Look around any room and you’ll see a number of network-capable devices beyond just computers. Thermostats, light fixtures, appliances, TVs, and more are now standard residents of an expanding repertoire of “IoT” (Internet of Things) devices. The same is true in the production space.
Just a decade ago, only computers, lighting fixtures, and consoles were on networks. Now, just about everything is. While that makes the tech world far more flexible, user-friendly, and capable, it also makes it more susceptible to network-related security issues, and that is an aspect of church technology that the modern production manager or tech director has been forced to embrace quickly.
“The same attention that we give to audio clarity or video quality should also apply to network integrity,” states Sam Anderson, the production systems engineer at Indianapolis-based multisite Traders Point Community Church, “because if the network goes down, the service could grind to a halt. Vigilance in modern AVL network security isn’t just about paranoia; it’s about stewardship. We all have a responsibility to protect our infrastructure and the ministries that they support.”
While most gear, from wireless mic receivers to video cameras, can be put on a network for management, monitoring, and control, that doesn’t mean those devices need to sit on a network that is reachable from the public internet. Knowing which devices should and shouldn’t be exposed is the first major step in maintaining a secure AV network.
“The truth is, most AVL gear has no need to hit the internet,” Anderson continues. “The fewer routes into your system, the lower the risk.”
Shawn Kirsch, the tech director at South Dakota’s Ransom Church, agrees.
“Any network is just a way for different devices to communicate with each other, but not all devices need to talk to the outside world over the internet,” he points out. “While internet-connected devices have grown to have a robust set of tools to detect malicious activity and protect against it, AVL networks are less likely to have the same kind of protections.”
After determining which AV devices, whether computers or streaming encoders or something in between, genuinely need to reach the public internet, the next step is to make sure that access to those devices, and to the accounts used to manage them, is actually secured. That is where many tech teams get tripped up.
“This is probably one of the most challenging components [of AV network security]: the people that need access,” says Bill Morrison, the IT Director at Raleigh, NC’s Hope Community Church.
Morrison went on to point out some of the numerous issues that can exist with device security in many ministries.
Teams that rely on volunteers or multiple operators may share passwords for computers, or choose passwords so simple to remember that they are easily guessed. Computers or tablets may be used for other purposes between Sundays, and the people using them may be less careful about keeping them secure. Two-factor or multi-factor authentication (2FA or MFA) may be tied to the phone number or email address of someone who isn’t regularly available, so that protection ends up being disabled for logins.
Ultimately, as TPCC’s Anderson states, “The big challenge here is balancing convenience with accountability.” Ministries need to keep moving with a variety of users from week-to-week, but that shouldn’t result in guardrails being fully removed. “Convenience should never come at the cost of security,” he goes on. “It just takes a bit of intentional setup to get both.”
This may mean that computers are set up with separate user accounts at different permission levels, so that each operator has only the access their role needs. Perhaps only staff or more seasoned volunteers are given passwords to critical pieces of equipment. And a team might rotate passwords and login details on a regular cycle and use a password manager to keep track of them.
The security process also requires intentionality in maintaining and updating device firmware and software. Best practice is, whenever possible, to disable automatic updates on production machines so they don’t reboot themselves at the most inconvenient time imaginable (which Murphy’s Law dictates they would, obviously). Turning automatic updates off only works, though, if a deliberate schedule takes their place.
An effective maintenance practice would then involve regular weekly or bi-weekly checks for updates, as early in the week as possible, with time set aside to read the release notes, see which security fixes are included, and identify potential compatibility issues with critical software or hardware interfaces. Being prompt with updates to close security gaps is important, but applying them before they have been vetted against the rest of the system is not helpful, and an update held back for compatibility reasons should be tracked until it can be applied rather than forgotten.
For ministries with numerous devices, it may be difficult to touch each of them regularly to check for critical updates, and this is where a subscription-based Mobile Device Management (MDM) platform can help, since updates and settings are then handled from one central management portal.
Whether it is done by an individual or a managed system, having a process for maintenance and updates leads logically to the next important piece of the security pie: having documentation for the network itself.
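The vetting step described above can be made routine with a small script. The following is an added example, not code from the article or from any vendor: given the firmware each device currently runs and a vendor release feed, it separates updates that carry security fixes from routine ones and holds back any update whose requirements the booth’s companion software does not yet meet. Every device name, version, release note and companion-software requirement below is constructed for illustration.

```python
"""Firmware update triage for an AVL rack (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field


def parse_version(text: str) -> tuple[int, ...]:
    """'2.10.1' -> (2, 10, 1): compare numerically, so 2.10 is newer than 2.9."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Release:
    version: str
    notes: str
    # Minimum versions of companion software this release needs (constructed).
    requires: dict[str, str] = field(default_factory=dict)

    def is_security_fix(self) -> bool:
        """Crude release-note scan; a real vendor feed may expose a flag instead."""
        text = self.notes.lower()
        return any(k in text for k in ("security", "vulnerab", "cve-"))


@dataclass
class Device:
    name: str
    model: str
    firmware: str


# Constructed inventory of what is on the rack today.
DEVICES = [
    Device("stage-left-rx", "wireless-rx", "2.1.0"),
    Device("broadcast-cam-1", "ptz-cam", "1.4.2"),
    Device("stream-encoder", "encoder", "3.0.5"),
]

# Constructed vendor feed, keyed by model; names and notes are invented.
RELEASES = {
    "wireless-rx": [
        Release("2.1.0", "Bug fixes"),
        Release("2.2.0", "Adds Dante domain support"),
        Release("2.2.1", "Security fix for web UI authentication bypass",
                requires={"control-app": "5.0"}),
    ],
    "ptz-cam": [Release("1.4.2", "Bug fixes"), Release("1.5.0", "New color profiles")],
    "encoder": [Release("3.0.5", "Bug fixes")],
}

# Constructed: companion software versions currently installed in the booth.
INSTALLED_SOFTWARE = {"control-app": "4.8"}


def triage(devices: list[Device], releases: dict[str, list[Release]],
           installed: dict[str, str]) -> dict[str, dict]:
    """Return an update plan keyed by device name."""
    plan: dict[str, dict] = {}
    for dev in devices:
        current = parse_version(dev.firmware)
        # Every release newer than what is installed, oldest first.
        pending = sorted(
            (r for r in releases.get(dev.model, []) if parse_version(r.version) > current),
            key=lambda r: parse_version(r.version),
        )
        if not pending:
            plan[dev.name] = {"action": "up to date", "target": dev.firmware,
                              "security": False, "blockers": []}
            continue
        target = pending[-1]
        # Jumping from the installed build to the newest picks up every
        # intermediate release, so a security fix anywhere in between counts.
        security = any(r.is_security_fix() for r in pending)
        blockers = []
        for rel in pending:
            for software, needed in rel.requires.items():
                have = installed.get(software)
                if have is None or parse_version(have) < parse_version(needed):
                    blockers.append(f"{software} {have or 'missing'} < {needed}")
        if blockers:
            action = "hold until companion software is upgraded"
        elif security:
            action = "apply this week (security fix)"
        else:
            action = "apply at next maintenance window"
        plan[dev.name] = {"action": action, "target": target.version,
                          "security": security, "blockers": blockers}
    return plan


if __name__ == "__main__":
    for name, item in triage(DEVICES, RELEASES, INSTALLED_SOFTWARE).items():
        flag = "SECURITY " if item["security"] else ""
        extra = f" [{'; '.join(item['blockers'])}]" if item["blockers"] else ""
        print(f"{name:16} -> {item['target']:7} {flag}{item['action']}{extra}")
```

The point of the output is the third case: the receiver has a pending security fix, but that fix needs a newer control application than the booth has, so the script flags it as held rather than silently applying it or silently skipping it. A held security fix is exactly the item the weekly check should keep coming back to.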
Does the tech team know how many devices are on the network and what they all do? Is there a clear system for assigning static IP addresses or VLANs to devices? Does someone know exactly which ports on a network switch are configured to allow certain access? Are there clear SOPs (Standard Operating Procedures) that determine necessary steps to take when updating equipment or configuring and adding new devices to the network?
A network is only as good as its level of management, and it must be managed strategically so that all necessary devices can interact without interfering with one another.
“[An AV] network allows signals, whether audio streams, video packets, or DMX lighting packets to flow between devices,” explains Hope’s Morrison. “In addition, there are typically control and configuration packets that allow end devices to be manipulated and modified. And while for a time even the most basic switched network can appear to handle the workload, adding additional devices or types of signaling can quickly introduce instability and incompatibility, disrupting critical and previously 'working' systems.”
In essence, if there’s no plan for how to manage all the necessary devices on a network and their associated traffic requirements, then something as simple as adding a new device could be what causes the whole thing to collapse like a house of cards.
This is where VLANs (Virtual LANs) come in: segmenting a physical network into separate virtual networks keeps devices in their lanes and limits the damage a misbehaving or compromised device can do to the rest of the network if something bad does happen.
TPCC’s Anderson helps explain. “VLANs can help create walls, while still being in the same house (physical switch). You can add doors into rooms that have been walled off. Or, you can keep the room isolated, without windows or walls. But it is all still a part of the same house. This separation of networks not only prevents unnecessary visibility between systems, but keeps traffic cleaner. If one room of the house catches fire, you don’t want it to spread through the whole house, [and] VLANs can help make sure that it doesn’t.”
If certain devices must be reachable from the public internet (a streaming encoder or a remotely managed login, for example), they can be placed in their own VLAN, so that if one of them is compromised the attacker doesn’t get a direct path to the other devices sharing the same switch. A VLAN on its own only separates the traffic, though; whatever routes between VLANs (the firewall or Layer 3 switch) must also be configured to allow only the traffic that is actually needed.
Setting VLANs is done through a network switch’s management portal, and this is the same place another critical step can be taken: disabling any unused ports, so that a rogue device can’t simply be plugged in and cause havoc. To do this effectively, though, one must keep an up-to-date list of the devices on the network and the ports they occupy, again putting emphasis on the backend effort of documentation and management.
For many techs, especially those whose teams have little or no IT staff or experience, adding network management to an already full plate of production duties can seem daunting or overwhelming, particularly given how quickly the networking world changes and how the number and complexity of networked devices keep growing.
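The documentation questions raised earlier (how many devices, which VLAN and static address each one has, which switch ports are in use), the rule that internet-facing devices belong in their own VLAN, and the step of shutting down unused ports can all be checked from one inventory file. The following is an added example, not code from the article or from any switch vendor: it compares the team’s documented inventory with a subnet plan and with what the switch reports, then lists what needs fixing. The VLAN plan, inventory and switch port table are constructed for illustration, and the command strings it produces are a hypothetical generic syntax, not any real switch’s CLI.

```python
"""Switch port and VLAN audit against the team's own documentation (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed VLAN plan: one subnet per VLAN, plus one VLAN reserved for the
# few devices that must be reachable from the internet.
VLANS = {
    10: ("audio", "10.10.10.0/24"),
    20: ("video", "10.10.20.0/24"),
    30: ("lighting", "10.10.30.0/24"),
    90: ("internet-facing", "10.10.90.0/24"),
}
INTERNET_FACING_VLAN = 90


@dataclass
class Entry:
    port: int
    device: str
    vlan: int
    ip: str
    needs_internet: bool = False


# Constructed documented inventory, as the team keeps it.
INVENTORY = [
    Entry(1, "foh-console", 10, "10.10.10.5"),
    Entry(2, "stage-rx-1", 10, "10.10.10.21"),
    Entry(3, "ptz-cam-1", 20, "10.10.20.11"),
    Entry(4, "stream-encoder", 20, "10.10.20.50", needs_internet=True),
    Entry(5, "lighting-node", 30, "10.10.20.77"),  # typo: video subnet, lighting VLAN
]

# Constructed switch state: port -> (link up, admin enabled, access VLAN).
SWITCH_PORTS = {
    1: (True, True, 10),
    2: (True, True, 10),
    3: (True, True, 10),   # configured for the wrong VLAN
    4: (True, True, 20),
    5: (True, True, 30),
    6: (True, True, 1),    # link up on a port nobody documented
    7: (False, True, 1),   # empty but still enabled
    8: (False, False, 1),  # empty and shut down: correct
}


def audit(inventory: list[Entry], switch_ports: dict[int, tuple[bool, bool, int]],
          vlans: dict[int, tuple[str, str]], internet_vlan: int) -> dict[str, list]:
    """Compare documentation with the switch and return findings by category."""
    findings: dict[str, list] = {
        "ip_outside_subnet": [], "internet_facing_wrong_vlan": [],
        "vlan_mismatch": [], "rogue_ports": [], "unused_enabled_ports": [],
    }
    documented = {e.port for e in inventory}
    for e in inventory:
        subnet = ipaddress.ip_network(vlans[e.vlan][1])
        if ipaddress.ip_address(e.ip) not in subnet:
            findings["ip_outside_subnet"].append(e.device)
        if e.needs_internet and e.vlan != internet_vlan:
            findings["internet_facing_wrong_vlan"].append(e.device)
        if e.port in switch_ports and switch_ports[e.port][2] != e.vlan:
            findings["vlan_mismatch"].append(e.port)
    for port, (link_up, enabled, _vlan) in switch_ports.items():
        if port in documented:
            continue
        if link_up:
            findings["rogue_ports"].append(port)  # something undocumented is plugged in
        elif enabled:
            findings["unused_enabled_ports"].append(port)
    return findings


def shutdown_commands(ports: list[int]) -> list[str]:
    """Hypothetical generic syntax; translate to your switch's real CLI."""
    return [f"interface {p}; shutdown" for p in ports]


if __name__ == "__main__":
    result = audit(INVENTORY, SWITCH_PORTS, VLANS, INTERNET_FACING_VLAN)
    for category, items in result.items():
        print(f"{category}: {items}")
    print("\n".join(shutdown_commands(result["unused_enabled_ports"])))
```

Run against the constructed data it reports five distinct problems: a lighting node documented with a video-subnet address, the encoder that needs internet access but sits in the video VLAN, a camera port whose VLAN disagrees with the paperwork, a live link on an undocumented port, and one empty port that was never shut down. The audit is only as good as the inventory it reads, which is the article’s point: the paperwork is what makes the switch settings checkable.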
The key, says Anderson, is to tackle it just like any other tech issue.
“In the same way that production learned video routers and audio matrices like the back of our hands, networks and network switches are the modern-day equivalent to this,” he says. “If we can learn gain structure and DMX addressing, we can learn IP addresses too; it’s just another signal flow. Knowing even a basic grasp of networking (like IP addressing, subnetting, VLANs, and the switch topology and hardware itself) empowers tech teams to make smarter decisions. That little bit of IT knowledge turns ‘network problems’ into just another production challenge that you can solve.”