Improving AV Device Security on Converged IP Networks

Say “AV” in the same breath as “network security” among AV/IT professionals and you’re bound for a lively conversation. Securing AV devices on the network for AV over IP transmission is arguably one of the last major sticking points to true AV/IT convergence, and one that presents a number of challenges to tech managers striving to adhere to their organizations’ security policies. Is it because today’s AV gear doesn’t live up to IT security mandates? Is it because IT professionals don’t always understand the quirks of AV? Yes, and yes ... and a few maybes.

Segmenting Traffic

Jim Smith, CTS-D, director of technical and application development at Sound Control Technologies, a voice and video technology solutions provider headquartered in Norwalk, CT, noted that one significant issue is that port-scanning software is often configured to recognize devices such as computers, which run on operating systems like Windows or iOS, without taking AV devices into account. 

“The typical AV device does not have an operating system [and] doesn’t have any access vulnerability, but the active scanner will report that there’s a flaw in that device because it sees a port active that isn’t on the white list,” he explained. Predictably, the enterprise security team’s reaction is to either close or block that port, or remove the device from the network, necessitating an isolated network for AV devices, which “leads to other problems [related] to data sharing and content access.”

Jim Smith

Jim Smith (Image credit: Jim Smith)

It also presents a chicken-or-the-egg-type scenario, according to Paul Zielie, an IT and AV systems engineer and consultant based in Dallas, TX. “I personally believe in isolated networks and segmenting off AV networks as a best practice, but it is not the responsibility of an isolated network to provide device-level security,” he said. “It’s the responsibility of the device to provide device-level security, and it is very rare for that to happen.”

AV over IP convergence: What you need to know

The Cloud and Passwords

Then there’s the cloud: while it provides organizations with a convenient, and in many cases, more cost-effective approach to enterprise IT, cloud-based AV solutions don’t always make following security policies easy. “Some of the more recent devices don’t even try to integrate with anything on the local-area network—they will communicate directly out to the cloud—and that has caused me some interesting discussions here,” said Stuart Mitchell, senior analyst in the IT/AV department at ECMWF—European Centre for Medium-Range Weather Forecasts, a meteorological research and reporting institution based in Reading, England. Generally, enterprise networks require traffic to flow through firewalls and proxies before connecting to the internet, “and a lot of the equipment I’ve been playing with recently doesn’t work well in that environment. They assume connectivity directly out to their cloud configuration service, and so getting them connected to an appropriate location on a network in an appropriate way, in some cases, has been quite a struggle.” 

Stuart Mitchell

Stuart Mitchell (Image credit: Stuart Mitchell)

Passwords continue to be another challenge for AV/IT managers, since, as Smith points out, some AV equipment still won’t accommodate strong passwords or pass phrases. He also notes that some AV control and management solutions don’t make it easy for tech managers in environments where the security policy mandates frequent password changes: when someone changes a password, the interaction between the controller and target devices is often compromised. 

Keeping your converged IP network secure

Encrypting Traffic

All this said, AV tech developers are working toward improving the security of their solutions, according to Mathew Slack, enterprise AV service owner at CIBC, a global financial services institution headquartered in Toronto, Ontario, Canada. “A lot more manufacturers are embracing things like 802.1X encryption, and secure ways of communicating with devices like TLS and SSH,” he said. (However, he added that he’d like to see more documentation on how to implement the certificates required for 802.1x, as well as information on how to effectively manage large fleets of AV devices using this protocol.) Slack added that an increasing number of devices support Active Directory and remote monitoring, and SNMP and syslog are becoming more widely available. “That’s definitely helping a lot with improving the security posture of AV.”

Turning AV over IP challenges into opportunities

Mathew Slack

Mathew Slack (Image credit: Mathew Slack)

One area that requires some rethinking, Slack believes, is related to traffic flows; with a network-centric model, he argues that traditional AV system line drawings are becoming less important than Vision diagrams showing network traffic flows. “Essentially, every device is connecting with the network ports—we’re moving away from needing a lot of HDMI cables and SDI connections,” he said. With this in mind, he said it would help tech managers if system designers and integrators could provide drawings that illustrate all of the network-connected devices, and how they interact with one another. “[They should] show protocols and traffic flows so that the AV/IT teams on the enterprise side can use that to more easily implement these solutions.” 

Plan and Coordinate

Smith argues that improving AV device security on the network is very possible, but that it’s an exercise that requires a holistic approach. “There are network access tools that provide isolation and protection, but those have to be designed into the network,” he said. “If somebody wanted to put in an active firewall, or a border controller, or some other device that did network isolation and firewall mitigation, those can be put in.” It’s necessary, however, to account for this in the overall architecture, rather than patching in these features later on. “It’s this notion of taking an active role and making sure that the IT managers are aware of the limitations and intent.”

AV and IT must collaborate for successful IP network convergence

Paul Zielie

Paul Zielie (Image credit: Paul Zielie)

This requires solid communication with all AV/IT stakeholders in the earliest planning phases before a deployment. “Your solution portfolio, enterprise, and security architects should be involved before you even go to an integrator or a consultant to design a system,” Slack said. “Get them involved early and work with them to document how these systems are connected on the network. I’ve seen a lot of cases where the security and network architects get brought in very late, and it’s very difficult for them to get up to speed and provide an effective network solution that works for the AV system.

AV, IT and Security: What Can You Do?

With the AV industry slow to adopt an IT-centric approach to security, tech managers are left to strike the balance between providing their users with the technology required to move business forward while adhering to their organizations’ security policies. But when the tech in question doesn’t live up to these policies, what is a tech manager to do?

IP network convergence requires that AV pros gain IT networking skills

“The biggest ‘what you can do’ is to move the security discussion into the tender or the design phase,” said Paul Zielie, IT and AV systems engineer and consultant. “There is language that [you can apply in tender documents] that says that there will not be a sign-off to start building the system until the security criteria is agreed upon. Because what happens is nobody has that discussion: the customer assumes that the integrator and consultant have [built the system] to IT standards, it gets deployed, and they do a functional test for sign-off. Then six months later when an audit comes through, [there are problems] all over the place and the customer has to bear it. If there’s anything tech managers can do, it’s to front-load that security discussion, and to lay out into absolute measurable deliverables that can be confirmed as part of the sign-off and payment process.”

Carolyn Heinze is a freelance writer/editor. 

Carolyn Heinze has covered everything from AV/IT and business to cowboys and cowgirls ... and the horses they love. She was the Paris contributing editor for the pan-European site Running in Heels, providing news and views on fashion, culture, and the arts for her column, “France in Your Pants.” She has also contributed critiques of foreign cinema and French politics for the politico-literary site, The New Vulgate.