Welcome to another Tech Talk, where we speak with the experts at HARMAN about the ways technology solutions can solve customer problems. In today’s edition, we’re speaking with Doug Hall, Product Manager, Device Control for HARMAN Professional Solutions.

I reached out to Doug to get his perspective on a very important topic that should not be ignored: network security. Employing proper security is key to a successful network deployment. However, even with the many benefits of networked AV, it still proves to be a difficult subject to master (and one that many AV techs have a history of avoiding). Doug helps us understand the reasoning.

[SKD]: Network security is a subject that many AV techs I’ve spoken with would just as soon avoid. Why is security a subject that people tend to shy away from whenever possible?

[DH]: There are actually a number of reasons that people avoid this topic:

  • Security is one of those things that people may not even be aware that they need. Or, they don’t want to fix the issue, since they don’t want to draw attention to the fact that it is inadequate.
  • AV is an industry that started out separate from IT, and then it went through something that we, perhaps infamously, called “AV/IT convergence.” We spoke it about it for years, and it was this idea that AV and IT technologies were converging. Everyone knew it was going to happen eventually. Now, it has happened. We’re converged. However, despite that, network security is a topic that many AV people are still not well versed in, and professional IT people instantly recognize that lack of knowledge in discussions. Nobody wants to deal with an issue that they don’t understand, so the natural tendency is to avoid the subject altogether.
  • AV security is challenging because many devices lack the most basic security capabilities for an IT infrastructure. There are workarounds, like virtual local area networks (VLANs), but the AV guys must request it from the IT administrators. That results in extra work and management of the network switches, making the whole thing a lot more complex and time intensive.
  • Sometimes it’s hard to explain the value that good network security brings, because it is such an esoteric concept. Since the new system may have equal functionality to an existing AV system that lacks security, but comes at a higher price, it can sometimes be difficult to get a replacement project funded. Decision makers want to see a tangible ROI. 

[SKD]: Then what value does having network security capabilities bring?

[DH]: While security itself does bring some capabilities to the table (Active Directory being a good example), the biggest value of security is in what it prevents. There are many examples we could point to where having insecure technology on the network has caused a lot of damage. Any device that sits on the network is like a door to that network. If the door doesn’t have a good enough lock on it, someone can walk through that door and gain access to something they shouldn’t. Having products with good security features keeps the whole network safe. In fact, if the IT department isn’t assured that the devices have sufficient security, they typically won’t let the device on the network at all.

[SKD]: So why put the AV technology on the enterprise network in the first place? In the past, AV technicians would simply create their own separate network. Why should AV managers learn the technologies required to place them on the enterprise network?

[DH]: There are a lot of capabilities that the enterprise network provides AV. That said, using them not only requires devices that have the right network features, but it also requires technicians that are able to communicate those capabilities to the IT department. For example, sound engineers want to pick up audio sources from diverse locations, and through networked audio technologies like AES67, they can. Similarly, video resources can also be distributed anywhere across the network, using JPEG2000 or H.264. In addition, when control systems sit on corporate networks, centralized management is possible. All of these capabilities give AV integrators great incentive to understand the capabilities, limitations and restrictions of their devices. If they can effectively communicate with network administrators about the network capabilities of their devices, the administrators are more likely to authorize them to place their devices on the network, allowing AV technicians to use these powerful AV services.

[SKD]: You mentioned VLANs a moment ago. One of the comments I often hear when talking about security is “just VLAN everything.” Why isn’t that a sufficient response for the modern enterprise?

[DH]: Certainly, you could setup a static VLAN, but that requires an administrator to assign individual ports on the network switch to a virtual network. Static is just that: static. It’s fixed, and if you change anything, you need to go change the way the VLAN is setup. It’s a very manual process that the IT department would have to agree to manage. Scale that up to hundreds or thousands of AV devices, and you can understand why this isn’t an ideal solution. There are dynamic VLANs as well, but those aren’t acceptable to all network administrators. Ultimately, the best scenario is to use as many compliant network devices as possible. This simplifies the job for everyone involved.

[SKD]: Another thing you mentioned is Active Directory. Can you explain what that is and why it’s so important for AV applications?

[DH]: Without getting too technical, Active Directory is an example of a directory service—a network technology that allows users to access any supported service or device, using their network login. Active Directory is built upon Lightweight Directory Access Protocol (LDAP). If an AV device supports LDAP—as AMX NetLinx NX Series Central Controllers do—the administrator can access its management and configuration settings remotely, using their network login. For any device that doesn’t support LDAP, you need to setup a username and password specific to that device (otherwise, the device can be accessed by anyone). The problem with separate logins is that, like VLANs, the approach doesn’t scale when you have a large number of AV devices on the IT network.

Imagine an environment where the network administrator requires every networked device to have a unique user with authentication and having thousands of these devices to manage. Take it a step further, and imagine the administrator requires periodic password changes for each device, and each person who must access that device. You are talking about a non-scalable and unmanageable network of devices. LDAP allows users and roles to be created using credentials that are centrally maintained, so any device that you access uses your network user name and password.

[SKD]: So LDAP manages how technicians access configuration software on the AV hardware. What about the AV hardware accessing the network? How is that managed?

[DH]: The technology that manages this is IEEE 802.1X, a standard for what’s called “port-based Network Access Control.” This manages whether the device can access the secure corporate network. 802.1X is important, because it lets administrators grant or deny network access based on credentials tied to the device, rather than to a user. What this means is that the device—in this case, an NX Series Controller—can access the protected side of the network after the device’s identity has been validated and authorized by using either a username and password or a X.509 digital certificate. This gives the network administrator flexibility in how they want to validate the device, so the AV device can access the secure network directly.

[SKD]: You said that AV devices typically must meet a certain standard for the network administrator to allow them on the network. What about AV devices that don’t have these security features, but still need to talk to each other over the network? Is there a way to still manage these devices and allow them to communicate with each other without putting them on the network, using a VLAN or creating a separate network that doesn’t connect to centralized management?

The Dual NIC on the AMX NetLinx NX Series Central Controller offers both a "LAN" port to connect to the enterprise network as well as an "ICSLAN" port to connect and manage AV devices.

The Dual NIC on the AMX NetLinx NX Series Central Controller offers both a “LAN” port to connect to the enterprise network as well as an “ICSLAN” port to connect and manage AV devices.

[DH]: A great solution for this is to use a dual-NIC AV management device, like the AMX NX Series central controllers. NX Series controllers have two 10/100Base-T Ethernet connections that are completely isolated. One port—designated as “LAN”—is intended for connection to the enterprise network for external network communications, such as database access, scheduling or central management. The second port—labeled “ICSLAN”—is intended for communication with AV devices.

This allows the AV technician to still isolate the AV devices, using a separate network, while also providing centralized management capabilities. Network communication can’t “cross the wall” between the two ports, but the NX controller can serve as a go-between, managing the devices connected to the ICSLAN port and passing information on to centralized management (or commands from it on to the AV devices). ICSLAN otherwise functions as a completely separate network, meaning the IT department only needs to provide an IP address for the central controller. The ICSLAN port has a built-in Dynamic Host Configuration Protocol (DHCP) server that is enabled by default and serves IP addresses to any connected devices set to DHCP mode. This really simplifies integration and makes both the AV technician’s and the network administrator’s lives much easier.

I’d like to offer a big thanks to Doug for helping clarify why network security is so important for AV. If you would like to learn more about networked AV security, here are a few resources you can review:

Do you have advice on secure networked AV deployments? Share your insights in the comments.

Leave a Reply