Advanced Hybrid KVM - Part 2
In the previous article in this series, we looked at the advantages of software-KVM and how it differs from some of the VPN solutions available. In this article, we look at further improving security through end-to-end solutions.
Improved Security
When working with high-value content, security is at the forefront of most broadcasters' thinking and falls into two areas: media security and access control.
VPNs do provide good security for remote access to IT systems, but the major challenge is that they need to be manually established before each session. Although this is relatively easy to achieve, it is another process to go through and has an impact on the quality of the user experience.
It is possible to provide a generic VPN server within a broadcast facility. This gives users an entry point to the network from which they can then access the rest of it. But this has a security shortcoming: anybody who can reach the VPN server also potentially has access to the rest of the network.
A software-KVM system can directly access each of the servers it is connected to without a specific VPN being established. It may well use SSH or its own VPN-type connection at the transport level, but it establishes that connection as part of the session start sequence, out of view of the user. Also, multiple sessions can be established so that a user’s terminal can connect to many different servers, none of which need to be in the same datacenter; they can be geographically dispersed.
The upper part of the diagram shows a typical configuration using a hardware system. As the video connections need to be close to the hardware Tx and Rx KVM encoders, these must reside in close proximity to the user and server within the datacenter. This makes hardware KVM impossible to use with public cloud providers, as users do not have access to the physical datacenter. The lower part of the diagram shows a software-KVM remote desktop solution where multiple servers can be accessed from the same or different datacenters throughout the world, even when they are situated in the public cloud.
Although security is incredibly important, it shouldn’t be the concern of the user. Broadcast teams vary greatly in their technical ability, and the less they are involved with low-level security, the more secure a system is likely to be. Even though editors and QA engineers are usually highly technically skilled, they still want to just get on with the job at hand and not be concerned with establishing secure links into networks.
From a management point of view, system administrators can still see who is accessing servers from their management console. Not only does this give visibility of user access, but also allows them to see who is accessing which part of the systems.
Integration with Active Directory further strengthens security, as no special configurations are needed for the software-KVM remote desktop access. The login credentials give the remote user the same level of access they would have if they were in the building, sitting beside the server.
As the video compression is very high quality while in transit between the datacenter and the user’s remote computer, broadcasters are increasingly concerned about cyber criminals stealing video and audio streams as they traverse the internet. This concern is further exacerbated if high-value content is streamed over a WiFi link in a user’s home, as anybody with the WiFi access credentials can intercept the stream.
End-to-end video and audio encryption prevents anybody from illegally viewing the material. It’s entirely possible for them to capture and even record the stream, but it’s almost impossible for them to view the encrypted content.
End To End Solution
Ease of use is paramount for any user and the software-KVM remote desktop not only provides secure access but makes the whole user experience much more enjoyable. The end user can use the remote desktop from their client device as if it is local and switch between each of the remote desktops.
It is certainly possible to bring together various software solutions such as VPNs, SSH, and window managers, but the whole experience is clunky and difficult to operate.
Without a complete end-to-end solution, the user would have to establish a VPN connection, then SSH into a server, and finally establish a remote windowing environment.
Although this is all possible, it proves far from optimal and does not create a harmonious user experience.
Furthermore, if multiple servers need to be accessed, then it’s entirely possible that multiple VPN circuits will need to be established, especially if the datacenter servers are in physically different locations. If a user were accessing servers in three different datacenter locations, which may not even be on the same continent, they would have to establish and keep track of three different VPN and SSH sessions. This is difficult enough for seasoned IT professionals and would prove almost impossible for users who do not specialize in IT to achieve and maintain.
Multiple processes are used within the user’s computer and remote server to achieve full software-KVM remote desktop operation. Although these can be built manually, the resulting solution is almost unusable. The fully automated end-to-end software-KVM remote desktop makes the operation seamless and significantly improves the user experience.
Using a non-integrated method also creates incredible challenges for security. VPN and SSH sessions rely on key-pair authentication, leading to users and administrators having to maintain multiple SSH keys (potentially hundreds), and for most operational applications this will turn out to be an unrealistic proposition.
Adding the video feed into the mix further complicates matters for anybody looking to manually encrypt the video feed. It is possible to do this, but it’s not for the faint of heart and can lead to more problems than it solves.
Although an integrated solution may well use video encryption and VPNs with SSH sessions, abstracting away the underlying complexity leads to an efficient and secure method of access, especially if video encryption is also used. This is even more apparent when multiple servers are accessed from one user computer.
Adaptive Streaming
Internet connections vary enormously in their quality, that is, their bandwidth and latency. Even for low bandwidth requirements such as keyboard entries and mouse clicks, latency can have a detrimental impact on the user experience as the response time of these events becomes noticeable. Therefore, a greater awareness of the underlying transport stream must be achieved.
As we add video into the mix, the need to understand how the internet is performing between the servers and the user’s computer becomes paramount. The software-KVM remote desktop needs to measure not only the bandwidth but also the latency. Adaptive video streaming is one of the tools available to deal with varying internet quality.
It’s also worth remembering that the internet quality isn’t static, it varies enormously from hour to hour, and sometimes from minute to minute. Having a system in place that dynamically adapts to the underlying changes in bandwidth and latency improves the user experience beyond all recognition.
Combining video rate adaptation with bandwidth and latency analysis allows the video data rate to scale to the quality and availability of the network and internet. This is especially important if a user is switching between different servers. Furthermore, using a proprietary codec allows micro-tuning of its parameters to deliver a very high-quality user experience.
With high-quality internet connections, and by using proprietary codecs adapted to the network's ability, it’s possible to achieve such incredibly high-quality video that QA and color grading can be performed remotely.
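The bandwidth- and latency-aware rate selection described above, as an added illustration in Python (not code from the original article or from any software-KVM product). The bitrate ladder, the 80% headroom, the RTT limit and the "degrade at once, upgrade only after a sustained improvement" rules are all assumptions chosen to show the idea:

```python
from collections import deque
from dataclasses import dataclass, field
from statistics import median

# Constructed bitrate ladder in kbit/s; a real product would tune these per codec.
LADDER_KBPS = (2000, 5000, 10000, 20000, 40000)

@dataclass
class LinkSample:
    throughput_kbps: float  # delivery rate measured over the last video packets
    rtt_ms: float           # round-trip time of the keyboard/mouse control channel

@dataclass
class RateController:
    """Chooses a video tier from recent bandwidth and latency measurements (hypothetical design)."""
    window: int = 3            # recent samples considered
    headroom: float = 0.8      # never commit more than 80% of the worst recent throughput
    rtt_limit_ms: float = 150  # above this, interactivity suffers: step down regardless of bandwidth
    up_hold: int = 2           # consecutive samples that must justify an upgrade before stepping up
    tier: int = 0
    _good: int = 0
    _samples: deque = field(default_factory=deque)

    def observe(self, s: LinkSample) -> int:
        """Feed one measurement and return the bitrate (kbit/s) to encode at next."""
        self._samples.append(s)
        if len(self._samples) > self.window:
            self._samples.popleft()
        # Size against the worst throughput in the window so a dip is honoured at once.
        usable = self.headroom * min(x.throughput_kbps for x in self._samples)
        rtt = median(x.rtt_ms for x in self._samples)
        # Highest ladder entry the link can currently carry (index 0 if none fit).
        target = max((i for i, k in enumerate(LADDER_KBPS) if k <= usable), default=0)
        if rtt > self.rtt_limit_ms:
            target = min(target, max(self.tier - 1, 0))
        if target < self.tier:
            self.tier, self._good = target, 0      # degrade immediately: a stall is worse than lower quality
        elif target > self.tier:
            self._good += 1                        # upgrade one tier only after a sustained improvement
            if self._good >= self.up_hold:
                self.tier, self._good = self.tier + 1, 0
        else:
            self._good = 0
        return LADDER_KBPS[self.tier]

def run_trace(trace, **kw):
    """Replay (throughput_kbps, rtt_ms) pairs through one controller; returns the chosen rates."""
    ctl = RateController(**kw)
    return [ctl.observe(LinkSample(t, r)) for t, r in trace]
```

Feeding `run_trace` a constructed trace such as a stable 30 Mbit/s link, a single WiFi dip to 4 Mbit/s, a recovery and then a latency spike shows the rate falling at once on the dip and on sustained high RTT, but climbing back only one tier at a time. One controller per remote server keeps the per-link state separate when the user switches desktops.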
Software-KVM remote desktop delivers incredibly high levels of flexibility, as the required code is installed directly on the server and the user’s computer. This is especially important when working with public cloud installations, as there is often no opportunity to install custom hardware in the datacenter. Security and video compression are considered at the very beginning of the design, leading to a rounded solution that is easy to use and provides an outstanding, secure and flexible user experience.