Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Month - Day 25 - Pro Audio & Video Packets on the Wire

Published: 2012-10-25
Last Updated: 2012-10-25 17:36:18 UTC
by Richard Porter (Version: 2)
0 comment(s)

Introduction

 

In previous Diary's niche layer 2 protocols for different network areas have been covered. In keeping with that theme, this diary will cover three in particular. Two that are widely deployed (and may already be in your network) protocols and discuss one emerging protocol.

Ethernet truly is everywhere and most everything is converging, if not already, to an Ethernet transport model. You have Data Center Storage [1] [2], Voice over Internet Protocol (VOIP)[3], Infrastructure Management (e.g. SCADA [4]) all converging over that RJ45 and or Fiber port. You may or may not be aware that professional grade audio converged onto Ethernet for a transport many years ago.

There are several transport protocols but the three that we will discuss today are CobraNet [5] [6], Dante [7] [8] and Audio Video Bridging (AVB) [9] [10] [11] [12].

This article will not attempt to explain the protocols but more increase awareness and potential risks.

Cobranet

Let's talk Cobranet, invented in the 1990's by Cirrius Logic and is pretty much the first Audio transport over Ethernet. It is widely deployed and is a pure Open Systems Interconnect (OSI) [13] Model layer 2 protocol. This immediately sense of my PacketSense Danger Sense *Must know more* about how it is deployed.

Deployments may vary and range from converged to closed networks. Since it is an Ethernet Protocol it can co-exist with other Ethernet Traffic. A quick tcpdump run through network captures could tell you if Cobranet is on your network.

tcpdump -vv -e -nn ether proto 0x8819

Dante

Dante sits at Layer three in the OSI model [13] and is more of a VOIP style play. They recommend and use VOIP style of Quality of Service mechanisms. You can find a great technology overview of Dante @ www.audinate.com/index.php.

Registering to get access to Dante documentation and marketing/white paper material was easy. This protocol however might be harder to find. It can use both Multicast  [14] and Unicast traffic and looks to be customizable. I will admin openly that I have 0 experience in deploying or working with Dante but thought it important to include it's existence.

AVB

Audio Video bridging is the heart of what needed to be discussed today. This protocol is heading to a car near you :) among many other possible solutions. Today AVB is mostly audio but video is quickly ramping up. When first informed about the auto industry play with this protocol, it took me by surprise, but one of the heaviest components in a car is the wire harness. This protocol may change that. Now, beyond the scary "Networking in my CAR?????" it has other applications as well.

Both Dante and Cobranet are proprietary protocols, very well designed but not open. AVB is an open set of protocols managed by the IEEE [15] so the competition is now open. One thing that bothered me about this protocol is no security controls. Having some contacts in the AVNu alliance [10] and with the IEEE working group [15] this has been brought up.

There are several different protocols to snoop for but fortunately you are likely to not have this in your network just yet. The protocol is just ramping up. It is designed to converge with what the Pro Audio Space call "Legacy" traffic :) or email, web, etc. The AVNu team contributed time to the Wireshark group and latest versions of Wireshark parse this protocol. 

The AVNu Alliance has a great list of resources to better understand AVB Itself @ www.avnu.org/resource_library

 

Conclusion

Cyber Security Awareness tip for day 25, EVERYTHING is converging onto Ethernet… And some don't think about the risks of converged networking. Be aware of the nuance protocols and services that may make it into your environment!

 

Web References

 

[1] http://tools.ietf.org/html/rfc3720

[2] http://en.wikipedia.org/wiki/Fibre_Channel_over_Ethernet

[3] http://en.wikipedia.org/wiki/Voice_over_IP

[4] http://en.wikipedia.org/wiki/SCADA

[5] http://en.wikipedia.org/wiki/CobraNet

[6] http://www.cobranet.info

[7] http://en.wikipedia.org/wiki/Dante_(networking)

[8] http://www.audinate.com/index.php?option=com_content&view=article&id=138

[9] http://en.wikipedia.org/wiki/Audio_Video_Bridging

[10] http://www.avnu.org

[11] http://www.ieee802.org/1/pages/avbridges.html

[12] http://www.wireshark.org/lists/wireshark-bugs/201005/msg00292.html

[13] http://en.wikipedia.org/wiki/OSI_model

[14] http://datatracker.ietf.org/wg/magma/charter/

[15] http://www.ieee802.org/1/pages/avbridges.html 

 

 

Richard Porter 

--- ISC Handler on Duty

Twitter: @packetalien

Email: richard at isc dot sans dot edu

0 comment(s)
ISC StormCast for Thursday, October 25th 2012 http://isc.sans.edu/podcastdetail.html?id=2896
Diary Archives