AV systems manufacturers have been offering networking capabilities for years, but in a somewhat limited manner: the devices are on a network, but one separate from the core infrastructure. While this approach lays the groundwork for ensuring both security and performance, it often requires tech managers to invest the time and money in building and managing, well, another network. As the line between AV and IT vanishes—prefer to operate that audio system with your iPad, anyone?—the need to have AV sitting on the primary network is, in many cases, mandatory. The question is: how do you keep your network safe while delivering the AV performance your organization requires?
[Image caption: A look at the equipment racks of The Han Show in Wuhan, China. The extensive technology system of video, audio, IPTV, and intercom is, in part, supported by a Meyer Sound system.]
For Wes Irish, the first step is determining what your organization’s philosophy on security actually is. Currently senior network scientist at Meyer Sound Laboratories Inc., an audio systems developer based in Berkeley, Calif., Irish has also served as a tech manager, and says that he has worked with organizations that were stringent about security, and others that were less so, depending on the industry or sector. Then there are performance issues: a performance hall, for example, may base its reputation on how well the sound system operates. “Their model is: we don’t want one glitch in the audio for this two-hour show,” Irish illustrated. “On that end, you have to be very draconian to run the network appropriately for that organization. In those cases, I advocate physically locking things down as much as you can: don’t make ports available unless you need them to be available. Audit and monitor, at the 48-bit MAC ID level. Make sure you account for every device on the network; know what it is, where it is, who’s responsible for it, and what it’s doing.” If you can get away with it, don’t have Wi-Fi connectivity... but then, he concedes, you may need Wi-Fi connectivity for the control network, which, once again, requires a degree of vigilance. “I have a lot of different advice for different managers, but it’s always couched in: what’s your environment like? What’s the security model? What’s the performance model? What’s truly important to the organization here?”
Toine Leerentveld, technology manager for control solutions at Crestron Electronics Inc., a control and collaboration systems manufacturer based in Rockleigh, N.J., acknowledges that good security practices begin with knowing what devices are on your network. If, for example, the organization is using DHCP, tech managers can identify all of the devices that have received an IP address. “Then, using the manufacturer’s MAC address, you can at least identify all products from a single manufacturer and start figuring out where on the network they are,” he said.
[Image caption: The Han Show’s system utilizes 359 Meyer Sound self-powered loudspeakers that are processed, distributed, and matrixed by the D-Mitri digital audio platform (comprising 53 frames). Used for surrounds and localized upstage sources are nine CAL loudspeakers by Meyer Sound.]
“There are several discovery functions available for networked devices and services,” noted Domenico Gambino, vice president of sales engineering at Barix, an IP communications and control systems developer headquartered in Zurich, Switzerland, highlighting SNMP and Zeroconf. “Also, proprietary implementations exist to fulfill specific vendor system requirements.” In this case, he says that tech managers must weigh the benefits of standard implementation against system needs and compatibility.
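The inventory practice Irish and Leerentveld describe above (account for every device at the MAC level, then use DHCP leases and the manufacturer portion of the MAC to find them) can be scripted. The following is an added example, not code from the article or from any of the vendors quoted: it parses ISC dhcpd-style lease records, groups hosts by the 24-bit OUI of their MAC address, and flags any MAC that is not in an authorized-device list. The lease text, the OUI-to-vendor table and the authorized inventory are all constructed placeholders; the OUI prefixes are not real vendor assignments.

```python
"""Inventory networked AV devices from DHCP leases and flag unknown ones.

Added example (not from the article or any vendor): parses ISC dhcpd-style
lease records, groups hosts by the 24-bit OUI of their MAC address, and
compares each MAC against an authorized-device list so that anything
unaccounted for can be investigated. The OUI-to-vendor table and the lease
data below are constructed placeholders, not real vendor assignments.
"""
import re
from collections import defaultdict

# Constructed OUI table (placeholder prefixes, NOT real vendor assignments).
# In practice this comes from the IEEE OUI registry or the vendor's own docs.
OUI_VENDORS = {
    "00:11:22": "ExampleAudioCo",
    "aa:bb:cc": "ExampleControlCo",
}

# Constructed sample of an ISC dhcpd.leases file (the last lease sends no
# client-hostname option, which is common for embedded AV devices).
SAMPLE_LEASES = """
lease 10.20.0.11 {
  starts 4 2024/03/07 08:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "amp-stage-left";
}
lease 10.20.0.12 {
  starts 4 2024/03/07 08:01:00;
  hardware ethernet 00:11:22:33:44:56;
  client-hostname "amp-stage-right";
}
lease 10.20.0.30 {
  starts 4 2024/03/07 08:02:00;
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "touchpanel-foh";
}
lease 10.20.0.99 {
  starts 4 2024/03/07 08:03:00;
  hardware ethernet de:ad:be:ef:00:01;
}
"""

# Authorized inventory: MAC -> (what it is, who is responsible). Constructed.
AUTHORIZED = {
    "00:11:22:33:44:55": ("amp stage left", "audio team"),
    "00:11:22:33:44:56": ("amp stage right", "audio team"),
    "aa:bb:cc:00:00:01": ("FOH touch panel", "control team"),
}

LEASE_RE = re.compile(
    r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Return a list of (ip, mac, hostname) from dhcpd.leases-style text.

    MACs are normalised to lowercase so comparisons are case-insensitive.
    hostname is None when the client sent no client-hostname option.
    """
    hosts = []
    for m in LEASE_RE.finditer(text):
        body = m.group("body")
        mac = MAC_RE.search(body)
        if not mac:
            continue  # lease record without a hardware address; skip it
        host = HOST_RE.search(body)
        hosts.append((m.group("ip"), mac.group(1).lower(),
                      host.group(1) if host else None))
    return hosts


def group_by_vendor(hosts, oui_table=OUI_VENDORS):
    """Group hosts by the OUI (first three octets) of their MAC address."""
    groups = defaultdict(list)
    for ip, mac, hostname in hosts:
        vendor = oui_table.get(mac[:8], "unknown-oui")
        groups[vendor].append((ip, mac, hostname))
    return dict(groups)


def find_unaccounted(hosts, authorized=AUTHORIZED):
    """Return leases whose MAC is not in the authorized inventory."""
    return [h for h in hosts if h[1] not in authorized]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    for vendor, devs in group_by_vendor(leases).items():
        print(f"{vendor}: {len(devs)} device(s)")
        for ip, mac, host in devs:
            print(f"  {ip:<14} {mac}  {host or '(no hostname)'}")
    for ip, mac, host in find_unaccounted(leases):
        print(f"UNACCOUNTED: {ip} {mac} {host or '(no hostname)'}")
```

Run against a real leases file, the unaccounted list is the set of devices that have no owner on record, which is exactly the gap Irish's "know what it is, where it is, who's responsible for it" audit is meant to close. Devices that never take a DHCP lease (static addressing, or a device that simply has not booted) will not appear, so a switch MAC-address-table export makes a better second source than leases alone.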
What gets trickier is authentication: who has access to what? And, how much can they mess around with a device once they’ve accessed it? “In the enterprise and educational market, Active Directory is probably the method that the IT department uses for assigning user names and passwords, so requesting that your vendor provides integration into Active Directory would be a great place to start,” Leerentveld said.
Bill O’Donnell, AV network design engineer at William Paterson University in Wayne, N.J., urges his counterparts at other organizations to take the time to change manufacturer-issued default passwords, especially since some companies use the same default password for all of their devices. “I know that’s an easy-across-the-board thing, but you have no idea how many folks don’t ever change the password,” he said. “If I was on a network and found a device, all I have to do is look up the manufacturer, find the user manual, and—boom!—I’m in,” he illustrated. “That’s something that the integrator as well as the client really need to be aware of. If it’s the integrator who’s installing it, they should change the password right off the bat, and they should tell the client, ‘here’s the [new] password,’ because if we use defaults, then anyone can just hop on the device and off they go.”
These days, the most popular way to keep things together, yet somewhat separate, is through V-LANs. Leerentveld points out that in addition to security, V-LANs offer the benefit of improved performance because, for example, your control system is no longer competing with other network traffic. He sums it up this way: while most people can accept email taking a few minutes to arrive, they’re less likely to put up with a three-second delay when they push a button on a touch panel to activate the mute function on a microphone—which is not only a performance issue, but also a security issue in confidential meeting environments.
However, Irish warns that V-LANs require a certain amount of vigilance: “You have to be careful of how the V-LANs are managed from your switch, and ultimately switch security is the big thing,” he said. After all, once a switch is compromised, an intruder can gain access to your system. “So even though you have traffic separated by V-LANs, you still have this very sensitive point, which, of course, has to be tightly managed and controlled to keep everything secure.” Once again, it all comes down to being on top of things: “Part of running networks is eternal vigilance. It just takes continual effort to monitor, manage, stay on top of trends, stay on top of equipment, [and] stay on top of users.”
Carolyn Heinze is a regular AV Technology contributor.