Video: Securing Your Network with Firewall Tech

As true for corporate networks as for broadcast networks, security needs to underpin everything we do to ensure the smooth running of service, that ransomware is kept out and that our data is kept in. This doesn’t mean every device has to have every security feature turned up to 11, it means that security – and which threats need to be protected against – have been thought through at the system level.

Such importance has security in broadcast facilities, that we see it as the foundational layer of the EBU’s Technology Pyramid. We see SMPTE ST 2110 at the top and whilst this is seen as the ‘business end’, it’s not practical without all that underpins it; the system timing, the NMOS protocols and the security practices.

In this video, Ray Scites explains the threats to networks and challenges the audience to take them seriously showing how mitigations can be implemented. He explains some of the common attacks on networks, both technical and human. Human attacks are phishing attacks which effectively simply ask for the details. Starting with asking for seemingly innocuous information like “Is Donald available today?” and building on knowing that someone is away to put on pressure to hand over information “Donald told me this needs doing right now or the $1,000 deposit will be lost.” With enough small information providing the context, people can be tricked into thinking that an attacker is legitimately doing business and their requests complied with.

To supplement the human element, vulnerabilities can be used. Ray highlights that it’s not just Windows 10 that needs updates, the CVE list of vulnerabilities shows that just this year over 40 security issues with Netgear devices have been publicly reported; all elements in the network need to be kept up to date.

Ray looks at the levels of firewall available from the basic features such as port blocking and forwarding to advanced, like intrusion detection and deep-packet-inspection. The latter technology being where packets are not just forwarded, but read to determine their payload and make firewall decisions based upon the contents. He then explains how port forwarding and NAT (Network Address Translation) work in firewalls.

The cloud offloads all the functionality, but none of the liability.

Ray Scites
An important takeaway from this video is that moving infrastructure and/or data to the cloud can be a great move for your company’s workflow, IT overheads and costs but it doesn’t solve all your security issues. Your responsibility is still to implement secure practices both in the office and in the cloud. Whilst the job may be easier now as it may be someone else’s responsibility to update OSes or other software, you are still the one responsible for data breaches and for ensuring that your security coverage is complete.

Ray finishes by showing a brute-force password attack in real time and answering questions covering how to implement security around hardware devices which had no security features, using remote PC terminals to maintain security and whether attacks are on the increase.

Watch now!

Ray Scites Ray Scites
KNL Consulting Services

Video: What is NMOS? with a Secure Control Case Study

Once you’ve implemented SMPTE ST 2110‘s suite of standards on your network, you’ve still got all your work ahead of you in order to implement large-scale workflows. How are you doing to discover new devices? How will you make or change connections between devices? How will you associate audios to the video? Creating a functioning system requires an whole ecosystem of control protocols and information exchange which is exactly what AMWA, the Advanced Media Workflow Association has been working on for many years now.

Jed Deame from Nextera introduces the main specifications that have been developed to work hand-in-hand with uncompressed workflows. All prefixed with IS- which stands for ‘Interface Specificaion’, they are IS-04, IS-05, IS-08, IS-09 and IS-10. Between them they allow you to discover new devices, create connections between then, manage the association of audio with video as well as manage system-wide information. Each of these, Jed goes through in turn. The only relevant ones which are skipped are IS-06 which allows devices to communicate northbound to an SDN controller and IS-07 which manages GPI and tally information.

Jed sets the scene by describing an example ST-2110 setup with devices able to join a network, register their presence and be quickly involved in routing events. He then looks at the first specification in today’s talk, NMOS IS-04. IS-04’s job is to provide an API for nodes (cameras, monitors etc.) to use when they start up to talk to a central registry and lodge some details for further communication. The registry contains a GUID for every resource which covers nodes, devices, sources, flows, senders and receivers. IS-04 also provides a query API for controllers (for instance a control panel).

While IS-04 started off very basic, as it’s moved to version 1.4, it’s added HTTPS transport, paged queries and support for connection management with IS-05 and IS-06. IS-04 is a foundational part of the system allowing each element to have an identity, track when entities are changes and update clients accordingly.

IS-05 manages connections between senders and receivers allowing changes to be immediate or set for the future. It allows, for example, querying of a sender to get the multicast settings and provides for sending that to a receiver. Naturally, when a change has been made, it will update the IS-04 registry.

IS-08 helps manage the complexity which is wrought by allowing all audios to flow separately from the video. Whilst this is a boon for flexibility and reduces much unnecessary processing (in extracting and recombining audio) it also adds a burden of tracking which audios should be used where. IS-08 is the answer from AMWA on how to manage this complexity. This can be used in association with BCP-002 (Best Current Practice) which allows for essences in the IS-04 registry to be tagged showing how they were grouped when they were created.

Jed looks next at IS-09 which he explains provides a way for global facts of the system to be distributed to all devices. Examples of this would be whether HTTPS is in use in the facility, syslog servers, the registration server address and NMOS versions supported.

Security is the topic of the last part of talk. As we’ve seen, IS-04 already allows for encrypted API traffic, and this is mandated in the EBU’s TR-1001. However BCP 003 and IS-10 have also been created to improve this further. IS-10 deals with authorisation to make sure that only intended controllers, senders and receivers are allowed access to the system. And it’s the difference between encryption (confidentiality) and authorisation which Jed looks at next.

It’s no accident that security implementations in AMWA specifications shares a lot in common with widely deployed security practices already in use elsewhere. In fact, in security, if you can at all avoid developing your own system, you should avoid it. In use here is the PKI system and TLS encryption we use on every secure website. Jed steppes through how this works and the importance of the cipher suite which lives under TLS.

The final part of this talk is a case study where a customer required encrypted control, an authorisation server, 4K video over 1GbE, essence encryption, unified routing interface and KVM capabilities. Jed explains how this can all be achieved with the existing specifications or an extension non top of them. Extending the encryption methods for the API to essences allowed them to meet the encryption requirements and adding some other calls on top of the existing NMOS provided a unified routing interface which allowed setting modes on equipment.

Watch now!
For more information, download these slides from a SMPTE UK Section meeting on NMOS

Jed Deame Jed Deame
Nextera Video

Video: Broadcast Content Protection

With video piracy estimated to cost the US economy $29M a year and programming rights costing 100s of millions of dollars or more, there’s plenty of reason to look to technology to protect your content. There is a long history of copy protection for broadcast/linear content which is continually changing.

Graham Turner, who has worked extensively in copy protection for many years, gives us an overview of how pay TV works, a look at the different types of protection and a look back at the history to see what we can learn from the mistakes made since the late 1980s.

After explaining the many reasons different types of channels have to protect their content, Graham explains the fundamentals of content protection, encryption and decryption being central to protection discussing symmetric and asymmetric cryptography. He then discusses key length which is something we hear a lot of, but can be non-trivial to understand. After all, AES talks of 128 and 256-bit keys, whereas in other areas we hear 1024, 2048 and more. Graham shows how these relate to the different keys in symmetric and asymmetric cryptography.

Pay TV is the area of focus for this video whereby live decryption keys need to be available at the set top box (STB) in the home. For DVD copy protection, the key is already in the DVD player and revocation of the rights of that DVD player are difficult. For TV there is a path from the broadcaster to the receiver which allows for more reactive rights management. ECM, Entitlement Checking Messages and EMM, Entitlement Management Messages, are the ways in which these permissions are spread so we look at how these work.

The architecture of the STB comes in focus next as Graham explains how the decryption and describing fit together along with hardware security and software security. Naturally after the STB has decoded the video, there’s interest in making sure the delivery to the TV is also secure which is where HDMI’s HDCP comes in with HDCP 2.2 protecting UHD content. HDCP is a method of ensuring that recording devices don’t get to record protected video whereas TVs or display devices can. Fingerprinting and watermarking are two technologies which are also examined showing how they are useful, to an extent, in identification of footage though not directly useful in preventing piracy itself.

The video ends with a very interesting look at the various high profile hacks from the last 30 or so years examining what was broken and how – in particular whether the cryptography itself was broken or whether the attack succeeded due to a weak link in the chain of another part of the system.

Watch now!

​ Graham Turner ​Graham Turner
Television Technologist,
Former Chair, IET Media

Video: Hacking ATSC 3.0

ATSC’s effort to bring IP into over-the-air broadcast has been long in the making and its deployment in South Korea along with the ITU’s inclusion of it in it’s list of recommended digital broadcast standards is a testament to it gaining acceptance. But as US broadcasters continue with test broadcasts and roll-outs in 2020, what security problems arise when IP’s included in the mix?

Acting is a great network security primer, this talk from Texas A&M’s Wayne Pecena, explains the premise and implications of creating and maintaining security in your broadcast plant. Starting by documenting the high profile attacks on broadcasters over the years, Wayne hones in on the reasons they should care from the obvious, omnipresent threat of ‘dead air’ to ‘loss of trust’ which is particularly motivating in recent years as we have seen state actors move to influence, not disrupt the normal course of life, in low-key, long-burn persistent attacks.

The talk hinges around the ‘AIC’ triad, comprising confidentiality, integrity and availability which are the three core aspects of data to protect. Integrity involves ensuring that the data are not altered either in transit or, indeed, in storage. Confidentiality revolves around ensuring that access control is maintained at all levels including physical, network-level and application live. Finally availability encompasses the fact that if the data isn’t available to the people who need it, the whole thing is pointless. Therefore supporting the availability side of the triangle includes thinking about redundancy and disaster recovery procedures.

Wayne, who is also the president of the Society of Broadcast Engineers, explains some of the attributes of a secure system which starts with security policies. These are the outer layer of any secure environment detailing how the many other layers of security will be managed and applied. Other aspects of a secure environment are appropriately layered and segmented network design, to limit what is available to anyone who does penetrate part of a system, access controls and logging.

After looking at the IETF and IEEE standards bodies, we see how the standard network models overlay neatly on the ATSC layered model with networking in the centre of them all. This leads in to a brief introduction to ‘IP’ in the sense of the the IP protocol on which are based TCP/IP and UDP/IP, between them central to most network communications around the world.

As we see how a small hole in defences can be slowly changed and enlarged allowing the attacker to move forward and create another hole in the next layer, Wayne talks about the types of security threats such malware, denial of service attacks and, of course, inside threats such as your employees themselves being complicit.

As the talk draws to a close we look at how this plays out in the real world talking through diagrams of broadcasters’ systems and how mitigations might play out on premise before talking cloud security. As the threat model in the cloud is different, Wayne explains the best practices to ensure safety and how these and the other security technologies used on the internet keep ATSC 3.0 secure including TLS secure certificate and the use of DNSSEC

The talk finishes with a look at security in the home whether that be with the myriad of consumer media consumption devices or items from the ‘internet of things’.

Watch now!

Wayne Pecena Wayne Pecena
Director of Engineering, KAMU TV/FM at Texas A&M University
President, Society of Broadcast Engineers AKA SBE