Q-SYS Security Best Practices

Video Transcript

00:08
The unique needs of each Q-SYS installation are different, and the level of security required on your system may vary accordingly.
00:15
So for those with a security-centric mindset when implementing networked AV, we’ve compiled a list of best practices to follow when you’re configuring your Q-SYS design.
00:24
Some might seem fairly obvious to the seasoned integrator or IT admin, but there’s others that you may have never considered before.
00:32
The latest versions of Q-SYS Designer software has, as you might expect, the latest security features, patches, and updates for the Q-SYS OS.
00:41
In order to take advantage of those upgrades, you’ll want to update the firmware of your entire system.
00:46
Simply open your running design in the latest version of the software and Save to the Core and Run.
00:53
The Core will notify you that it needs to update its firmware to run this version of your design, which may take a few minutes.
00:59
Once the Core processor is running the latest version of the Q-SYS OS, it passes that version to all of its connected native Q-SYS products,
01:08
which will take at least a few more minutes, so it goes without saying to only do this when your system has planned down-time,
01:15
and not five minutes before it needs to be up and running.
01:19
There are several places in the software that allow you to set up a password to restrict access.
01:25
First and foremost is access to your Core processor.
01:29
You can enable a variety of user access roles by going to the Core Manager, selecting Access Management, and then Users.
01:38
Each user can have their own password and customizable access to key Core features, and the Event Log will keep track of when different users have logged in.
01:47
Without enabling User Access, anyone on your network with the Core’s IP address can get access to your system.
01:54
For peripherals, you can visit their Peripheral Manager page and set a password on their “Device Password” tab, to prevent anyone from changing their settings.
02:06
You can also customize user access to your UCIs, to make sure that only authorized users are able to access your interface.
02:14
This is done within Core Manager, under “User Control Interfaces.”
02:19
Click on the “Edit PINS” button in the top right, and then create your desired user name and PIN.
02:25
If you’re deploying your UCI on a Q-SYS touch screen, you might also want to enable the “Private” option for your UCI,
02:32
which will restrict this UCI from the list of available UCIs visible from the UCI Viewer app or Control app.
02:41
There’s one more place to leverage PINs, and that’s on Page Stations.
02:46
If your system is using Virtual Page Stations you can use your UCI PINs to restrict access to controls, but a physical page station in a public space might need a password of its own.
02:56
In the Administrator under “Page Stations”, you can edit the Security of each physical hardware device to require a User Logon,
03:05
and then choose which users, as established from the Users tab, are allowed to log in to this device.
03:12
Certain installations may require an external control system to control or monitor your Q-SYS system.
03:19
This access should be protected by configuring a User PIN for the external control system.
03:25
In the Q-SYS Administrator, you can establish different Users with their own unique PINs.
03:30
These users, it should be noted, have no association with the user permission roles you establish in the Core Manager.
03:37
Once you’ve created these, any External Control Protocol communication session will have to begin with a proper login with the User PIN associated with the external control system.
03:48
Next, let’s talk about physical precautions you can take.
03:52
Mounting your Q-SYS Core (whenever possible) onto the precarious hair-trigger of a cartoonishly oversized industrial bear trap
03:59
will greatly decrease the likeliness of any theft attempts by nefarious cat burglars.
04:04
QSC also recommends laser spikes and/or alligator sharks.
04:09
Far more importantly, there are a number of settings in Core Manager that you can configure to limit possible points of entry from untrusted sources,
04:18
particularly based on different services that you may or may not be using in your design.
04:25
Whenever possible, synchronize your Core to a trusted NTP server by going to the Core Manager, selecting Network, Date & Time, and then enable NTP Time Synchronization.
04:38
How is that a security risk, you ask?
04:40
Well security certificates often use time and date in their certificate exchange, so an inaccurate clock might result in security certificate negotiation failures.
04:52
Your network may require 802.1X, which is a port-based device authentication, which essentially authenticates every device in order to gain access to the network.
05:02
If this is in use on the network, it needs to be enabled and configured on the Core and all Q-SYS products individually.
05:10
For the Core, visit Core Manager > Network > 802.1X, and then select a LAN and edit the properties to enable it.
05:20
You’ll then need to configure your settings based on your network’s requirements and credentials.
05:25
For peripherals, visit their Peripheral Manager and the 802.1X tab to perform these same operations.
05:33
For systems using VoIP, that softphone is a potential point of entry to your system.
05:37
We recommend only using encrypted Softphone communications with secure ciphers when selecting a VoIP provider.
05:44
Then, within the Core Manager, visit the Telephony tab and edit your softphone’s settings:
05:50
specifically, disable the use of Insecure Ciphers, enable Secure Real-time Transport Protocol (or SRTP) and use Transport Layer Security (or TLS) rather than UDP or TCP.
06:04
Note that some older, legacy VoIP systems may require the use of older, insecure ciphers which is why those are still available for use.
06:13
FTP is often seen as a security risk since it’s been designed for basic, unencrypted file transfer.
06:21
If you have version 9.3 or higher installed, this FTP server has already been deprecated so feel free to tune out.
06:29
On older versions of the software it was available, disabled by default, but you should double-check that it is still disabled.
06:37
If you enter your Core’s IP address followed by /storage_config.html, it will take you to a technician’s screen for the FTP Server.
06:48
Give this a check to make sure your FTP Server, if you’re not using it, is not enabled.
06:55
Similar to FTP, SNMP is a protocol that could be abused to give access to unauthorized users.
07:02
And, like FTP, it is disabled by default on Q-SYS Cores.
07:07
You can check its status by going to the Core Manager > Network > SNMP, and ensuring that Access is disabled.
07:16
If your system requires the monitoring of your Core and peripherals with SNMP,
07:20
we recommend only using SNMP Version 3, and to follow the guidance of your client network’s InfoSec team.
07:29
Your network administrator may be using a certificate authority to identify trusted devices on the network,
07:35
which can be used to provide unique certificates for each Q-SYS Core and Q-SYS Product.
07:41
Once again, you can go to your Core Manager or Peripheral Manager, select the “Certificates” tab,
07:47
and follow the instructions to create a Certificate Signing Request (or CSR),
07:53
and installing the unique certificate that you receive back from the IT department,
07:58
which will confirm to your network resources that this Q-SYS product is authorized to be on the network.
08:05
DNS allows your network devices to connect to external URLs using a Fully Qualified Domain Name (or FQDN) rather than an IP address,
08:15
which is necessary if you’re connecting your system to Q-SYS Reflect Enterprise Manager, or remotely activating software licenses from Core Manager.
08:23
You can configure your DNS server in Core Manager under Network > Basic, and edit the server here along with your IT configuration.
08:33
Potential attackers could use a DNS redirect to compromise network resources, which is why it’s critical to only use trusted DNS servers provided by your IT team.
08:46
If you go to the Core Manager and look under Network > Services, you’ll see a list of active network protocols.
08:54
This might take some coordination with your IT department and AV system designer,
08:58
but there are a number of Q-SYS services enabled on the Core that may not be needed in your system, and can therefore be disabled on the Core.
09:08
For instance, if you’re not controlling your system from an external control device via External Control Protocol, like we mentioned earlier,
09:15
then there’s no reason to keep Port 1702 open for this type of traffic.
09:20
Go to Management and select Edit, and you can disable whichever services are not needed.
09:26
You could also search each protocol individually to see if any of its uses are active in your design.
09:32
If you don’t need Network Cameras, then why keep that service active?
09:37
The more you can close your system off by disabling unnecessary ports and protocols, the happier your IT team is going to be.
09:45
Last but not least, the best way to know about any issues on your system is to actively monitor and manage that system, using Q-SYS Reflect Enterprise Manager.
09:56
Granting Enterprise Manager “Administrator” access to your Core gives you the visibility you need to the health and activity of your Q-SYS Core, peripherals, and third-party devices.
10:07
Q-SYS Reflect is built on a robust, secure infrastructure and has been tested by external cybersecurity professionals. For more information, go to qsc.com/security.
10:18
Implementing these best practices in security, with the help of your IT team, is the best way to keep your Q-SYS system safe and secure.
10:26
Thanks for watching, and we’ll see you next time.