Q-SYS Security Best Practices
Video Transcript
00:08
         The unique needs of each Q-SYS installation are different, and the level of security required on your system may vary accordingly.
    00:15
         So for those with a security-centric mindset when implementing networked AV, we’ve compiled a list of best practices to follow when you’re configuring your Q-SYS design.
    00:24
         Some might seem fairly obvious to the seasoned integrator or IT admin, but there are others that you may have never considered before.
    00:32
         The latest versions of Q-SYS Designer software have, as you might expect, the latest security features, patches, and updates for the Q-SYS OS.
    00:41
         In order to take advantage of those upgrades, you’ll want to update the firmware of your entire system. 
    00:46
         Simply open your running design in the latest version of the software and Save to the Core and Run. 
    00:53
         The Core will notify you that it needs to update its firmware to run this version of your design, which may take a few minutes. 
    00:59
         Once the Core processor is running the latest version of the Q-SYS OS, it passes that version to all of its connected native Q-SYS products, 
    01:08
         which will take at least a few more minutes, so it goes without saying that you should only do this when your system has planned downtime,
    01:15
         and not five minutes before it needs to be up and running.
    01:19
         There are several places in the software that allow you to set up a password to restrict access. 
    01:25
         First and foremost is access to your Core processor.
    01:29
         You can enable a variety of user access roles by going to the Core Manager, selecting Access Management, and then Users. 
    01:38
         Each user can have their own password and customizable access to key Core features, and the Event Log will keep track of when different users have logged in. 
    01:47
         Without enabling User Access, anyone on your network with the Core’s IP address can get access to your system. 
    01:54
         For peripherals, you can visit their Peripheral Manager page and set a password on their “Device Password” tab, to prevent anyone from changing their settings.
    02:06
         You can also customize user access to your UCIs, to make sure that only authorized users are able to access your interface. 
    02:14
         This is done within Core Manager, under “User Control Interfaces.” 
    02:19
         Click on the “Edit PINS” button in the top right, and then create your desired user name and PIN. 
    02:25
         If you’re deploying your UCI on a Q-SYS touch screen, you might also want to enable the “Private” option for your UCI,
    02:32
         which will restrict this UCI from the list of available UCIs visible from the UCI Viewer app or Control app.
    02:41
         There’s one more place to leverage PINs, and that’s on Page Stations. 
    02:46
         If your system is using Virtual Page Stations, you can use your UCI PINs to restrict access to controls, but a physical page station in a public space might need a password of its own.
    02:56
         In the Administrator under “Page Stations”, you can edit the Security of each physical hardware device to require a User Logon,
    03:05
         and then choose which users, as established from the Users tab, are allowed to log in to this device.
    03:12
         Certain installations may require an external control system to control or monitor your Q-SYS system. 
    03:19
         This access should be protected by configuring a User PIN for the external control system. 
    03:25
         In the Q-SYS Administrator, you can establish different Users with their own unique PINs.
    03:30
         These users, it should be noted, have no association with the user permission roles you establish in the Core Manager. 
    03:37
         Once you’ve created these, any External Control Protocol communication session will have to begin with a proper login with the User PIN associated with the external control system.
    03:48
         Next, let’s talk about physical precautions you can take. 
    03:52
         Mounting your Q-SYS Core (whenever possible) onto the precarious hair-trigger of a cartoonishly oversized industrial bear trap 
    03:59
         will greatly decrease the likelihood of any theft attempts by nefarious cat burglars.
    04:04
         QSC also recommends laser spikes and/or alligator sharks.
    04:09
         Far more importantly, there are a number of settings in Core Manager that you can configure to limit possible points of entry from untrusted sources, 
    04:18
         particularly based on different services that you may or may not be using in your design.
    04:25
         Whenever possible, synchronize your Core to a trusted NTP server by going to the Core Manager, selecting Network, Date & Time, and then enable NTP Time Synchronization.
    04:38
         How is that a security risk, you ask? 
    04:40
         Well, security certificates often use time and date in their certificate exchange, so an inaccurate clock might result in security certificate negotiation failures.
    04:52
         Your network may require 802.1X, which is port-based device authentication: essentially, every device must authenticate in order to gain access to the network.
    05:02
         If this is in use on the network, it needs to be enabled and configured on the Core and all Q-SYS products individually. 
    05:10
         For the Core, visit Core Manager > Network > 802.1X, and then select a LAN and edit the properties to enable it. 
    05:20
         You’ll then need to configure your settings based on your network’s requirements and credentials. 
    05:25
         For peripherals, visit their Peripheral Manager and the 802.1X tab to perform these same operations.
    05:33
         For systems using VoIP, that softphone is a potential point of entry to your system. 
    05:37
         We recommend only using encrypted Softphone communications with secure ciphers when selecting a VoIP provider. 
    05:44
         Then, within the Core Manager, visit the Telephony tab and edit your softphone’s settings:
    05:50
         specifically, disable the use of Insecure Ciphers, enable Secure Real-time Transport Protocol (or SRTP) and use Transport Layer Security (or TLS) rather than UDP or TCP. 
    06:04
         Note that some older, legacy VoIP systems may require the use of older, insecure ciphers, which is why those are still available for use.
    06:13
         FTP is often seen as a security risk since it’s been designed for basic, unencrypted file transfer. 
    06:21
         If you have version 9.3 or higher installed, this FTP server has already been deprecated, so feel free to tune out.
    06:29
         On older versions of the software it was available, disabled by default, but you should double-check that it is still disabled. 
    06:37
         If you enter your Core’s IP address followed by /storage_config.html, it will take you to a technician’s screen for the FTP Server. 
    06:48
         Give this a check to make sure your FTP Server, if you’re not using it, is not enabled.
    06:55
         Similar to FTP, SNMP is a protocol that could be abused to give access to unauthorized users. 
    07:02
         And, like FTP, it is disabled by default on Q-SYS Cores. 
    07:07
         You can check its status by going to the Core Manager > Network > SNMP, and ensuring that Access is disabled. 
    07:16
         If your system requires the monitoring of your Core and peripherals with SNMP, 
    07:20
         we recommend only using SNMP Version 3, and following the guidance of your client network’s InfoSec team.
    07:29
         Your network administrator may be using a certificate authority to identify trusted devices on the network, 
    07:35
         which can be used to provide unique certificates for each Q-SYS Core and Q-SYS Product. 
    07:41
         Once again, you can go to your Core Manager or Peripheral Manager, select the “Certificates” tab, 
    07:47
         and follow the instructions to create a Certificate Signing Request (or CSR),
    07:53
         and install the unique certificate that you receive back from the IT department, 
    07:58
         which will confirm to your network resources that this Q-SYS product is authorized to be on the network.
    08:05
         DNS allows your network devices to connect to external URLs using a Fully Qualified Domain Name (or FQDN) rather than an IP address, 
    08:15
         which is necessary if you’re connecting your system to Q-SYS Reflect Enterprise Manager, or remotely activating software licenses from Core Manager.
    08:23
         You can configure your DNS server in Core Manager under Network > Basic, and edit the server here along with your IT configuration. 
    08:33
         Potential attackers could use a DNS redirect to compromise network resources, which is why it’s critical to only use trusted DNS servers provided by your IT team.
    08:46
         If you go to the Core Manager and look under Network > Services, you’ll see a list of active network protocols. 
    08:54
         This might take some coordination with your IT department and AV system designer, 
    08:58
         but there are a number of Q-SYS services enabled on the Core that may not be needed in your system, and can therefore be disabled on the Core. 
    09:08
         For instance, if you’re not controlling your system from an external control device via External Control Protocol, like we mentioned earlier, 
    09:15
         then there’s no reason to keep Port 1702 open for this type of traffic. 
    09:20
         Go to Management and select Edit, and you can disable whichever services are not needed. 
    09:26
         You could also search each protocol individually to see if any of its uses are active in your design. 
    09:32
         If you don’t need Network Cameras, then why keep that service active? 
    09:37
         The more you can close your system off by disabling unnecessary ports and protocols, the happier your IT team is going to be.
    09:45
         Last but not least, the best way to know about any issues on your system is to actively monitor and manage that system, using Q-SYS Reflect Enterprise Manager. 
    09:56
         Granting Enterprise Manager “Administrator” access to your Core gives you the visibility you need into the health and activity of your Q-SYS Core, peripherals, and third-party devices. 
    10:07
         Q-SYS Reflect is built on a robust, secure infrastructure and has been tested by external cybersecurity professionals. For more information, go to qsc.com/security.
    10:18
         Implementing these best practices in security, with the help of your IT team, is the best way to keep your Q-SYS system safe and secure.
    10:26
         Thanks for watching, and we’ll see you next time.