Well, the party is over.
For years, lots of people in the broadcast industry have relied on “security through obscurity” when dealing with things like audio codecs and web-enabled remote control. After all, most “black-hat” hackers seemed to have little interest in seeing what that “Audio codec” login does; an audio codec doesn’t seem very interesting.
Until they started realizing that those codecs sometimes control the programming on a radio station. Wouldn’t it be fun to point that codec to something funny? Then it became a challenge.
Engineers these days are busy. Who has time to deal with configuring security options on codecs? After all, who cares enough to try and hack in? Well, we now know the answer.
For better or worse, security is no longer an option, it’s required. Fortunately it’s not nearly as daunting a task as you’d think. There are some basic things you can do to better secure your network immediately, while planning on better security in the future.
There are two types of hackers: The ones who like to wreak havoc on random, weakly secured sites (and will move on if they meet any sort of security in favor of an “open target”), and those who know exactly what they’re trying to access, and will work hard to get in. Fortunately for us, the former is more common than the latter.
To help protect yourself from “drive-by” hacking, there are some quick, easy steps you can take. First (and most obvious) is to use a router in front of your device. That is the most basic, simplest form of security. This hides your device from the rest of the world until you choose to allow certain ports to “poke through” the firewall to the device. If the device doesn’t need incoming connections, you’re likely well protected already. Note that dynamically-opened ports, that is, router ports that were opened by a device on the LAN, are not “open” the way port-forwarded ports are. Dynamically-opened ports are expecting incoming traffic from a known IP address. Port-forwarded ports will typically accept data from anywhere on the WAN (Internet) side.
Next, use a long, complex password on any device login. It sounds obvious, but many people leave the default password in place. It takes about 30 seconds to find the manual to the equipment, conveniently providing that password!
Then, use non-standard ports. Most people use the default configuration and access ports for their devices. While that only makes you marginally safer, it’s better than nothing. Again, if I know what the standard ports are for the device I’m looking for, I can scan Internet addresses for those ports! Most routers will perform “port translation” as well as “address translation”, so if a device’s port numbers are not configurable, your router can still allow access to it from an unusual, high-numbered port that’s not as likely to be scanned, then translate that port number to the one required by your device.
Also consider this: Do you really need to have the web configuration page available on the Internet? In the case of an audio codec, is there really a need to look at it after it’s been configured? Only open the ports you really need to the device, and consider (again) using non-standard ports for the connections.
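As an added illustration (not part of the original post), here is a small Python check that applies the three tips above to a router’s port-forward table: it flags forwards that expose a management port to the whole Internet, forwards that leave the external port equal to the device’s default port, and forwards that accept traffic from any WAN address instead of a known one. The rule format, the addresses and the sample rows are constructed for the example and do not come from any particular router or codec.

```python
# Added example: audit a router's port-forward table against the advice in
# this post. The rule format and the sample rows are constructed for
# illustration; they are not from any particular router or codec.
from dataclasses import dataclass

# Ports a codec's web configuration page or remote shell typically listens on.
MANAGEMENT_PORTS = {80, 443, 22, 23}


@dataclass
class Forward:
    ext_port: int      # port opened on the WAN side of the router
    dst_ip: str        # LAN device the traffic is sent to
    dst_port: int      # port on the LAN device
    src: str = "any"   # allowed WAN source ("any" or an address/CIDR)


def audit(rules):
    """Return (rule, problem) pairs for forwards that ignore the advice."""
    findings = []
    for r in rules:
        if r.dst_port in MANAGEMENT_PORTS and r.src == "any":
            findings.append((r, "management port reachable from the whole "
                                "Internet; remove the forward or reach it over "
                                "the VPN"))
        if r.ext_port == r.dst_port:
            findings.append((r, "external port equals the device's own port; "
                                "translate it to a non-standard high port"))
        if r.src == "any" and r.dst_port not in MANAGEMENT_PORTS:
            findings.append((r, "accepts traffic from any WAN address; restrict "
                                "the source to the far-end studio address"))
    return findings


# Constructed sample: a codec at 192.168.10.20 with its web page on 80 and
# an audio stream on 5004, plus a sensibly configured forward for contrast.
SAMPLE_RULES = [
    Forward(80, "192.168.10.20", 80),                          # web config, wide open
    Forward(5004, "192.168.10.20", 5004),                      # stream, default port, any source
    Forward(47112, "192.168.10.20", 5004, src="203.0.113.7"),  # translated + restricted
]

if __name__ == "__main__":
    for rule, problem in audit(SAMPLE_RULES):
        print(f"ext {rule.ext_port} -> {rule.dst_ip}:{rule.dst_port} "
              f"(from {rule.src}): {problem}")
```

Running it on the sample prints four findings: two for the wide-open web configuration forward, two for the untranslated, unrestricted stream forward, and none for the translated forward limited to the far-end address.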
The above tips will keep most garden-variety “black-hats” out of your network. But what if you’re worried about someone who really wants to get into your gear?
The best solution is to create a point-to-point VPN tunnel. In fact, I’d say that it’s a requirement if you’re using a codec for an STL. There is really no reason to do otherwise. With an end-to-end VPN tunnel, you have full access to your device within your LAN, but it is invisible to the Internet. You’re basically securely connecting your two networks together. While creating VPNs used to be difficult, you can now get routers for under $100 each that have easy-to-configure VPN networking built in. The traffic between locations is secure, and nobody outside the tunnel can get to your devices. While VPN tunneling cannot prevent or mitigate DDoS attacks, it can protect against most other types of “targeted” attacks, even from hackers who know what they’re looking for.
“Security through obscurity” is no longer an option. While these tips are certainly not exhaustive or complete, there’s enough information here to quickly get some security on your network to give you a little time to look at your options and determine what options are best for you.
-Chris Tarr, CSRE, DRB, CBNE, is the Director of Engineering for Entercom Wisconsin.