Computer architectures

Aug 1, 2008 12:00 PM, By Brad Gilmer

Take steps to secure your network from attack.


Frequently, I have talked in this column about separating the broadcast core computer networks from business networks and the Internet. In the real world, things are not so clear-cut; there are many different network segments, all needing differing levels of connectivity and security.

Your facility probably consists of a number of networks, including a:

  • secure network for broadcast operations (automation, etc.);

  • traffic network for the traffic department;

  • production network for post production, graphics and so on;

  • news system network;

  • business network (billing, sales, traffic, employee e-mail, etc.);

  • demilitarized zone (DMZ) for Web hosting and streaming;

  • virtual private network (VPN) for connecting remote studios and facilities;

  • VPN for remote access from employees' homes, etc.;

  • wireless network for in-house employees;

  • wireless network for visitors; and

  • an Internet network.

Let's assume that you have analyzed your facility and come up with the list above. The next step is to think about the connectivity required between the networks and the level of security for these networks. You might create a table similar to Table 1. While you may disagree with the classifications in Table 1, the point is that different networks require a variety of security and access, and that the architectures behind these networks are determined by the clients' requirements for access to data across the network.

There are a couple of interesting things to point out in this table. Note that the traffic network and the VPN for remote access by employees both have demanding networking requirements. Clients require a high degree of connectivity to other networks. They need broad access to office applications, but they also have a high need for security.

Figure 1. This diagram shows the high-level architectural design of a typical broadcast facility. Note that this architecture takes advantage of several different layers of security, while providing a high degree of connectivity within related departments.

These are challenging scenarios where security should be of considerable concern. The VPN requirement for security is clearly understood. But it may be less obvious that high security is required in the traffic department. Clients in these systems typically touch not only the business networks and the Internet, but also the highly sensitive broadcast network. Special care should be taken to ensure that the security of the broadcast network is not invalidated by problems with traffic clients. The same may be said of news systems because they demand a lot of connectivity to the outside world, but the information from these systems must also get to the broadcast core.

Figure 1 shows a high-level architecture that could be used to connect the various networks described in Table 1. The figure includes different network zones, or areas of security and access, such as Internet and DMZ, business/news/traffic, production/facilities, and broadcast core.

The networks on the left of the diagram have broad connectivity. The networks on the right are more secure. Starting at the left of the diagram is the wide area network (WAN) router. This device connects the facility to the Internet. It also allows us to establish a DMZ for publicly accessible equipment such as Web servers, streaming servers and visitor wireless connections. Note that this is a simplified diagram. There are firewall components in the WAN router, but they are not shown here. There are also security components in the Web and streaming servers. Security is present, but it is not as tight as it is further into the network. The router/firewall connected to the local area network (LAN) side of the WAN router isolates the main facility from the Internet and from people using visitor wireless services.

Business/news/traffic network

In the business/news/traffic network zone, I have grouped networks with similar levels of connectivity and need for Internet access. Also, generally speaking, these areas have similar security requirements. That said, there is a lot going on in this system that isn't shown. The news and traffic systems both require connections to the broadcast core. This is done by configuring access control lists (ACLs) in the router/firewalls of the system. Also, the news or traffic system may have components that connect to the networks at various places.

Think carefully about how these connections are made. You can use as simple or complex an approach as you like, but increasing connectivity without increasing the complexity/security of the network can lead to security issues.
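As an added illustration (not code from the column or from any facility described in it) of the zone-to-zone ACL idea in the two paragraphs above, the following Python model encodes the Table 1 security levels and a constructed rule set, evaluates flows first-match with an implicit deny, and flags permit rules that open a more secure zone to a less secure one on every port, the kind of "connectivity without security" the text warns about. Zone names follow Table 1; the rules, port numbers and the `Rule`/`evaluate`/`broad_inbound_rules` names are assumptions.

```python
# Added example: a small zone-to-zone ACL model in the spirit of Figure 1 and
# Table 1. Security levels per zone are taken from Table 1; the rules and port
# numbers below are constructed assumptions for illustration only.
from dataclasses import dataclass
from typing import Optional

# Security level per zone, from Table 1 (higher number = more secure).
LEVEL = {"Very low": 0, "Low": 1, "Medium": 2, "High": 3, "Very high": 4}
ZONE_SECURITY = {
    "internet": "Low", "dmz": "Low", "wireless_visitors": "Low",
    "business": "Medium", "news": "Medium",
    "traffic": "High", "production": "High",
    "vpn_remote": "Very high", "broadcast_core": "Very high",
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str                  # "permit" or "deny"
    dport: Optional[int] = None  # None means any port (a broad rule)

# Constructed rule set: first match wins, anything unmatched is denied.
RULES = [
    Rule("news", "broadcast_core", "permit", dport=8080),     # assumed playlist feed port
    Rule("traffic", "broadcast_core", "permit", dport=8443),  # assumed automation API port
    Rule("business", "broadcast_core", "deny"),
    Rule("wireless_visitors", "dmz", "permit", dport=443),
    Rule("wireless_visitors", "business", "deny"),
    Rule("production", "broadcast_core", "permit"),  # deliberately broad; the lint flags it
]

def evaluate(rules, src, dst, dport):
    """First-match ACL evaluation with an implicit deny at the end."""
    for r in rules:
        if r.src == src and r.dst == dst and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"

def broad_inbound_rules(rules):
    """Permit rules that let a less secure zone reach a more secure zone on any port."""
    return [r for r in rules
            if r.action == "permit" and r.dport is None
            and LEVEL[ZONE_SECURITY[r.src]] < LEVEL[ZONE_SECURITY[r.dst]]]
```

Running `broad_inbound_rules(RULES)` returns only the production-to-core rule, which is the one a reviewer should narrow to specific services before deploying it.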

Production/facilities

Production/facilities are the next layer of the network. As the diagram shows, this zone is more secure, and as with the last network, the clients on these networks are grouped by similar access and security needs. The production network has to be secure; however, people in post facilities still need access to other areas of the facility and the broadcast core. In some facilities, a VPN is used to connect two or more production facilities on a semi-permanent basis. This allows users in two facilities to exchange content as they work together on a project.

Broadcast core

Finally, the innermost network is the broadcast core. This core network is protected by a series of firewalls and routers that severely restrict access. Once again, ACLs and other security mechanisms play a critical role in protecting this network. It is important to protect the core facility from the malicious actions of people on the Internet or within your facility. That said, in all the time I have been working in the industry, I have never heard of someone hacking into an automation system or other on-air system from the Internet or from the business side of a network.

On the other hand, I have personally tracked down and fixed three failed computer systems that crashed in such a way as to render the network unusable for everyone. In all cases, these were hardware failures, and in all cases (fortunately), the broadcast core was insulated from the failure by routers, which prevented the garbage transmitted by these failed computers from reaching critical systems.


Brad Gilmer is president of Gilmer & Associates, executive director of the Advanced Media Workflow Association and executive director of the Video Services Forum.

Table 1. When analyzing the architecture of your broadcast facility, a table such as this one helps you think about the architecture, security and access required by the clients on the networks.

Network                 Connectivity   Security level   Access to office applications
Broadcast operations    Low            Very high        Very low
Traffic                 Medium         High             High
Production              Medium         High             Medium
News                    High           Medium           High
Business                High           Medium           High
DMZ                     High           Low              None
VPN for facilities      Low            Very high        High
VPN for remote access   High           Very high        High
Wireless in-house       High           High             High
Wireless visitors       Low            Low              Low
Internet                Low            Low              Low

Send questions and comments to: brad.gilmer@penton.com
