“My broadcast plant network is secure. Is yours?”
Wayne Pecena, director of engineering at Texas A&M’s KAMU and a longtime premier SBE educator, posed this somewhat daunting question to engineers at this year’s NAB Broadcast Engineering & Information Technology Conference.
By design, the question provokes angst and uncertainty among most broadcast engineers who are tasked with handling the IT and LAN operations at their stations.
PCs, IP networks and the internet have been major components of broadcast plant operations and infrastructures for more than 25 years. Over the course of that time, a lot of lessons about security have been learned the hard way.
Hackers and their malware payloads can drill into devices on IP networks at any moment with ever-increasing sophistication. Recall the ransomware attack on KQED of June 2017, the Max Headroom hack in Chicago in 1987, the Captain Midnight hack on HBO TV in 1986 and several EAS “zombie” attacks not long ago.
Historically, easy methods to secure networks — like running private 10.x.x.x subnets with antivirus software on all hosts and users changing passwords regularly — are no longer quite enough. Successful attacks can cause dead air, lost revenue, public embarrassment, stolen personal data and huge liability problems for the victims.
Pecena’s paper and presentation focus primarily on network security as the first line of defense against intruders. He identifies the key attributes that define a secure network and then provides a structured-but-practical approach for how to implement “best practices” for achieving real security. He concludes by demonstrating verification of the effectiveness of the various security measures deployed by “penetration testing” to make sure those measures are in fact correctly implemented.
Most of Pecena’s presentation assumes a good understanding of IP and LAN operations, so some additional study and research with Mr. Google may be necessary to be able to implement many of his recommendations. The first task in a structured approach for implementing network security is to consider a well-established cybersecurity model, such as those used in larger organizations like the CIA and Cisco.
Network security is often based upon three cornerstone goals: confidentiality, integrity and availability. These goals are often referred to as the “CIA Triad” — which, by the way, does not refer to a governmental agency known by the same acronym.
A carefully defined security policy describes the attributes of a well-secured LAN with a layered design approach, including user privileges and resource access limited to only what is needed to perform assigned tasks, and LAN activities and transactions continuously monitored and logged, with help desk support as necessary. The CIA triad structure balances the three goals of good network security.
THE OSI MODEL
Pecena uses the Open Systems Interconnection model as a guide to better organize the various layers of network security.
Layer One is the physical layer. We want to close off any and all possible physical “air gaps” to prevent LAN intrusion at this level, which controls physical access to the network infrastructure. Those tools include locks, cages, access badges for authorized personnel, cyber locks and bio-recognition. This should include associated monitoring and logging of all access events.
Beginning with Layer One or the physical layer, you simply protect the physical network components from tampering. This can be a wall-mounted locked equipment rack for network switches in a small station, caged racks in a mid-size facility or a dedicated data center in a larger facility. Monitoring with recorded security cameras, security badge access and cyber locks fulfills the restricted access monitoring and logging need.
Layer Two is the Ethernet switch port programming for the LAN. Use VLANs to segment traffic for specific user groups or functions. Disable all unused ports. Enable trunk (tagged) ports only where they are needed, and with caution.
Layer Three is the network layer programming. This is the layer often neglected by smaller stations or those without significant corporate IT operations support. It includes firewall implementation that sets up access control lists with ACL “rule scripts,” packet filtering and other rule lists. The effective use of firewalls, both hardware- and software-based, is the most common tool LAN and WAN administrators use to control which packets are allowed to enter and which are dropped.
OTHER CYBERSECURITY TOOLS
Pecena describes the use of encryption and cryptology as another available tool for keeping your LAN secure. IP Security (IPsec) is a family of services commonly used to add better security against intruders. IPsec has two basic modes: transport mode and tunnel mode. Many stations and groups now use a virtual private network — known commonly as a “VPN” — which is a tunnel mode application of encrypted communications across the internet into a protected LAN.
The final step needed to make sure your LAN is actually secure is verification penetration testing.
Pecena cites 10 popular IP/LAN scanning and “hacking” tools available to use for such testing, just as if you were an actual intruder. Wireshark and Angry IP Scanner are perhaps the best known and can be downloaded and used for free. Nmap is also free and is one of Wayne’s favorites. Nmap/Zenmap uses scripts that probe hosts’ ports and report running apps and services that can reveal where vulnerabilities may exist. Pecena suggests running all Nmap scripts on a regular basis.
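As an added example (not from Pecena’s presentation), one way to make the verification scan repeatable: parse Nmap’s XML output and compare the open ports on each host against an allowlist of what that host is supposed to expose, so that anything the VLAN and firewall rules should have blocked stands out. The sample scan output, the addresses and the allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output for two hosts on a hypothetical
# plant LAN; addresses and ports are made up for illustration.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><address addr="10.10.20.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="23"><state state="open"/></port>
</ports></host>
<host><address addr="10.10.30.12" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/></port>
<port protocol="tcp" portid="445"><state state="filtered"/></port>
</ports></host>
</nmaprun>"""

# Allowlist (assumed): the (protocol, port) pairs each host is meant to expose.
# Anything open beyond this is a VLAN/firewall rule that is missing or wrong.
EXPECTED = {
    "10.10.20.5": {("tcp", 22), ("tcp", 443)},  # automation server: ssh + https
    "10.10.30.12": {("tcp", 80)},               # codec web UI only
}

def open_ports(xml_text):
    # Return {ip: {(proto, port), ...}} for ports Nmap reports as open;
    # "filtered" and "closed" ports are exactly what the rules should produce.
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        found[addr.get("addr")] = ports
    return found

def unexpected_services(xml_text, expected=EXPECTED):
    # Open ports not on the allowlist, and any scanned host the allowlist
    # does not know about (an unexpected host is itself a finding).
    findings = {}
    for ip, ports in open_ports(xml_text).items():
        extra = ports - expected.get(ip, set())
        if ip not in expected or extra:
            findings[ip] = sorted(extra)
    return findings
```

Run it against a fresh scan after each firewall or VLAN change; an empty result means the scan found nothing beyond the allowlist, and the telnet port in the sample is the kind of leftover the check is meant to catch.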
Pecena is one of the best-known IP education resources for broadcast engineers. He has offered this comprehensive presentation as a five-hour course/webinar available via SBE.org. It delves in detail into all of the issues involved in implementing better network security.
After thinking about all of the layers we need to peel back and deal with regarding our IP operations, Pecena’s axiom about networks rings loud and clear: “There’s more to networking than just hooking things up.”
Tom McGinley is a technical advisor for Radio World.