Avid MediaCentral® Version 2.0
Security Architecture and Analysis

Purpose of This Document

This document provides the MediaCentral administrator with an overview of the security architecture for the MediaCentral environment and recommended best practices for secure operation. The document also provides an analysis of the MediaCentral UX application against the most common security flaws for Web-based applications.
Contents

Overview of MediaCentral
Overview of MediaCentral Security
MediaCentral Security Architecture
Strategies and Best Practices
Overview of MediaCentral Security

• Data Privacy - MediaCentral provides the client with access to existing Interplay Production assets and iNEWS story/rundown information. As part of the login to MediaCentral, the user is also logged into associated Interplay Production and iNEWS sessions using their existing Interplay Production and iNEWS credentials. Access to these assets is controlled by the underlying applications themselves, based on the user’s existing account privileges.
Example:

    Jan 7 14:39:59 localhost sshd[3781]: Accepted password for root from 172.24.41.133 port 43239 ssh2

• Disaster Recovery and Business Continuity - The MediaCentral application can operate within a clustered server configuration, providing Active/Passive failover for continuity of services.
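The sshd entry quoted in the example above records a password login as root. A parser for that log format that lists such logins and marks whether each came from an expected administration subnet, as an added example (not from the Avid document); the subnet in ADMIN_NETWORKS and every sample line except the first are constructed assumptions:

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# OpenSSH "Accepted <method> for <user> from <addr> port <port>" syslog entry.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+"
    r"from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)"
)
ADMIN_NETWORKS = ["172.24.41.0/24"]  # assumed admin subnet, not from the page

class Login(NamedTuple):
    timestamp: str
    user: str
    method: str
    source: str
    port: int

def parse_accepted(line: str) -> Optional[Login]:
    """Return the fields of an 'Accepted' sshd entry, or None for other lines."""
    m = ACCEPTED.match(line)
    if m is None:
        return None
    return Login(m["ts"], m["user"], m["method"], m["src"], int(m["port"]))

def in_networks(source: str, networks) -> bool:
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:  # sshd logged a hostname rather than an address
        return False
    return any(addr in ipaddress.ip_network(n) for n in networks)

def root_password_logins(lines, admin_networks=ADMIN_NETWORKS):
    """List (login, from_admin_network) for each password login as root."""
    hits = []
    for line in lines:
        login = parse_accepted(line)
        if login and login.user == "root" and login.method == "password":
            hits.append((login, in_networks(login.source, admin_networks)))
    return hits

# First line is the entry quoted on the page; the others are constructed.
SAMPLE_LOG = [
    "Jan 7 14:39:59 localhost sshd[3781]: Accepted password for root from 172.24.41.133 port 43239 ssh2",
    "Jan  7 14:41:12 localhost sshd[3802]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2",
    "Jan  7 14:42:30 localhost sshd[3810]: Failed password for root from 192.0.2.77 port 51514 ssh2",
    "Jan  7 14:45:03 localhost sshd[3822]: Accepted password for root from 198.51.100.23 port 50110 ssh2",
]
```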
MediaCentral Security Architecture

The diagram below provides an overview of the MediaCentral architecture with specific references to application and data security. This diagram shows a clustered MediaCentral server configuration.
A MediaCentral client requires user login credentials in order to gain access to the underlying functionality. All data transferred to and from the MediaCentral client (user credentials, session information, user configuration settings, media images and files, text, and machine instructions) is transported in a secure manner to the MediaCentral server using the HTTPS protocol.
Outbound ACLs should be used to allow packets from the MediaCentral server to the MediaCentral client over “established” TCP sessions only. The “established” keyword indicates that packets belong to an existing connection if the TCP datagram has the Acknowledgment (ACK) or Reset (RST) bit set. Note that the MediaCentral Web service and MediaCentral application services operate on the same server so there are no proxies or firewalls between these components.
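The flag test behind the “established” keyword described above, as an added example (not from the Avid document): it reads the flags byte of a TCP header and applies a hypothetical outbound rule for server replies sent from port 443. The function names and the sample headers are constructed for illustration.

```python
import struct

# TCP flag bits, carried in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (checksum left at 0; sample data only)."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)

def tcp_flags(header: bytes) -> int:
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def matches_established(header: bytes) -> bool:
    """True when ACK or RST is set, the condition the text gives for 'established'."""
    return bool(tcp_flags(header) & (ACK | RST))

def outbound_acl(header: bytes, server_port: int = 443) -> str:
    """Hypothetical outbound rule: permit server-to-client segments sent from
    server_port only when they match 'established'; deny everything else."""
    sport = struct.unpack("!H", header[:2])[0]
    if sport == server_port and matches_established(header):
        return "permit"
    return "deny"

def demo():
    """Decisions for constructed server-to-client segments (client port 51000)."""
    samples = {
        "SYN-ACK reply to client": build_tcp_header(443, 51000, SYN | ACK),
        "data segment": build_tcp_header(443, 51000, PSH | ACK),
        "connection reset": build_tcp_header(443, 51000, RST),
        "new connection from server": build_tcp_header(443, 51000, SYN),
        "reply from another service": build_tcp_header(8080, 51000, ACK),
    }
    return {name: outbound_acl(hdr) for name, hdr in samples.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{decision:6s} {name}")
```

Because the match looks only at header flags and keeps no connection state, it complements the network firewall the document recommends rather than replacing it.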
MediaCentral queries the User Management Service to determine which MediaCentral layouts are to be made available to the user upon login. MediaCentral provides two access levels (Basic and Advance, labeled Browse Media and Edit Media in the Users layout), which determine access to underlying application functionality. Access to all assets (media, metadata, rundowns, stories) is managed by the backend systems themselves (Interplay Production, iNEWS).
MediaCentral uses default HTTPS transfer from the Web client to the MediaCentral server and all underlying MediaCentral services (for example, User Management). HTTPS calls are sent over port 443; see Table 1 on page 6 for a complete list of ports. Note that a network firewall is recommended for all configurations. Communication between MediaCentral and Interplay Production and iNEWS is sent over the house network in an unsecured fashion.
MediaCentral v2.0 allows search and delivery of assets through a multi-zone configuration. By default, a MediaCentral system is configured as a single zone. Large organizations can combine two or more single-zone systems into a multi-zone environment. Multi-zone functionality is designed for deployment across an internal secure network (“corporate network”) with all traffic occurring behind the firewall.
Table 3: Security Implications for Certificate Types

User experience
  No Certificate: User is prompted with “This site is untrusted” with options to back out or “Proceed Anyway.”
  Self-Signed: User is prompted with “This site is untrusted” with options to back out or “Proceed Anyway.”
  Commercially Issued: Login is transparent.
Strategies and Best Practices

Administrator Accounts

As part of the MediaCentral installation process, default administrator accounts are created. After a successful installation, these account passwords must be updated.

• A default operating system account is created on the MediaCentral server using the following credentials:

    user: root
    password: Avid123

  Note that each cluster node will have a similar account.
Port Settings

The following table lists the ports that are required by the MediaCentral server. Check with your Avid representative for the exact configuration.
Security Risk Assessment

The following table describes how MediaCentral addresses security risks as described in the Open Web Application Security Project (OWASP). Each threat is a link to the corresponding section of the project Web site, available at https://www.owasp.org/index.php/Top_10_2010-Main.
Table 5: Security Risk Assessment

Threat: Cross Site Request Forgery
  Risk: Legitimizes forged browser requests
  Typical Security Measures: Unique session or request tokens
  MediaCentral Environment: MediaCentral uses unique user session tokens. All tokens are deleted upon session exit. Session IDs are mapped to specific machines.
  Impact: Low
Threat: Insufficient Transport Layer Protection
  Risk: Unprotected network traffic
  Typical Security Measures: SSL authentications; VPN; Backend SSL transport; Secure database
  MediaCentral Environment: MediaCentral configuration utilizes SSL transport protocol and VPN network access. All access requests to the MediaCentral database require a suitable username and password.
Where to Find More Information

MediaCentral documentation can be found on the Avid Customer Support Knowledge Base. Version 2.0 documentation is located here:

http://avid.force.com/pkb/articles/en_US/readme/Avid-MediaCentral-Version-2-0-Documentation

Legal Notices

Copyright © 2014 Avid Technology, Inc. and its licensors. All rights reserved.

Attn. Government User(s). Restricted Rights Legend

U.S. GOVERNMENT RESTRICTED RIGHTS.