AV over IP systems to can eliminate the cost and complexity of electronic video distribution cost, but hackers may try to penetrate IP networks to steal video content or disrupt operations. That means system integrators and planners must properly secure AV over IP implementations to avoid exposure.
In a new whitepaper, “ZeeVee Security Features and Best Practices,” the company looks at how these solutions are “designed to ensure the security and integrity of IP-based video.”
ZeeVee’s ZyPer AV over IP product family “supports an extensive set of standards-based AV over IP security mechanisms,” according to the ZeeVee whitepaper, including access controls, media and management stream encryption and high-bandwidth digital content protection “to help companies safeguard content and mitigate risks.”
Mitigating AV over IP Security Risks
More businesses today are introducing IP-based AV distribution solutions “to improve performance, reduce expenses and simplify operations,” according to the ZeeVee whitepaper. AV over IP systems use standards-based Ethernet switches to increase flexibility and save money over traditional AV matrix switches.
AV over IP encryption “prevents eavesdropping and hijacking in the highly unlikely event an intruder is able to gain access to a dedicated IP network or an isolated VLAN segment”
Switches also “simplify system management, reduce latency and eliminate the distance limitations and connectivity constraints imposed by conventional circuit-switched AV systems,” according to the ZeeVee whitepaper.
And, while flexibility and cost savings are appealing, system designers must consider some of the security implications of AV over IP solutions.
Some businesses may transmit AV traffic alongside other data on a converged IP network, while others may connect AV over IP systems to a corporate network or the public internet for remote management.
If you remember nothing else from the ZeeVee whitepaper, remember this: designers must segregate AV over IP traffic and restrict access to AV over IP implementations to safeguard digital content and prevent abuse. If not properly isolated and secured, IP-based AV systems can expose businesses to potential legal and financial risks.
It’s the responsibility of system designers to institute appropriate AV over IP security measures to ensure the integrity of AV over IP communications.
ZeeVee’s products include AV over IP data encryption to protect confidential video content, stringent user authentication mechanisms, management stream encryption to ensure data privacy and digital content protection mechanisms and media stream encryption.
The U.S. National Security Agency promotes a layered “defense-in-depth” approach to IP security to protect against a wide range of threats. Strong security controls across a network can help organizations mitigate risks.
ZeeVee supports an extended set of AV over IP security capabilities, including IP video stream encryption, management communications stream encryption, management system access controls and end-to-end digital rights protection.
Some ZeeVee customers construct independent networks to transport AV over IP traffic. Other customers have engineered their primary networks to support video and transport AV traffic alongside other application traffic over a shared IP network.
ZeeVee recommends using VLANs to segregate shared networks and reduce vulnerabilities.
Its ZyPer4K family of encoders and decoders support standards-based encryption for increased security across both dedicated and shared IP networks using the AES128 algorithm, which is approved by the U.S. government to protect secret-level classified information.
AV over IP encryption “prevents eavesdropping and hijacking in the highly unlikely event an intruder is able to gain access to a dedicated IP network or an isolated VLAN segment,” according to the ZeeVee whitepaper.
AV over IP Security Best Practice Guidelines
For ultimate security, system integrators and implementers should:
- Deploy the system on a dedicated IP network or distinct VLAN segment to isolate traffic and restrict network access.
- In shared network environments force VLAN tagging on AV switch ports to prevent rogue devices and unauthorized users from accessing other network segments.
- Disable USB and Ethernet utility ports on encoders and decoders deployed in public spaces to prevent rogue devices from connecting to the network.
- Ensure encoders and decoders are always running the latest firmware releases.
- Protect the integrity of Ethernet switching equipment. Install Ethernet switches in a physically secure location. Implement strong user authentication and authorization controls for the Ethernet switch management console. Lock down unused UDP/TCP ports. Disable unused network services. Ensure the switch is always running the latest firmware/software updates. Follow any additional security guidelines recommended by the Ethernet switch manufacturer.
- Work closely with the corporate IT or networking organization if connecting devices to the corporate IP network or the public internet. The corporate IT team can ensure the management platform is deployed and secured in accordance with company policies.