IP Trust Boundary

Puts critical tools at the interconnection points in your network

What is an IP Trust Boundary?

An IP trust boundary delineates the secure perimeters within IP networks, crucial for safeguarding data as it transitions between various domains and network types. This concept is foundational in the realm of IP-based media workflows, ensuring that only authorized content crosses into protected areas, thereby maintaining the integrity and resilience of media traffic.

Trust is the Currency of the IP World

In the shift to IP-based operations, navigating between internal and external networks involves complex risk management considerations. The integrity of data, audio, and video across these domains hinges on meticulous control over IP media traffic. It’s not merely about warding off apparent threats but also managing and monitoring traffic flows to prevent misconfiguration and network congestion, which can lead to significant quality issues like packet loss and delays. Achieving this requires a granular approach to content filtering, ensuring media organizations can maintain the quality and security of their services.

Traditional security measures, such as general-purpose firewalls and Network Address Translation (NAT), have fallen short in adequately addressing these challenges. As the adoption of IP technology accelerates, the need for agile and efficient solutions to drive robustness into IP media networks without sacrificing performance becomes more acute.

Why a Trust Boundary matters

The resiliency of IP media workflows stands at the forefront of concerns for broadcasters and media companies transitioning to IP-based operations. Traditional IT-centric security measures, with tool-sets that are not appropriate for media, often fail to address the needs of media-centric networks. Enter the IP trust boundary, a revolutionary approach to creating resilient and agile IP networks. This solution transcends previous limitations by offering a scalable, reliable, and cost-effective mechanism for high-bandwidth, low-latency content exchange across media networks – both within an operator’s network and between different operator networks. It ensures that only approved traffic navigates through the network, marking a significant leap towards seamless IP media workflows.

SDI Predictability Is No Longer Fit for Purpose

Once pivotal in broadcasting’s shift from analog to digital, SDI, with its physical connectivity and its applicability only to uncompressed video and hardware-based switching, is being outpaced by consumer demands for anytime, anywhere content. The industry is moving towards flexible, scalable IP technology for content production that can accommodate many different video formats and resolutions. This evolution to an IP trust boundary necessitates a transition to secure, scalable IP workflows, surpassing SDI’s capabilities.

New Challenges Require New Solutions

The shift to IP introduces complexities in creating resilient connectivity across varying networks and domains. The flexibility that IP provides also brings the challenge of misconfiguration and of correct end-to-end flow management, which general-purpose IT firewalls and NAT are not designed to address. With the advent of 4K and other high-bandwidth formats, ensuring low-latency, high-efficiency security in IP workflows becomes critical, underscoring the need for innovative security solutions such as an IP trust boundary.

Addressing security, IP domain management, and flow control

As media workflows transition to the cloud, managing security across diverse IP domains is crucial. Traditional security measures fall short in addressing the nuances of IP media traffic, highlighting the necessity for comprehensive control and visibility over content filtering. The IP media trust boundary emerges as a solution, offering automated traffic filtering, and efficiency for ST 2022 and ST 2110 workflows, ensuring seamless and secure IP media transport.

Advantages of an IP Trust Boundary

The IP media trust boundary offers unparalleled control over media traffic, allowing more automated stream routing across networks. IP media trust boundaries provide the ability to monitor streams entering and moving across the network, to detect under- or over-rate streams, and to validate IP packet sequencing to give stream health status guidance. IP streams can be secured across network connections to reduce packet loss with multiple levels of protection. Data flows can also be adapted across network boundaries, internal or external to the core network, to ensure that IP addresses and ports remain constant irrespective of changes upstream.

The Future of Media Security

The IP media trust boundary addresses the core challenges of IP media security in a cost-effective, reliable, and scalable manner. By enabling the micro-segmentation of networks, content can be actively managed between network sections, ensuring that only validated content is passed. In creating an active “air-gap” of network boundaries – both internally within a core network and in bridging traffic between different organizations – a media organization can have trust and confidence that their core network will remain robust and resilient against accidental, incorrect or inadvertent configuration of streams. The automated toolset in an IP media trust boundary reduces the need for manual checks and streamlines processes to enable media networks to be used to their full extent – to deliver flexibility and realize operational efficiency.

Looking to the future, the IP trust boundary is not just a solution but a transformative force in broadcasting, enabling secure, efficient, and innovative IP media workflows. As the industry continues to evolve, Net Insight’s pioneering work ensures that broadcasters can confidently embrace the possibilities of IP technology, with security and efficiency at the forefront.

How to Implement an IP Trust Boundary

To implement an IP trust boundary effectively, organizations need a structured approach that ensures robust security while accommodating the unique requirements of IP-based media workflows. Here’s a guide to setting up an IP trust boundary.

1. Assess Your Network Architecture

Begin by thoroughly reviewing your existing network architecture. Understand the flow of media traffic across different domains and identify critical points where data transitions between internal and external networks. This assessment will help you embrace the concept of micro-segmentation and pinpoint where to establish trust boundaries.

2. Define Security Policies

Develop comprehensive security policies that address the specific needs and potential vulnerabilities of your network that you can use to configure your trust boundary. Many operators start from the position of zero trust – where no streams are trusted until validated, not even streams generated from within the network.

3. Choose the Right Tools and Technologies

Select technologies that support the ST 2022-2, ST 2022-6, and ST 2110 standards for professional media transport over IP networks. Your solution should offer features like RTP Media Proxy for trusted addressing, Flow Replication for content distribution, and diverse connectivity paths to span across facilities. Additionally, ensure the solution can integrate seamlessly with your existing infrastructure through REST APIs.

4. Automate Traffic Filtering

To maintain the integrity of your trust boundary, implement automated traffic filtering mechanisms. These should be capable of controlling which streams are allowed to pass based on incoming and outgoing IP addresses and ports per stream. Automation ensures consistency in applying your security policies and reduces the potential for human error.

5. Deploy NAT Functionality

NAT functionality within your trust boundary can enhance security by creating a tamper-proof seal and allowing for the efficient reuse of IP addresses. This is particularly valuable in managing the complexities of multicast and unicast networks and IP media devices, ensuring secure and efficient media traffic flow.

6. Establish Continuous Monitoring and Response

Implement in-line monitoring for each media flow to detect faults and assure quality. This continuous monitoring should be complemented by a responsive security mechanism capable of mitigating potential threats in real-time. Media Protection features, such as FEC, A/B failover, or ST2022-7 hitless, should be included to maintain service continuity.

7. Train Your Team

Ensure your IT and video departments are well-versed in the operation and management of the IP trust boundary. Training should cover the implementation of security policies, the use of the trust boundary’s tools and technologies, and response strategies for potential security incidents.
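
Steps 4 and 6 above, as an added Python sketch that is not Net Insight's product code or API: a default-deny admission check keyed on source address, destination address and destination port, with RTP sequence-gap counting and an under/over-rate verdict per monitoring window. The addresses, rate limits, window length and all function names are assumptions chosen for illustration.

```python
import struct
from dataclasses import dataclass

@dataclass
class Flow:
    min_bps: int          # policy floor: below this the stream is under-rate
    max_bps: int          # policy ceiling: above this the stream is over-rate
    last_seq: int = -1    # highest RTP sequence number accepted; -1 = none yet
    lost: int = 0         # sequence numbers skipped
    late: int = 0         # duplicates and reordered packets
    nbytes: int = 0       # bytes admitted in the current window

def rtp_seq(payload):
    """16-bit RTP sequence number, or None if this is not an RTP version 2 packet."""
    if len(payload) < 12 or payload[0] >> 6 != 2:
        return None
    return struct.unpack("!H", payload[2:4])[0]

def admit(policy, src, dst, dport, payload):
    """Default deny: forward only RTP on a (src, dst, dst_port) tuple present in policy."""
    flow, seq = policy.get((src, dst, dport)), rtp_seq(payload)
    if flow is None or seq is None:
        return False
    gap = 1 if flow.last_seq < 0 else (seq - flow.last_seq) & 0xFFFF
    if gap == 0 or gap >= 0x8000:     # modulo-65536 compare: at or behind last_seq
        flow.late += 1
    else:                             # forward jump, including the 65535 -> 0 wrap
        flow.lost += gap - 1
        flow.last_seq = seq
    flow.nbytes += len(payload)
    return True

def health(flow, window_s):
    """(status, lost, late) for the window just ended; resets the byte counter."""
    bps, flow.nbytes = flow.nbytes * 8 / window_s, 0
    status = "under-rate" if bps < flow.min_bps else "over-rate" if bps > flow.max_bps else "ok"
    return status, flow.lost, flow.late

def make_rtp(seq, size=1328):
    """Constructed sample: RTP v2 header, payload type 33 (MPEG-TS), zero payload."""
    return struct.pack("!BBHII", 0x80, 33, seq & 0xFFFF, 0, 0x1234) + bytes(size - 12)

def demo():
    key = ("192.0.2.10", "239.1.1.1", 5004)                  # constructed addresses
    policy = {key: Flow(min_bps=5_000_000, max_bps=12_000_000)}
    results = [admit(policy, *key, make_rtp(s)) for s in (65534, 65535, 0, 1, 4, 3, 5)]
    results.append(admit(policy, "198.51.100.7", "239.1.1.1", 5004, make_rtp(9)))
    return results, health(policy[key], 0.01)
```

In `demo()` the sequence run crosses the 65535 to 0 wrap without a false loss, the jump from 1 to 4 records two lost packets, the packet numbered 3 that arrives afterwards is counted as late, and the sender that is not in the policy is refused.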

The New IP Media Trust Boundary with Net Insight

Developed in close collaboration with strategic IP media customers, including a partnership with Red Bee Media to launch the world’s first 100GbE IP media trust boundary, Net Insight’s solution addresses the limitations of traditional firewalls. These conventional methods often introduce latency and can significantly inflate costs in high-bandwidth, zero-latency environments. The IP media pro application, an integral part of this boundary, serves as a fully programmable, adaptable, and scalable foundation for managing high data volumes without delay, marking a significant advancement in IP-based content production.

Why it matters

Manage the edge between different network domains, such as studio and operator, to secure IP media operations. We have gathered all needed IP Media address translation, monitoring, traffic control, and security functions into one product, simplifying IP media operation using technologies such as ST 2022-2 and ST 2022-6.

Our solution is designed to solve common challenges in IP media networks, such as firewall jitter, network overloads, and quality issues.

RTP Media Proxy: Ensures trusted addressing and prevents address spoofing, while monitoring packet delay variation. Enables end-to-end hitless protection.

Flow Replication: Enables content distribution to many receivers in a non-multicast environment. Facilitates easy hand-off to multiple cloud environments.

Media Traffic Control: Constrains feeds to pre-determined flow sizes, prevents multicast and broadcast flooding, and limits media disruption.

Media Specific Firewall: Provides in-line monitoring of each media flow for fault detection and quality assurance. Mitigates against Denial-of-Service Attacks.

REST API: Allows easy and complete integration of Trust Boundary security features into your orchestration and operation systems.

Media Protection: Provides various protective measures depending on media content interruption. Supports any protection combination of FEC, A/B failover, or ST2022-7 hitless.

Media Monitoring: Offers in-line monitoring of each media flow for fault detection and quality assurance. Allows easy diagnosis of network issues.

TRUST BOUNDARY APPLIANCES

This is how our customers are using it

Our trust boundary appliances are solving the merging challenges for IT and Video departments when handling multiple streams in the same IP networks.

1

Broadcaster needs to protect their network and adapt to their addressing. Also, convert the video specific to their internal operation.
•Bandwidth control per stream with admission control
•Blocking unwanted traffic
•Adapt addresses to the internal structure
•Video format/encapsulation adaption
•Alignment and buffering
•Error processing such as handling speed differences and lost data

2

MSP needs to protect their network and adapt to their addressing.
Video specific adaptation
•Bandwidth control
•Monitor per stream
•Adapt addresses to Service provider network

3

Potentially address adaptation

4

Broadcaster needs to protect their network and adapt to their addressing. Also, convert the video specific to their internal operation.
•Bandwidth control per stream with admission control
•Blocking unwanted traffic
•Adapt addresses to the internal structure
•Video format/encapsulation adaption
•Alignment and buffering
•Error processing such as handling speed differences and lost data

Which Trust Boundary do you need?

Feature | Trust Boundary on Appliance | Trust Boundary on Nimbra IP Gateway
Trust Boundary functions | All functions | All functions
Other IP media and data functions (Media Pro App) | Core functions (data services) | Up to all functions (encoding-decoding, data services, IP conversion)
Video quality: Compressed | |
Video quality: Uncompressed | |
Traffic type | ST2022-2/6/7 | ST 2022-2/6/7, ST 2110
Integration | Plug-and-play | Highly customizable app configuration
Volume | Up to 40GB | Up to 6x200GB
Packaging | Appliance with pre-loaded software, flexible and easy to use | Available as highly customizable app configurations, combined with multiple services for adapted and specialized workflows