Securing broadcast networks
May 1, 2009 12:00 PM, By Jeff Prince
Concentric-ring network design protects LAN content.
Media and entertainment organizations face content management and protection challenges as they transition to a digital world. Content can be compromised at any step in the production, post-production and distribution process in what many in the industry acknowledge is a “leaky environment.” And the stakes are high: Operators of broadcast video networks may be subject to stiff penalties along with loss of reputation if content is illegally distributed (for example, posted to YouTube) or transmission is interrupted.
Most organizations have security technologies such as firewalls and intrusion prevention systems in place at the boundary between their local area and wide area networks (LAN/WAN). These technologies provide a useful but limited set of controls in a business where content moves around the LAN, and contractors and clients may work on-site with their laptops.
Media companies need the ability to strictly control who gains access to their networks and what resources they're allowed to reach. This article details LAN-focused security procedures, technologies and solutions that enable media companies to preserve network uptime, protect client content and intellectual property, and ensure only authorized traffic reaches the transmission network.
Requirements for today's LAN
While business models and the types of services provided vary from one media company to another, there are a set of security requirements that are applicable across the board. These include the need to:
- Restrict network access. Only authorized users, such as employees, contractors or clients, should be granted access to the company network.
- Prevent malware outbreaks. IT needs to keep malware-infected devices, such as contractors' laptops not under its control, off the network.
- Track all traffic on the network. IT needs Layer 7+ visibility into network traffic to ensure only authorized applications and traffic types are being used on the network and to pinpoint the source (by user and machine) of any unauthorized traffic, such as Secure Shell (SSH).
- Control access to data and resources by user role. Once users are admitted to the network, IT needs strict controls regarding where on the network they can go and what resources they can reach based on their role. An employee in the accounting department might be restricted to business applications and servers, for example, while a guest is given Internet access only, and a freelance video editor is allowed to access select servers and content for post-production work. (See Figure 1.)
- Document LAN usage. Media organizations need auditing capabilities, including logs of who has accessed resources and the ability to easily document the controls in place. Clients often ask for such documentation during bidding, as do auditors from industry organizations such as the Motion Picture Association of America.

Figure 1. An employee in the accounting department might be restricted to business applications and servers, while a freelance editor is allowed to access select servers and content for post production. Image courtesy ConSentry Networks.
Organizations can meet these requirements — securing data as it moves around the LAN — with the right design strategy, technologies and network devices.
Circle the wagons
A network design based on concentric rings can significantly boost security by segmenting users and resources. Logically structuring the network in a tiered or “ring” fashion ensures that access in a given ring is strictly limited to those who need it and that certain types of traffic are restricted to parts of the network.
For example, business applications such as e-mail should be part of the outermost ring of the network, which is available to virtually all users, while the transmission network is the innermost ring and has highly restricted access.
The number of rings in the network and which resources, users and functions are allowed in each ring will depend on your company's business model and operations. For organizations that perform production and/or post production, applications that support these functions should be logically, if not physically, separate from the business portion of the network and the transmission network.
Between the production tiers and the outermost tier there may be an additional tier to accommodate commercial transfers from partners. FTP might be permitted at this tier, for example, but not at the post-production or transmission tiers.
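As an added illustration (not from the article or from ConSentry), the following Python models the ring-and-role policy just described: rings ordered from outermost to innermost, the innermost ring each role may reach, and the protocols permitted in each ring, then audits a set of constructed flows so that unauthorized traffic such as SSH at the post-production tier is flagged by user. The role names, ring names and protocol sets are assumptions chosen to match the article's examples.

```python
from dataclasses import dataclass

# Rings from the outermost (index 0) inward; each step inward is more restricted.
RINGS = ["business", "partner_transfer", "post_production", "transmission"]

# Innermost ring index each role may reach (constructed roles; -1 = Internet only, no LAN ring).
ROLE_MAX_RING = {"guest": -1, "accounting": 0, "freelance_editor": 2, "transmission_engineer": 3}

# Protocols permitted inside each ring (constructed: e-mail in the business ring,
# FTP only in the partner-transfer ring, SSH nowhere).
RING_PROTOCOLS = {
    "business": {"http", "https", "smtp", "imap"},
    "partner_transfer": {"ftp", "sftp"},
    "post_production": {"smb", "nfs"},
    "transmission": {"rtp"},
}

@dataclass(frozen=True)
class Flow:
    """One LAN flow already attributed to a user and role (what Layer 7 visibility gives IT)."""
    user: str
    role: str
    dst_ring: str
    protocol: str

def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a flow is permitted; the reason string is what the audit log records."""
    if flow.role not in ROLE_MAX_RING or flow.dst_ring not in RINGS:
        return False, f"unknown role or ring: {flow.role}/{flow.dst_ring}"
    if RINGS.index(flow.dst_ring) > ROLE_MAX_RING[flow.role]:
        return False, f"role {flow.role} may not reach ring {flow.dst_ring}"
    if flow.protocol not in RING_PROTOCOLS[flow.dst_ring]:
        return False, f"{flow.protocol} not permitted in ring {flow.dst_ring}"
    return True, "permitted"

def audit(flows: list[Flow]) -> list[tuple[str, str]]:
    """Return (user, reason) for each denied flow, pinpointing the source by user."""
    return [(f.user, evaluate(f)[1]) for f in flows if not evaluate(f)[0]]

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("acct1", "accounting", "business", "smtp"),
    Flow("edit7", "freelance_editor", "post_production", "smb"),
    Flow("edit7", "freelance_editor", "post_production", "ssh"),
    Flow("edit7", "freelance_editor", "transmission", "rtp"),
    Flow("guest3", "guest", "business", "http"),
    Flow("tx2", "transmission_engineer", "partner_transfer", "ftp"),
]
```

Running `audit(SAMPLE_FLOWS)` yields one denial per unauthorized flow, attributed to the user, which is the record the article says clients and industry auditors ask for.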