come and go as their wifi devices come into range and it’s difficult to know who is accessing what, where and when.
Firewalls go some way to help IT network engineers understand what is going on in their systems but rely on managers being proactive and knowing which protocols to block and pass. Intrusion prevention (IPS) and detection (IDS) systems provide more visibility on what’s going on and the tools to control access.
Be Careful of Jitter and Delay
IPS is similar to a Firewall in that it sits in-line with a network segment such as an internet connection. A datagram is received by its network interface card (NIC) and compared to a list of rules as to whether it should be passed or rejected.
IPS systems tend to work at a higher data level and will construct many datagrams to form a complete data access before applying their rules check. For example, when a server sends a web page back to a browser the server will break the page into many datagrams for transfer over TCP. An IPS will construct the whole page before applying its rules for analysis to detect exploits such as embedded viruses or restricted links.
Viruses and Trojans
As the IPS is in-line it must be extremely well resourced as it cannot afford to drop packets or cause too much jitter and delay, doing so will have an adverse effect on the rest of the network especially if we are distributing real time video and audio streams.
IPS separates its functionality from the Firewall as it tends to be policy based. Employment legislation has advanced in recent years to protect employees from the perils of the internet in the work place. If an unscrupulous employee is viewing inappropriate material on a work computer and the screen can be seen by other users, the employer could find themselves liable as it has allowed other employees to be subject to unacceptable and often illegal material.
In the interest of enabling higher efficiency some employers may block their staff from using social media sites, especially as they can be a source of embedded viruses and Trojans. IPS can be distributed within a network so certain departments can be treated differently than others. A sales department may use Facebook as a key tool for its operation, IPS can allow sales access but block the rest of the company.
IDS differs from IPS and Firewalls as it is a monitoring system and effectively takes a da’ed feed of the segment of the network being monitored. Highly resourced computers must be used so packets are not dropped and meaningful data is recorded. It’s very useful for fault diagnosis as it can be configured to receive and analyze traffic anywhere in the network.
IPS is good at blocking known exploits across a network as the devices can be updated on the fly when an exploit is made known to the network manager without having to change firewall policies.
One of the major challenges with IPS and IDS is the amount of false alarms (sometimes referred to as false positives) and log data they create. Tuning these systems and analyzing the logs is a highly specialized job and can easily soak up many hours of effort.
If alarm thresholds are too high then they become useless as data that should be blocked is not being detected or dealt with. If they’re too low then many false positives are created generating work for the IT team.
Film Distributors Worry
IPS, IDS and Firewalls are all used together to help fine tune each other. IDS will show if one area of a network has problems and IPS and Firewalls are used as control devices to remove them. As IPS and Firewalls seem to complement each other there has been a move to unify these two devices into one design providing the Unified Threat Management (UTM).
Fundamentally the rules of IPS and Firewalls are very different, IPS works by denying everything and providing rules to opt in whereas Firewalls work the opposite way by assuming all datagrams are passed and the configuration provides deny and drop rules.
Film distributors worry about employees illegally copying their material, especially when they have pre-released the latest blockbuster to a broadcaster ahead of transmission. IDS can be used to detect if somebody is trying to download the film from the media asset library, and IPS and Firewalls can be used to control where the files are downloaded to and by whom, potentially restricting access to just the playout servers.
Anybody who may need access to the film, for example an editor who has to create a bumper, will need to raise a recorded request with the IT department to access the media. This may all sound a bit draconian but recent high profile security breaches have meant film producers are on the ball more than ever as far as illegal copying is concerned.
You might also like...
In the previous articles in this series we looked at advanced server security and out-of-band monitoring and control, especially with security validation of peripheral device firmware. In this article, we investigate virtualization further and its benefits for building secure broadcast…
In this thought-provoking missive, Gary Olson delivers his predictions and insights for IBC 2019.
In the previous article in this series we looked at advanced server security and how the controller within a hard disk drive or SSD can be vulnerable to hacking even with the most advanced firewalls and anti-virus software. In this…
A major development has happened in the broadcast industry with the adoption of software running on COTS servers for processing uncompressed real-time video. Up to recently, this had not even appeared on the radar, but new technology evolution and innovation…
Broadcasters continue to see the benefits of IP and many are integrating piecemeal to build hybrid SDI-IP systems. At a first glance, monitoring of hybrid systems may seem to be just an extension of existing practices. However, the complex interaction…