Network security: fear of the unknown15 April 2016
Previously, we looked at the impact AV/IT convergence has had on network security and how integrators and manufacturers in this space now have to make security a priority. Here we look at the issues IT departments fear most from the presence of AV equipment on the network, writes Ian McMurray.
What exactly are the security issues that make the corporate IT team nervous?
“What keeps them awake at night is the possibility of transitioning a firewall and leaving a ‘backdoor’ into the network,” says Pete Symes, senior product and solutions architect at AVMI. “The biggest fear of all corporates is intrusion into their networks. Coming from an IT background, I see the corporate network as the crown jewels as it allows access to everything; it’s regarded as such, and rightly so. Access to it has got to be earned rather than given. This is always the default position and it’s the sensible position. But: if you understand the requirements you can meet them.”
“There are recurring questions that the security team ask of any device that’s being attached to the network,” adds Toine C Leerentveld, technology manager, control solutions at Crestron. “Can someone put a virus on this device, or run unauthorised code? How do I make sure only trusted employees have management access to these devices? Is there a way for someone to gain unauthorised access to the network by connecting to the many innies and outies that AV equipment has? And – how do I make sure that the latest patches are on these devices, to ensure they are up-to-date?”
There is also something akin to fear of the unknown when it comes to AV technology, as Symes notes.
“They’re concerned that the AV devices are appliances, rather than traditional IT equipment – servers, PCs, printers and so on,” he says. “The lack of in-depth configuration of these appliances frightens most IT staff, as they don’t know exactly what these devices are doing to their infrastructure. It’s understanding what these appliances do and the ability to put in the correct controls and parameters within the devices so that they can be protected and they can’t be hijacked and used in a nefarious way. It’s just like putting a PC on the network really; IT people understand what they can do with IT equipment, but with AV they haven’t got the experience or the visibility, so it’s up to companies like ours to be able to translate AV into a language that they understand.”
According to Paul Zielie, manager of enterprise solutions for Harman Professional, it’s the typical spaces and applications for which AV technology is installed that gives cause for concern.
“AV systems are often installed in meeting spaces,” he points out. “This means these are shared devices, often with no authentication required for use on the network and very limited AAA [authentication, authorization and accounting] features. AMX has actually been working hard in this area. We offer LDAP integration with our NX controllers, which gives the potential to have a system that requires users to enter corporate login credentials before operation.”
“And,” he goes on, “AV systems are often installed in unprotected spaces. Often, the only place you leave an unaccompanied outsider in your organisation is in a conference room.”
“It’s important to remember, though, that AV is not unique,” he concludes. “There are systems with similar problems – such as building management systems and IoT devices – but the problems these systems have are different from the IT security challenges of general-purpose computers. IT departments that try to manage AV/IT systems like their computer networks often have problems.”
Toni Barnett, MD of integrator CDEC, is in agreement. “There aren’t many AV-specific security threats,” she believes. “The threats are general and can relate to integrating any device onto a network – not just AV devices.”
“And,” adds Barnett, “BYOD is more of a threat/challenge than any AV equipment could pose, as BYOD sees external technology sources joining the network on a daily basis.”
So: what are the security measures that IT organisations are looking to take?
“The priorities depend on the risk management framework of the organisation, explains Zielie. “The first is usually increased scrutiny of authentication, authorisation and accounting – AAA. Enterprises want the systems to support password policies like complexity and forced password changes after a set period; multiple roles with different privileges appropriately assigned to individual users; and security logs to support the organisation’s audit requirements. Increasingly, they want to offload these tasks to their centralised management system like Active Directory.”
“Second,” he continues, “they want the ability to disable deprecated and unused services. It is important to be able to disable non-secure protocols like Telnet. And third, they want to be able to use encryption. Devices like the Cisco Codecs no longer have RS-232 ports, so the ability for controllers to use secure network protocols such as SSH to control the device is critical.”