Tech Tips from Tieline’s U.S. Codec Expert Jacob Daniluck
IP Codec Security
With the recent social media hacks at Twitter, I thought it would be an excellent time to discuss internet security as it relates to audio codecs. Regardless of what type of codec solution is in use, you will want to secure your network based on your IT policies. Codec hack attempts can range from something as simple as unwanted audio to taking control through the Web Management portal (WebGUI). In this month’s Jake’s Take, I will explore some of the things that you should do to help increase overall IP codec security on your network.
The first bit of security that we should look at is the WebGUI. Regardless of whether you are going to expose the codec’s WebGUI to the public internet, you will want to consider changing the password. Tieline’s default password is “password” for easy setup access. To change the password in a codec, press the SETTINGS button, navigate to WebGUI and press the OK button, then select Password and press the OK button. Use the keypad to enter a new password and press OK to save the new setting.
Our Toolbox WebGUI has a wide range of tools that can quickly assist operators with the data and tools required to make and monitor connections. Regardless, if you are going to allow your team access to this codec remotely, change your WebGUI password (or turn it off altogether).
There is a flip side to having the WebGUI exposed over the internet. Even with a unique and strong password, you are still sending that data in an unencrypted format. To add a layer of security, you will want to explore adding a Domain Name as well as an SSL certificate to your codec. In a corporate domain, your IT department will most likely already have a Domain and an SSL certificate. All you need to do is install the SSL certificate set up for your codec. If you do not have access to a domain name and an SSL certificate, then you can always set one up through several providers on the internet, or you can create your own (not recommended for long term use). However, this is still not the most secure method for accessing Tieline’s WebGUI interface.
For the best security practice for the WebGUI, I would suggest looking at Tieline’s Cloud Codec Controller application. This application provides a path to control the audio codec through an SSL link and Tieline’s Cloud Servers; in other words, there is no need to worry about SSL and port forwarding. Cloud Codec Controller can allow your team to manage the fleet of your Tieline hardware all from their couch at home. This app can prevent unwanted users from accessing your codecs and disconnecting or adjusting the audio.
When it comes to the audio, there are a couple of things that we can investigate. The first thing to consider is a VPN router, which can provide a secure connection between two endpoints, the studio and the remote. A VPN can add additional layers of security that are outside the codec’s function. Plus, you can extend your LAN capabilities and access other devices remotely. The most significant benefit of the VPN method is that you don’t have to forward ports through your firewall.
Another option for those not wanting to use an external device would be an LTE connection with a public static IP address. With Tieline’s LTE Module for the ViA, you can add your carrier’s static IP directly on the remote unit. With a static IP, you can then lock down your studio’s firewall to only allow audio traffic from this specific endpoint. You still have to expose ports on your firewall, but now the firewall restricts access from ALL other IP addresses.
Lastly, I would suggest looking at SIP for some additional security. SIP servers can authorize specific devices to connect to other devices. Once you have a SIP server set up with all of your codecs, you can set up Tieline’s Allow List to look at what is known as a URI (Uniform Resource Identifier) and block unwanted traffic. SIP is excellent for interconnectivity but is limited in what type of functionality is available. For those who want extra security, but do not want to jump through the hoops of getting a VPN or a Static IP, this is another avenue to consider.
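To illustrate how a URI allow list decides which callers get through, here is an added example; it is not Tieline code and does not describe how Tieline’s Allow List is implemented. The URIs, hostnames and header lines are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed allow list: canonical SIP URIs of the station's own codecs.
ALLOWED_URIS = {
    "sip:studio-a@sip.example.com",
    "sip:via-remote1@sip.example.com",
}

# Constructed From header values as they might arrive in incoming INVITEs.
SAMPLE_FROM_HEADERS = [
    '"Studio A" <sip:studio-a@SIP.Example.com;transport=tcp>;tag=9fxced76sl',
    'sip:via-remote1@sip.example.com;tag=1928301774',
    '"sip:studio-a@sip.example.com" <sip:unknown@198.51.100.7>;tag=a1',
    '<sip:studio-a@sip.example.com.other.example>;tag=b2',
    'Anonymous <sip:anonymous@anonymous.invalid>;tag=c3',
]

_ADDR = re.compile(
    r"(sips?):([^@;?\s]+)@([^;?:\s]+)(?::\d+)?(?:[;?].*)?", re.IGNORECASE
)

def canonical_uri(header_value):
    """Reduce a From header value to scheme:user@host, or None if malformed."""
    # Drop the quoted display name: it is free text chosen by the caller
    # and must never take part in the allow-list decision.
    value = re.sub(r'"(?:\\.|[^"\\])*"', "", header_value)
    bracketed = re.search(r"<([^>]*)>", value)
    # Without <...>, everything after the first ';' is a header parameter.
    uri = bracketed.group(1) if bracketed else value.split(";", 1)[0]
    match = _ADDR.fullmatch(uri.strip())
    if not match:
        return None  # fail closed on anything that does not parse
    scheme, user, host = match.groups()
    # Host names are case-insensitive; the user part is compared as written.
    return f"{scheme.lower()}:{user}@{host.lower().rstrip('.')}"

def is_allowed(from_header, allowed=ALLOWED_URIS):
    """Exact match on the canonical URI; substring matches are not enough."""
    uri = canonical_uri(from_header)
    return uri is not None and uri in allowed

def audit(headers=SAMPLE_FROM_HEADERS):
    return [(canonical_uri(h), is_allowed(h)) for h in headers]

if __name__ == "__main__":
    for uri, ok in audit():
        print("ALLOW" if ok else "BLOCK", uri)
```

The From header is supplied by the calling device, so a list like this works alongside the SIP server authorization described above rather than replacing it.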
Whether you’re looking at management data or audio data, security is still vital for ALL entry points into your station’s IP network. As Radio Stations across the world are slowly turning into data centers, stations must have an IP Security policy for all types of devices. Some network security issues have been discussed in more detail in Tieline’s article on IP Security for Radio Broadcasters at https://tieline.com/ip-security-for-radio-broadcasters/
For those who are interested in learning more about security policies, or if you have suggestions for a future ‘Jake’s Take’, email me at Jake@tieline.com.
For more information about Tieline codecs, or any of the features mentioned in “IP Codec Security”, visit http://www.tieline.com