Distributed IP production workflows are opening opportunities for new flexible production models, applications and ways to deliver media, but at the same time they are widening the security gap.
Far from insurmountable, the security challenge with IP can be met with a new approach that automates granular control of the network while enabling media companies to reap all the benefits of IP-based delivery.
We call it the IP Media Trust Boundary.
The SDI-to-all-IP security challenge
The industry has transported SDI over IP networks for a decade. By adding an adaptation layer to and from IP when handing over SDI signals to the studio LAN, we could create a very clear demarcation point between the IP WAN and the studio. Security became a lightweight and scalable process for media streams.
When all data, audio, and video streams are switched between local and public IP networks and different IP domains, these fundamental principles no longer apply, giving rise to a complex and difficult IP security challenge.
Controlling the type and volume of IP media traffic that traverses these networks and domains is essential. Security needs careful consideration, since it is not just ‘harmful’ IP traffic we should be worried about.
For instance, a stream that isn’t configured properly can flood the network and cause packet loss, jitter, and delay. This is why media organizations should have complete visibility and control of content filtering in their IP media networks and services.
To date, the industry has been leveraging a combination of existing security capabilities, including general-purpose, media-unaware firewalls and, to a certain degree, Network Address Translation (NAT). These security ‘fixes’ didn’t have all of the functions and performance required to handle the sheer number of streams and volume of data that large IP media networks entail.
What’s more, traditional firewalls can slow down uncompressed IP media traffic that tolerates no added latency. If a non-media-aware firewall introduces delays, this can seriously harm live media workflows. Scaling a non-media-aware firewall can also be prohibitively expensive, significantly raising the cost of remote and distributed production of IP-based content.
The IP Media Trust Boundary resolves the fundamental IP media security challenge.
World’s first with Red Bee Media
The IP Media Trust Boundary strictly controls which stream traffic is allowed to pass in which domains. User-selectable metrics allow for fine-grained control to define which data and streams to transit or block. This covers the transfer of content in mixed IP environments and between trusted and untrusted IP domains.
We are beyond proof of concept. Working together with Red Bee Media, Net Insight is revolutionizing IP media delivery, where we helped create the world’s first 100GbE IP Media Trust Boundary, supporting both ST 2022 and ST 2110 workflows.
This is not just about security. The IP Media Trust Boundary also ensures flexibility and scalability. The implemented NAT functionality creates a tamper-proof seal that prevents potential IP media trust boundary violations, allows full reuse of IP addresses, and dramatically simplifies the move between multicast and unicast networks and IP media devices. All with interactive and ultra-low-latency workflows in mind.
With security no longer a roadblock, the transition to IP media workflows will further take off, shifting the dynamics of the broadcasting industry and enabling the power of 100GbE-based content production.
Q: What is NAT, and what types of NAT are there?
A: NAT stands for Network Address Translation and refers to the process that lets private IP networks using unregistered (private) IP addresses connect to the internet.
A NAT allows a single device, for example a router, to act as an agent between the internet (the public network) and a local network (the private network), effectively connecting the two networks by translating the private addresses of the internal network into legal, publicly routable addresses. This means that only a single unique IP address is needed to represent a group of computers outside of the internal network.
There are three types of NAT:
- Static NAT
Static NAT maps a single private IP address to a single public IP address. It is useful for web hosting and is also used when a single network device in a private network needs to be accessible from the internet.
- Dynamic NAT
Dynamic NAT maps multiple private IP addresses to a pool of public IP addresses, a so-called “NAT pool”. It is used when a fixed number of users need to access the internet at a given point in time. The public IP addresses are assigned to users dynamically rather than in a fixed order, which makes it difficult to reach any internal user from the outside.
- Port Address Translation (PAT)
PAT, or NAT overload, is another type of dynamic NAT that maps multiple private IP addresses to a single public IP address. Port numbers distinguish the flows, i.e., which returning traffic belongs to which private IP address. This is the most commonly used NAT type as it is very cost-effective, allowing thousands of users to connect to the internet using only one real global (public) IP address.
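As an added example (not code from the article or from Net Insight's product), here is a small Python model of the three NAT types above, showing how each translates outbound flows and why unsolicited inbound packets are dropped for dynamic NAT and PAT. The 10.0.0.x and 203.0.113.x addresses are constructed private and documentation values.

```python
class Nat:
    """Toy NAT device: mode is "static", "dynamic" or "pat" (NAT overload)."""

    def __init__(self, mode, public_pool, static_map=None):
        self.mode, self.pool = mode, list(public_pool)
        self.static = static_map or {}   # static NAT: private ip -> public ip
        self.ip_map = {}                 # dynamic NAT: private ip -> pool address in use
        self.port_map = {}               # PAT: (public ip, public port) -> (private ip, port)
        self.next_port = 40000           # first public port handed out by PAT (assumed)

    def outbound(self, src_ip, src_port):
        """Translate a private (ip, port) leaving the network; None means dropped."""
        if self.mode == "static":
            pub = self.static.get(src_ip)
            return (pub, src_port) if pub else None       # one-to-one, port unchanged
        if self.mode == "dynamic":
            if src_ip not in self.ip_map:
                free = [p for p in self.pool if p not in self.ip_map.values()]
                if not free:
                    return None                            # pool exhausted: no translation
                self.ip_map[src_ip] = free[0]              # bind host to a free pool address
            return self.ip_map[src_ip], src_port
        # PAT / NAT overload: every host shares pool[0]; each flow gets its own public port
        key = next((k for k, v in self.port_map.items() if v == (src_ip, src_port)), None)
        if key is None:
            key = (self.pool[0], self.next_port)
            self.next_port += 1
            self.port_map[key] = (src_ip, src_port)
        return key

    def inbound(self, dst_ip, dst_port):
        """Reverse-translate a packet arriving from the public side; None means dropped."""
        if self.mode == "static":
            priv = next((p for p, pub in self.static.items() if pub == dst_ip), None)
            return (priv, dst_port) if priv else None     # always reachable from outside
        if self.mode == "dynamic":
            priv = next((p for p, pub in self.ip_map.items() if pub == dst_ip), None)
            return (priv, dst_port) if priv else None     # only while a binding exists
        # PAT: only ports handed out for an outbound flow map back to an internal host
        return self.port_map.get((dst_ip, dst_port))
```

Real NAT devices also age out dynamic and PAT bindings after an idle timeout, which this model omits.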
Q: What is 100 Gigabit Ethernet (100GbE)?
A: 100 Gigabit Ethernet refers to a series of Ethernet technologies that transfer data at a speed of 100 gigabits per second. The technology was first defined by the IEEE 802.3ba-2010 standard, and later on by the following standards: 802.3bg-2011, 802.3bj-2014, 802.3bm-2015, and 802.3cd-2018.
100GbE is primarily designed for direct communication between switches, as it provides the highest achievable data transmission speeds available while maintaining support for and integration with existing Ethernet technologies and interfaces.