Securely Streaming: Enhancing Media Transport in IP Networks with Trust Boundary

So, you’re transitioning from traditional legacy media interfaces like ASI and SDI to the world of IP workflows. Congratulations on embracing IP networks’ power and flexibility for media transport!

As you’ve undoubtedly experienced, mastering the art of building and optimising IP networks for media transport is no small feat. The benefits are undeniable, but along the way, you may have encountered a few challenges, mainly when dealing with the transmission of flows from your local in-house environment to other remote locations or entities. Unlike the more straightforward point-to-point coaxial or fibre connections of ASI and SDI, IP workflows introduce a new layer of complexity.

SDI and ASI transport was simpler to manage because it provided a distinct handoff point. With IP, you must carefully plan and design the entire network from content source to destination: meticulous physical network planning, a logically segregated network for media, and IP address planning with all its complexities. Moreover, the importance of network security cannot be overstated, especially in today’s ever-evolving threat landscape.

In this article, I’ll address some common challenges related to sending linear transport streams from a source entity to a destination entity via a 3rd party WAN connection, whether a private or shared network.

Let’s dive right in and explore the exciting yet intricate world of IP-based media transport.

Why Should You Be Concerned?

To better grasp some of the issues that I’m about to explain, let’s envision a scenario where you must transmit an IP video transport stream, operating at around 40Mbps for the sake of the example, from a production studio over an IP network provided by a third-party link provider to a distribution head-end or uplink site.

1. Network Segregation: In the old days of ASI, demarcation points were clear-cut. The link provider transported the ASI feeds, and we received them on demarcation BNC connectors and passed them on without too much hassle. However, with IP transport streams, things have changed. We now receive transport streams over IP packets and must manage switching, routing, bandwidth allocations and source and destination addresses in the logical network layers. On top of that, we must consider information security.

To maintain a secure environment, the distribution site, which is receiving IP flows from many customers, should have a closed, segregated, and trusted network with robust security controls, ensuring the outside network cannot access its trusted network. But how can they securely receive and process the IP transport stream sent by other customers?

The solution lies in establishing an outside-facing demarcation point with an “air gap” between the untrusted outside network and a trusted internal system. This allows the service provider to receive customer IP feeds and forward the incoming media content (not the IP flow) to the appropriate IP unicast or multicast address within their trusted network. It is crucial to monitor the received content and verify that it aligns with expected baselines.

2. Misconfiguration: Picture this scenario: a skilled broadcast engineer accidentally misconfigures the encoding parameters for a video feed within the IP transport stream we mentioned earlier. Instead of the expected 40Mbps, the satellite uplink provider receives a 90Mbps flow. While this might not create significant congestion in the ASI world, in the IP world this error leads to much higher utilisation inside the network. This, in turn, may result in network congestion, added and variable latency (jitter), or even complete disruption of the transport stream flow.

The demarcation point on the receiving side should be content-aware to address this issue. It must carefully monitor the incoming stream content, comparing it to expected baselines before permitting it to pass from the untrusted network into the trusted network segment.
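One way to make the demarcation point content-aware in the sense described above is to measure each incoming flow against its agreed bitrate before it is admitted to the trusted segment. The script below is an added example written for this article, not the article's or any vendor's code; it buckets packet arrivals into one-second windows and blocks any window that drifts more than a tolerance away from the baseline. The flow records it uses are constructed sample data (a 40Mbps flow that jumps to 90Mbps after two seconds, mirroring the misconfiguration scenario), not a captured stream, and the 1316-byte datagram size and 10% tolerance are assumptions.

```python
"""Content-aware demarcation check: measure the bitrate of an incoming
transport-stream flow and compare it with the agreed baseline before the
flow is admitted into the trusted segment.

Added example for this article, not the article's or any vendor's code.
The flow records below are constructed sample data, not a captured stream.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    expected_mbps: float     # rate the sending entity agreed to deliver
    tolerance: float = 0.10  # +/-10 % drift tolerated before the flow is held (assumed)


def window_bitrates_mbps(packets, window_s=1.0):
    """Bucket (arrival_time_s, size_bytes) records into fixed windows and
    return [(window_start_s, megabits_per_second), ...] in time order."""
    octets = defaultdict(int)
    for t, size in packets:
        octets[int(t // window_s)] += size
    return [(w * window_s, octets[w] * 8 / window_s / 1e6) for w in sorted(octets)]


def evaluate_flow(packets, baseline, window_s=1.0):
    """Return one (window_start_s, mbps, verdict) per window. 'pass' means
    the content may cross into the trusted network; 'block' means the window
    is outside the baseline envelope and the operator should be alerted."""
    lo = baseline.expected_mbps * (1 - baseline.tolerance)
    hi = baseline.expected_mbps * (1 + baseline.tolerance)
    return [
        (start, round(mbps, 2), "pass" if lo <= mbps <= hi else "block")
        for start, mbps in window_bitrates_mbps(packets, window_s)
    ]


def synthetic_flow(mbps, seconds, start_s=0.0, datagram_bytes=1316):
    """Constructed constant-rate flow: 1316-byte datagrams (7 x 188-byte TS
    packets, the usual MPEG-TS-over-UDP framing) evenly spaced in time."""
    pps = mbps * 1e6 / 8 / datagram_bytes
    return [(start_s + i / pps, datagram_bytes) for i in range(int(pps * seconds))]


def demo():
    """The article's scenario: 40 Mbps agreed, then the encoder is
    misconfigured and the link suddenly carries 90 Mbps."""
    baseline = Baseline(expected_mbps=40.0)
    flow = synthetic_flow(40.0, 2) + synthetic_flow(90.0, 2, start_s=2.0)
    return evaluate_flow(flow, baseline)


if __name__ == "__main__":
    for start, mbps, verdict in demo():
        print(f"t={start:4.1f}s  {mbps:6.2f} Mbps  {verdict}")
```

Running the script prints two windows that pass at roughly 40Mbps followed by two that are blocked at roughly 90Mbps. In a real deployment the records would come from packet counters on the untrusted-side interface, and the baseline table would be keyed by the flow's source and destination addresses so that each customer feed is judged against its own agreed rate.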

3. Cyber Attacks on Networks: To better understand the tactics and techniques of malicious hackers, I delved into Ethical Hacking, seeking insights to protect our systems effectively. One method that deserves attention is “pivoting,” where attackers attempt to jump from one network segment to another, chaining them together to penetrate networks. This underscores the importance of preventing unexpected traffic from entering your trusted network. Constantly monitoring all traffic and content in IP links against baselines becomes crucial to halt any unauthorised entry into the trusted network.

By being mindful of these challenges and implementing the recommended solutions, you can ensure a more secure and robust IP-based media transport workflow.

Media-Specific Firewall: Enhancing Network Security

In IT, security concepts have evolved significantly, offering various solutions that can be repurposed to bolster media networks and broadcast systems. One such component we can draw from is the firewall — an essential first line of defence for networks. While a firewall alone cannot address all security challenges, it plays a crucial role in resolving many of the issues we discussed earlier.

However, can you use any standard corporate firewall for media networks? The answer, in most cases, is a resounding “no.” The market is flooded with software and hardware-based firewalls, all primarily designed for general IT environments.

What sets media networks apart from traditional IT domains?

Media networks require specific considerations due to their unique characteristics. Unlike typical bursty IT traffic, media transport involves steady, real-time streams, demanding seamless and uninterrupted delivery. Simple layer 3 firewalls may only be capable of permitting or denying addresses and ports. In contrast, more advanced application-aware firewalls delve into monitoring various IT-related traffic flows, which might not be directly relevant to media networks. Inadvertently, these firewalls could introduce buffering, increased jitter, or worse, cause disruptions in the continuity of media stream flows — an intolerable consequence.

So, what’s the solution?

Enter media-specific firewalls, purpose-built to cater to the intricacies of media networks. These dedicated firewalls offer the following essential features:

– Total Isolation of IP Traffic: They ensure a stringent separation of IP traffic between the trusted and untrusted sides of the firewall, explicitly denying all unwanted traffic.

– Wire-Speed Throughput with 100% QoS: Media-specific firewalls deliver wire-speed throughput with 100% Quality of Service (QoS) and constant monitoring, maintaining a jitter-free environment.

– Stateful Connections: They support stateful connections for IP streams, a crucial aspect of seamless media transport.

– Application Layer Monitoring: These specialised firewalls perform application layer monitoring for RTP (Real-time Transport Protocol), ST2022, or ST2110, tailored explicitly for media transport.

– NAT Support: Media-specific firewalls facilitate Network Address Translation (NAT), allowing private IP ranges in IPv4 and IPv6 environments.

– Dynamic IP Address Handling: They can modify the IP addresses of incoming and outgoing flows to ensure seamless media delivery. This handy tool allows the re-mapping of unicast or multicast IP addresses.

– Multicast and Unicast IP Support: These firewalls must be equipped to handle multicast and unicast IP traffic efficiently.
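To show what the isolation, stateful-connection, application-layer-monitoring and address-remapping features above amount to in practice, and what "forwarding the content, not the IP flow" from the network segregation discussion means, the following is an added example written for this article; it is not the article's, SMPTE's or any vendor's code. It models one trust-boundary rule for an RTP/MPEG-TS feed: the flow must match the allowed 5-tuple (default deny), the RTP header must be well-formed with the expected payload type, the payload must be aligned 188-byte TS packets, the SSRC is pinned once seen, sequence gaps are reported, and only the TS payload is re-originated to a trusted-side multicast address. All addresses, the SSRC values and the packet contents are constructed sample values.

```python
"""Application-layer checks a media trust boundary can apply to one
RTP / MPEG-TS flow before re-originating its content (not the IP flow)
to an address inside the trusted segment.

Added example for this article, not the article's, SMPTE's or any
vendor's code. IP addresses, SSRC and payload bytes are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TS_PACKET = 188
TS_SYNC = 0x47
PT_MP2T = 33  # RFC 3551 static payload type for MPEG-2 transport stream


@dataclass
class FlowPolicy:
    src_ip: str                    # untrusted-side sender we agreed to accept
    dst_ip: str                    # our outside-facing demarcation address
    dst_port: int
    forward_to: Tuple[str, int]    # trusted-side (multicast) address for the content
    payload_type: int = PT_MP2T
    ssrc: Optional[int] = None     # pinned on the first accepted packet (stateful)
    next_seq: Optional[int] = None # expected next sequence number


def parse_rtp(datagram: bytes):
    """Parse the RTP fixed header (RFC 3550). Returns (header, payload)
    or raises ValueError for anything that is not well-formed RTP v2."""
    if len(datagram) < 12:
        raise ValueError("shorter than an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"RTP version {b0 >> 6}")
    offset = 12 + 4 * (b0 & 0x0F)          # skip the CSRC list
    if b0 & 0x10:                          # header extension present
        if len(datagram) < offset + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", datagram[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(datagram) - (datagram[-1] if b0 & 0x20 else 0)  # strip padding
    if offset > end:
        raise ValueError("truncated packet")
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}, datagram[offset:end]


def ts_payload_ok(payload: bytes) -> bool:
    """MPEG-TS over RTP carries whole 188-byte packets, each beginning 0x47."""
    if not payload or len(payload) % TS_PACKET:
        return False
    return all(payload[i] == TS_SYNC for i in range(0, len(payload), TS_PACKET))


def inspect(policy: FlowPolicy, src_ip, dst_ip, dst_port, datagram: bytes):
    """Decide what the boundary does with one datagram from the untrusted
    side. Returns (verdict, reason, forwarded); 'forwarded' is the
    (ip, port, payload) re-originated into the trusted network, or None."""
    if (src_ip, dst_ip, dst_port) != (policy.src_ip, policy.dst_ip, policy.dst_port):
        return "drop", "not an allowed flow", None        # default deny
    try:
        hdr, payload = parse_rtp(datagram)
    except ValueError as err:
        return "drop", f"malformed RTP: {err}", None
    if hdr["pt"] != policy.payload_type:
        return "drop", f"payload type {hdr['pt']} not expected", None
    if not ts_payload_ok(payload):
        return "drop", "payload is not aligned MPEG-TS", None
    if policy.ssrc is None:
        policy.ssrc = hdr["ssrc"]                         # pin the stream identity
    elif hdr["ssrc"] != policy.ssrc:
        return "drop", "SSRC changed mid-stream", None
    reason = "ok"
    if policy.next_seq is not None and hdr["seq"] != policy.next_seq:
        reason = f"sequence gap: expected {policy.next_seq}, got {hdr['seq']}"
    policy.next_seq = (hdr["seq"] + 1) & 0xFFFF
    ip, port = policy.forward_to
    return "forward", reason, (ip, port, payload)          # content only, new address


def make_rtp_ts(seq: int, ssrc: int, n_ts: int = 7, corrupt: bool = False) -> bytes:
    """Constructed datagram: RTP header + n_ts null TS packets (PID 0x1FFF)."""
    null_ts = bytes([TS_SYNC, 0x1F, 0xFF, 0x10]) + b"\xff" * 184
    payload = null_ts * n_ts
    if corrupt:
        payload = b"\x00" + payload[1:]                   # break the first sync byte
    return struct.pack("!BBHII", 0x80, PT_MP2T, seq & 0xFFFF, seq * 3003, ssrc) + payload


def demo():
    """Constructed scenario: one allowed feed, then several things that must not cross."""
    policy = FlowPolicy("203.0.113.10", "198.51.100.5", 5004, forward_to=("239.1.1.10", 5004))
    ok, other = 0x5EED1234, 0xDEADBEEF
    cases = [
        ("203.0.113.10", make_rtp_ts(100, ok)),                # normal
        ("203.0.113.10", make_rtp_ts(101, ok)),                # normal
        ("203.0.113.10", make_rtp_ts(103, ok)),                # one packet lost upstream
        ("203.0.113.99", make_rtp_ts(104, ok)),                # unexpected sender
        ("203.0.113.10", make_rtp_ts(104, other)),             # stream identity changed
        ("203.0.113.10", make_rtp_ts(104, ok, corrupt=True)),  # not aligned TS
        ("203.0.113.10", b"GET / HTTP/1.1\r\n\r\n"),           # non-media traffic
    ]
    return [inspect(policy, src, "198.51.100.5", 5004, d)[:2] for src, d in cases]
```

Calling `demo()` returns three `forward` verdicts (the third annotated with the sequence gap) followed by four `drop` verdicts with their reasons. Two design points matter for a boundary like this: nothing is forwarded by default, so a host on the untrusted side cannot reach the trusted segment by simply addressing it, and what does cross is a freshly built datagram containing only validated TS packets, so the untrusted IP flow itself never enters the trusted network.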

By deploying media-specific firewalls, you fortify your media network’s security, ensuring a streamlined and secure flow of IP transport streams. Remember, while the firewall is just one piece of the puzzle, it is indispensable for safeguarding your valuable media content. So, invest in the right tools to build a robust and secure IP-based media transport infrastructure.

SMPTE Trust Boundary RP2129

The Society of Motion Picture and Television Engineers (SMPTE) is working on standardising the concept of Trust Boundaries for media content delivery over IP networks. The work is still at the recommended-practice stage, currently a public Committee Draft (Public CD) of SMPTE RP 2129. SMPTE is formulating the proposed standard, laying out its core elements, guidelines, and potential use cases to establish a solid foundation for the Trust Boundary concept.

SMPTE’s initiative is crucial because it allows for the more efficient and secure transportation of high-bandwidth, media-specific payload traffic, which is, as mentioned earlier, not adequately supported by traditional IT firewalls. Furthermore, with the rise of IP-based media flows, implementing Trust Boundaries prevents unwanted traffic, enhancing the overall network’s integrity.

This standardisation effort also highlights the importance of adequate security testing to comply with internal guidelines, emphasising the operational significance of encryption, authentication, and monitoring. Thus, SMPTE’s work is laying down the foundation for secure, reliable, and efficient media content delivery over IP networks in the future.

Conclusion

Transitioning from legacy media interfaces to IP workflows presents opportunities and challenges for media professionals. While IP networks offer unparalleled power and flexibility for media transport, they require meticulous planning and execution to ensure seamless and secure content transmission.

Throughout this article, we delved into three critical challenges when sending linear transport streams over IP networks, particularly when reaching out to remote locations. We explored the importance of network segregation, the risks of misconfiguration, and the necessity of guarding against cyber attacks. To overcome these hurdles, we discovered the value of implementing media-specific firewalls tailored to handle media networks’ unique demands, ensuring wire-speed throughput, stateful connections, and constant monitoring without jitter.

Furthermore, we highlighted the groundbreaking work of SMPTE in standardising Trust Boundaries for media content delivery over IP. This initiative addresses the limitations of traditional IT firewalls. It paves the way for secure, efficient, and reliable media transport in the digital age.

As the industry evolves, embracing these innovative solutions and standards will be crucial for safeguarding valuable media content and maintaining the integrity of IP-based workflows. Together, we can leverage the power of IP networks while upholding the highest security and performance standards. Let’s embark on this transformative journey, supporting one another and learning from our shared experiences as we shape the future of media transport in the ever-changing landscape of technology and creativity.