Video: Securing Your Network with Firewall Tech

As true for corporate networks as for broadcast networks, security needs to underpin everything we do to ensure the smooth running of services, that ransomware is kept out and that our data is kept in. This doesn’t mean every device has to have every security feature turned up to 11; it means that security, and which threats need to be protected against, has been thought through at the system level.

Security is of such importance in broadcast facilities that we see it as the foundational layer of the EBU’s Technology Pyramid. SMPTE ST 2110 sits at the top and, whilst this is seen as the ‘business end’, it’s not practical without all that underpins it: the system timing, the NMOS protocols and the security practices.

In this video, Ray Scites explains the threats to networks and challenges the audience to take them seriously, showing how mitigations can be implemented. He explains some of the common attacks on networks, both technical and human. The human attacks are phishing attacks, which effectively just ask for the details. They start by asking for seemingly innocuous information such as “Is Donald available today?” and then build on knowing that someone is away to apply pressure to hand over information: “Donald told me this needs doing right now or the $1,000 deposit will be lost.” With enough small pieces of information providing the context, people can be tricked into thinking that an attacker is legitimately doing business, and their requests are complied with.

To supplement the human element, vulnerabilities can be exploited. Ray highlights that it’s not just Windows 10 that needs updates: the CVE list of vulnerabilities shows that just this year over 40 security issues with Netgear devices have been publicly reported. All elements in the network need to be kept up to date.

Ray looks at the levels of firewall available, from basic features such as port blocking and forwarding to advanced ones like intrusion detection and deep packet inspection. With the latter, packets are not just forwarded but read, to determine their payload and make firewall decisions based upon the contents. He then explains how port forwarding and NAT (Network Address Translation) work in firewalls.

“The cloud offloads all the functionality, but none of the liability.”

Ray Scites
An important takeaway from this video is that moving infrastructure and/or data to the cloud can be a great move for your company’s workflow, IT overheads and costs, but it doesn’t solve all your security issues. Your responsibility is still to implement secure practices both in the office and in the cloud. Whilst the job may be easier now, as it may be someone else’s responsibility to update OSes or other software, you are still the one responsible for data breaches and for ensuring that your security coverage is complete.

Ray finishes by showing a brute-force password attack in real time and answering questions covering how to implement security around hardware devices which have no security features, using remote PC terminals to maintain security, and whether attacks are on the increase.

Watch now!
Speaker

Ray Scites
KNL Consulting Services

Video: How to build two large Full-IP OB trucks (during COVID-19)

It’s never been easy building a large OB van. Keeping within axle weight limits, getting enough technology in and working within a tight project timeline, not to mention keeping the expanding sections cool and water-tight, is no easy task. Add on social distancing thanks to SARS-CoV-2 and life gets particularly tricky.

This project was intriguing before Covid-19 because it called for two identical SMPTE ST 2110 IP trucks to be built, explains Geert Thoelen from NEP Belgium. Both are 16-camera trucks with 3 EVS each. The idea is that people could walk into truck A on Saturday and do a show, then walk into truck B on Sunday and work on exactly the same show but a different match. Being identical, when these trucks are delivered to Belgian public broadcaster RTBF, production crews won’t need to worry about getting a better or worse truck than the other programmes. The added benefit is that weight is reduced compared to SDI baseband. The trucks come loaded with Sony cameras, Arista switches, Lawo audio, EVS replays and Riedel intercoms. They are ready to take a software upgrade for UHD and offer 32 frame-synched and colour-corrected inputs plus 32 outputs.

Broadcast Solutions have worked with NEP Belgium for many years, a close relationship which became a key asset in this project, which had to be completed under social distancing rules. Working open book and having existing trust between the parties, we hear, was important in completing this project on time. Broadcast Solutions provided separate internet access to the truck as it was being built, giving vendors 24/7 remote access.

Axel Kühlem from Broadcast Solutions addresses a question from the audience about the benefits of 2110. He confirms that weight is reduced compared to SDI by about half, comparing like-for-like equipment. Furthermore, he says, power is reduced. The aim of having two identical trucks is to allow them to be occasionally joined for large events, or even connected into RTBF’s studio infrastructure for those times when you just don’t have enough facilities. Geert points out that IP on its own is still more expensive than baseband, but you are paying for the ability to scale in the future. Once you count the flexibility it affords both the productions and the broadcaster, it may well turn out cheaper over its lifetime.

Watch now!
Speakers

Axel Kühlem
Senior System Architect
Broadcast Solutions
Geert Thoelen
Technical Director,
NEP Belgium

Video: IP Fundamentals For Broadcast Seminar IV

“When networking gets real” could, perhaps, have been the title of this last of four talks about IP for broadcast. This session wraps up a number of topics, from the classic ‘TCP vs. UDP’ discussion to IPv6, and examines the switches and routers that make up a network as well as the architecture options. Not only that, but we also look at VPNs and firewalls, finishing by discussing some aspects of network security. When viewed with the previous three talks, this one discusses many of the nuances of the topics already covered, bringing in the relevance of ‘real world’ situations.

Wayne Pecena, President of the SBE, starts by discussing subnets and collision domains. The issue with any NIC (Network Interface Controller) is that it has no way of knowing when someone else is talking on the wire (i.e. when another NIC is sending a message by changing the voltage on the wire). It’s important that NICs detect when other NICs are sending messages and avoid sending while this is happening. If this doesn’t work out, two messages on the same wire at once are seen as a ‘collision’. It’s no surprise that collisions are to be avoided, which is the starting point of Wayne’s discussion.

Moving from Layer 2 to Layer 4, Wayne pits TCP against UDP, looking at the pros and cons of each protocol. Whilst this is no secret, as part of the previous talks it is just what’s needed to round the topic off ahead of talking about network architecture.

“Building and Securing a Segmented IP Network Infrastructure” is the title of the next talk, which starts to deal with the real-world problems an engineer faces when she gets back from a training session and starts to actually specify a network herself. How should the routers and switches be interconnected to deliver the functionality required by the business and, as we shall see, which routers/switches are actually needed? Wayne discusses some of the considerations of purchasing switches (layer 2) and routers (layer 3 & 2), including the differing terms used by HP and Cisco, before talking about how to assign IP addresses, also called an IP space. Wayne takes us through IP addressing plans, examples of what they would look like in Excel, along with a lot of the real-world thinking behind them.

Security is next on the list, not just in terms of ‘cybersecurity’ in the general sense but in terms of best practice, firewalls and VPNs. Wayne takes a good segment of time to discuss the different aspects of firewalls, how they work, ACLs (Access Control Lists) and port security amongst other topics, then does the same for VPNs (Virtual Private Networks), making the point that a VPN and a firewall are not the same. A VPN allows you to extend a network out from one building into another, the typical example being from your workplace into your home. Whilst a VPN is secured so that only certain people can extend the network, a firewall more generally acts to prevent anything coming into a network.

As an addendum to this talk, Wayne explains IPv4 depletion and how IPv6 addressing works. In practice, for broadcasters deploying within their company in the year 2020, IPv6 is unlikely to be a topic they need. However, for people who are distributing to homes and working closely with CDNs and ISPs, there is a chance that this information is more relevant on a day-to-day basis. Whilst IP address depletion is a real thing, since every company has the private 10.x.x.x address space to play with, most companies still run their internal equipment on an IPv4 address plan.

Watch now!
Speaker

Wayne Pecena
Director of Engineering, KAMU TV/FM at Texas A&M University
President, Society of Broadcast Engineers AKA SBE

Video: Timing Tails & Buffers

Timing and synchronisation have always been a fundamental aspect of TV and as we move to IP, we see that timing is just as important. Whilst there are digital workflows that don’t need to be synchronised against each other, many do such as studio productions. However, as we see in this talk from The Broadcast Bridge’s Tony Orme, IP networks make timing all the more variable and accounting for this is key to success.

To start with, Tony looks at the way OBs, also known as REMIs, are moving to IP and need a timing plane across all of the different parts of production. We see how synchronisation has traditionally been needed and what the effects of timing problems are: not only missed data but, with all essences being sent separately, synchronisation problems between them can easily creep in.

When it comes to IP timing itself, Tony explains how PTP is used to record the capture time of the media/essences and distribute it through the system. Looking at each packet on the wire and the interval between it and the previous one will show a distribution with, hopefully, only a few microseconds of variation. This variation gives rise to jitter, which is a varying delay in data arrival. The larger the spread, the more difficult it will be to recover the data. To examine this more closely, Tony looks at the reasons for, and the impacts of, congestion, jitter and reordering of data.

Bursting, to take one of these as an example, is a much overlooked issue on networks. While it can occur in many scenarios without any undue problems, microbursting can be a major issue and one that you need to look for to find. This surrounds the issue of how you decide that a data flow is, say, 500Mbps. If you had an encoder which sent data at 1Gbps for 5 minutes and no data for 5 minutes, then over the 10 minute window the average bitrate would have been 500Mbps. This clearly isn’t a 500Mbps encoder, but how narrow does your measurement window need to be before you are happy it is, indeed, 500Mbps by all reasonable definitions? Do you need to measure it over 1 second, or 1 millisecond? Behind microbursting is the tendency of computers to send whatever data they have as quickly as possible; if a computer has a 10GbE NIC, then it will send at 10Gbps. What video receivers actually need is well-spaced packets which always arrive a set time apart.
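The measurement-window question above, and the inter-arrival distribution described two paragraphs earlier, can be made concrete with a small script. This is an added example, not code from the talk or from The Broadcast Bridge. It constructs two packet traces as integer-nanosecond timestamps (the kind of values a PTP-stamped capture would yield): a sender that delivers the nominal 500Mbps on average but emits each millisecond’s packets back-to-back at 10GbE line rate, and an ideally paced sender with a fixed gap between packets. It then measures the peak bitrate each trace shows over 1ms, 100µs and 12µs windows, and the spread of the inter-packet gaps. The 1500-byte packet size, the 1ms burst period and the 10ms trace length are all assumptions chosen for the illustration.

```python
"""Windowed bitrate and inter-arrival spread over constructed packet traces.

Timestamps are integer nanoseconds so that window boundaries are exact and
no floating-point rounding creeps into the bucket assignment.
"""
from statistics import mean

NS = 1_000_000_000          # nanoseconds per second
PACKET_BITS = 1500 * 8      # assumed 1500-byte packets


def bursty_trace(target_bps, line_rate_bps, period_ns, duration_ns,
                 packet_bits=PACKET_BITS):
    """Sender that averages target_bps over each period but emits each
    period's packets back-to-back at line_rate_bps and then sits idle.
    This is the '1Gbps for 5 minutes, nothing for 5 minutes' encoder of the
    text, scaled down to millisecond periods (a microburst)."""
    bits_per_period = target_bps * period_ns // NS
    packets_per_period = bits_per_period // packet_bits
    gap_ns = packet_bits * NS // line_rate_bps   # inter-packet gap at line rate
    times = []
    for start in range(0, duration_ns, period_ns):
        times.extend(start + i * gap_ns for i in range(packets_per_period))
    return times


def paced_trace(target_bps, duration_ns, packet_bits=PACKET_BITS):
    """Ideal video-style sender: every packet a fixed interval apart."""
    gap_ns = packet_bits * NS // target_bps
    return [i * gap_ns for i in range(duration_ns // gap_ns)]


def windowed_rates(times, window_ns, duration_ns, packet_bits=PACKET_BITS):
    """Bits per second observed in each consecutive window of window_ns.
    A packet is credited to the window its timestamp falls in."""
    n_windows = duration_ns // window_ns
    counts = [0] * n_windows
    for t in times:
        idx = t // window_ns
        if idx < n_windows:
            counts[idx] += 1
    return [c * packet_bits * NS / window_ns for c in counts]


def peak_rate(times, window_ns, duration_ns):
    """Highest rate seen in any window: what a receive buffer must absorb."""
    return max(windowed_rates(times, window_ns, duration_ns))


def gap_stats(times):
    """(min gap, max gap, mean |deviation from the mean gap|) in ns: the
    spread of the inter-arrival distribution, i.e. the jitter."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return min(gaps), max(gaps), mean(abs(g - avg) for g in gaps)


if __name__ == "__main__":
    duration = 10_000_000    # 10 ms of trace (assumed)
    bursty = bursty_trace(500_000_000, 10_000_000_000, 1_000_000, duration)
    paced = paced_trace(500_000_000, duration)
    for label, trace in (("bursty", bursty), ("paced", paced)):
        for window in (1_000_000, 100_000, 12_000):
            peak = peak_rate(trace, window, duration)
            print(f"{label:6s} window {window / 1000:7.0f} us  peak {peak / 1e6:9.1f} Mbps")
        lo, hi, dev = gap_stats(trace)
        print(f"{label:6s} gaps: min {lo} ns  max {hi} ns  mean deviation {dev:.0f} ns")
```

Over 1ms windows both traces look like roughly 500Mbps flows. Shrink the window to 100µs and the bursty sender shows 4.92Gbps; at 12µs it shows the full 10Gbps line rate, because inside a burst that is exactly what the wire carries. The gap statistics tell the same story from the receiver’s side: the paced trace has zero spread, while the bursty one alternates between 1.2µs gaps and a 952µs gap, which is the jitter a buffer must hide. Note that the window must be wider than the packet interval, or the quantisation of whole packets into windows will itself inflate the peak.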

Buffers are necessary for IP transmission; in fact, within a computer there are many buffers, so using and understanding buffers is very important. Tony takes us through the thought process of considering what buffers are and why we need them. With this groundwork laid, understanding their use and potential problems is easier and well illustrated in this talk. For instance, since there are buffers in many parts of the chain that sends data from an application to a NIC and on to the destination, the best way to maximise the chances of a deterministic delay in the Tx path is to insert PTP information almost at the point of egress in the NIC rather than in the application itself.

The talk concludes by looking at buffer fill models and the problems that come with streaming using TCP/IP rather than UDP/IP (or RTP), the latter being the most common.

Watch now!
Download the presentations!

Speakers

Tony Orme
Editor,
The Broadcast Bridge