TechDecisions Editor-in-Chief Tom LeBlanc sat down with Mark L. Peterson, Associate Principal at AV consulting firm Shen Milsom & Wilke LLC, to learn more about considerations around AV equipment being connected to the network.
TL: What are some examples of AV devices that you’re seeing increasingly connected to networks?
MP: Practically all AV devices that I’m working with now are actually. Let’s go through the list.
You’ve got AV controllers that are on the network. You’ve got the room touch panels which are now separated from those AV-controlling devices on the network. You’ve got, of course, the video conferencing codecs. Those are all typical.
Now, the cameras are on the network. We have remote diagnostic tools that recommend IP-enabled power strips, thermostats, etc. Obviously their microphones are on Dante and that’s going to be running, if not directly over the network, it’s going to be similar network connectivity. The big push now is for speakers similarly with Dante. There are occupancy sensors and room reservation panels.
Now we’re seeing the Bluetooth happening with the wayfinding so you can get to your room. Now we’ve got the whole, it’s not just the wired services on the AV network but also the Wi-Fi services that are running, sometimes in parallel with the guest services.
Even wireless sharing is a big thing now. Coming forward is, how do I take my mobile device, come into a room and share it? That’s going to run over the Wi-Fi network and predicting the capacity requirements there is extremely difficult to do.
Then we’ve got connecting to cloud service providers. Where does your network or the IT network end if you’re dialing into virtual meeting rooms? You’ve got products like Cisco Spark and Office 365, which are really cloud-based services themselves. Then you’ve got remote management. Some third party may be providing some services like an AV support group. They need to be able to get into the network, so how are they doing that?
We’ve got media streaming encoders and IPTV. That’s going to be a big deal because, as we’re seeing in 2020, the Tokyo Olympics are supposed to be in 8K. What does that mean in terms of the bandwidth requirements for IPTV distribution?
You have other services that are, even the brand new ones like Prysm’s technology that’s running on a non-firm standard PC. That’s on the network but shouldn’t be. We’ve got touch control services. We’ve got KBMs. We’ve got intercom, all the stuff that is running on AV over IP.
It’s like, again, what isn’t? It’d probably be a very small number of boxes that are actually not on the network. The question’s really, how do you put those on the network in a way that’s going to run to the IT director’s satisfaction?
TL: Alright, let’s get to that. What are some issues that IT directors ought to discuss and make sure they get the answers that they want from AV consultants or integrators?
MP: I think the point here that I learned in my work in enterprise is that even though the term is “cyber,” people assume that means that the risk is external. IT departments treat their network security risk even internally. An employee who is disappointed with job satisfaction – any action could create a risk. I think something that a lot of AV service providers don’t recognize is that they have to have that level of skepticism about access and support of IT devices on the network.
There are some basic ones. For example, you’re looking at disabling the FTP services, changing the default IDs and passwords and the root access is either going to be shut down or it’s going to be managed by a separate team from the operations team.
Then the questions come up about authentication. Does the device support dual authentication? That’s a lot. We’ve seen that with customers. When you forget your password on your account, you’re going to get a PIN coming back on another authentication method. The other way of doing that is with these externally managed products like RADIUS.
The IT directors are looking for the authentication of the device to be extracted from the box. We’re not looking to manage a whole lot of unique passwords on the devices. That’s problematic. With the move towards remote monitoring services then, again, we have to look at how access to these external support teams is going to work. Are you going to use dual authentication? Are you going to have a VPN network? Is there going to be a private cloud service setup?
Then the video codecs – are they vulnerable? If we look at Cisco, they had a rash of OpenSSL bugs. That’s exactly what was designed to provide security, but because it’s open architecture, by definition, it’s ripe for risk of infiltration from bugs and attacks. That can even shut down some of the product development because the patches have to be prioritized to close those vulnerabilities.
Active Directory and LDAP, these are common terms that the IT and AV people now know, which are ways of avoiding putting these unique passwords on the devices. Really, what they want to be able to do is to take all these AV devices and put them inside a secure area like a web portal, and that web portal has Active Directory administration.
If someone leaves the organization or joins the organization, they’re made a part of a group so there’s a process in which that authentication stays alive and healthy. Then the questions come up. Can the devices accept certificates for 802.1 authentication? That seems to be the starting point. That should be something that the AV contractors need to be able to understand and respond to.
Then questions like how someone can circumvent and get into the network come up. There are some devices that are being made by AV manufacturers that support dual network. You can have two networks. You can have an AV network and then you can have the regular LAN network. You can manage the device this way and communicate this way. That can create risk in that the device manufacturers, they’re thinking they’re providing an opportunity when actually they’re creating risk.