Understanding IP Networks - Security Prevention and Detection
In the last article we looked at Firewalls and their place in a broadcast network. In this article we continue the theme of looking at a network from a broadcast engineer's point of view, so that broadcast engineers can better communicate with the IT department, and look at how IT engineers use detection and prevention systems.
A compromise has to be reached between keeping a system secure and keeping it usable. Removing the network connection from a computer or camera is a very easy way of making the network highly secure, but it also means the devices can no longer communicate or send signals to the outside world.
Thousands of Protocols
The opposite extreme is to assign every device a public IP address and connect them all to the internet. Clearly this would be highly insecure and render the station useless in a matter of minutes as every hacker in the world launched their attacks.
Broadcast engineers have been spoilt: video and audio signals travel over well-ordered, predictable point-to-point distribution systems, and we generally know where a signal is going and whether somebody else is trying to use our link.
Proactive Managers
In the IT world nothing could be further from the truth. There are thousands of different protocols using IP networks, bandwidth allocation is unpredictable, users come and go as their wifi devices move in and out of range, and it's difficult to know who is accessing what, where and when.
Firewalls go some way to help IT network engineers understand what is going on in their systems but rely on managers being proactive and knowing which protocols to block and pass. Intrusion prevention (IPS) and detection (IDS) systems provide more visibility on what’s going on and the tools to control access.
Be Careful of Jitter and Delay
IPS is similar to a Firewall in that it sits in-line with a network segment such as an internet connection. A datagram is received by its network interface card (NIC) and compared to a list of rules as to whether it should be passed or rejected.
IPS systems tend to work at a higher level of the protocol stack and will reassemble many datagrams into a complete transaction before applying their rules. For example, when a server sends a web page back to a browser, the server breaks the page into many datagrams for transfer over TCP. An IPS will reassemble the whole page before applying its rules, so it can detect exploits such as embedded viruses or restricted links that would not be visible in any single datagram.
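As an added illustration (not code from the article), this Python sketch shows why reassembly matters: a restricted-link pattern that is split across two TCP segments is missed when each segment is inspected on its own, but caught once the stream is put back together. The page contents, the `blocked.example` domain and the rule list are all constructed for the example.

```python
import re

# Constructed sample: a web page that a server returns to a browser. On the
# wire it is split into TCP segments, and the segments may arrive out of order.
PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><a href='http://blocked.example/film.mxf'>download</a></html>")

# Hypothetical rule list (not from any real IPS product): rule name -> pattern.
RULES = {"restricted-link": re.compile(rb"blocked\.example")}

def split_across_boundary(page, marker):
    """Cut the page into (seq, payload) segments so that `marker` straddles
    two segments, then return them out of order, as a network may deliver."""
    cut = page.index(marker) + len(marker) // 2
    head, tail = page[:cut], page[cut:]
    mid = len(tail) // 2
    return [(cut + mid, tail[mid:]), (0, head), (cut, tail[:mid])]

def per_packet_matches(segments, rules=RULES):
    """Packet-by-packet check: every segment is inspected on its own, so a
    pattern split over two segments is never seen."""
    return {name for _, payload in segments
            for name, pat in rules.items() if pat.search(payload)}

def reassemble(segments):
    """Order segments by sequence offset and require a contiguous stream.
    Returns None when data is missing: a rule check on a partial stream
    could pass a page it should have blocked."""
    expected, out = 0, bytearray()
    for seq, payload in sorted(segments):
        if seq != expected:
            return None
        out += payload
        expected += len(payload)
    return bytes(out)

def stream_matches(segments, rules=RULES):
    """IPS-style check: rules are applied to the reassembled page."""
    data = reassemble(segments)
    if data is None:
        return None
    return {name for name, pat in rules.items() if pat.search(data)}

if __name__ == "__main__":
    segs = split_across_boundary(PAGE, b"blocked.example")
    print("per packet:", per_packet_matches(segs))   # set()
    print("reassembled:", stream_matches(segs))      # {'restricted-link'}
```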
Viruses and Trojans
As the IPS is in-line it must be extremely well resourced, because it cannot afford to drop packets or cause too much jitter and delay; doing so will have an adverse effect on the rest of the network, especially if we are distributing real-time video and audio streams.
IPS separates its functionality from the Firewall as it tends to be policy based. Employment legislation has advanced in recent years to protect employees from the perils of the internet in the work place. If an unscrupulous employee is viewing inappropriate material on a work computer and the screen can be seen by other users, the employer could find themselves liable as it has allowed other employees to be subject to unacceptable and often illegal material.
Monitoring
In the interest of enabling higher efficiency some employers may block their staff from using social media sites, especially as they can be a source of embedded viruses and Trojans. IPS can be distributed within a network so that certain departments can be treated differently from others. A sales department may use Facebook as a key tool for its operation, so IPS can allow the sales team access but block the rest of the company.
IDS differs from IPS and Firewalls as it is a monitoring system: rather than sitting in-line, it effectively takes a DA'd feed (a mirrored copy) of the traffic on the segment of the network being monitored. Highly resourced computers must be used so that packets are not dropped and meaningful data is recorded. It's very useful for fault diagnosis as it can be configured to receive and analyze traffic anywhere in the network.
Alarm Thresholds
IPS is good at blocking known exploits across a network as the devices can be updated on the fly when an exploit is made known to the network manager without having to change firewall policies.
One of the major challenges with IPS and IDS is the amount of false alarms (sometimes referred to as false positives) and log data they create. Tuning these systems and analyzing the logs is a highly specialized job and can easily soak up many hours of effort.
If alarm thresholds are too high then they become useless as data that should be blocked is not being detected or dealt with. If they’re too low then many false positives are created generating work for the IT team.
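An added example, not from the article, of the tuning trade-off on constructed firewall log lines (the IP addresses, the port-probing rule and the "known scanner" label are all made up): a rule that alerts when a source touches at least N distinct destination ports, scored at three thresholds against the constructed ground truth.

```python
from collections import defaultdict

# Constructed sample log (not from a real device): "<secs> <src> -> <dst>:<port> <action>".
# 10.1.0.5 probes six ports; 10.1.0.9 is a monitoring server that legitimately
# polls several services; 10.1.0.20 is an editor workstation on one file share.
LOG_LINES = """\
100 10.1.0.5 -> 10.1.2.10:21 deny
101 10.1.0.5 -> 10.1.2.10:22 deny
102 10.1.0.5 -> 10.1.2.10:23 deny
103 10.1.0.5 -> 10.1.2.10:25 deny
104 10.1.0.5 -> 10.1.2.10:80 deny
105 10.1.0.5 -> 10.1.2.10:443 deny
100 10.1.0.9 -> 10.1.2.10:161 allow
100 10.1.0.9 -> 10.1.2.11:161 allow
101 10.1.0.9 -> 10.1.2.10:22 allow
102 10.1.0.9 -> 10.1.2.10:80 allow
103 10.1.0.9 -> 10.1.2.10:443 allow
110 10.1.0.20 -> 10.1.2.30:445 allow
111 10.1.0.20 -> 10.1.2.30:445 allow
""".splitlines()

# Constructed ground truth used to score the rule: which sources really are probing.
KNOWN_SCANNERS = {"10.1.0.5"}

def parse(line):
    secs, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return int(secs), src, dst, int(port), action

def ports_per_source(lines):
    """Distinct destination ports contacted by each source address."""
    seen = defaultdict(set)
    for _, src, _, port, _ in map(parse, lines):
        seen[src].add(port)
    return seen

def evaluate(threshold, lines=LOG_LINES, scanners=KNOWN_SCANNERS):
    """Alert on any source touching at least `threshold` distinct ports and
    score the result: returns (alerted, missed_scanners, false_positives)."""
    alerted = {src for src, ports in ports_per_source(lines).items()
               if len(ports) >= threshold}
    return alerted, scanners - alerted, alerted - scanners

def tuning_table(thresholds=(3, 5, 8)):
    """threshold -> (missed, false positives): low threshold flags the
    monitoring server, high threshold lets the scanner through."""
    return {t: (len(evaluate(t)[1]), len(evaluate(t)[2])) for t in thresholds}
```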
Film Distributors Worry
IPS, IDS and Firewalls are all used together to help fine tune each other. IDS will show if one area of a network has problems, and IPS and Firewalls are used as control devices to remove them. As IPS and Firewalls seem to complement each other, there has been a move to unify these two devices into one design, providing Unified Threat Management (UTM).
Fundamentally the rules of IPS and Firewalls are very different: IPS works by denying everything and providing rules to opt in, whereas Firewalls work the opposite way, assuming all datagrams are passed and relying on the configuration to provide deny and drop rules.
Copyright
Film distributors worry about employees illegally copying their material, especially when they have pre-released the latest blockbuster to a broadcaster ahead of transmission. IDS can be used to detect if somebody is trying to download the film from the media asset library, and IPS and Firewalls can be used to control where the files are downloaded to and by whom, potentially restricting access to just the playout servers.
Anybody who may need access to the film, for example an editor who has to create a bumper, will need to raise a recorded request with the IT department to access the media. This may all sound a bit draconian but recent high profile security breaches have meant film producers are on the ball more than ever as far as illegal copying is concerned.