Advanced Hybrid KVM - Part 2

In the previous article in this series, we looked at the advantages of software-KVM and how it differs from some of the VPN solutions available. In this article, we look at further improving security through end-to-end solutions.



This article was first published as part of Essential Guide: Advanced Hybrid KVM.

Improved Security

When working with high-value content, security is at the front of most broadcasters' minds, and it falls into two areas: media security (protecting the content itself) and access control (who can reach which systems).

VPNs do provide good security for remote access to IT systems, but the major drawback is that the tunnel has to be established by the user before each session. Although this is relatively easy to do, it is one more step in the workflow and it degrades the user experience.

It is possible to provide a generic VPN server within a broadcast facility. This gives users an entry point to the network, from which they can reach the rest of it. But this has a security shortcoming: once connected, a user typically lands on a flat internal network, so anybody who can authenticate to the VPN server (or who has compromised a connected client) potentially has access to everything behind it unless further segmentation is in place.

A software-KVM system can directly access each of the servers it is connected to without the user establishing a VPN first. It may well use SSH or its own VPN-style connection at the transport level, but it establishes that connection as part of the session start-up sequence, out of view of the user. Multiple sessions can also be established, so a user's terminal can connect to many different servers, none of which need to be in the same datacenter; they can be geographically dispersed.

The upper part of the diagram shows a typical configuration using a hardware system. As the video connections need to be close to the hardware Tx and Rx KVM encoders, these must sit physically close to the user and the server within the datacenter. This makes hardware KVM impossible to use with public cloud providers, as users do not have access to the physical datacenter. The lower part of the diagram shows a software-KVM remote desktop solution where multiple servers can be accessed from the same or different datacenters throughout the world, even when they are situated in the public cloud.

Although security is incredibly important, it shouldn't be the concern of the user. Broadcast teams vary greatly in their technical ability, and the less they are involved with low-level security, the more secure a system is likely to be. Even though editors and QA engineers are usually highly technically skilled, they still want to get on with the job in hand rather than establish secure links into networks by hand.

From a management point of view, system administrators can still see who is accessing servers from their management console. This not only gives visibility of user access, but also shows who is accessing which part of the system, which is the audit trail needed when something goes wrong.

Integration with Active Directory further strengthens security, as no special configuration is needed for software-KVM remote desktop access. The login credentials and group memberships give the remote user the same level of access as they would have if they were in the building, sitting next to the server: no separate set of accounts to provision, and none to forget to revoke.

Because the compressed video that travels between the datacenter and the user's remote computer is of very high quality, broadcasters are increasingly concerned about cyber criminals stealing video and audio streams as they traverse the internet. This concern is exacerbated when high-value content is streamed over a WiFi link in a user's home: on a shared WPA2-PSK network, anybody who holds the passphrase and captures the association handshake can decrypt other devices' traffic, so the WiFi link alone gives no protection against a housemate or guest.

End-to-end video and audio encryption prevents anybody from viewing the material without authorization. An eavesdropper can still capture and even record the stream, but without the session key the recording is of no use to them: they cannot recover the content from it. The practical security then rests on key management and on the endpoints, which is where an integrated system can do the work for the user.
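To make the point concrete, the following is an added example (not code from the article or from any vendor's product) of per-frame end-to-end encryption for a software-KVM video stream, using only the Python standard library. It derives separate encryption and MAC keys from a session secret, encrypts each frame with an HMAC-SHA256 keystream in counter mode keyed by the frame sequence number, and authenticates the header and ciphertext (encrypt-then-MAC). The frame format, the sample frames and the session secret are all constructed for the example; a production system would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a library such as `cryptography`, but the structure shown here (a unique nonce per frame, an authenticated header, and a replay check on the receiver) is the same.

```python
"""Per-frame end-to-end encryption for a KVM video stream (illustrative, stdlib only)."""
import hashlib
import hmac
import os
import struct

HEADER = struct.Struct(">QI")   # assumed frame header: sequence number, payload length
TAG_LEN = 32                    # HMAC-SHA256 tag


def derive_keys(session_secret):
    """Split one session secret into an encryption key and a MAC key (HKDF-style labels)."""
    enc_key = hmac.new(session_secret, b"kvm-frame-enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_secret, b"kvm-frame-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, seq, length):
    """PRF in counter mode: keystream depends on the frame sequence number, so no two
    frames share keystream bytes as long as the sender never reuses a sequence number."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal_frame(enc_key, mac_key, seq, frame):
    """Encrypt one frame and append a tag over header + ciphertext."""
    header = HEADER.pack(seq, len(frame))
    ciphertext = bytes(a ^ b for a, b in zip(frame, _keystream(enc_key, seq, len(frame))))
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


class Receiver:
    """Verifies, replay-checks and decrypts frames in order of sequence number."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.last_seq = -1

    def open_frame(self, packet):
        if len(packet) < HEADER.size + TAG_LEN:
            raise ValueError("truncated packet")
        header, ciphertext, tag = packet[:HEADER.size], packet[HEADER.size:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # check the tag before trusting anything else
            raise ValueError("authentication failed")
        seq, length = HEADER.unpack(header)
        if len(ciphertext) != length:
            raise ValueError("length mismatch")
        if seq <= self.last_seq:                          # replayed or reordered frame
            raise ValueError("replayed frame")
        self.last_seq = seq
        return bytes(a ^ b for a, b in zip(ciphertext, _keystream(self.enc_key, seq, length)))


def demo():
    """Legitimate receiver decodes; a WiFi eavesdropper's capture leaks nothing; tampering and replay are rejected."""
    session_secret = os.urandom(32)   # in practice agreed at session start over the SSH/VPN transport
    enc_key, mac_key = derive_keys(session_secret)
    frames = [b"frame-0:" + bytes(range(64)), b"frame-1:" + bytes(range(64, 128))]  # constructed sample frames
    packets = [seal_frame(enc_key, mac_key, seq, f) for seq, f in enumerate(frames)]

    rx = Receiver(enc_key, mac_key)
    decoded = [rx.open_frame(p) for p in packets]
    leaked = any(f in p for f, p in zip(frames, packets))   # does the captured packet contain the plaintext?

    tampered = bytearray(packets[1])
    tampered[HEADER.size] ^= 0x01                            # flip one ciphertext bit
    try:
        Receiver(enc_key, mac_key).open_frame(bytes(tampered))
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    try:
        rx.open_frame(packets[0])                            # replay frame 0 into the live receiver
        replay_rejected = False
    except ValueError:
        replay_rejected = True

    return {"decoded_ok": decoded == frames, "plaintext_leaked": leaked,
            "tamper_rejected": tamper_rejected, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(demo())
```

The sequence number does double duty as the per-frame nonce and as the replay counter, which is why the receiver refuses anything at or below the last sequence number it accepted; a real transport that tolerates reordering would keep a sliding window instead of a single counter.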

End To End Solution

Ease of use is paramount for any user and the software-KVM remote desktop not only provides secure access but makes the whole user experience much more enjoyable. The end user can use the remote desktop from their client device as if it is local and switch between each of the remote desktops.

It is certainly possible to bring together various software components such as a VPN client, SSH and a window manager, but the resulting experience is clunky and difficult to operate.

Without a complete end-to-end solution, the user would have to establish a VPN connection, then SSH into a server and finally establish a remote windows environment.

Although this is all possible, it proves far from optimal and does not create a harmonious user experience.

Furthermore, if multiple servers need to be accessed, it is entirely possible that multiple VPN circuits will have to be established, especially if the datacenter servers are in physically different locations. A user accessing servers in three different datacenters, which may not even be on the same continent, would have to establish and keep track of three separate VPN and SSH sessions. This is difficult enough for seasoned IT professionals and would prove almost impossible for users who do not specialize in IT to set up and maintain.

Multiple processes are used within the user’s computer and remote server to achieve full software-KVM remote desktop operation. Although these can be built manually, the resulting solution is almost unusable. The fully automated end-to-end software-KVM remote desktop makes the operation seamless and significantly improves the user experience.

Using a non-integrated method also creates real challenges for security. VPN and SSH sessions rely on public-key authentication, so every user ends up with a key pair for each host they reach, and users and administrators have to generate, distribute, rotate and eventually revoke those keys (potentially hundreds of them). For most operational applications this turns out to be an unrealistic proposition, and the usual outcome is keys that are shared, never rotated and never revoked.

Adding the video feed into the mix makes the solution more complicated still for anybody looking to encrypt the video manually. It is possible to do, but it is not for the faint of heart and can create more problems than it solves.

An integrated solution may well use the same building blocks of video encryption, VPNs and SSH sessions, but abstracting away the underlying complexity leads to an efficient and secure method of access. This is even more apparent when multiple servers are accessed from one user computer.

Adaptive Streaming

Internet connections vary enormously in their quality, that is, in their bandwidth and latency. Even for low-bandwidth traffic such as keyboard entries and mouse clicks, latency has a detrimental impact on the user experience once the response time of these events becomes noticeable. The client and server therefore need to monitor the underlying transport path continuously.

Once video is added into the mix, the need to understand how the internet is performing between the servers and the user's computer becomes paramount. The software-KVM remote desktop needs to measure not only the available bandwidth but also the latency. Adaptive video streaming is one of the tools available to deal with varying internet quality.

It’s also worth remembering that the internet quality isn’t static, it varies enormously from hour to hour, and sometimes from minute to minute. Having a system in place that dynamically adapts to the underlying changes in bandwidth and latency improves the user experience beyond all recognition.

Combining video rate adaptation with bandwidth and latency analysis allows the video data rate to scale with the quality and availability of the network and internet path. This is especially important when a user is switching between different servers, each reached over a different path. Furthermore, using a proprietary codec allows fine tuning of its parameters to deliver a very high-quality user experience.
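The following is an added example (not code from the article or from any vendor's product) of the control loop this describes. It assumes the transport reports, once per measurement interval, an available-bandwidth estimate in kbit/s and an RTT sample in milliseconds; the bitrate ladder, the target RTT and the sample sequence are all constructed for the example. The controller smooths both measurements with an exponentially weighted moving average, shrinks the usable budget when the RTT rises above target (rising latency at constant bandwidth usually means queues are building), drops a tier immediately when the budget no longer covers the current rate, and only steps up one tier at a time after several consecutive good intervals, so that a brief good patch does not bounce the user between quality levels.

```python
"""Bandwidth- and latency-aware bitrate controller for a KVM video stream (illustrative)."""

LADDER_KBPS = (2_000, 5_000, 10_000, 20_000, 40_000)   # assumed encoder bitrate tiers


class RateController:
    def __init__(self, ladder=LADDER_KBPS, target_rtt_ms=40.0, headroom=0.8, alpha=0.5, up_hold=3):
        self.ladder = ladder
        self.target_rtt_ms = target_rtt_ms   # RTT above this is treated as queueing delay
        self.headroom = headroom             # never fill the path completely
        self.alpha = alpha                   # EWMA weight for new samples
        self.up_hold = up_hold               # good intervals required before stepping up
        self.bw_est_kbps = 0.0
        self.rtt_est_ms = 0.0
        self.tier = 0                        # always start at the lowest rate
        self.good_intervals = 0

    def report(self, bw_kbps, rtt_ms):
        """Feed one measurement interval; returns the bitrate the encoder should use next."""
        if self.bw_est_kbps == 0.0:          # first sample seeds the estimates
            self.bw_est_kbps, self.rtt_est_ms = float(bw_kbps), float(rtt_ms)
        else:
            self.bw_est_kbps += self.alpha * (bw_kbps - self.bw_est_kbps)
            self.rtt_est_ms += self.alpha * (rtt_ms - self.rtt_est_ms)

        budget = self.bw_est_kbps * self.headroom
        if self.rtt_est_ms > self.target_rtt_ms:
            budget *= self.target_rtt_ms / self.rtt_est_ms   # back off in proportion to excess latency

        fit = 0                                                # highest tier the budget covers
        for i, kbps in enumerate(self.ladder):
            if kbps <= budget:
                fit = i

        if fit < self.tier:                                    # step down at once
            self.tier, self.good_intervals = fit, 0
        elif fit > self.tier:                                  # step up only after sustained headroom
            self.good_intervals += 1
            if self.good_intervals >= self.up_hold:
                self.tier, self.good_intervals = self.tier + 1, 0
        else:
            self.good_intervals = 0
        return self.ladder[self.tier]


def demo():
    """Constructed measurement trace: a healthy path, then an RTT spike, then a bandwidth collapse."""
    samples = [(30_000, 20)] * 10 + [(30_000, 120), (30_000, 120), (6_000, 120)]
    ctl = RateController()
    return [ctl.report(bw, rtt) for bw, rtt in samples]


if __name__ == "__main__":
    for step, kbps in enumerate(demo(), 1):
        print(f"interval {step:2d}: encode at {kbps} kbit/s")
```

On the constructed trace the controller climbs 2,000 to 5,000 to 10,000 to 20,000 kbit/s over nine intervals, holds there, then drops to 10,000 as soon as the smoothed RTT crosses 40 ms and to 5,000 when the bandwidth estimate collapses. The asymmetry (fast down, slow up) is deliberate: the cost of a stall while a user is grading pictures is far higher than the cost of a few seconds at one tier below the best achievable quality.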

With high-quality internet connections, and with proprietary codecs adapted to what the network can carry, it is possible to achieve video of such high quality that QA and even color grading can be carried out remotely.

Software-KVM remote desktop delivers a very high level of flexibility because the required software is installed directly on the server and on the user's computer. This is especially important when working with public cloud installations, where there is usually no opportunity to install custom hardware in the datacenter. When security and video compression are considered together from the very beginning of the design, the result is a rounded solution that is easy to use and provides a secure and flexible user experience.
