
AVP release 9.41

Security User Guide

A
Copyright

© MediaKind 2020. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. MediaKind shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademarks

All trademarks mentioned herein are the property of their respective owners. These are shown in the document Trademark Information.

Table of Contents

1 Introduction ..................................................................................... 4
1.1 Prerequisites ................................................................................... 4
1.1.1 Conditions ........................................................................................ 4

2 Environment ................................................................................... 6
2.1.1 Security Model and Zoning .......................................................... 7

3 Product Security Functionality ................................................... 8

4 Security Configuration .................................................................. 9


4.1 Procedures ...................................................................................... 9
4.1.1 Enable Basic Authentication ......................................................... 9
4.1.2 Enable LDAP Authentication over TLS ...................................... 9
4.1.3 Force the use of secured HTTP ............................................... 10
4.1.4 Use an external firewall to close access to internal
UDP/TCP ports ............................................................................. 10
4.1.5 Set SNMP version of trap messages ...................................... 11
4.1.6 Set SNMP community string value ........................................... 11
4.1.7 Enable In-band Control ............................................................... 11
4.2 Recommended Periodic Operations .......................................... 12
4.3 Handling of patches .................................................................... 12
4.3.1 Upgrade utility............................................................................... 12
4.3.2 Viper files ...................................................................................... 13

5 Default Parameter Values ......................................................... 14

6 Services, Ports, and Protocols ................................................ 17


AVP release 9.41

1 Introduction
This document describes the security functions implemented by the
AVP. It also describes the security-related procedures that can be
performed by the system administrators.

The information in this document covers the following AVP release versions: 9.41.

1.1 Prerequisites

This section describes the prerequisites: the conditions and information required for performing security management on the AVP.

1.1.1 Conditions

Before performing the procedures in section 3.1, ensure that the following conditions are met.

• Required software upgrade has been completed.

• All software licenses have been installed.

• Unit has been rebooted since upgrade and license installation.

• There are no active “Uncontrolled Release” or “Version mismatch” alarms.

• Authentication parameters are known:

o Basic: username / password

2020-02-20 © MediaKind 2020 4 (20)


Public
AVP release 9.41

o LDAP: A thorough understanding of setting up LDAP is required to reduce the chances of entering values which result in a permanent lock out from the unit. Practice with the LDAP Test mode is strongly recommended.

o LDAP: Values for Server address, Bind Dn, Bind Password, Base Dn and Entry Filter are known.

o LDAP: Need for TLS and positive/negative authentication is known.

• IP addresses and ports used by the system are known.

• SNMP trap version and community string values are known.


2 Environment
This section describes the environment requirements for product
operations.

The system is to be deployed behind a firewall which offers protection from external attacks. The operation and maintenance network should be separated from the data network(s).

The network topology for an AVP unit in a system is shown below.


2.1.1 Security Model and Zoning

In the industry, security zoning is commonly categorized in four zone types, and a brief summary of each zone is outlined below.

• Untrusted zone is a public zone, entirely open, and includes public networks such as the public Internet. Restrictions and requirements are difficult or impossible to place or enforce in this zone because it is generally outside the control of the customer. The untrusted zone is considered to be extremely hostile.

• Semi-trusted zone is a public access zone that mediates between the customer’s trusted zone and the untrusted zone. Typically, this zone implements corporate Web/Proxy servers, Domain Name Service, external Mail servers, remote access, and extranet gateways. It is often referred to as a demilitarized zone (DMZ). The semi-trusted zone is considered to be hostile.

• Trusted zone is an operational zone, a standard environment for routine customer operations, and where most corporate user systems and workgroup servers are installed. In general, with appropriate security controls, this zone may be suitable for processing some sensitive data; however, this zone is customarily unsuitable for large repositories of sensitive data or critical applications without adequate strong trustworthy security controls.

• Restricted zone is a controlled zone suitable for business-critical services or large repositories of sensitive data. It supports access from systems in the semi-trusted zone.

The AVP is always installed in the trusted zone. Any equipment which
communicates with the AVP without authentication or data encryption
should also be installed in the trusted zone.


3 Product Security Functionality

The following security functionality is supported in the product:

• Protection of signalling interfaces with TLS when using HTTPS.

• Two mechanisms for user authentication – basic and LDAP.

• Protection of LDAP user authentication with TLS.

• SNMP version v2c and community string values can be set.


4 Security Configuration
This section describes how to operate the security functionality of the
product.

4.1 Procedures

This section provides the instructions for operating the security functionality of the product.

4.1.1 Enable Basic Authentication

This procedure enables basic authentication. For detailed instructions on how to enable basic authentication see section 3.7.3 of the AVP 4000 Reference Guide.

To enable basic authentication:

1. Navigate to the Device Configuration > Advanced Setup page and select Base Unit > Remote Authentication and HTTP server options.

2. Set Authentication on the Properties widget to Basic and enter a username and password.

3. Select Apply All to enforce authentication for the current session.

4.1.2 Enable LDAP Authentication over TLS

This procedure enables user authentication against an external directory of users using LDAP over a connection secured by TLS. For detailed instructions on how to enable basic authentication see section 3.7.3 of the AVP 4000 Reference Guide.


4.1.3 Force the use of secured HTTP

This procedure enforces the exclusive use of HTTPS. For detailed instructions on how to enforce the use of HTTPS see section 3.7.2 of the AVP 4000 Reference Guide.

To enforce the use of HTTPS:

1. Navigate to the Device Configuration > Advanced Setup page and select Base Unit > Remote Authentication and HTTP server options.

2. Change the control Disable HTTP Access (HTTPS is always On) to ON in order to disable HTTP access, thereby enforcing the use of HTTPS.

3. Select Apply All to effect the change.

4.1.4 Use an external firewall to close access to internal UDP/TCP ports

This procedure disables access from external sources to UDP/TCP ports which are for internal operation only.

1. Disable access to the following ports for all protocols in the firewall which controls access to the control interface (Ctrl1, Ctrl2) and/or the output data interface (Data3, Data4) if the In-band Control feature is being used.

a. 30000

b. 30010

c. 30015

d. 32001

e. 40011

f. 55432


2. Disable access to other service ports if they are not required in the unit’s configuration.

a. Port used by DPI (Default 5167).

b. Port used by Internal Reflex (6000).

4.1.5 Set SNMP version of trap messages

This procedure sets the SNMP version of trap messages.

To set the SNMP version of trap messages:

1. Navigate to the Device Configuration > Advanced Setup page and select SNMP > SNMP Trap Server.

2. Change the control SNMP Version to the version of SNMP required in the traps.

3. Select Apply All to effect the change.

4.1.6 Set SNMP community string value

This procedure sets the value of the SNMP community string:

1. Navigate to the Device Configuration > Advanced Setup page and select SNMP > SNMP Trap Server.

2. Change the contents of the Community control to the required value.

3. Select Apply All to effect the change.

4.1.7 Enable In-band Control

This procedure enables control of the unit over the Data3 / Data4
connection pair. This facility is provided for installations where the
provision of separate control and data networks is impractical. From a
security standpoint, it mixes the operation and maintenance network
with the data network which reduces the security of the system.


To use Data Interface Group 3-4 for control:

1. Navigate to the Device Configuration > Advanced Setup page and select Network Configuration.

2. Change the control Use Data Interface Group 3-4 for Control to true.

3. Select Apply All to effect the change. This will reboot the
unit.

4. Select Yes to confirm the change and wait for the unit to
reboot.

4.2 Recommended Periodic Operations

This section describes recommended periodic operations.

Take regular backups of standalone units’ system configuration as described in section 8.9.2 of the AVP 4000 Reference Guide.

Monitor the system for “Uncontrolled Release” and “Version Mismatch” alarms as these indicate that the installed software has been modified since installation.

Ensure that the selected remote logging settings are still selected and
that events are still being exported.
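As an added example that is not part of the MediaKind guide, the following Python script illustrates the monitoring recommended above: it scans events exported over remote syslog for the “Uncontrolled Release” and “Version Mismatch” alarms and flags units whose remote logging has gone quiet, which is the usual sign that the export settings were lost (for example after an upgrade without the configuration option of section 4.3.1). The log line layout, the host names and the alarmd process name are constructed assumptions; the AVP's real rsyslog message format is not documented on this page.

```python
"""Watch AVP syslog exports for integrity alarms and silent exporters.

Added example; not MediaKind code.  The line layout below
("<ISO timestamp> <host> <process>: <message>") and the sample
events are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Alarm names quoted in section 4.2 of the guide.  Matched case-insensitively
# because the guide itself writes both "Version mismatch" and "Version Mismatch".
INTEGRITY_ALARMS = ("Uncontrolled Release", "Version Mismatch")

# Assumed exported line layout (constructed): timestamp, host, process, message.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s*(?P<msg>.*)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "proc": m["proc"], "msg": m["msg"]}


def integrity_alarms(events):
    """(host, alarm name, timestamp) for every raised (not cleared) integrity alarm."""
    hits = []
    for ev in events:
        text = ev["msg"].lower()
        for alarm in INTEGRITY_ALARMS:
            if alarm.lower() in text and "cleared" not in text:
                hits.append((ev["host"], alarm, ev["ts"]))
    return hits


def stale_exporters(events, expected_hosts, now, max_silence):
    """Expected hosts whose newest exported event is older than max_silence, or absent."""
    last_seen = {}
    for ev in events:
        if ev["host"] not in last_seen or ev["ts"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["ts"]
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_silence)


def audit(lines, expected_hosts, now, max_silence=timedelta(hours=1)):
    """Run both checks over raw log lines; unparseable lines are skipped."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    return {"parsed": len(events),
            "alarms": integrity_alarms(events),
            "stale": stale_exporters(events, expected_hosts, now, max_silence)}


# Constructed sample: three units are expected to export, one never does,
# one raised both alarms hours ago and has been silent since.
SAMPLE_LOG = [
    "2020-02-20T09:00:05 avp-01 alarmd: Alarm raised: Uncontrolled Release on card 3",
    "2020-02-20T09:00:06 avp-01 alarmd: Alarm raised: Version mismatch on card 3",
    "2020-02-20T09:15:00 avp-02 alarmd: Alarm cleared: Version mismatch on card 1",
    "2020-02-20T11:55:00 avp-02 httpd: user engineer logged in",
    "garbage line that does not parse",
]
EXPECTED_HOSTS = ["avp-01", "avp-02", "avp-03"]
NOW = datetime.fromisoformat("2020-02-20T12:00:00")

if __name__ == "__main__":
    result = audit(SAMPLE_LOG, EXPECTED_HOSTS, NOW)
    for host, alarm, ts in result["alarms"]:
        print(f"{ts.isoformat()} {host}: {alarm} raised; software differs from the installed release")
    for host in result["stale"]:
        print(f"{host}: no events exported within the last hour; check remote logging settings")
```

Run it against a file of collected rsyslog lines instead of SAMPLE_LOG; the silence threshold should be shorter than the interval at which the units are known to emit routine events, otherwise a lost export is only noticed when the next alarm fails to arrive.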

4.3 Handling of patches

This section describes handling of patches.

4.3.1 Upgrade utility

Patches are delivered in the form of upgrade utilities. The process to run upgrade utilities is described in [Ref].


Note: To retain current security settings the “Upgrade the unit configuration at the end of the process” option must be selected or all security options will return to their factory default settings.

4.3.2 Viper files

The upload viper file facility provided via the Support/Upgrade Encoder
facility is for extraordinary maintenance procedures. Using this facility
may result in an “Uncontrolled Release” and “Version mismatch” alarms
on the affected cards.


5 Default Parameter Values

The default values for the security parameters are listed in table 1.

Table 1. Default Parameter Values

Parameter                                              Default Value
-----------------------------------------------------  --------------------
Use Data Interface Group 3-4 for Control               false
  (Inband Control)
SNTP Server                                            0.0.0.0
POIS [1] Server URL                                    <empty>
DPI [2] TCP port (SCTE-104)                            5167
Authentication                                         Off
User Name                                              engineer
Password                                               password
LDAP Host Address                                      0.0.0.0
LDAP Bind DN                                           <empty>
LDAP Bind Password                                     <empty>
LDAP Base DN                                           Dc=my-domain,dc=com
LDAP Entry Filter                                      (uid=$)
Start TLS                                              Off
Disable HTTP Access                                    Off
Remote Server IP Address                               0.0.0.0
Remote Server Logging – Alarms                         Off
Remote Server Logging – ESAM [7]                       Off
Remote Server Logging – SCTE-35                        Off
Remote Server Logging – User Config                    Off
Reflex PCR Port                                        6868
Reflex Command Port                                    6869
Reflex Status Port                                     6869
MGP [3] Destination Port                               6867
SNMP version                                           v1
SNMP community                                         public
SNMP trap server 1..5                                  0.0.0.0
DSM [4] Address                                        0.0.0.0
DSM [4] Port                                           6871
CSM [5] Address (Control Status Monitoring)            6872
Triveni PSIP table insertion for ATSC.                 Off
  Requires AVP/SWO/PSIP license
Triveni TCP Port                                       1250

[1] POIS – Placement Opportunity Information System
[2] DPI – Digital Programme Insertion
[3] MGP – Multicast Guard Protocol
[4] DSM – Device Status Monitoring
[5] CSM – Control Status Monitoring
[7] See the notes to Table 2.
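As an added example that is not part of the guide, the Python script below serves two sections. It audits an exported parameter set against the factory defaults in Table 1, flagging the settings that the procedures in 4.1.1 to 4.1.7 and 4.2 are meant to change (authentication Off, the default engineer/password credentials, plain HTTP still enabled, LDAP without TLS, SNMP v1 with the public community, no remote logging server, In-band Control enabled). It also derives the per-interface block list an external firewall needs under section 4.1.4: the six internal-only ports always, Data3/Data4 added only when In-band Control is enabled, and the DPI and Internal Reflex ports included only when the operator states they are not in use. The flat dictionary keyed by Table 1 parameter names is an assumed export format, and the sample configuration is constructed.

```python
"""Audit AVP security parameters against Table 1 defaults and build the
section 4.1.4 firewall block list.

Added example; not MediaKind code.  The configuration is assumed to be a
flat dict keyed by the Table 1 parameter names (constructed format).
"""

# Security-relevant factory defaults from Table 1 of the guide.
FACTORY_DEFAULTS = {
    "Authentication": "Off",
    "User Name": "engineer",
    "Password": "password",
    "Start TLS": "Off",
    "Disable HTTP Access": "Off",
    "SNMP version": "v1",
    "SNMP community": "public",
    "Remote Server IP Address": "0.0.0.0",
    "Use Data Interface Group 3-4 for Control": "false",
}

# Section 4.1.4 step 1: ports for internal operation only.
INTERNAL_ONLY_PORTS = (30000, 30010, 30015, 32001, 40011, 55432)
DEFAULT_DPI_PORT = 5167       # section 4.1.4 step 2a / Table 1
INTERNAL_REFLEX_PORT = 6000   # section 4.1.4 step 2b


def audit_config(cfg):
    """Return (parameter, reason) findings for settings left in an insecure state."""
    findings = []

    def get(key):
        # Missing keys are treated as still at factory default.
        return str(cfg.get(key, FACTORY_DEFAULTS.get(key, ""))).strip()

    auth = get("Authentication").lower()
    if auth == "off":
        findings.append(("Authentication", "authentication is Off; enable Basic or LDAP (4.1.1 / 4.1.2)"))
    elif auth == "basic" and get("User Name") == FACTORY_DEFAULTS["User Name"] \
            and get("Password") == FACTORY_DEFAULTS["Password"]:
        findings.append(("Password", "factory default credentials still in use (4.1.1)"))
    elif auth == "ldap" and get("Start TLS").lower() == "off":
        findings.append(("Start TLS", "LDAP binds are not protected by TLS (4.1.2)"))
    if get("Disable HTTP Access").lower() == "off":
        findings.append(("Disable HTTP Access", "plain HTTP still accepted; set to On (4.1.3)"))
    if get("SNMP version").lower() == "v1":
        findings.append(("SNMP version", "traps sent as SNMPv1 (4.1.5)"))
    if get("SNMP community") == FACTORY_DEFAULTS["SNMP community"]:
        findings.append(("SNMP community", "default community string (4.1.6)"))
    if get("Remote Server IP Address") == FACTORY_DEFAULTS["Remote Server IP Address"]:
        findings.append(("Remote Server IP Address", "no remote logging server configured (4.2)"))
    if get("Use Data Interface Group 3-4 for Control").lower() == "true":
        findings.append(("Use Data Interface Group 3-4 for Control",
                         "In-band Control mixes the O&M and data networks (4.1.7)"))
    return findings


def firewall_block_list(cfg, dpi_in_use=False, reflex_in_use=False):
    """Ports the external firewall must close, per interface (section 4.1.4)."""
    interfaces = ["Ctrl1", "Ctrl2"]
    if str(cfg.get("Use Data Interface Group 3-4 for Control", "false")).lower() == "true":
        interfaces += ["Data3", "Data4"]   # Data3/Data4 carry control when In-band Control is on
    ports = set(INTERNAL_ONLY_PORTS)
    if not dpi_in_use:
        ports.add(int(cfg.get("DPI TCP port (SCTE-104)", DEFAULT_DPI_PORT)))
    if not reflex_in_use:
        ports.add(INTERNAL_REFLEX_PORT)
    return {iface: sorted(ports) for iface in interfaces}


# Constructed sample export: HTTPS enforced and SNMP hardened, but the
# default credentials were kept and In-band Control is enabled.
SAMPLE_CONFIG = {
    "Authentication": "Basic",
    "User Name": "engineer",
    "Password": "password",
    "Disable HTTP Access": "On",
    "SNMP version": "v2c",
    "SNMP community": "example-community-string",
    "Remote Server IP Address": "10.0.5.20",
    "Use Data Interface Group 3-4 for Control": "true",
    "DPI TCP port (SCTE-104)": 5200,
}

if __name__ == "__main__":
    for param, reason in audit_config(SAMPLE_CONFIG):
        print(f"{param}: {reason}")
    for iface, ports in firewall_block_list(SAMPLE_CONFIG).items():
        print(f"{iface}: block {ports}")
```

Running audit_config on an empty dictionary reports the factory state of a freshly installed or reset unit, which is also the state a unit returns to after an upgrade run without the “Upgrade the unit configuration at the end of the process” option (section 4.3.1); comparing that output with the result for the current export is a quick way to confirm the settings survived a patch.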


6 Services, Ports, and Protocols

The services, ports, and protocols that are used by the product are listed in table 2. The table entries are ordered by port number.

Table 2. Services, Ports, and Protocols used by the product

Service                     Protocol   IP Interface Name     Port                    Transport  IP Version
                                                                                     Protocol
--------------------------  ---------  --------------------  ----------------------  ---------  ----------
Ping                        ICMP       Ctrl1 / Ctrl2         N/A                     N/A        ICMP
                                       Data1 / Data2
                                       Data3 / Data4
Transport stream            IGMP       Data1 / Data2         N/A                     N/A        IGMP
  subscription                         Data3 / Data4
CLI                         SSH        Ctrl1 / Ctrl2         22                      TCP        IPv4
                                       Data3 / Data4 [6]
Time Service                NTP        Ctrl1 / Ctrl2         37                      TCP        IPv4
                                       Data3 / Data4 [6]
User Interface              HTTP       Ctrl1 / Ctrl2         80                      TCP        IPv4
                                       Data3 / Data4 [6]
ESAM [7] / POIS [1]         HTTP       Ctrl1 / Ctrl2         80                      TCP        IPv4
                                       Data3 / Data4 [6]
SNMP                        SNMP       Ctrl1 / Ctrl2         161                     UDP        IPv4
                                       Data3 / Data4 [6]
User authentication         LDAP       Ctrl1 / Ctrl2         389                     UDP/TCP    IPv4
                                       Data3 / Data4 [6]
User Interface              HTTPS/TLS  Ctrl1 / Ctrl2         443                     TCP        IPv4
                                       Data3 / Data4 [6]
Remote logging              Rsyslog    Ctrl1 / Ctrl2         514                     UDP        IPv4
                                       Data3 / Data4 [6]
User authentication         LDAP/TLS   Ctrl1 / Ctrl2         636                     TCP        IPv4
                                       Data3 / Data4 [6]
Triveni [8] PSIP table      SOAP       Ctrl1 / Ctrl2         1250 [9], 1251, 1252,   TCP        IPv4
  insertion                                                  1253, 1254, 1255
Port Responders             Internal   Ctrl1 / Ctrl2         1820, 1821, 1822,       TCP        IPv4
                                                             1823, 1824, 1825
DPI [2]                     SCTE-104   Ctrl1 / Ctrl2         5167 [10]               TCP        IPv4
Device Discovery (Upgrade)  Internal   Ctrl1 / Ctrl2         5998 [11], 5999         UDP        IPv4
Internal Reflex             Internal   Ctrl1 / Ctrl2         6000                    UDP        IPv4
DSM [4] [12]                Internal   Ctrl1 / Ctrl2         6871 [10]               UDP        IPv4
                                       Data3 / Data4 [6]
CSM [5] [12]                Internal   Ctrl1 / Ctrl2         6872 [10]               UDP        IPv4
                                       Data3 / Data4 [6]
MGP [12]                    Internal   Data3 / Data4         6867 [10]               UDP        IPv4
Reflex [12]                 Internal   Ctrl1 / Ctrl2         6868 [10], 6869         UDP        IPv4
                                       Data3 / Data4 [6]
Parameter Store             Internal   Localhost             30000                   UDP        IPv4
Option Card Monitor         Internal   Localhost             30010                   TCP        IPv4
SNMP                        Internal   Localhost             30015                   TCP        IPv4
ESAM [7] / POIS [1]         Internal   Localhost             32001                   TCP        IPv4
Watchdog                    Internal   Localhost             40011                   TCP        IPv4
Persistent Storage          Internal   Localhost             55432                   TCP        IPv4

[1], [2], [4], [5] See the notes to Table 1.
[6] These interfaces are used when Inband Control is enabled.
[7] ESAM – Event Signalling And Management
[8] The ports are only created when this feature is licensed and enabled.
[9] Default shown. User may set base port value in the range 1..65535.
[10] Default shown. User may select value in the range 0..65535.
[11] This is the transmit port.
[12] The port is only created when the feature is enabled.