Wayne M. Pecena is assistant director of information technology for educational broadcast services at Texas A&M University. He serves as the director of engineering for KAMU Public Radio and Television. He was the 2014 recipient of the Radio World Excellence in Engineering Award.
This interview is from the recent Radio World eBook “The Internet of Broadcast Things”; read it here.
Radio World: Give us the “10,000-foot view” on internet security in the broadcast plant.
Wayne Pecena: Security is an ongoing process that, unfortunately, tends to be treated as a one-time, set-it-up-and-forget-it event. It involves continuous assessment, monitoring and action steps.
Security is a lot of nonstop work. For the broadcast engineer actively engaged in maintaining the station technical plant, network security is the “Permanent Employment Act.”
Fig. 1: This image from a Pecena presentation about IP network security identifies attributes of a secure network. Common threats to network infrastructure include DHCP snooping, ARP spoofing/IP spoofing, rogue router advertisements, denial of service attacks and application layer attacks.
RW: Generally speaking, what are the key advantages to broadcasters of having internet connectivity? With all the attention to breaches, it might be tempting to just disconnect everything. Instead, how can media professionals do it smart, and practice “safe IP”?
Pecena: It’s really all about capability and flexibility. Having an internet connection provides things such as program origination, simplified device remote control, as well as remote management and equipment diagnostics.
Appropriate protection(s) must be used. The days of the open internet are long gone. I am a proponent of segmented networks, which provide performance enhancement and are also the platform for multi-level security defense implementation. The VLAN, VPN and a firewall are some key components used to build a secure environment.
A firewall is important, as connections to the outside world are usually necessary. Inside the station, don’t overlook protection among isolated internal networks. Having said all that, it is important not to become overly reliant on a firewall and assume that everything is safe just because you have one. Finally, utilize the OSI model as a structured guide, and implement security at Layers 1–3 at the minimum.
RW: Passwords seem like such a basic concern, but we probably hear about problems there more than any other. What can you recommend to help radio organizations better protect their assets?
Pecena: Passwords are a surprisingly overlooked issue. The first step is to change default device passwords. This is too commonly overlooked. Then develop your own approach to creating unique and strong passwords. That means something other than your station’s call sign, slogan or frequency.
A weak password is usually seven characters or fewer, and consists of dictionary words. Such passwords are dangerous because a hacker can run a script that goes through a dictionary trying words as passwords. And it can do this in fractions of a second. I always recommend passwords that are made up of eight or more characters, containing a mixture of letters and numbers, special characters and upper and lower case. It’s also important to avoid using the same password across multiple sites. Otherwise, once a hacker has one password, they will have access to all of your accounts.
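The password rules Pecena lists above (eight or more characters, all four character classes, no dictionary words, nothing derived from the station’s call sign, slogan or frequency, and no reuse across sites), written out as an added Python check; this is example code, not from the interview, and the dictionary and station terms are constructed placeholders.

```python
import re
import string

# Constructed sample data (not from the interview): a tiny word list and the
# identifiers of a hypothetical station (call sign, frequency, slogan) to reject.
DICTIONARY = {"password", "welcome", "station", "radio", "summer", "letmein"}
STATION_TERMS = ("kxyz", "1015", "101.5", "thebeat")  # tuple keeps report order stable

MIN_LENGTH = 8  # the interview's recommendation: eight or more characters

def check_password(pw: str, used_elsewhere=()) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in pw),
        "uppercase": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    low = pw.lower()
    # Strip digits and punctuation so "Summer2019!" is still caught as a dictionary word
    core = re.sub(r"[^a-z]", "", low)
    if core in DICTIONARY:
        problems.append(f"dictionary word: {core}")
    for term in STATION_TERMS:
        if term in low:
            problems.append(f"contains station identifier: {term}")
    # Reuse turns one compromised site into access to every account sharing the password
    if pw in used_elsewhere:
        problems.append("reused on another site")
    return problems
```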
Fig. 2: Best practices to consider when securing a broadcast IP network.
RW: Let’s talk a bit more in depth. Can you share some important highlights from your presentations about this topic?
Pecena: As I said, security is an ongoing IT process and should never be considered a one-time, set-up-and-forget process.
Simple-to-implement best practices towards creating a secure network environment include changing host default logins; disabling unnecessary host services; closing unused host TCP/UDP ports; keeping your system software updated and patched; terminating the use of unsecure protocols like Telnet; and using encrypted communications paths such as VPN. (See Fig. 2.)
Firewalls are an essential tool in the network security toolbox. However, don’t over-rely on a firewall as the sole protection device. Have more than one “lock” on your door! Deny everything. Open only needed ports. Implement stateless source and destination filtering through an Access Control List (ACL).
Segment networks into protection zones. Minimize the network size/scope. Learn from the “Castle Approach.”
Keep in mind that a firewall adds latency, which could impact the real-time media found in a broadcast plant. Mitigate this by having adequate firewall hardware resources (processor/memory/interfaces).
Fig. 3: The Castle or “Defense-in-Depth” approach to network security is based upon a centuries-old concept. Credit: CC BY-SA 2.0
RW: What is the “Castle Approach”?
Pecena: There are several attributes that define a “secure” network. These attributes include utilization of a system design approach that establishes multiple layers of security. There is no single technique to securing a network infrastructure due to the diversity of potential threats.
The “Castle Approach,” also known as the “Defense-in-Depth” approach, implements multiple perimeters or layers of security such that if one perimeter is breached, another exists to prevent further exploit. Whereas this may be a new approach to network security, it is a centuries-old approach beginning with the design of a castle, where the outermost perimeter is protected by a “moat” and additional perimeters must be conquered to reach the core inhabitants or treasures.
A practical implementation approach is to use the OSI Model “Data Flow” layers as a structured guide to network security (Fig. 4).
Fig. 4: The Open Systems Interconnection (OSI) Model
Start at the Physical layer and limit physical access to network infrastructure hardware and cabling. This can range from electronic access controlled wiring distribution closets to simple lockable rack equipment covers.
At the Data-Link layer, implement managed Ethernet switch security provisions. Control what can be connected to the network by utilizing switch port security. Configure the switch to shut down the port when a violation occurs. Implement VLANs to segment or separate network traffic into security domains. This approach can also improve network performance by limiting a network broadcast domain.
At the Network layer, implement firewall filtering techniques and Layer 3 encryption such as IPsec between critical network devices and/or hosts. Firewall techniques include stateless implementations via Access Control Lists as well as stateful implementations at the network border. Implement ingress and egress filtering. Deny by default. Be a good network neighbor by implementing egress filtering. Do not overlook internal firewalls.
The Transport layer provides another opportunity to implement encryption. Layer 4 encryption includes techniques such as Secure Sockets Layer (SSL).
And finally, a secure network establishes an “Audit Trail” by tracking and monitoring network activity. Unusual network activity is often an indication that a breach has occurred. Audit trails are the key to determining how a breach occurred and to the development of preventative measures for the future. Logging of denied access attempts gives an indication of potential threats being imposed on the network.
In summary, a network is considered secure when Defense-in-Depth design techniques are implemented with restricted access via internal and external firewall techniques where all activity is monitored and logged.
Fig. 5: Applying a layered network design.
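A small model of the Network-layer rules described above (deny by default, anti-spoofing ingress and egress filtering, no Telnet leaving the plant, and logging of every denied attempt for the audit trail), written as an added Python example rather than anything from the interview or from KAMU; the address ranges, rule set and port choices are assumptions.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical station addressing, constructed for this example (not from the interview).
STATION_NET = ipaddress.ip_network("192.0.2.0/24")  # the plant's public range
DMZ_NET = ipaddress.ip_network("192.0.2.128/25")    # streaming/web/VPN hosts
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    direction: str                 # "ingress" (from the internet) or "egress" (to it)
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None    # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None    # destination port, None for any

Packet = namedtuple("Packet", "direction src dst proto dport")

# Stateless ACL: evaluated top to bottom, first match wins, anything unmatched is denied.
ACL: List[Rule] = [
    # Ingress: a packet arriving from the internet must not claim a station source address
    Rule("ingress", "deny", STATION_NET, ANY),
    Rule("ingress", "permit", ANY, DMZ_NET, "tcp", 443),   # public stream/web front end
    Rule("ingress", "permit", ANY, DMZ_NET, "udp", 4500),  # IPsec NAT-T for the remote VPN
    # Egress: no Telnet out, and only station-owned addresses may leave (good-neighbor filtering)
    Rule("egress", "deny", ANY, ANY, "tcp", 23),
    Rule("egress", "permit", STATION_NET, ANY),
]

AUDIT_LOG: List[str] = []  # denied attempts are kept as the audit trail

def _log_deny(pkt: Packet, why: str) -> None:
    AUDIT_LOG.append(f"DENY({why}) {pkt.direction} {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")

def evaluate(pkt: Packet, acl: List[Rule] = ACL) -> str:
    """Return "permit" or "deny" for one packet; every deny is logged."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for i, r in enumerate(acl):
        if (r.direction == pkt.direction and src in r.src and dst in r.dst
                and r.proto in (None, pkt.proto) and r.dport in (None, pkt.dport)):
            if r.action == "deny":
                _log_deny(pkt, f"rule {i}")
            return r.action
    _log_deny(pkt, "default")
    return "deny"
```

Because the ACL is stateless, return traffic for connections the station itself opens would need its own ingress permits, which is why the interview pairs ACLs with a stateful firewall at the border.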
RW: You’ve also noted that many discussions of IT security focus on protection of servers and desktop workstations but that this might not be sufficient for broadcasters.
Pecena: Servers and desktops commonly incorporate robust security features based on their native operating system. Think about how many Tuesday Windows updates are security related.
Outside of the administrative offices, the typical broadcast plant has functional devices in the program content stream such as an EAS decoder, maybe a transmission codec, automation systems and a media content storage server. These platforms likely have a common operating system such as Windows or Linux at their core; however, these systems are often “stripped down” versions of the operating system or an embedded operating system that often lacks the robust operating system security systems.
From a practical standpoint, can I execute a common antivirus protection program on my EAS encoder/decoder? Likely not!
The broadcast plant offers additional challenges as a result that must be addressed outside the scope of the broadcast device. Thus, techniques outlined in virtually all of the responses point to solutions such as network isolation or segmentation, firewalls with multiple DMZs or security zones, limiting host communications scope to or from the broadcast device, and outright eliminating outside access to the device.
With regard to remote access, I am a champion for an IP-based KVM switch of your favorite brand. I like Raritan. Of course, the KVM switch should be accessed via a VPN when offsite.