Q-SYS Security Best Practices
Video Transcript
00:08
Each Q-SYS installation has its own unique needs, and the level of security required on your system may vary accordingly.
00:15
 So for those with a security-centric mindset when implementing networked AV, we’ve compiled a list of best practices to follow when you’re configuring your Q-SYS design.
00:24
Some might seem fairly obvious to the seasoned integrator or IT admin, but there are others that you may have never considered before.
00:32
The latest versions of Q-SYS Designer software have, as you might expect, the latest security features, patches, and updates for the Q-SYS OS.
00:41
  In order to take advantage of those upgrades, you’ll want to update the firmware of your entire system. 
00:46
 Simply open your running design in the latest version of the software and Save to the Core and Run. 
00:53
 The Core will notify you that it needs to update its firmware to run this version of your design, which may take a few minutes. 
00:59
 Once the Core processor is running the latest version of the Q-SYS OS, it passes that version to all of its connected native Q-SYS products, 
01:08
which will take at least a few more minutes, so it goes without saying that you should only do this when your system has planned down-time,
01:15
 and not five minutes before it needs to be up and running.
01:19
 There are several places in the software that allow you to set up a password to restrict access. 
01:25
 First and foremost is access to your Core processor.
01:29
 You can enable a variety of user access roles by going to the Core Manager, selecting Access Management, and then Users. 
01:38
 Each user can have their own password and customizable access to key Core features, and the Event Log will keep track of when different users have logged in. 
01:47
 Without enabling User Access, anyone on your network with the Core’s IP address can get access to your system. 
01:54
 For peripherals, you can visit their Peripheral Manager page and set a password on their “Device Password” tab, to prevent anyone from changing their settings.
02:06
 You can also customize user access to your UCIs, to make sure that only authorized users are able to access your interface. 
02:14
 This is done within Core Manager, under “User Control Interfaces.” 
02:19
 Click on the “Edit PINS” button in the top right, and then create your desired user name and PIN. 
02:25
 If you’re deploying your UCI on a Q-SYS touch screen, you might also want to enable the “Private” option for your UCI,
02:32
which will remove this UCI from the list of available UCIs visible from the UCI Viewer app or Control app.
02:41
 There’s one more place to leverage PINs, and that’s on Page Stations. 
02:46
 If your system is using Virtual Page Stations you can use your UCI PINs to restrict access to controls, but a physical page station in a public space might need a password of its own. 
02:56
 In the Administrator under “Page Stations”, you can edit the Security of each physical hardware device to require a User Logon,
03:05
 and then choose which users, as established from the Users tab, are allowed to log in to this device.
03:12
 Certain installations may require an external control system to control or monitor your Q-SYS system. 
03:19
 This access should be protected by configuring a User PIN for the external control system. 
03:25
 In the Q-SYS Administrator, you can establish different Users with their own unique PINs.
03:30
 These users, it should be noted, have no association with the user permission roles you establish in the Core Manager. 
03:37
 Once you’ve created these, any External Control Protocol communication session will have to begin with a proper login with the User PIN associated with the external control system.
03:48
 Next, let’s talk about physical precautions you can take. 
03:52
 Mounting your Q-SYS Core (whenever possible) onto the precarious hair-trigger of a cartoonishly oversized industrial bear trap 
03:59
will greatly decrease the likelihood of any theft attempts by nefarious cat burglars.
04:04
 QSC also recommends laser spikes and/or alligator sharks.
04:09
 Far more importantly, there are a number of settings in Core Manager that you can configure to limit possible points of entry from untrusted sources, 
04:18
 particularly based on different services that you may or may not be using in your design.
04:25
 Whenever possible, synchronize your Core to a trusted NTP server by going to the Core Manager, selecting Network, Date & Time, and then enable NTP Time Synchronization.
04:38
 How is that a security risk, you ask? 
04:40
Well, security certificates often use time and date in their certificate exchange, so an inaccurate clock might result in security certificate negotiation failures.
04:52
Your network may require 802.1X, which is port-based device authentication: essentially, every device must authenticate in order to gain access to the network.
05:02
 If this is in use on the network, it needs to be enabled and configured on the Core and all Q-SYS products individually. 
05:10
 For the Core, visit Core Manager > Network > 802.1X, and then select a LAN and edit the properties to enable it. 
05:20
 You’ll then need to configure your settings based on your network’s requirements and credentials. 
05:25
 For peripherals, visit their Peripheral Manager and the 802.1X tab to perform these same operations.
05:33
 For systems using VoIP, that softphone is a potential point of entry to your system. 
05:37
 We recommend only using encrypted Softphone communications with secure ciphers when selecting a VoIP provider. 
05:44
 Then, within the Core Manager, visit the Telephony tab and edit your softphone’s settings:
05:50
 specifically, disable the use of Insecure Ciphers, enable Secure Real-time Transport Protocol (or SRTP) and use Transport Layer Security (or TLS) rather than UDP or TCP. 
06:04
Note that some older, legacy VoIP systems may require the use of older, insecure ciphers, which is why those are still available for use.
06:13
 FTP is often seen as a security risk since it’s been designed for basic, unencrypted file transfer. 
06:21
If you have version 9.3 or higher installed, this FTP server has already been deprecated, so feel free to tune out.
06:29
On older versions of the software it was available but disabled by default; you should double-check that it is still disabled.
06:37
 If you enter your Core’s IP address followed by /storage_config.html, it will take you to a technician’s screen for the FTP Server. 
06:48
 Give this a check to make sure your FTP Server, if you’re not using it, is not enabled.
06:55
 Similar to FTP, SNMP is a protocol that could be abused to give access to unauthorized users. 
07:02
 And, like FTP, it is disabled by default on Q-SYS Cores. 
07:07
 You can check its status by going to the Core Manager > Network > SNMP, and ensuring that Access is disabled. 
07:16
 If your system requires the monitoring of your Core and peripherals with SNMP, 
07:20
we recommend using only SNMP Version 3 and following the guidance of your client network’s InfoSec team.
07:29
 Your network administrator may be using a certificate authority to identify trusted devices on the network, 
07:35
 which can be used to provide unique certificates for each Q-SYS Core and Q-SYS Product. 
07:41
 Once again, you can go to your Core Manager or Peripheral Manager, select the “Certificates” tab, 
07:47
 and follow the instructions to create a Certificate Signing Request (or CSR),
07:53
and install the unique certificate that you receive back from the IT department,
07:58
 which will confirm to your network resources that this Q-SYS product is authorized to be on the network.
08:05
 DNS allows your network devices to connect to external URLs using a Fully Qualified Domain Name (or FQDN) rather than an IP address, 
08:15
 which is necessary if you’re connecting your system to Q-SYS Reflect Enterprise Manager, or remotely activating software licenses from Core Manager.
08:23
You can configure your DNS server in Core Manager under Network > Basic, and edit the server there according to your IT configuration.
08:33
 Potential attackers could use a DNS redirect to compromise network resources, which is why it’s critical to only use trusted DNS servers provided by your IT team.
08:46
 If you go to the Core Manager and look under Network > Services, you’ll see a list of active network protocols. 
08:54
 This might take some coordination with your IT department and AV system designer, 
08:58
 but there are a number of Q-SYS services enabled on the Core that may not be needed in your system, and can therefore be disabled on the Core.  
09:08
 For instance, if you’re not controlling your system from an external control device via External Control Protocol, like we mentioned earlier, 
09:15
 then there’s no reason to keep Port 1702 open for this type of traffic. 
09:20
 Go to Management and select Edit, and you can disable whichever services are not needed. 
09:26
 You could also search each protocol individually to see if any of its uses are active in your design. 
09:32
 If you don’t need Network Cameras, then why keep that service active? 
09:37
 The more you can close your system off by disabling unnecessary ports and protocols, the happier your IT team is going to be.
09:45
 Last but not least, the best way to know about any issues on your system is to actively monitor and manage that system, using Q-SYS Reflect Enterprise Manager. 
09:56
Granting Enterprise Manager “Administrator” access to your Core gives you the visibility you need into the health and activity of your Q-SYS Core, peripherals, and third-party devices.
10:07
 Q-SYS Reflect is built on a robust, secure infrastructure and has been tested by external cybersecurity professionals. For more information, go to qsc.com/security.
10:18
 Implementing these best practices in security, with the help of your IT team, is the best way to keep your Q-SYS system safe and secure.
10:26
 Thanks for watching, and we’ll see you next time.