Name
Security for Discovery and Connection Management of SMPTE ST 2110 Media Devices
Date & Time
Wednesday, October 23, 2019, 9:00 AM - 9:30 AM
Location Name
San Francisco Room
Speakers
Description
Network security for broadcast IP infrastructures is of vital importance as more and more broadcasters venture into these new workflows. This paper will describe current workflows using the AMWA BCP-003 security best practices.
While the open specifications make adoption easy for the broadcast industry, they are also fully documented: an attacker positioned on the network can eavesdrop on, or mount a man-in-the-middle attack against, the unprotected API traffic and retrieve vital device information, such as the IP addresses of control ports. Use of those control ports by unauthorized personnel could disrupt the production chain, or worse.
BCP-003 can be used to encrypt all API traffic with TLS, which is the first step in preventing man-in-the-middle attacks. Because there are many cipher suites to choose from, this paper explains why the current list of suites was chosen, balancing strong security against compatibility with legacy broadcast equipment that has limited computing power. After a theoretical introduction, the paper explains how a broadcast facility can practically deploy the required Public Key Infrastructure and how devices installed after the initial deployment can be enrolled.
Furthermore, we focus on AMWA IS-10 as the means of specifying authorization mechanisms that secure access to NMOS APIs such as IS-04, IS-05 or IS-08. We also explain the current concept of an authorization server and how it issues tokens to controllers and nodes. In this way, NMOS nodes can be protected against unwanted access for starting, stopping or configuring media endpoints. The API used for discovering the authorization server and retrieving tokens is closely aligned with the other NMOS APIs to allow for fast adoption.
While integrating the authorization server into an existing IT infrastructure using common user databases such as Active Directory is outside the scope of BCP-003, it is necessary in practice to reduce maintenance overhead. A proof of concept will be presented in support of this.
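The following is an added illustration, not code from the paper or from AMWA: a server-side TLS context for an NMOS API endpoint that enforces the kind of policy the abstract describes (TLS 1.2 as the floor, forward-secret ECDHE key exchange, AEAD ciphers only), shown next to a permissive "legacy" context, with a small audit function that lists the enabled suites that violate that policy. The cipher string is the editor's assumption of what such a policy looks like; the paper's actual suite list is not reproduced on this page. Certificate and CA file paths are placeholders.

```python
import ssl

# Assumption (editor's illustration, not the paper's list): forward-secret ECDHE
# key exchange, AEAD-only ciphers, no anonymous/null/MD5/RC4 suites.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4"


def make_api_server_context(certfile=None, keyfile=None, cafile=None):
    """TLS context for an NMOS API server (node, registry or authorization server).

    certfile/keyfile/cafile are optional placeholders so the context can be built
    offline; in a facility they point at the PKI described in the paper.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(STRICT_CIPHERS)                # restrict the TLS 1.2 suite list
    ctx.options |= ssl.OP_NO_COMPRESSION           # no TLS-level compression
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if cafile:                                     # optional mutual TLS: require client certs
        ctx.load_verify_locations(cafile=cafile)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_legacy_context():
    """The 'before' picture: every suite the TLS library still ships, old versions allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def weak_suites(ctx):
    """Names of enabled suites that break the policy: no forward secrecy
    (static RSA key exchange) or no AEAD (CBC + HMAC constructions)."""
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        tls13 = name.startswith("TLS_")            # TLS 1.3 suites are always (EC)DHE + AEAD
        if not tls13 and (not name.startswith("ECDHE-") or not suite["aead"]):
            bad.append(name)
    return bad


def policy_report(ctx):
    """Summary a deployment checklist would record for one endpoint."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "enabled": len(ctx.get_ciphers()),
        "weak": weak_suites(ctx),
    }


if __name__ == "__main__":
    print("strict :", policy_report(make_api_server_context()))
    print("legacy :", policy_report(make_legacy_context()))
```

The audit only inspects the server's own configuration; whether a given legacy camera or gateway can still negotiate a suite from the strict list has to be confirmed with a real handshake against that device, which is the compatibility question the paper addresses.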
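The exchange described above, as an added example that is not part of the paper or of the IS-10 specification: the authorization server mints a JWT for a controller, and an NMOS node checks the signature, expiry and audience before mapping the HTTP method and path of an IS-04 or IS-05 request onto the per-API read/write permissions carried in the token. The `x-nmos-<api>` claim names and the glob-style path patterns are modelled on IS-10 but should be treated as an assumption here; the shared-secret HMAC signature is a dependency-free stand-in for the authorization server's asymmetric signing key, and all hostnames, identifiers and the fixed clock are constructed for the demo.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, claims: dict) -> str:
    """Authorization-server side: mint a compact JWT over the given claims.
    HMAC-SHA256 is a stand-in for the asymmetric signature IS-10 uses (assumption)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str, audience: str, now: float) -> dict:
    """Node side: verify the signature before trusting any claim, then exp and aud."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")        # the token never gets to pick the algorithm
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if audience not in aud:
        raise ValueError("token not issued for this node")
    return claims


def is_authorised(claims: dict, api: str, method: str, path: str) -> bool:
    """Map the HTTP method to read/write and match the API-relative path against
    the glob patterns in the x-nmos-<api> claim (claim layout is an assumption)."""
    perms = claims.get("x-nmos-" + api, {})
    kind = "read" if method.upper() in ("GET", "HEAD", "OPTIONS") else "write"
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in perms.get(kind, []))


def handle_request(secret, token, node_fqdn, api, method, path, now=None):
    """Status a node would answer: 401 for an unusable token, 403 for a valid
    token without the needed right, 200 when the request may proceed."""
    now = time.time() if now is None else now
    try:
        claims = verify_token(secret, token, node_fqdn, now)
    except ValueError:
        return 401
    if not is_authorised(claims, api, method, path):
        return 403
    return 200


# --- constructed demo fixtures (not real credentials or hosts) ---
SECRET = b"constructed-demo-secret-not-for-production"
NODE_FQDN = "node-01.studio.example"          # hypothetical ST 2110 node
NOW = 1_571_788_800                           # fixed clock so the run is deterministic

CONTROLLER_CLAIMS = {
    "iss": "https://auth.studio.example",     # hypothetical authorization server
    "sub": "control-room-1",                  # the broadcast controller
    "aud": [NODE_FQDN],
    "iat": NOW,
    "exp": NOW + 3600,
    "x-nmos-node": {"read": ["*"], "write": []},                         # IS-04: read only
    "x-nmos-connection": {"read": ["*"], "write": ["single/senders/*"]},  # IS-05: senders only
}
CONTROLLER_TOKEN = issue_token(SECRET, CONTROLLER_CLAIMS)

if __name__ == "__main__":
    for api, method, path in [("connection", "PATCH", "single/senders/a1b2/staged"),
                              ("connection", "PATCH", "single/receivers/a1b2/staged"),
                              ("node", "GET", "self")]:
        print(method, api, path, "->", handle_request(SECRET, CONTROLLER_TOKEN, NODE_FQDN, api, method, path, NOW))
```

The ordering inside `verify_token` is the part worth keeping: signature first, then expiry and audience, and only then the permission check, so a forged or replayed token never reaches the authorization logic. A node that receives a token scoped to another node's FQDN answers 401, and a controller that may stage senders but not receivers gets 403 on a receiver PATCH, which is the "unwanted access for starting/stopping/configuring media endpoints" the abstract refers to.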
Keywords
SMPTE ST 2110, NMOS, security, encryption, APIs, BCP-003, AMWA
Technical Depth of Presentation
IP security is extremely relevant and affects all network users from basic to advanced
What Attendees will Benefit Most from this Presentation
Broadcast engineers, technologists, and managers in any stage of their transition from baseband to IP workflows
Take-Aways from this Presentation
1. IP Network security is of utmost importance for broadcast infrastructures. A physical facility can be protected with security checkpoints and ID badges. But, for IP networks, different tools are needed. It is a big challenge but it is solvable! Several entities, including AMWA, are working on best practices but it is up to every user on the network to implement and use security measures at all times.