Securing broadcast networks

May 1, 2009 12:00 PM, By Jeff Prince

Concentric-ring network design protects LAN content.

             

Media and entertainment organizations face content management and protection challenges as they transition to a digital world. Content can be compromised at any step in the production, post-production and distribution process in what many in the industry acknowledge is a “leaky environment.” And the stakes are high: Operators of broadcast video networks may be subject to stiff penalties along with loss of reputation if content is illegally distributed (for example, posted to YouTube) or transmission is interrupted.

Most organizations have security technologies such as firewalls and intrusion prevention systems in place at the boundary between their local area and wide area networks (LAN/WAN). These technologies provide a useful but limited set of controls in a business where content moves around the LAN, and contractors and clients may work on-site with their laptops.

Media companies need the ability to strictly control who gains access to their networks and what resources they're allowed to reach. This article details LAN-focused security procedures, technologies and solutions that enable media companies to preserve network uptime, protect client content and intellectual property, and ensure only authorized traffic reaches the transmission network.

Requirements for today's LAN

While business models and the types of services provided vary from one media company to another, a set of security requirements applies across the board. These include the need to:

Figure 1. An employee in the accounting department might be restricted to business applications and servers, while a freelance editor is allowed to access select servers and content for post production. Image courtesy ConSentry Networks.


  • Restrict network access
    Only authorized users, such as employees, contractors or clients, should be granted access to the company network.
  • Prevent malware outbreaks
    IT needs to keep malware-infected devices, such as contractors' laptops not under its control, off the network.
  • Track all traffic on the network
    IT needs Layer 7+ visibility into network traffic to ensure only authorized applications and traffic types are being used on the network and to pinpoint the source (by user and machine) of any unauthorized traffic, such as Secure Shell (SSH).
  • Control access to data and resources by user role
    Once users are admitted to the network, IT needs strict controls regarding where on the network they can go and what resources they can reach based on their role. An employee in the accounting department might be restricted to business applications and servers, for example, while a guest is given Internet access only, and a freelance video editor is allowed to access select servers and content for post-production work. (See Figure 1.)
  • Document LAN usage
    Media organizations need auditing capabilities, including logs of who has accessed resources and the ability to easily document the controls in place. Clients often ask for such documentation during bidding, as do auditors from industry organizations such as the Motion Picture Association of America.

Organizations can meet these requirements — securing data as it moves around the LAN — with the right design strategy, technologies and network devices.

Circle the wagons

A network design based on concentric rings can significantly boost security by segmenting users and resources. Logically structuring the network in a tiered or “ring” fashion ensures that access in a given ring is strictly limited to those who need it and that certain types of traffic are restricted to parts of the network.

For example, business applications such as e-mail should be part of the outermost ring of the network, which is available to virtually all users, while the transmission network is the innermost ring and has highly restricted access.

The number of rings in the network and which resources, users and functions are allowed in each ring will depend on your company's business model and operations. For organizations that perform production and/or post production, applications that support these functions should be logically, if not physically, separate from the business portion of the network and the transmission network.

Between the production tiers and the outermost tier, there may be an additional tier to accommodate commercial transfers from partners. FTP might be permitted at this tier, for example, but not at the post-production or transmission tiers.
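The ring model and role-based requirements described above can be expressed as a default-deny policy check that also produces the per-user, per-machine audit trail. The following is an added example, not code from the article or from any vendor; the protocol sets, the "internet" zone, and all role, user, machine and server names are assumptions chosen for illustration.

```python
from collections import namedtuple
Flow = namedtuple("Flow", "user machine role ring resource protocol")

# Protocols permitted per ring, outermost first. Ring names follow the article;
# the protocol sets and the "internet" zone are assumptions for illustration.
RING_PROTOCOLS = {
    "internet": {"http", "https"},
    "business": {"smtp", "https"},
    "partner-transfer": {"ftp", "https"},
    "post-production": {"smb", "https"},
    "transmission": {"https"},
}

# Resources each role may reach per ring ("*" = any); names are hypothetical.
ROLE_ACCESS = {
    "accounting": {"internet": {"*"}, "business": {"*"}},
    "guest": {"internet": {"*"}},
    "partner": {"partner-transfer": {"ftp-drop"}},
    "freelance-editor": {"post-production": {"edit-store-1"}},
}

def evaluate(flow):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    if flow.ring not in RING_PROTOCOLS:
        return False, "unknown ring"
    if flow.protocol not in RING_PROTOCOLS[flow.ring]:
        return False, f"{flow.protocol} not permitted in {flow.ring} ring"
    reachable = ROLE_ACCESS.get(flow.role, {}).get(flow.ring, set())
    if "*" not in reachable and flow.resource not in reachable:
        return False, f"role {flow.role} may not reach {flow.resource}"
    return True, "permitted"

def audit(flows):
    """One log record per flow, tying each decision to a user and machine."""
    return [{**f._asdict(), **dict(zip(("allowed", "reason"), evaluate(f)))}
            for f in flows]

# Constructed sample traffic (not from the article).
SAMPLE_FLOWS = [
    Flow("alice", "acct-pc-07", "accounting", "business", "erp", "https"),
    Flow("bob", "fl-laptop-2", "freelance-editor", "post-production", "edit-store-1", "smb"),
    Flow("bob", "fl-laptop-2", "freelance-editor", "post-production", "edit-store-1", "ssh"),
    Flow("bob", "fl-laptop-2", "freelance-editor", "transmission", "playout-1", "https"),
    Flow("carol", "partner-pc", "partner", "post-production", "edit-store-1", "ftp"),
    Flow("dave", "guest-phone", "guest", "business", "mail", "smtp"),
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_FLOWS):
        print(rec["user"], rec["machine"], "ALLOW" if rec["allowed"] else "DENY", rec["reason"])
```

The protocol check runs before the role check, so the partner's FTP attempt into post-production is logged as a protocol violation for that ring rather than as a role violation.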



