Figure 1. Subsection from hypothetical IP address planning worksheet.
Training is key
Last year, I wrote a column on how I became an accidental system administrator. An accidental system administrator is someone who finds himself in the position of administering computer systems and networks, even though it is not his “regular job.” Generally, the move into system administration is not planned. The interesting thing about this phenomenon is that there are people reading this column right now who are system administrators in their organizations but don't realize it.
It is difficult to be an effective system administrator without some education on the topic. Once you realize you are a system administrator, one of the first things you should do is seek opportunities for training, whether it is formal or informal. For me, the training that really sticks is the training that is directly related to my job. What does not work for me is to take some general computer classes covering techniques that I may never use. That said, if you find yourself becoming responsible for computer networks, switches, routers and so on, a general course on networking can be extremely useful. If you find that you are responsible for a specific operating system, Windows Server or FreeBSD, for example, a class on system administration of these operating systems can be useful. Community colleges in many areas offer these types of classes at reasonable cost.
If you cannot find appropriate classes in your area, you can learn a great deal through books. People always ask me for a list of books that they can read to learn more about computers and networks. Unfortunately, the most appropriate books for you will not be appropriate for someone else. I have found that people prefer different writing styles, and that while some people need basic information, others are asking detailed questions.
The best thing to do is go to a bookstore and take the time to find a book that contains the information you are seeking. If you have a specific question, you may have to buy an entire book just for one or two chapters. I have found this “cherry picking” approach to be quite effective in bolstering my own knowledge, although it can be expensive.
Speaking of expense, it seems that computer books are among the most expensive books in the store. For this reason, I almost always buy used books unless I need information that I cannot get anywhere else. I strongly recommend Powell's City of Books in Portland, OR (www.powells.com), as a great online source for training materials for system administrators. (If you ever find yourself in Portland, it is worth the trip to look over this technical bookstore.)
As an accidental system administrator, you will find yourself involved in system integration projects. You should consider how you will handle integration of vendor-provided equipment with your networks. In some cases, the vendor may require that its network be completely stand-alone. In many cases, it is up to you to decide how and where vendor systems will integrate into your networks. As a broadcast engineer, you will probably be in a better position than a strictly IT-based person to decide these issues. It will help if you have taken some time in advance to plan for these systems.
Figure 1 shows a hypothetical worksheet for IP address configuration. Note that this is just a small section of the total worksheet. The complete worksheet would show the office network as well. It would also assign addresses in cases where vendors would like to have their own networks.
Isolate critical systems
Figure 2. One network can be reserved for critical on-air systems and another for other general office applications.
One of the hot topics with system administrators these days is security. Threats seem to be everywhere — from worms and viruses to the loading of unauthorized software on critical systems; there are more than enough challenges to go around. If you are charged with maintaining networks and servers for both on-air and office environments, there are several things you can do to reduce security risks.
Most people in the industry feel that it is best to run several physical networks within a facility and then interconnect these physical networks at specific, predetermined points. As shown in Figure 2, one network may be reserved for critical on-air systems and another for general office applications. You may also want to establish a network for visitors. The visitor network is severely restricted, providing an Internet connection for HTTP-based traffic and not much more.
Putting in several networks may seem like overkill, but the on-air environment needs to be strictly controlled to assure that risks are minimized. Unfortunately, this is in direct conflict with requirements of an office network, where people want to be able to share all sorts of information quickly and easily. The easiest way to deal with these conflicting technical goals is to create two (or more) physical networks in your facility.
As soon as you put in two networks, you will be faced with requests to connect the two together. You can take the easy way out and deny all bridging requests, but there is perhaps a more elegant and efficient solution. There are layer two switches that you can configure to pass traffic from one network to another based upon MAC addresses. MAC addresses are assigned to the network interface card installed in a computer. This will allow you to restrict access from one network to another. You should also configure the switch to block undesirable traffic that you would not want to appear on your on-air network, such as any electronic messages and email traffic.
Security of the on-air network traffic can be controlled in this way as well. You can strictly limit the traffic allowed on the network by type — no e-mail or electronic messages, for example. The network can also be locked down so that only computers with known Network Interface Card (NIC) addresses can talk. This will prevent someone from plugging a laptop or other unauthorized computer into the network. Computers in the on-air environment can be configured so that only authorized users can load new applications. The computers can also be configured so that removable media devices such as CD-ROMs and USB ports will not allow the introduction of unauthorized programs or viruses into the system.
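The two controls just described, a known-NIC allow-list for the on-air network and a block on e-mail and messaging traffic at the bridging point, can be written down as a small policy check. The following Python is an added example, not code from the column or from any particular switch vendor; the MAC addresses, the network names and the sample flows are all constructed, and the port-to-protocol table is a plain list of standard e-mail and messaging ports that a real switch or firewall rule set would have to mirror.

```python
"""Added example (not from the column): evaluate flows that would cross the
bridge between the office and on-air networks against the two rules in the
text: only known NIC MAC addresses may talk on the on-air network, and e-mail
or messaging traffic must never reach it. All data below is constructed."""

from dataclasses import dataclass

# Constructed allow-list of NIC MAC addresses belonging to on-air machines.
ON_AIR_ALLOWED_MACS = {
    "00:11:22:33:44:01",  # hypothetical playout server
    "00:11:22:33:44:02",  # hypothetical automation workstation
}

# Standard TCP ports for e-mail and messaging protocols to keep off the on-air LAN.
BLOCKED_DST_PORTS = {
    25: "SMTP", 110: "POP3", 143: "IMAP", 465: "SMTPS",
    587: "SMTP submission", 993: "IMAPS", 995: "POP3S", 5222: "XMPP",
}


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_network: str  # "on-air" or "office"
    dst_port: int
    proto: str = "tcp"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so allow-list lookups are exact
    regardless of how the address was written (dashes, dots, upper case)."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow crossing the bridge."""
    if flow.dst_network != "on-air":
        return "allow", "office-bound traffic is not restricted at this point"
    mac = normalize_mac(flow.src_mac)
    if mac not in ON_AIR_ALLOWED_MACS:
        # An unknown NIC is exactly the "laptop plugged into the network" case.
        return "deny", f"unknown NIC {mac} on on-air network"
    if flow.proto == "tcp" and flow.dst_port in BLOCKED_DST_PORTS:
        return "deny", f"{BLOCKED_DST_PORTS[flow.dst_port]} is blocked on the on-air network"
    return "allow", "known NIC, permitted service"


def audit(flows):
    """Collect every denied flow with its reason for the administrator's review."""
    denied = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            denied.append((flow, reason))
    return denied


# Constructed sample flows, written in mixed MAC notations on purpose.
SAMPLE_FLOWS = [
    Flow("00-11-22-33-44-01", "on-air", 554),      # known NIC, RTSP: allowed
    Flow("00:11:22:33:44:02", "on-air", 143),      # known NIC, IMAP: denied
    Flow("AA:BB:CC:DD:EE:FF", "on-air", 80),       # unknown NIC: denied
    Flow("aa:bb:cc:dd:ee:ff", "office", 25),       # office-bound mail: not restricted here
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src_mac} -> {flow.dst_network}:{flow.dst_port} ({reason})")
```

Running the block prints the two denials (the IMAP connection from a known machine and the HTTP request from an unknown NIC). The ordering of the checks matters: an unknown NIC is rejected before its traffic type is even examined, which mirrors the column's advice to lock the network down to known cards first and then restrict the traffic types the known cards may use. MAC allow-listing is one layer among the others the column lists (physical port control, host lockdown, restricted removable media), not a substitute for them.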
There is a significant potential issue that I addressed in last year's column, which bears repeating. As a system administrator, perhaps the most important pitfall you should avoid is that of becoming a jerk. You probably have heard the saying, “Power tends to corrupt, and absolute power corrupts absolutely.” I have observed several times that perfectly reasonable and pleasant people become very difficult to deal with when they become system administrators.
As a system administrator, you will find yourself as a gatekeeper for many activities. People will need to get information from you. They will need you to do critical things for them. As you move into the system administrator role, you must realize that you are there to help others. Your main job is to make the technology serve the company and the people who work there. If you hold back information — if you are unresponsive to requests from others — you may find yourself up to your elbows in mineral oil changing rectifier stacks at the transmitter rather than taking care of the core IT systems that will support your organization for the future. As you work to protect your organization's critical systems, be cognizant of the fact that some of the measures you put into place will affect people's lives on a daily basis. You will need to balance the need for security with the impact of security on daily operations.
Brad Gilmer is president of Gilmer & Associates, executive director of the AAF Association and executive director of the Video Services Forum.
Send questions and comments to: firstname.lastname@example.org