Securing broadcast networks

Media and entertainment organizations face content management and protection challenges as they transition to a digital world. Content can be compromised at any step in the production, post-production and distribution process in what many in the industry acknowledge is a “leaky environment.” And the stakes are high: Operators of broadcast video networks may be subject to stiff penalties along with loss of reputation if content is illegally distributed (for example, posted to YouTube) or transmission is interrupted.

Most organizations have security technologies such as firewalls and intrusion prevention systems in place at the boundary between their local area and wide area networks (LAN/WAN). These technologies provide a useful but limited set of controls in a business where content moves around the LAN, and contractors and clients may work on-site with their laptops.

Media companies need the ability to strictly control who gains access to their networks and what resources they're allowed to reach. This article details LAN-focused security procedures, technologies and solutions that enable media companies to preserve network uptime, protect client content and intellectual property, and ensure only authorized traffic reaches the transmission network.

Requirements for today's LAN

While business models and the types of services provided vary from one media company to another, there is a set of security requirements that apply across the board. These include the need to:

  • Restrict network access
    Only authorized users, such as employees, contractors or clients, should be granted access to the company network.
  • Prevent malware outbreaks
    IT needs to keep malware-infected devices, such as contractors' laptops not under its control, off the network.
  • Track all traffic on the network
    IT needs Layer 7+ visibility into network traffic to ensure only authorized applications and traffic types are being used on the network and to pinpoint the source (by user and machine) of any unauthorized traffic, such as Secure Shell (SSH).
  • Control access to data and resources by user role
    Once users are admitted to the network, IT needs strict controls regarding where on the network they can go and what resources they can reach based on their role. An employee in the accounting department might be restricted to business applications and servers, for example, while a guest is given Internet access only, and a freelance video editor is allowed to access select servers and content for post-production work. (See Figure 1.)
  • Document LAN usage
    Media organizations need auditing capabilities, including logs of who has accessed resources and the ability to easily document controls in place. Clients often ask for such documentation during bidding, as do auditors from industry organizations such as the Motion Picture Association of America.

Organizations can meet these requirements — securing data as it moves around the LAN — with the right design strategy, technologies and network devices.

Circle the wagons

A network design based on concentric rings can significantly boost security by segmenting users and resources. Logically structuring the network in a tiered or “ring” fashion ensures that access in a given ring is strictly limited to those who need it and that certain types of traffic are restricted to parts of the network.

For example, business applications such as e-mail should be part of the outermost ring of the network, which is available to virtually all users, while the transmission network is the innermost ring and has highly restricted access.

The number of rings in the network and which resources, users and functions are allowed in each ring will depend on your company's business model and operations. For organizations that perform production and/or post production, applications that support these functions should be logically, if not physically, separate from the business portion of the network and the transmission network.

Between the production tiers and the outermost tier, there may be a tier to accommodate commercial transfers from partners. FTP might be permitted at this tier, for example, but not at the post-production or transmission tiers.

Keep in mind that each ring is a zone of control, created either physically or logically. Physical segmentation is a challenge and can prove ineffective if an unauthorized user gains entry to a restricted area and no user- or application-based access controls are in place. Virtual LANs are a common means to logically segment a network, but are cumbersome to administer, have no application awareness and can be circumvented by users plugging into a different LAN segment.

Media organizations need a set of technologies that let them logically segment traffic based on users and applications, allowing them to create a tiered network design that's granular, flexible and easy to administer.

Technologies to deploy

To address the requirements for securing the LAN, media organizations should consider deploying the following technologies.

  • Authentication
    By verifying that users and IP devices are who/what they say they are and only admitting authorized users and devices to the LAN, authentication protects the network from unauthorized access. Look for systems that leverage existing identity stores, such as Active Directory (AD) and RADIUS, to automatically learn each user's identity and role during authentication. This capability, known as passive authentication, ensures that users aren't burdened with additional log-in information. An authentication system should also support a browser-based captive portal to provide active authentication for contractors, guests and other users not known to the identity store. The ability to identify a user's role during authentication makes it possible to apply control policies to that user following admission to the network. Another benefit is that management changes are centralized. Deleting a user from an identity store such as Active Directory results in revocation of all network access rights. A robust, role-based authentication system also allows for differentiated LAN access for contractors, vendors, guests and employees, providing a first level of traffic segmentation. For example, guests may be restricted to accessing the Internet. (See Figure 2.)
  • Host posture check
    Performed at log-in time, host posture check prevents malware outbreaks by ensuring that users' computers comply with corporate standards and are running an approved operating system with current patches and fixes and an updated antivirus program. Look for a host posture check system that supports hosts not under corporate control and applies to all classes of users, including employees, contractors and visitors, without burdening IT. A posture check solution should automatically scan hosts for malware, not just the presence of antivirus software. This step will prevent worms, DoS attacks and other malware from entering the network even if current antivirus software is detected.
  • Stateful (deep packet) inspection
    Maintaining state information enables a network device to track and forward traffic based on flows rather than packets, while deep packet inspection up through Layer 7 provides user identity and detailed application information, including events within an application such as the destination URL in an HTTP session or the file name in an FTP download. A device that performs stateful deep packet inspection on all flows can correlate user, device, application, destination and other information, enabling IT to apply granular access control and quality of service policies at the user and application level.
  • Role-based policies
    Knowledge of users and application-level visibility enable a system to tie all LAN activity back to specific users. As a result, IT can define rights and permissions, as well as control and enforcement actions, based on a user's role in the organization, ensuring tight access to applications, data and other resources on specific parts of the network. By supporting user- and application-based traffic segmentation, role-based policies make it easy to implement a logically tiered network design with firewall-like traffic separation. In addition, the correct rights and permissions are applied to each user regardless of the access medium used or location from which they attach to the LAN.
  • Audit trail
    Robust auditing enables a system to retain statistics about all flows and display flows by user name, role, application, file or destination, greatly simplifying compliance and client reporting as well as troubleshooting and forensics. Look for an auditing system that provides key user data, including log-in/log-out time, applications run, transactions performed and resources reached.

It should also track security incidents, including those related to host posture checks, policy violations, authentication failures and malware events, and provide real-time and historical data as well as aggregated views.
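
The role-based policy and audit trail items above can be sketched as a default-deny check that resolves each user's role from the identity store at decision time and records every flow by user and machine. This is an added example, not code from the article or from any vendor; the user names, machine names, zone names and policy entries are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed identity store: user -> role (stands in for AD/RADIUS lookups).
DIRECTORY = {"alice": "accounting", "raj": "freelance_editor",
             "visitor7": "guest", "adco": "partner"}
# Constructed policy: role -> zone (ring) -> applications allowed there.
# Anything not listed is denied, so an unknown role or zone gets nothing.
POLICY = {
    "accounting":       {"business": {"mail", "http"}, "internet": {"http"}},
    "freelance_editor": {"post_production": {"file"}},
    "guest":            {"internet": {"http"}},
    "partner":          {"partner_transfer": {"ftp"}},
}

@dataclass(frozen=True)
class Flow:
    user: str      # identity learned at authentication
    machine: str   # host the flow came from
    app: str       # Layer 7 application seen by inspection
    zone: str      # ring that holds the destination

def decide(flow, directory=DIRECTORY, policy=POLICY):
    """Return (role, 'allow' or 'deny') for one flow; the default is deny."""
    role = directory.get(flow.user)   # None once the user has been deleted
    allowed = policy.get(role, {}).get(flow.zone, set())
    return role, "allow" if flow.app in allowed else "deny"

def audit(flows, directory=DIRECTORY):
    """One audit record per flow, tying the decision to user and machine."""
    records = []
    for f in flows:
        role, verdict = decide(f, directory)
        records.append({"user": f.user, "machine": f.machine, "role": role,
                        "app": f.app, "zone": f.zone, "verdict": verdict})
    return records

def violations(records):
    """Denied flows, identified by user and machine for follow-up."""
    return [(r["user"], r["machine"], r["app"], r["zone"])
            for r in records if r["verdict"] == "deny"]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("alice", "acct-pc-12", "mail", "business"),
    Flow("raj", "raj-laptop", "file", "post_production"),
    Flow("raj", "raj-laptop", "ssh", "transmission"),
    Flow("adco", "adco-gw", "ftp", "partner_transfer"),
    Flow("adco", "adco-gw", "ftp", "post_production"),
]
```

Because the role is looked up on every decision, removing a user from the directory denies all of that user's flows without touching the policy table.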

Shopping for solutions

Securing the LAN internally is imperative for digital media providers, whose content can too easily “escape” and compromise transmission facilities. Fortunately, IT doesn't have to piece together a solution. A new class of application-aware devices makes it possible to embed directly into the LAN all the technologies and controls discussed above with minimum impact on users and IT resources.

Organizations that aren't making changes to their LAN can get user and application control with a drop-in appliance. Those planning a LAN infrastructure upgrade or refresh can deploy intelligent LAN switches, which combine high-performance LAN switching with user and application controls.

Both types of devices give media organizations the ability to control who gains access to the LAN and to segment traffic based on users and resources, providing the stringent level of LAN security required in today's all-digital environments.

Jeff Prince is chairman and CTO of ConSentry Networks and a managing partner at Prince Ventures.

Network resource access control

Role          User account  AD     DNS    File   Mail   Intranet  Internet
Unauthorized  Local         Allow  Deny   Deny   Deny   Deny      Deny
Visitor       Guest         Deny   Allow  Deny   Deny   Deny      Allow
Employee      Bob           Allow  Allow  Allow  Allow  Allow     Deny
Regular       Alice John    Allow  Allow  Allow  Allow  Allow     Allow
Evaluator     Tim           Allow  Allow  Allow  Deny   Deny      Allow