Protecting Your Facility Against Cyber Attacks

Transporting TS over IP is popular and convenient, especially over the Internet. However, to receive Ethernet packets into your facility, you need to open firewall ports which exposes public IP addresses and can create security challenges.

The traditional way of securing the incoming video is to use routers and an Ethernet firewall to isolate the outside world from the internal network. In an IT environment, this is used every day and is effective even if many facilities have been hacked. Vendors have tended to downplay or ignore the security threats, perhaps because they assume these will all be dealt with by IP firewalls.

Yet experience in the enterprise data center domain tells us that while firewalls do provide some protection they are vulnerable to attacks that exploit bugs in the software. Such bugs will always exist and while they can be fixed when they show up new vulnerabilities are then uncovered, leading to a perpetual arms race. The advent of IP networks in the broadcast transmission chain inevitably therefore brings with it growing threats from malicious attacks or malware. As a result, the need to protect the network becomes more urgent than ever.

DTE-Series Converters to the Rescue

Sometimes a technology or product designed for a specific purpose can yield unexpected benefits in a different application domain. This is turning out to be the case for DekTec converters between IP and good old fashioned ASI. Nobody ever got hacked over SDI or ASI. No attack can infiltrate the ASI domain because there inherently is no way to exploit it: it is a simple one-way video interface. Therefore using an intermediate DVB-ASI connection can be used to insulate critical systems and infrastructure from malware and other forms of cyber attacks.

The ultimate 'ASI video firewall' can be built off-the-shelf by combining DekTec's DTE-3100 and DTE-3120 back-to-back. The DTE-3100 receives TS-over-IP on a public IP address directly from the Internet. However, even though this unit hosted inside the receiving premises, it has no connection to the internal network (not even control).

The ASI output of the DTE-3100 is directly connected to a DTE-3120, which converts the ASI signal back to IP and feeds it to your internal network. The two devices operate completely independent from each other and are not connected at the Ethernet level. Each unit uses independent address, port, and settings. There is absolutely no connectivity between the outside Internet network and the inside network, making it 100% secure.

Although new innovative solutions will get created to address increased security in the future as ASI inevitably ceases to exist, for right now, DekTec provides a low cost, simple solution to isolate networks carrying high value A/V content. Broadcasters can avoid the anxiety of exposing themselves to attack during the transition phase, while focusing on other priorities such as quality assurance and continuity of service, and simultaneously exploiting the benefits that IP brings.