Firewalls and VPNs

Last month we looked at the important role a security policy can play in professional video networks. This month’s column will examine two technologies — firewalls and virtual private networks (VPNs) — that can help keep your facilities safe when connected to the Internet.

Network security — a top-level view

Let’s take a look at how different security technologies fit into an overall security strategy. As Figure 1 illustrates, a firewall sits at the perimeter of your network, acting as a gatekeeper for information entering and leaving the facility. For security reasons, firewalls are typically configured to block many different protocols, including User Datagram Protocol (UDP), a key technology that is the basis for the efficient transfer of large files. A VPN can be configured to pass UDP traffic through the firewall for specific remote users.

Firewall basics

In a car, a firewall is the wall between the engine and passenger compartment. Its purpose is to protect passengers in case of an engine fire. In networking, a firewall is used to protect a local computer network from whatever may be happening on the Internet. But a car could not function without allowing a few cables to pass through the firewall. In the same way, local networks could not provide the functionality users need without allowing certain signals to pass through the firewall.

What is a firewall? At its base level, a firewall is simply a computer containing two network cards. The computer is initially configured to not allow any traffic to pass from one card to another. One network card is connected to the wide area network (WAN) or Internet; the other network card is connected to the local area network (LAN) inside a facility.

Typically, the configuration of a new firewall intended for commercial service is not useful. The device sits between the WAN and LAN and blocks all traffic trying to go between the two. (I make the distinction between a commercial firewall and one that’s intended for consumer use because consumer firewalls come preconfigured to pass certain common protocols.) A network engineer configures the commercial firewall to allow certain traffic to pass between the two network cards on a limited basis. The network engineer has many different choices in how he decides which traffic to allow or deny. In Cisco equipment, this information is frequently contained in access control lists (ACLs). Traffic may be allowed or denied based on origination IP address, destination IP address, traffic type or port number, to name just a few methods.

Firewalls can also check to see if traffic crossing the firewall makes sense in relation to other traffic on the network. This is called stateful packet inspection. For example, if a local client requests a Web page from a remote server, it makes sense for the firewall to see a server on the Internet responding to this request. But if no user internally requested a Web page, then traffic generated by a server on the Internet directed to a computer behind the firewall would make no sense and would be blocked by this check.

Of course, this type of checking goes far beyond checking for unrequested Web pages. However, stateful packet inspection works by inspecting headers on packets and thus may miss malicious information buried within a packet. To find malware (harmful information contained in packets), a firewall must perform deep packet inspection. This kind of checking can detect and block malicious content, but deep packet inspection may introduce delays that are not tolerable in professional media applications.

Virtual private networks

As the name implies, a virtual private network allows a network administrator to create a virtual network that is actually comprised of several separate networks, some of which may be located remotely. This allows a single computer or even an entire facility to appear to be connected to the local network even though the remote facility may be hundreds or thousands of miles away. The VPN can be configured to allow users to bypass restrictions put in place by the firewall. For example, using VPN technology, a network engineer can permit UDP traffic to flow between two facilities without having to allow UDP traffic to flow unrestricted through the firewall.

To the firewall, the VPN appears as a separate network within the local facility. Typically all traffic is blocked from flowing from the VPN network to or from the local network. Using ACLs, the network engineer can allow or restrict traffic from the VPN, just as he can allow or restrict traffic from the Internet. This allows the network engineer to develop two sets of criteria: one more restrictive set for the Internet and another less restrictive set for VPN users.

To establish the VPN, the remote system must authenticate itself to the local firewall using one of several methods that are generally accepted by the IT and financial communities as being secure. Once the VPN is established, all communications across the VPN are strongly encrypted to keep an attacker from monitoring the VPN traffic. (See Figure 2.)

In this example, we will assume that a reporter at a remote location wants to send a video file from his laptop back to the station using UDP. UDP is blocked by the firewall, so he must first access the VPN to send the file.

At the start of the VPN session, the reporter’s laptop is connected to the Internet. The laptop’s IP address is When the reporter starts the VPN client and begins the VPN log-in process, several important steps occur. (Note: This is a simplified description.) First, the VPN client verifies that the VPN-capable router is available at the station. Second, the VPN client asks the reporter to log in, preventing unauthorized access to the VPN if the laptop is stolen. Third, the VPN client and router communicate, verifying the log-in data is correct and then applying any policies for the VPN link that have been established by the network engineer. Finally, the VPN client connects to the LAN using the policies established by ACLs.

When the process is complete, several changes have taken place. All communications between the laptop and the station are now encrypted. Also, the laptop has been assigned a second IP address within the station’s VPN pool. The reporter’s laptop is now attached to a network behind the station’s firewall (illustrated by the grayed-out laptop in Figure 2). In this example, the network address assigned to the laptop is The reporter wants to send his file to a feed room server on another network within the station —

During the VPN log-in process, security policies were applied to the connection. Parts of these policies determine which routes are established between various networks. In this case, when the laptop connects to the VPN, a predefined route is established between the 10.35.2 network and the 10.35.1 network. These policies permit UDP traffic to flow from the laptop to the feed room server network. This connectivity is not an all or nothing approach. The network engineer has many possibilities in determining what traffic is allowed to pass from the VPN onto the local network. With the VPN connection up and running, the reporter may now feed his story to the station using a UDP-based file transfer acceleration program. The station remains secure from UDP-based attacks because the station firewall blocks UDP traffic.

Other security technologies

Firewalls and VPNs are but two of many security approaches available.Space prevents me from going into detail, but Table 1 gives a quick summary of some other methods that may be employed to keep your media networks secure.

Brad Gilmer is president of Gilmer & Associates and executive director of the Advanced Media Workflow Association.