IP Security For Broadcasters: Part 8 - RADIUS Network Access
Maintaining controlled access is critical for any secure network, especially when working with high-value media in broadcast environments.
In small networks, consisting of just a few servers or desktops, a managed authentication system is often overkill. However, as the number of devices increases, a centralized approach to authentication becomes a necessity.
Broadcast facilities have two principal security challenges: they must protect high-value media assets and they often attract unwelcome attention from political dissidents looking for an outlet to disseminate their propaganda. The potential for either of these occurring increases massively when the broadcaster provides remote access for their users.
Accelerating Remote Operations
Lockdown has not only demonstrated the need for user remote access but has also accelerated its use. This has the potential to compromise the broadcast network if adequate security measures are not installed.
Remote Authentication Dial-In User Service (RADIUS) was first developed in the 1990s and is widely used in the IT industry. It has stood the test of time and provides potent additional security for networks and VPNs through the triple-A approach, that is Authentication, Authorization, and Accounting.
Before a user can access a broadcaster’s network, they first need to state who they are. RADIUS is a server-side software application that provides a centralized repository of usernames and passwords against which the user can be validated. Furthermore, RADIUS facilitates extra measures such as secret keys and two-factor authentication to improve security.
Centralized User Validation
Keeping a centralized database of user credentials makes management of the whole network and its associated servers, desktop computers, printers, and other IT devices much easier to administer. It is possible to write scripts to automatically update devices with all the user credentials and broadcast them into the network for download by each device, but this methodology is fraught with potential security breaches, especially if a server is switched off at the time of the update. And that’s before we start thinking about protecting passwords through encryption. By providing a central resource for user validation, users can be added or removed from the system quickly, efficiently, and securely.
Associated with each user credential entry, RADIUS keeps a copy of user rights, that is a list of who has access to which resource. It might be that one group of operators only needs read access to a transcoding server to monitor its progress, but higher privileged users may need write access to change certain parameters within the transcoder configuration.
Security isn’t just about stopping theft of data but also maintaining its integrity. In a typical broadcast operation, the transcoder configuration will only need to be changed occasionally by users who are experienced in advanced video processing, so keeping a restricted access to the server will help improve data integrity and hence security.
Activity Logging
One of the most powerful aspects of RADIUS is its accounting facility as it’s able to log user access and activity. This is particularly useful when a broadcaster frequently stores high-value media that it intends to broadcast but doesn’t own. There are often rights holder contract clauses that specify forensic audit trails to be maintained by the broadcaster. They must know where the media is stored, who has (had) access to it and when. RADIUS has the potential to provide this level of forensic audit.
In modern scalable broadcast infrastructures, knowing who is using a resource and how often provides the ability to optimize system use. A myriad of monitoring and usage data is available with RADIUS so that deep network and resource analysis can be achieved, and greater optimization and efficiencies of the whole broadcast system gained.
Although RADIUS provides the authentication, authorization, and accounting, at some point users must have physical access to the network, and two methods are generally available: ethernet cable and WiFi.
Network Ringfence
To maintain the highest levels of security, users must be validated before gaining access to the network. To achieve this with ethernet connectivity, users will physically connect to a Network Access Control (NAC) point that ring fences the broadcaster’s network. This is analogous to somebody knocking on your front door and you looking through the viewing hole before you unlock the door and let them in.
The NAC liaises with the RADIUS server to authenticate the user’s credentials and if RADIUS can validate the user, then the NAC will allow access to the network. An airgap within the NAC separates the user’s device from the network, often using two physical network interface cards (NICs), one connected to the user network and the other to the broadcast network.
When RADIUS was first developed in the 1990s, dial-up connections were the dominant method of remote connectivity. As technology has developed, the ethernet access point has moved from a NAC server to specialized ethernet switches that provide the authentication negotiation and the physical airgap. This switch is also connected to the internet access point, so that when a user logs into the broadcaster’s network through the internet, the authentication switch communicates with the RADIUS server to provide the necessary authentication.
Fig 1 – When the laptop moves from Access Point AP1 to AP2 the session authenticated in the ethernet switch with the RADIUS server is maintained so the user doesn’t have to log into the network again. Also, through the RADIUS configuration, the system administrator can allow the user to access just the internet if they are a guest, or have access to the broadcast network if they are an employee.
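The exchange between the authenticating switch (the NAS) and the RADIUS server described above, as an added Python sketch that is not code from the article or from any RADIUS implementation: it builds a minimal RFC 2865 Access-Request with the User-Password hidden under the shared secret, and shows why the switch must verify the Response Authenticator on the Access-Accept before opening the port. The shared secret, user name and NAS port values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2            # packet codes, RFC 2865 section 3
USER_NAME, USER_PASSWORD, NAS_PORT = 1, 2, 5    # attribute types, RFC 2865 section 5

def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request
    Authenticator. This is keyed obfuscation, not strong encryption, which is
    one reason EAP methods are preferred over plain PAP on WiFi links."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(atype, value):
    """Type-Length-Value encoding; the length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, user, password, secret, nas_port, req_auth=b""):
    """What the NAC/switch sends to the RADIUS server for a connecting user."""
    req_auth = req_auth or os.urandom(16)           # must be fresh per request
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def make_access_accept(ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, req_auth, secret):
    """The switch must check this before opening the port: a reply forged without
    the shared secret, or replayed against a different request, fails here."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])
```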
Securing WiFi
A similar system exists for WiFi using the IEEE 802.1X protocol. This is a secure method of authentication using wireless access points (APs) connected to the authenticating switch. The APs are WiFi nodes that a user can access from their mobile device. When a user tries to log on to the network, the AP sends secure messages to the authentication switch using the Extensible Authentication Protocol (EAP), which in turn liaises with the RADIUS server to determine whether the user should be granted access.
EAP is particularly powerful as it provides a method of sending secure messages encapsulating the username and password credentials over a wired or wireless network. Using EAP to connect to the RADIUS server via the authentication switch provides a convenient method for roaming. If all the APs are connected to the same authentication switch, then a session can be created for the user once they’ve authenticated against the RADIUS server. As the user moves between APs, they are still authenticated so there is no need to keep logging in.
Using RADIUS in this manner allows system administrators to decide who has access to the network and how. For example, a guest visiting the broadcast facility may only need internet access. Using the authentication system, the administrator can configure a special guest user account that only has access to the internet. This saves the need to keep reissuing user credentials for every guest that enters the building. Using the accounting facility, system administrators can also monitor access: if somebody is maliciously using the internet from an adjacent building, the excessive usage will be detected, and the device can be blocked by disabling access for its unique MAC address.
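The forensic audit trail and the usage check described above, as an added Python example that is not the article's or any RADIUS server's own code: it parses constructed accounting records written in the style of a RADIUS detail log (Start/Stop records with User-Name, Calling-Station-Id, NAS-Port-Id and Acct-Output-Octets), builds a per-session trail of who connected from which MAC through which AP and when, and lists the MACs whose download volume exceeds a threshold for the administrator to review. The user names, MACs, AP names and volumes are all made up.

```python
# Constructed sample in the style of a RADIUS accounting "detail" log (not real data).
DETAIL_LOG = """\
Mon Mar  1 09:00:05 2021
\tAcct-Status-Type = Start
\tUser-Name = "operator1"
\tCalling-Station-Id = "AA-BB-CC-00-11-22"
\tNAS-Port-Id = "ap1"
\tAcct-Session-Id = "s001"

Mon Mar  1 09:00:40 2021
\tAcct-Status-Type = Start
\tUser-Name = "guest"
\tCalling-Station-Id = "DE-AD-BE-EF-00-01"
\tNAS-Port-Id = "ap2"
\tAcct-Session-Id = "s002"

Mon Mar  1 17:30:00 2021
\tAcct-Status-Type = Stop
\tUser-Name = "guest"
\tAcct-Session-Id = "s002"
\tAcct-Output-Octets = 90000000000
"""

def parse_detail(text):
    """Each record is a timestamp line followed by indented 'Attribute = value' lines."""
    records = []
    for chunk in text.strip().split("\n\n"):
        ts, *lines = chunk.splitlines()
        rec = {"timestamp": ts.strip()}
        for line in lines:
            key, _, value = line.strip().partition(" = ")
            rec[key] = value.strip('"')
        records.append(rec)
    return records

def audit_trail(records):
    """One entry per session: who, from which MAC, via which AP/port, start and stop time."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["Acct-Session-Id"], {"user": r.get("User-Name")})
        if r["Acct-Status-Type"] == "Start":
            s.update(start=r["timestamp"], mac=r.get("Calling-Station-Id"), port=r.get("NAS-Port-Id"))
        elif r["Acct-Status-Type"] == "Stop":
            s.update(stop=r["timestamp"], octets=int(r.get("Acct-Output-Octets", 0)))
    return sessions

def heavy_clients(sessions, limit_bytes):
    """MACs whose downloaded volume exceeds the limit: candidates for the administrator to review."""
    macs = {s.get("mac") for s in sessions.values()}
    return sorted(m for m in macs if sum(s.get("octets", 0) for s in sessions.values() if s.get("mac") == m) > limit_bytes)
```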
RADIUS has the potential to provide multiple types of user access to a broadcaster’s network, including WiFi and ethernet. Combined with APs using IEEE 802.1X, the user experience can be greatly improved through roaming while maintaining flexible security and system monitoring.