Securing broadcast networks

May 1, 2009 12:00 PM, By Jeff Prince

Concentric-ring network design protects LAN content.


Keep in mind that each ring is a zone of control, created either physically or logically. Physical segmentation is hard to maintain and proves ineffective the moment an unauthorized person gains entry to a restricted area, unless user- or application-based access controls back it up. Virtual LANs are the common way to segment a network logically, but they are cumbersome to administer, have no application awareness and tie access to the switch port rather than to the user: someone who plugs into a port on a different LAN segment simply inherits that segment's access.

Media organizations need a set of technologies that let them logically segment traffic based on users and applications, allowing them to create a tiered network design that's granular, flexible and easy to administer.

Technologies to deploy

To address the requirements for securing the LAN, media organizations should consider deploying the following technologies.

  • Authentication
    By verifying that users and IP devices are who or what they claim to be, and admitting only authorized users and devices to the LAN, authentication protects the network from unauthorized access. Look for systems that leverage existing identity stores, such as Active Directory (AD) and RADIUS, to learn each user's identity and role automatically during authentication. This capability, known as passive authentication, spares users a second set of login credentials. An authentication system should also support a browser-based captive portal to provide active authentication for contractors, guests and other users not known to the identity store.

    The ability to identify a user's role during authentication makes it possible to apply control policies to that user after admission to the network. Another benefit is that management changes are centralized: deleting a user from an identity store such as Active Directory revokes all of that user's network access rights, provided the enforcement point re-checks existing sessions against the store rather than only at the next login.

    A robust, role-based authentication system also allows for differentiated LAN access for contractors, vendors, guests and employees, providing a first level of traffic segmentation. For example, guests may be restricted to accessing the Internet. (See Figure 2.)

  • Host posture check
    Performed at login time, a host posture check reduces the risk of malware outbreaks by ensuring that a user's computer complies with corporate standards: an approved operating system with current patches and fixes, and an up-to-date antivirus program. Look for a host posture check system that covers hosts not under corporate control and applies to all classes of users, including employees, contractors and visitors, without burdening IT.

    A posture check solution should also scan hosts for active malware, not merely confirm that antivirus software is installed and current. An infected host can pass the antivirus check and still carry a worm or a bot that launches DoS attacks once it is on the network; the scan keeps such hosts out even when current antivirus software is detected.

  • Stateful (deep packet) inspection
    Maintaining state information lets a network device track and forward traffic as flows rather than as individual packets, while deep packet inspection up through Layer 7 identifies the application and the events within it, such as the destination URL in an HTTP session or the file name in an FTP download. Combined with the identity learned at authentication, this ties each flow to a specific user.

    A device that performs stateful deep packet inspection on all flows can correlate user, device, application, destination and other information, enabling IT to apply granular access control and quality of service policies at the user and application level.

  • Role-based policies
    Knowledge of users and application-level visibility enable a system to tie all LAN activity back to specific users. As a result, IT can define rights and permissions, as well as control and enforcement actions, based on a user's role in the organization, ensuring tight access to applications, data and other resources on specific parts of the network.

    By supporting user- and application-based traffic segmentation, role-based policies make it easy to implement a logically tiered network design with firewall-like traffic separation. In addition, the correct rights and permissions are applied to each user regardless of the access medium used or location from which they attach to the LAN.

  • Audit trail
    Robust auditing enables a system to retain statistics about all flows and display flows by user name, role, application, file or destination, greatly simplifying compliance and client reporting as well as troubleshooting and forensics. Look for an auditing system that provides key user data, including log-in/log-out time, applications run, transactions performed and resources reached.

    It should also track security incidents, including those related to host posture checks, policy violations, authentication failures and malware events, and provide real-time and historical data as well as aggregated views.
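As an added illustration of the stateful inspection point above (this is not code from the article or from any vendor's product), the following Python sketch keeps a flow table keyed by connection rather than by packet, identifies the application from payload rather than from the port, and extracts the Layer 7 events the text mentions: the destination URL of an HTTP request, even when the request header arrives split across two segments, and the file name in an FTP RETR. The packets are constructed, the client/server heuristic is an assumption, and the per-flow buffer limit is a chosen value.

```python
"""Stateful inspection with Layer 7 event extraction over a flow table.
Added illustration, not vendor code. Packets are constructed tuples rather than
captured frames, and only HTTP request headers and FTP control commands are decoded."""
from dataclasses import dataclass, field

MAX_BUFFER = 8192      # unparsed payload kept per direction; bounds memory per flow (chosen value)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")


@dataclass
class Flow:
    key: tuple                        # (client_ip, client_port, server_ip, server_port, proto)
    packets: int = 0
    octets: int = 0
    app: str = "unknown"              # identified from payload, never from the port alone
    buffers: dict = field(default_factory=lambda: {"c2s": b"", "s2c": b""})
    events: list = field(default_factory=list)   # Layer 7 events as (app, kind, detail)


def flow_key(src, sport, dst, dport, proto):
    """Map both directions of a connection onto one key. Assumed heuristic: the endpoint
    with the higher (ephemeral) port is the client. Returns (key, direction)."""
    if sport > dport:
        return (src, sport, dst, dport, proto), "c2s"
    return (dst, dport, src, sport, proto), "s2c"


def identify(buf):
    """Application identification from the first client-to-server bytes."""
    if buf.startswith(HTTP_METHODS):
        return "http"
    if buf[:5].upper() == b"USER ":
        return "ftp"
    return "unknown"


def decode_http(flow, buf):
    """Emit one event per complete request header: method and destination URL.
    An incomplete header stays buffered until the flow's next packet arrives."""
    while b"\r\n\r\n" in buf:
        head, _, buf = buf.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        parts = lines[0].split(b" ")
        if len(parts) < 2:
            continue                                   # malformed request line: skip it
        host = flow.key[2].encode()                    # fall back to the server address
        for line in lines[1:]:
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip()
        url = "http://" + host.decode("latin-1") + parts[1].decode("latin-1")
        flow.events.append(("http", parts[0].decode("latin-1"), url))
    return buf


def decode_ftp(flow, buf):
    """Emit events for USER (application-level identity) and RETR/STOR (file names)."""
    while b"\r\n" in buf:
        line, _, buf = buf.partition(b"\r\n")
        cmd, _, arg = line.partition(b" ")
        cmd = cmd.upper()
        if cmd == b"USER":
            flow.events.append(("ftp", "user", arg.decode("latin-1")))
        elif cmd in (b"RETR", b"STOR"):
            flow.events.append(("ftp", cmd.decode().lower(), arg.decode("latin-1")))
    return buf


class FlowTable:
    def __init__(self):
        self.flows = {}

    def process(self, src, sport, dst, dport, proto, payload):
        """Account one packet to its flow and run the Layer 7 decoder on the client side."""
        key, direction = flow_key(src, sport, dst, dport, proto)
        flow = self.flows.setdefault(key, Flow(key))
        flow.packets += 1
        flow.octets += len(payload)
        buf = flow.buffers[direction] + payload
        if direction == "c2s":
            if flow.app == "unknown":
                flow.app = identify(buf)
            if flow.app == "http":
                buf = decode_http(flow, buf)
            elif flow.app == "ftp":
                buf = decode_ftp(flow, buf)
        flow.buffers[direction] = buf[-MAX_BUFFER:]      # oldest unparsed bytes are dropped
        return flow


if __name__ == "__main__":
    table = FlowTable()
    # Constructed traffic: an HTTP request on a non-standard port, split across two
    # segments, and an FTP control session that fetches a media file.
    table.process("10.0.5.7", 51000, "93.184.216.34", 8080, "tcp",
                  b"GET /news/index.html HTTP/1.1\r\nHost: www.exam")
    table.process("10.0.5.7", 51000, "93.184.216.34", 8080, "tcp", b"ple.com\r\n\r\n")
    table.process("10.0.1.10", 21, "10.0.5.7", 51001, "tcp", b"220 FTP ready\r\n")
    table.process("10.0.5.7", 51001, "10.0.1.10", 21, "tcp", b"USER tim\r\n")
    table.process("10.0.5.7", 51001, "10.0.1.10", 21, "tcp", b"PASS x\r\nRETR promo.mxf\r\n")
    for flow in table.flows.values():
        print(flow.key, flow.app, flow.packets, flow.octets, flow.events)
```

The two points a practitioner should take from this: the HTTP URL is only recoverable because the first segment was held in per-flow state until the header completed, which a packet-at-a-time filter cannot do, and the request is recognized as HTTP on port 8080 because identification looks at payload, so moving a service to an odd port does not hide it. The buffer cap is the guard against a client that streams header bytes without ever finishing a request.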

Shopping for solutions

Securing the LAN internally is imperative for digital media providers, whose content can too easily “escape” and compromise transmission facilities. Fortunately, IT doesn't have to piece together a solution. A new class of application-aware devices makes it possible to embed directly into the LAN all the technologies and controls discussed above with minimum impact on users and IT resources.

Organizations that aren't making changes to their LAN can get user and application control with a drop-in appliance. Those planning a LAN infrastructure upgrade or refresh can deploy intelligent LAN switches, which combine high-performance LAN switching with user and application controls.

Both types of devices give media organizations the ability to control who gains access to the LAN and to segment traffic based on users and resources, providing the stringent level of LAN security required in today's all-digital environments.


Jeff Prince is chairman and CTO of ConSentry Networks and a managing partner at Prince Ventures.

Figure 2. Network resource access control by role

Role          User account   AD     DNS    File   Mail   Intranet  Internet
Unauthorized  Local          Allow  Deny   Deny   Deny   Deny      Deny
Visitor       Guest          Deny   Allow  Deny   Deny   Deny      Allow
Employee      Bob            Allow  Allow  Allow  Allow  Allow     Deny
Regular       Alice, John    Allow  Allow  Allow  Allow  Allow     Allow
Evaluator     Tim            Allow  Allow  Allow  Deny   Deny      Allow
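The access matrix of Figure 2 put to work, as an added Python example that is not from the article or from ConSentry: it walks the admission steps described earlier (passive role lookup in an identity store, a captive-portal guest, a posture gate that drops non-compliant hosts into the Unauthorized ring), enforces each flow by role, shows revocation by deleting the user from the store, and keeps the audit trail with an aggregated incident view. The identity store, server inventory, approved-OS list, posture report fields and the rule that unknown private addresses count as Intranet are all constructed assumptions.

```python
"""Role-based LAN admission, enforcement and audit. Added illustration, not ConSentry code.
The identity store, server inventory, approved-OS list and posture reports are constructed
stand-ins for AD/RADIUS, the inspection engine's classification, corporate standards and a
host agent's report."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

RESOURCES = ("AD", "DNS", "File", "Mail", "Intranet", "Internet")
# Figure 2 access matrix as printed in the article: role -> {resource: allowed}.
POLICY = {
    "Unauthorized": dict(zip(RESOURCES, (True, False, False, False, False, False))),
    "Visitor":      dict(zip(RESOURCES, (False, True, False, False, False, True))),
    "Employee":     dict(zip(RESOURCES, (True, True, True, True, True, False))),
    "Regular":      dict(zip(RESOURCES, (True, True, True, True, True, True))),
    "Evaluator":    dict(zip(RESOURCES, (True, True, True, False, False, True))),
}
IDENTITY_STORE = {"bob": "Employee", "alice": "Regular", "john": "Regular", "tim": "Evaluator"}
SERVERS = {("10.0.0.5", 389): "AD", ("10.0.0.53", 53): "DNS", ("10.0.1.10", 445): "File",
           ("10.0.1.20", 25): "Mail", ("10.0.2.80", 80): "Intranet"}
APPROVED_OS = {"Windows XP SP3", "Windows Vista SP1", "Mac OS X 10.5"}   # 2009-era stand-in


@dataclass(frozen=True)
class Session:
    host: str   # port or address the host attached from
    user: str
    role: str


def posture_ok(report):
    """Approved OS, patched, AV signatures at most 7 days old, clean scan; missing fields fail closed."""
    return (report.get("os") in APPROVED_OS and report.get("patched") is True
            and report.get("av_sig_age_days", 999) <= 7 and report.get("malware_found") is False)


def classify(dst_ip, dst_port):
    """Name the resource behind a destination: a known server, else Intranet/Internet by address."""
    if (dst_ip, dst_port) in SERVERS:
        return SERVERS[(dst_ip, dst_port)]
    return "Intranet" if ipaddress.ip_address(dst_ip).is_private else "Internet"


class LanController:
    """Admission, per-flow enforcement and the audit trail for one LAN."""

    def __init__(self, identity_store):
        self.store = dict(identity_store)   # copied so revocation leaves the module constant alone
        self.audit = []                     # flow records and security incidents

    def admit(self, host, user, report):
        """Known users get their role passively from the identity store, "guest" stands for a
        captive-portal login, and unknown users or failed posture land in the Unauthorized ring."""
        if not posture_ok(report):
            self.audit.append({"event": "posture_fail", "host": host, "user": user})
            return Session(host, user, "Unauthorized")
        role = self.store.get(user)
        if role is None:
            role = "Visitor" if user == "guest" else "Unauthorized"
            if role == "Unauthorized":
                self.audit.append({"event": "auth_fail", "host": host, "user": user})
        return Session(host, user, role)

    def enforce(self, session, dst_ip, dst_port):
        """Allow or deny one flow from the session's role; every decision is audited."""
        resource = classify(dst_ip, dst_port)
        allowed = POLICY[session.role][resource]
        self.audit.append({"event": "flow", "user": session.user, "role": session.role,
                           "resource": resource, "dest": f"{dst_ip}:{dst_port}",
                           "action": "allow" if allowed else "deny"})
        return allowed

    def revoke(self, user, sessions):
        """Deleting a user from the identity store revokes every session that user holds."""
        self.store.pop(user, None)
        return [Session(s.host, s.user, "Unauthorized") if s.user == user else s for s in sessions]

    def incidents(self):
        """Aggregated view, (user, incident kind) -> count; a denied flow is a policy violation."""
        return Counter((r["user"], r["event"] if r["event"] != "flow" else "policy_violation")
                       for r in self.audit if r["event"] != "flow" or r["action"] == "deny")


if __name__ == "__main__":
    ctl = LanController(IDENTITY_STORE)
    clean = {"os": "Windows XP SP3", "patched": True, "av_sig_age_days": 1, "malware_found": False}
    bob = ctl.admit("port-7", "bob", clean)
    guest = ctl.admit("port-12", "guest", clean)
    tim = ctl.admit("port-3", "tim", dict(clean, av_sig_age_days=30))   # stale AV: quarantined
    print(ctl.enforce(bob, "10.0.1.10", 445))        # True: Employee may reach File
    print(ctl.enforce(bob, "93.184.216.34", 80))     # False: Employee denied Internet
    print(ctl.enforce(guest, "93.184.216.34", 80))   # True: Visitor may reach Internet
    print(ctl.enforce(tim, "10.0.1.10", 445))        # False: Unauthorized ring reaches AD only
    bob, = ctl.revoke("bob", [bob])
    print(ctl.enforce(bob, "10.0.1.10", 445))        # False: revoked along with the AD account
    print(ctl.incidents())
```

Note that the policy is keyed on the role carried in the session, not on the port or VLAN the host sits on, which is what lets the same rights follow a user across access media; and that revocation only takes effect because existing sessions are re-derived from the store rather than left as they were at login.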
