Network security

Network security is an important topic for many broadcasters these days and for obvious reasons. The impact of a breach on our business is potentially disastrous. For this reason, Broadcast Engineering recently produced a webinar series in conjunction with Avid Technology and Cisco Systems. One of the webinars in the series focused on network security, a topic I'll discuss further this month.

Overall facility security

It is important to recognize that network security exists in the context of your overall facility security. (See Figure 1.) A security strategy should include four types of security: perimeter, network, server and client.

The strategy should be driven by overall security policies that inform decisions in all of these areas. Developing a security policy can help you create a more cohesive and logical security strategy.

As shown in Figure 1, perimeter security might consist of a firewall between the Internet and the corporate backbone. Network security can employ intrusion protection systems and access control lists (ACLs). Server security might use application access control, user authentication, antivirus scanning, and OS and application patches. Client security may include user authentication, antivirus scanning, and OS and application patches.

Physical security is an important element of your security strategy. Today, access to the core technical areas of most broadcast facilities is limited. It may be useful to determine who has access to these critical areas.

To see how an overall security strategy can be deployed in a typical broadcast facility, refer to Figure 2 on page 30. Most broadcasters use a tiered network approach. The production or on-air core is Ring 1, the enterprise network is Ring 2, and the Internet or the rest of world is Ring 3.

At the interface points between the rings, security devices are typically employed. For example, at the interface between the Internet and the enterprise network, most organizations use a firewall. The firewall permits or denies traffic based upon previously defined rules and the characteristics of the network communications.

The features and complexity of firewalls can vary considerably, but their purpose is the same — to allow permitted communications while denying the bad guys on the Internet access to your internal network. Similarly, at the interface between the enterprise network and the production and on-air core, a switch/router with ACLs may be employed.

This tiered network approach allows you to deploy different levels of security in different rings. Usually, the highest level of security is required in your production and on-air core.

Intrusion detection and prevention

An intrusion protection system (IPS) can be installed on your network to monitor network traffic and identify suspicious behavior. One of the activities hackers typically engage in before they actually break into a system is to conduct surveillance of the network, just as a robber might case a home looking for the best way to break in.

Most hackers use a network-scanning tool to conduct this surveillance. The scanning program steps through a range of network addresses, attempting to communicate with different ports and services on each IP address and logging all open ports and active services found. Scanning programs are quite sophisticated and are capable of determining what sort of servers are available, which operating systems they are running and which version of the operating system is loaded. Furthermore, they can determine which ports are available on the server and whether they are open or closed. Each network service requires one or more TCP or UDP ports. For example, a Web server typically uses TCP port 80.

Armed with this information, the hacker can consult a cookbook, which tells him, given the particular OS, version and available ports, which vulnerabilities exist on that server. An educated hacker is then prepared to run a specific exploit on the server, which he knows will allow him to gain access.

An IPS continually monitors network traffic looking for suspicious client behavior. When it sees something suspicious, such as a network scan, the IPS may be configured to deny the client's IP address, thereby blocking any further communication from this client. However, more typically, the IPS will notify an administrator via e-mail, cell phone, SNMP trap or some other means. The IPS may be configured to look for many other suspicious behaviors, including things like brute-force password attacks, in which a client attempts hundreds or even thousands of log-in attempts to a server, each time using a different user name or password.

One advantage of an IPS is that it can provide protection against an unknown attack — one that has never been documented before. These “day zero” attacks can be difficult to counter because most detection systems look for certain “signatures” associated with known attacks.

Because day zero attacks are by definition new, detection systems do not know what they look like. But if the hacker runs a scan first to identify a target system, the IPS may allow the opportunity to shut down the hacker before the day zero attack is launched.

Intrusion protection systems sound great, but it is important to know that these systems come with a cost. It takes time and knowledge to set up one of these systems, and they can produce false alarms.

A large part of IPS management is grooming the system to the traffic on your network so that false alarms are reduced as much as possible, while still keeping the system sensitive enough to detect a real break-in attempt. The systems must also be updated on a regular basis so that they are aware of the latest scanner and hacker behaviors. These are not systems you install and forget. So you might not want to install an IPS unless you are committed to managing, monitoring and maintaining it properly.

Restricting network access

Within your production and on-air core, you may want to implement strict limits on networking. Examples include prohibiting someone from bringing a laptop into the area or preventing someone from communicating from a given workstation to an on-air server in the core technical area.

These policies can be implemented using ACLs. ACLs are stored in routers. When packets arrive at one of the routers interface, the router checks the ACL to see if the originator is authorized and if the traffic is permitted to travel from the originator to the destination given on the packet.

Figure 3 shows an example of an ACL. In this figure, a workstation with an IP address of 172.16.3.100 is granted permission to communicate with servers that reside on a network specified as 172.16.4.0. The router, shown in the middle of the drawing, has three Ethernet interfaces: E0, E1 and E3. It is important to realize that if an ACL is applied to an interface, by default, all communication out of that specific interface is denyed. Communications between devices are selectively permitted through statements in the ACL.

To enable the workstation to communicate with the server, the network engineer makes the following entries in the ACL (this example is specific to Cisco's IOS, and other routers implementing ACLs may function differently):

Access-list 1 permit 172.16.3.100 0.0.0.0

Interface Ethernet 1

IP access-group 1 out

The first entry defines access list 1, consisting of the single IP address 172.16.3.100. The second and third entries show the application of the ACL E1 interface in the outbound direction. Thus, the only computer allowed to send traffic from one network to another is the one at 172.16.3.100.

This might also be a useful entry in a router located between Ring 1 and Ring 2 in Figure 2. This would allow a single computer, for example a newsroom workstation, to communicate with the on-air systems, while denying all other devices on the network access to Ring 1.

Any device, be it a switch, router, firewall or IPS, may cause latency or delay in the network. Consideration needs to be given to the possible impact on bandwidth and latency to time-sensitive IP traffic as security components are introduced into the network. Each “bump in the wire” induces some delay.

Brad Gilmer is president of Gilmer & Associates, executive director of the AAF Association and executive director of the Video Services Forum.

Thanks to Pete Balkus of Avid Technology and Neville Wheeler and Robert Welch of Cisco Systems for permission to use their material for this article. The webinar can be viewed online atwww.broadcastengineering.com/webcast/networking_and_security.