
MediaKind Internal
USER GUIDE 1 (9)

Prepared (Subject resp): David Blythman
No.: 1553-
Date: 2020-02-20
Rev: E

AVP Hardening Guideline

v9.41

Revision History:

Rev  Date        Sign.    Comment
A    2017-10-24  eblydav  New document. The template is based on the instructions document LME-07:001499 Uen, Hardening Documentation Instructions and Templates.
B    2017-12-06  Eblydav  Updated after review.
C    2018-08-14  Edomshe  Updated to refer to v9.35
D    2018-10-08  Edomshe  Updated to refer to v9.36
E    2020-02-20  F Ward   Updated to refer to v9.41

Copyright

© MediaKind 2020. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.

Disclaimer

The contents of this document are subject to revision without notice due to
continued progress in methodology, design and manufacturing. MediaKind
shall have no liability for any error or damage of any kind resulting from the
use of this document.

Trademarks

All trademarks mentioned herein are the property of their respective owners.
These are shown in the document Trademark Information.

Contents
1 Introduction .............................................................................................2
1.1 Scope ..........................................................................................2
1.2 Target group................................................................................3
1.3 Prerequisites ...............................................................................3
1.3.1 Documents ..................................................................................3
1.3.2 Tools............................................................................................3
1.3.3 Conditions ...................................................................................3
2 Hardening Guidelines .............................................................................3
2.1 General information about product hardening............................3
2.2 Hardening during product development (pre-hardening report) 4
2.2.1 Operating system hardening ......................................................5
2.3 Hardening during service delivery ..............................................6
2.3.1 Accept hardware configuration ...................................................6
2.4 Operating system hardening ......................................................7
2.5 Application software hardening ..................................................7
2.6 Operation & Maintenance ...........................................................7
2.6.1 System and software updates ....................................................7
2.6.2 System access control, authentication, authorization ................7
2.6.3 Intrusion Detection / Protection ..................................................7
2.7 Network and IP traffic related hardening ....................................8
2.7.1 Securing services........................................................................8
2.8 Logging .......................................................................................8
2.8.1 Logging configuration .................................................................8
2.8.2 Time synchronization ..................................................................8
2.9 Post-work ....................................................................................8
3 Terminology and Abbreviations ............................................................9
4 References ...............................................................................................9

1 Introduction

1.1 Scope

This user guide describes the hardening procedure of the AVP. This includes:

• General information about hardening of the product. This is useful for understanding the purpose of product hardening as well as the scope of product hardening.

• A list of the hardening activities performed during the product development phase (pre-hardening report).

• Instructions on how to perform the remaining hardening activities during the service delivery integration phase.

Local policy requirements for hardening are out of scope of this document.

1.2 Target group

This user guide is intended for

• Service delivery integration engineers

• System and security administrators

1.3 Prerequisites

1.3.1 Documents

This User Guide references the following documents:

• Security User Guide

• AVP Family (AVP 4000) Reference Guide

1.3.2 Tools

1.3.3 Conditions

2 Hardening Guidelines

2.1 General information about product hardening

Definition: ‘Hardening means increasing product security by reducing its attack surface’.

An attack surface is any aspect of the product through which an attacker can modify the operation of the product with malicious intent.

Disruptions to AVP operation include:

• Disabling one or more transport stream outputs.

• Circumventing copyrighted material protection so that it can be viewed without payment.

• Substitution of scheduled output material with something completely different, e.g. political or activist content.

• Using the AVP as a gateway into the rest of the operation and maintenance network or data networks.

• Generating a Denial of Service attack by generating high bitrate empty transport streams which saturate the data network.

• Generating a Denial of Service attack by creating a transport stream using the same multicast address as another, thereby generating a ‘dual presentation’ scenario that results in severe decode problems in receivers and set top boxes, i.e. the attacked transport stream is effectively ‘Off Air’.

The entry points for controlling AVP operation are:

• Control network port. This provides access for:

o An external control system such as nCompass Control.

o The web based GUI.

o Digital Programme Insertion (Splicing)

o Placement Opportunity Information System (POIS)

o Treveni – Table generation.

o Reflex messages from mux – control encode bit rates.

o Service engineer internal access.

o Unit upgrade.

• Data network ports 3 and 4. These provide access for:

o Multicast Guard Protocol messages.

o When Inband control is enabled:

▪ Web based GUI.

• Front Panel. This provides control of:

o Output – ‘On Air’ / ‘Off Air’

o Transport Stream creation, edit, delete.

o Configuration load. Also store / load from USB key.

2.2 Hardening during product development (pre-hardening report)

The following hardening took place during product development:



2.2.1 Operating system hardening

2.2.1.1 Operating system installation

• Unnecessary system components have not been installed.

2.2.1.2 Operating system configuration

• Only required processes are started.

• Only required services are started.

• Only required listening ports are opened.

• Only required cron jobs are scheduled.

2.2.1.3 System access control, authentication, and authorization

• Only the ‘root’ user can log in to the system.

• Users ‘ftp’ and ‘nobody’ have been defined but have no login capability
and the password has been given an undecodable value.

• The useradd executable is not installed in the system, so new users cannot be added.

2.2.1.4 Installation integrity

The integrity of the AVP installation consisting of:

• Operating system image

• FPGA binaries

• Application packages

• Application initial configuration files

• Web server contents

• System hardware configuration

• System component versions

is assured by:

• Manifest files.

• Checksums for binary files, application configuration files and web server contents.

• Expected versions for software applications.

• A startup check which triggers an alarm when the detected hardware configuration is not the same as the original configuration.

• A version check at startup which triggers an alarm when one or more items in a hardware component have a version mismatch.

• A version check at startup which triggers an alarm when one or more components (host card or option card) have a version mismatch with the system manifest file.

Software updates can only be installed via the AVP upgrade tool.

The Linux update framework – ‘apt’ – is not installed.

2.2.1.5 Logging

System logging is set up as follows:

• Auto rotate is enabled on the host card. In addition to the current log
file the previous eight files are kept. When the current log file is
replaced the oldest log file is deleted from the system.

• The maximum log size is set at 512k.

• System logs from option cards are automatically forwarded to the system log on the host card.

• All system log files can be fetched in a single zip file from the unit via
the GUI.

2.3 Hardening during service delivery

2.3.1 Accept hardware configuration

If the AVP dashboard is displaying the “HW Configuration Mismatch in slot” alarm and the option slot summary is showing the correct list of installed option cards, accept the current hardware configuration. This will clear the alarm. An example is shown in the screen capture below:
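The startup integrity checks of section 2.2.1.4 and the accept step described above, as an added illustrative example in Python. This is not AVP code: the manifest layout, file names, sample contents and slot names are assumptions; only the alarm names are taken from this guide.

```python
import hashlib
from typing import Dict, List

# Constructed sample contents standing in for files on the unit (not real AVP files).
SAMPLE_FILES: Dict[str, bytes] = {
    "app/avp.bin": b"application package v9.41",
    "www/index.html": b"<html>web gui</html>",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed manifest: checksums of the sample contents, expected component
# versions and the hardware configuration recorded at delivery. Its layout is
# an assumption; the alarm names below follow section 2.9 of this guide.
MANIFEST = {
    "checksums": {p: sha256_hex(d) for p, d in SAMPLE_FILES.items()},
    "versions": {"host": "9.41", "slot1": "9.41"},
    "hardware": {"slot1": "option-card-A", "slot2": "option-card-B"},
}

def integrity_check(files: Dict[str, bytes], versions: Dict[str, str],
                    hardware: Dict[str, str], manifest=MANIFEST) -> List[str]:
    """Compare the detected state with the manifest; return the alarms to raise."""
    alarms: List[str] = []
    for path, expected in manifest["checksums"].items():
        data = files.get(path)
        if data is None or sha256_hex(data) != expected:
            alarms.append(f"Checksum mismatch: {path}")
    for slot, expected in manifest["hardware"].items():
        if hardware.get(slot) != expected:
            alarms.append(f"HW Configuration Mismatch in slot {slot}")
    for component, expected in manifest["versions"].items():
        if versions.get(component) != expected:
            alarms.append("Host Build Version Mismatch" if component == "host"
                          else f"Unsupported software on Option Card {component}")
    return alarms

def accept_hardware_configuration(manifest: dict, hardware: Dict[str, str]) -> dict:
    """Section 2.3.1: record the detected option cards as the new baseline so the
    HW mismatch alarm clears. Checksums and versions are left untouched."""
    accepted = dict(manifest)
    accepted["hardware"] = dict(hardware)
    return accepted
```

Accepting the hardware only rebaselines the slot inventory; a checksum or version mismatch still raises its alarm and must be investigated rather than accepted.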

2.4 Operating system hardening

The operating system of the AVP is delivered as a system component by the upgrade utility and has already been configured to meet the initial system requirements.

2.5 Application software hardening

The application software of the AVP is delivered as a component by the upgrade utility. Further system hardening is accomplished via user configuration settings as detailed in the Security User Guide.

2.6 Operation & Maintenance

2.6.1 System and software updates

All AVP system and software updates are performed using the upgrade utility.
This ensures the integrity of the system.

2.6.2 System access control, authentication, authorization

System access is controlled via the authentication options listed in the Security User Guide.

2.6.3 Intrusion Detection / Protection

Modifications to fixed system settings or installed software are detected via the version control system and reported via alarms on the unit. These alarms should be monitored and any change in status should be investigated.

2.7 Network and IP traffic related hardening

2.7.1 Securing services

The following user selectable security options are detailed in the Security
User Guide:

• Disable HTTP to enforce the use of HTTPS only.

• Force the use of TLS for LDAP authentication.

2.8 Logging

2.8.1 Logging configuration

Messages signaling that a change in configuration has taken place are recorded in the system log by default.

Remote logging of four message categories, including detailed configuration data, is a user selectable option as detailed in the Security User Guide.

2.8.2 Time synchronization

An SNTP server can be set up by following the instructions in section 3.7.4 How to Configure Advanced Video Processor Settings in the AVP Family (AVP 4000) Reference Guide.

2.9 Post-work

Upon completion of hardening tasks, finish with the following steps:

• Reboot the unit.

• When the unit has rebooted check that there are no unexpected
alarms such as:

o HW Configuration Mismatch in slot

o Host Build Version Mismatch

o Uncontrolled release

o Unsupported software on Option Card



3 Terminology and Abbreviations

4 References
[1] AVP Security User Guide v9.41
