Audio Over IP Primer For Broadcast - Part 3
In Part 2 we looked at solutions to keep AoIP systems simple and discussed the compromise and efficiency vendor specific network systems provide. In Part 3, we look further into system management and network security.
This article was first published as part of Essential Guide: Audio Over IP Primer For Broadcast
Traditional SDI, MADI, and AES broadcast infrastructures using point to point connections have the advantage that it’s relatively easy to work out where signals are being routed. The downside is that cable looms suddenly become very bulky and to achieve redundancy and improved reliability, complex redundant systems must be designed, further adding to the size and cost of wire looms.
Adding devices usually involves installing more cables and increasing the capacity of signal routers. This often leads to static systems that are difficult to scale and challenging to adapt. When building a broadcast facility, how can you estimate with any certainty what your resource requirements will be in five to ten years, especially with technology progressing at today's pace?
Built in Redundancy
Networked IP systems, by their very nature, have built in redundancy and the physical cabling systems are significantly smaller than their point-to-point counterparts. Expanding routers and switches requires less forward planning because IP is data agnostic, so the same physical ports for video, audio, and metadata can be used. We don’t need to worry about provisioning for specific audio, video, or control circuits.
Networked systems, by definition, do not employ point-to-point connectivity, so we often have to represent signal flows and devices in abstract terms to get a better understanding of them. Although network cables exist in the AoIP world, we don’t generally follow system diagrams with cable numbers to get a sense of the system design. Point-to-point systems, although relatively static and inflexible, give a natural demarcation between functionality and locality. For example, each studio would be physically separated from another in terms of equipment and cabling.
Sharing Resource
In the IP world, multiple studios can easily find themselves sharing cables, switches, and infrastructure resource, especially as we move further towards virtualization. This is one of the great benefits of moving to IP: resource becomes sharable across many different locations and so can be better utilized.
To better understand networked systems, we can use logical grouping of resource. The concept of domains is well established in IP using address masks and VLAN segmentation. Using networked solutions, vendors provide methods of grouping devices into specific functionality. This helps engineers better visualize a system to assist with configuration and maintenance.
Organizing devices into domains is a logical solution and provides maximum flexibility. If a Loudness processor is currently grouped in studio-1’s domain, then it can be easily moved to studio-2’s domain to make it available as a resource should studio-1 not need it anymore. As well as providing greater flexibility, domain organizing further improves security for the broadcaster.
Diagram 1 – In IP, devices are abstracted from their physical presence so they can be moved to other domains. Here, two domains have been created, one each for studio 1 and studio 2. The Loudness Console, when not being used by studio 1, is dragged to studio 2. As well as providing this feature, the management software must make sure only authorized people have access to this facility.
Security is a very emotive generic term and means so many different things. We may be referring to the prevention of outside hackers, or we may want to stop people inadvertently configuring systems in error, or we may not want one studio to have access to another studio’s resource. Administering security is notoriously difficult as we first have to decide what we want when we talk about security.
Vendors have recognized the need for security in AoIP solutions and now provide several layers to keep systems secure. To understand this better we can look at how enterprise IT provides security.
Every device in an enterprise system, whether it’s a desktop computer or a switcher, requires the user to enter their credentials to access the resource. As well as stopping unauthorized access, this provides a forensic audit trail showing who logged in and when. Access rights associated with a username further provide granularity, so that specific users can only access authorized functionality within a resource.
Enforcing Authorized Access
The same is true for AoIP network solutions. Even devices such as microphones have parameters built into them that can be remotely controlled to improve their operation. To keep systems secure, remote login is used so that only authorized personnel can access these potentially sensitive controls. This isn’t just about stopping malicious hackers; it is also about stopping somebody who, trying to be helpful, starts configuring a device without the necessary skillset or experience.
One of the enterprise IT policies used to keep facilities secure requires users to change their passwords regularly. An LDAP (Lightweight Directory Access Protocol) directory is a centralized record of usernames and credentials. The directory server enforces the policies set by the IT manager and forces users to change passwords on a regular basis. However, maintaining separate IT and broadcast infrastructure credential databases, each with its own set of password policy rules, is incredibly difficult, and often results in the rules not being enforced on broadcast infrastructure resource.
To deal with this, vendors offering advanced AoIP network solutions provide a gateway to the enterprise IT central LDAP server. This means the same username and password can be used by the engineer for both their IT and AoIP resource. Because the AoIP management server queries the LDAP server each time a login request is made for an audio resource, any change of password takes effect automatically, negating the need to keep two credential databases.
Diagram 2 – Lightweight Directory Access Protocol (LDAP) is integrated into the AoIP management server so only one record of user credentials is kept to enforce authentication and security.
Access rights within the management software, combined with the domain manager, further refine the security of the system. Users within studio-1’s domain, for example, can be restricted to accessing and monitoring resource for just that studio. Although the network is available to all the studios in the facility, only those with access rights for a given studio can access its facilities. Monitoring rights and configuration rights can be granted individually to improve security.
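The domain-based access model described above, as an added illustration that is not code from the article or from any AoIP vendor: the management server authenticates every request against the enterprise directory (simulated here by an in-memory dict standing in for an LDAP bind), then checks the user's monitor or configure right against the domain the device currently belongs to. The device names, users, and passwords are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-in for the enterprise LDAP directory. The AoIP manager holds
# no passwords of its own; it only asks the directory whether a bind succeeds.
# A real deployment would query the LDAP server instead of this dict.
_DIRECTORY = {"alice": hashlib.sha256(b"Studio1-Secret!").hexdigest(),
              "bob": hashlib.sha256(b"Studio2-Secret!").hexdigest()}

def ldap_bind(username, password):
    """Simulated LDAP simple bind: True only if the directory accepts the credentials."""
    stored = _DIRECTORY.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())

@dataclass
class DomainManager:
    devices: dict = field(default_factory=dict)  # device -> domain it currently belongs to
    rights: dict = field(default_factory=dict)   # (user, domain) -> {"monitor", "configure"}
    audit: list = field(default_factory=list)    # forensic trail of every access decision

    def move_device(self, device, domain):
        self.devices[device] = domain             # devices are abstracted from location

    def grant(self, user, domain, *granted):
        self.rights.setdefault((user, domain), set()).update(granted)

    def authorize(self, user, password, device, action):
        """Authenticate via the directory, then check the right on the device's current domain."""
        if not ldap_bind(user, password):
            self.audit.append((user, device, action, "denied: bad credentials"))
            return False
        domain = self.devices.get(device)
        allowed = action in self.rights.get((user, domain), set())
        self.audit.append((user, device, action, "allowed" if allowed else "denied: no right"))
        return allowed

def demo():
    dm = DomainManager()
    dm.move_device("loudness-1", "studio-1")
    dm.grant("alice", "studio-1", "monitor", "configure")
    dm.grant("bob", "studio-2", "monitor")          # monitor only, no configure right
    results = [dm.authorize("alice", "Studio1-Secret!", "loudness-1", "configure"),  # True
               dm.authorize("bob", "Studio2-Secret!", "loudness-1", "monitor")]      # False: other domain
    dm.move_device("loudness-1", "studio-2")         # studio-1 no longer needs the processor
    results.append(dm.authorize("bob", "Studio2-Secret!", "loudness-1", "monitor"))     # True
    results.append(dm.authorize("bob", "Studio2-Secret!", "loudness-1", "configure"))   # False
    _DIRECTORY["bob"] = hashlib.sha256(b"New-Secret!").hexdigest()  # password changed in IT directory
    results.append(dm.authorize("bob", "Studio2-Secret!", "loudness-1", "monitor"))     # False: old password
    return results
```

Calling `demo()` walks through the diagram's scenario: the move of the Loudness processor changes who may reach it without touching any user record, and a password change in the directory is honoured on the next request because the manager keeps no copy.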
This may all seem obvious and in the enterprise IT domain these are well proven working practices. This level of access is also available in many broadcast devices and resource.
IT Integration
However, the key here is that vendors in the AoIP space have combined their solutions with the enterprise IT LDAP server to provide a fully integrated system. As username and password changes become automatically available in the AoIP manager, systems designers and integrators are more likely to use it.
This level of integration further includes monitoring and logging, both essential in maintaining systems and keeping them secure.
Enterprise IT managers often use infrastructure wide monitors such as Nagios and Paessler PRTG. These network monitoring tools probe servers, networks, and even applications running on servers to determine the efficiency with which they are operating. These dashboard monitoring systems quickly show errors and give easy access to deep menu structures, allowing engineers to dig further into individual servers, network devices, or other infrastructure equipment.
SNMP (Simple Network Management Protocol) is an internet standard for gathering data from and monitoring managed devices on IP networks. It can also be used to change parameters in these devices to fine tune their operation.
VM Improvement
Providing SNMP, with its associated monitoring and control parameters, on AoIP managers not only gives early alarms when an error occurs, but also provides a level of security, as devices behaving erratically can be easily detected. This level of analysis is further improved if the management software is virtualized and running on a virtual machine (VM).
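As an added example of the "erratic device" detection the paragraph describes (not code from the article or any vendor's monitoring product), the block below treats successive SNMP polls of an interface error counter as a time series, converts them to per-second rates while allowing for the Counter32 wrap that trips up naive subtraction, and flags intervals whose rate jumps far above the device's own baseline. The device names and counter readings are constructed; `ifInErrors` is the standard MIB-2 interface object.

```python
from statistics import mean

COUNTER32_MAX = 2 ** 32  # SNMP Counter32 objects wrap to zero after 4294967295

def counter_delta(previous, current, modulus=COUNTER32_MAX):
    """Increment between two polls of a cumulative SNMP counter, allowing for wrap-around."""
    delta = current - previous
    return delta if delta >= 0 else delta + modulus

def rates_from_polls(polls, interval_s):
    """Turn successive cumulative counter readings into per-second rates."""
    return [counter_delta(a, b) / interval_s for a, b in zip(polls, polls[1:])]

def find_erratic(rates, warmup=3, factor=5.0, floor=1.0):
    """Indexes of intervals whose rate exceeds `factor` x the baseline of normal intervals.

    The baseline is the mean of the first `warmup` rates plus every later rate that was
    not flagged, so a burst does not inflate its own baseline; `floor` stops a near-zero
    baseline from flagging harmless single-digit changes."""
    flagged, normal = [], []
    for i, rate in enumerate(rates):
        if len(normal) < warmup:
            normal.append(rate)
            continue
        if rate > factor * max(mean(normal), floor):
            flagged.append(i)
        else:
            normal.append(rate)
    return flagged

def check_devices(samples, interval_s):
    """samples: device -> list of ifInErrors readings polled every interval_s seconds."""
    return {dev: find_erratic(rates_from_polls(polls, interval_s)) for dev, polls in samples.items()}

# Constructed sample polls of ifInErrors, one reading per minute. stagebox-1 crosses the
# Counter32 wrap between its third and fourth readings and then bursts between the sixth
# and seventh; console-2 ticks over at a handful of errors per hour.
SAMPLES = {
    "stagebox-1": [4294967200, 4294967250, 4294967290, 40, 90, 140, 2140, 2190],
    "console-2": [100, 100, 100, 101, 101, 102, 102, 102],
}

if __name__ == "__main__":
    print(check_devices(SAMPLES, 60))  # {'stagebox-1': [5], 'console-2': []}
```

In a live system the readings would come from SNMP GET polls of each device; the wrap handling matters because a 32-bit counter on a busy interface can roll over between two polls and would otherwise appear as a huge negative change.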
With the correct configuration, VMs can significantly improve security by providing a layer of access validation between the code and its underlying hardware resource. The hypervisor that hosts the VM provides a level of abstraction from the underlying hardware, so suspect scripts, device access, and memory access violations can be quickly detected and blocked. This helps stop malicious scripts from running.
Throughout this series of articles we have seen how AoIP vendors, with the wealth of knowledge and experience gained over the past twenty years, have fine-tuned IP to work seamlessly for broadcasters. Not only have they been able to make systems work reliably, but they’ve gone the extra mile and integrated them into enterprise IT systems to provide efficient and easy to use solutions.
Reliable Integration is Key
Open standards certainly have their place and standards such as AES67 provide well defined solutions to specific transport challenges. It’s only when we start moving up the implementation tree that we start to see the limitations of “design by committee” standards. Once we’ve got past the ability to move the signal data reliably across an IP network, we must turn our attention to integration.
Discovery, control, and security are incredibly important aspects of the total system integration and user experience. Reliability is more than just efficient signal flow; it also embraces the full operation of the system. We took this for granted with point-to-point connectivity, but if we want to take advantage of the flexibility and scalability of IP solutions, we must look to vendors who have brought all the different elements together and provided fully integrated solutions.