Lock and Key

As more networked devices join the AV space, many network administrators in all industries are expressing concerns about the efficiency of the network. And while those concerns are valid, the more pressing concern should be about keeping that network secure.

“Networked AV brings in a whole slew of new potential devices and software that reside on the network and can have potential security issues for the network administrators,” said Ron Berty, business development manager at Matrox. “Network IT administrators are justifiably asking for information regarding the security of the devices and software they are being offered for use on their network.”

For systems integrators working with network admins on AV projects, the key is communication. Integrators must understand the security needs and requirements before the project begins. Once these are clearly identified, it will be easier to know what their associated functional and usability needs are, explained Toine Leerentveld, senior manager of product management platform solutions at Crestron.

[Free Download: The Integration Guide to AVoIP 2020]

“When it comes to security, it is a balance between security, functionality, and convenience. Increasing security can either lower convenience (e.g. needing to type a password is less convenient) or functionality (e.g. turning off the web server to meet a security standard set by the customer),” Leerentveld said.

Steve Metzger, co-founder and vice president of hardware and operations at ZeeVee, agreed. “There’s always a tradeoff in convenience versus security: the more convenient and easy it is to access, generally the less secure it is,” he said. “Our challenge is to balance all that and make sure it’s very usable and the security is not too onerous, but that it’s present and it’s always in operation underneath the hood.”

Leerentveld recommended that integrators understand what standards exist regarding network security, such as 802.1x, SSH, or TLS, and how they’re leveraged by a device so they can correctly specify the best security solutions for a particular customer. “When control moved to the network, it used the exact same protocols over unencrypted connections, such as telnet,” he said. “Now many devices no longer support those unencrypted connections, but rather SSH or HTTPS.”

[Playing IT Safe: The State of Networked AV Security]

Ensuring there are no weak protocols in the overall security system of a network is key, agreed Metzger. “Anyone who understands security, and is making sure that a system is not accessible to rogue or malicious users, is going to want to hear that there’s SSH, there’s HTTPS. They want to be sure more advanced management tools and methods are being applied, that it’s not a 1970s telnet solution being used to manage things.”

To address these needs, ZeeVee offers the ZyPer Management Platform, a video distribution control system available in three versions—enterprise rack mount and small Intel NUC versions that run on ZeeVee hardware, and Virtual Machine (VMware) software that runs on the customers’ hardware. It features a video preview function that makes it easier to identify content before it is routed to any endpoint in the system, and also offers the ability to add ZyPer encoders and decoders not located on the VLAN to an AV system, and to enable or disable telnet access, as desired, for added security.

ZeeVee ZyPer Management Platform

ZeeVee’s ZyPer Management Platform is a video distribution control system that features a video preview function that makes it easier to identify content before it is routed to any endpoint in the system. (Image credit: ZeeVee)

Once the standards in the system are outlined, Leerentveld advises integrators to “understand the ways a device allows you to manage the security settings. As the scale of the deployment grows, this becomes more and more important,” he said.

The size of a project, and its potential for growth, is a big challenge when it comes to managing all that securely. Leerentveld said integrators and end users often ask, when issues of securing their networked AV arise, about “how to deploy and manage the security for thousands of AV devices across the enterprise,” he said. “This ranges from basic security policies, such as password rules, to certificates for TLS and 802.1x.” He noted that Crestron provides several ways to manage this, whether through its cloud management portal, XiO Cloud, or tools specifically designed for bulk deployments.

Just as you might prepare for scalability, you also have to consider product updates over time. Communicating the importance of system updates is a large part of long-term system security, said Berty.

“System integrators need to make sure that the products that they are providing have vulnerability update programs associated with them,” he said. “Managing vulnerability is an ongoing process for any network product, and there needs to be a specific program put in place by manufacturers to update and maintain vulnerability resistance on an ongoing basis throughout a product’s lifetime. In the same way that bug fixes and improvements in reliability are made to products, vulnerability updates need to be proactively addressed to ensure that data and content, and the delivery of that data and content over the network, is kept as secure and reliable as possible over the lifetime of the product.”

For its part, Berty explained that Matrox ensures vulnerability testing and program updates as part of its regular software, hardware, and firmware development programs. That means that products like Matrox Maevex 6100 Series encoders and decoders—which feature the Maevex PowerStream Plus  AV-over-IP software management tool for complete reach and control over the entire Maevex network from a single or multiple location—are part of an overall strategy program that is “integrated within the entire development program and is not external or secondary to the product’s development,” he said. “This way, we can plan vulnerability mitigation in conjunction with new feature and architectural development so that everything remains in sync. No effort in development gets less priority than another because our commitment to vulnerability reduction is as high as the rest of our development efforts.”

Matrox Maevex Series

The Matrox Maevex Series includes encoders and decoders that are able to simultaneously capture, stream, and/or record multiple full HD and/or 4K channels of video and audio over standard gigabit Ethernet connections at low, user-defined bit rates.  (Image credit: Matrox)

When it comes to security options at the start, Leerentveld noted that Crestron’s philosophy is “security by default, rather than by choice.

“This means that devices coming out of the factory will no longer support any unencrypted connections and require authentication, etc.,” he said, adding that updates are also an important part of the equation. “Our systems engineering department does continuous reviews of CVEs, NIST standards, and version updates for all our standards-based modules to make sure we are not exposing our customers to vulnerabilities or security-related issues. This also allows us to react quickly to new findings and offer mitigations when necessary.”

The 4-Series is one such control system configured to meet Crestron’s security standards out of the box. The CP4N ships with authentication enabled and requires that an administrator account be created before access is granted to device configuration and control interfaces. It can be deployed across hundreds of spaces and set up easily using a web browser, Crestron Toolbox software, or Crestron XiO Cloud. It employs standard network security protocols, including 802.1X network access control, Active Directory service authentication, SSH, TLS, and HTTPS, to ensure reliability and compliance with an organization’s IT policies.

Crestron 4-Series Control System

The Crestron 4-Series control system includes Crestron Control Subnet, a gigabit Ethernet network dedicated to Crestron devices, while a separate LAN port provides a single-point connection to the local network, requiring only one IP address for the entire control system.  (Image credit: Crestron)

Despite the overall understanding of the importance of network security, it’s often not until after that network has been breached in some way that an organization or industry begins to take security seriously, ZeeVee’s Metzger explained.

Extron says that "security is never an afterthought."

According to Extron's website, "We think about how to maximize product security every day. We actively monitor our products for security defects. We have internal procedures and policies for anticipating security issues and quickly responding to all known threats."

In fact, the company has many products that are JITC-certified, including its XTP II integrated switching and distribution systems.

Extron XTP II CrossPoint 3200 Modular Digital Matrix Switcher

Extron's XTP II CrossPoint 3200 modular digital matrix switcher provides high performance switching of video and audio plus extension of bidirectional control and Ethernet in a future-ready integrated solution. The product successfully completed interoperability and information assurance testing for use in government applications and other mission-critical environments via its JICT certification. (Image credit: Extron)

“In most installations that we go into, they’re first and foremost concerned that the data can get there intact and in a good quality. Security is generally a secondary concern,” Metzger said. “It’s only the more sophisticated customers who realize that security’s got to be right up there at the tip top.”

AV integrators play a large role in communicating potential security issues to end users, and explaining why putting security at the top of the list now is a much better alternative to dealing with problems later.

“The costs of not managing or mismanaging the potential vulnerabilities of networked AV is even greater and very obvious across the organization with potential downtime, loss of service or, even worse, loss of data/content,” Matrox’s Berty said. “Clearly the old adage of ‘an ounce of prevention is worth a pound of cure’ applies here.”  

Mary Bakija is a writer and editor with more than 15 years of storytelling experience. Bakija is currently pursuing a Master's degree in Library and Information Science to help others find and tell important stories that might otherwise be lost, and to ensure those stories are preserved for future generations to see.