
Security Zones - Non IP Exposure

  • 1.  Security Zones - Non IP Exposure

    Posted 07-03-2017 02:29

    I have a problem a number of people must have found a way to resolve.


    How to set up zones which are also interlinked by non TCP/IP connections.


    In general terms, from a security zone point of view, I classify devices as


    • Trusted - workstations and ethernet printers. Workstations use biometric 2FA, and, subject to practicalities and real world benefits, will be controlled by an Azure AD server. Approved wireless devices have access to a controlled wireless network.
    • Careful - smart devices that are part of the main workflow and are physically and functionally connected to Trusted devices. These include Smart TVs running BI displays, audio sub systems that have IP and HDMI capability (IP is both wired, and wireless/bluetooth) and some convenience devices.
    • Dodgy - blackbox playout equipment, typically handling encrypted streaming media. I have no idea about potential vulnerabilities, but am suspicious that security is not high on the supplier's list of priorities.

    The problem is that there is a duplicate HDMI network linking most of the equipment as well as the IP network. And then there is the convenience of being able to cast from a trusted device to a non-trusted device.


    It makes me wonder if all the devices should be classified Dodgy, which would be seriously inconvenient. Telcos and production houses must face this dilemma all the time. Is there any guidance?




  • 2.  RE: Security Zones - Non IP Exposure

    Posted 07-03-2017 14:08

    Seems like you have it set up pretty good. However, can you expand a little bit on what you are noticing or observing that is giving you pause? If the traffic is non-IP, are you referring to Layer 2? If not, then what non-IP traffic that goes through the SRX are you referring to that is not already covered by UTM functions? I suspect you are looking at HDMI Ethernet and Audio Return Channel (HEAC). If it is with HDMI-2-Ethernet, then you have control over that. So if that is in relation to web-enabled Smart TVs, that is IP, but that is not your concern. I am wondering if you are worried that an attacker could send some code to compromise a smart TV etc. and then possibly further escalate and take over control and thereby access the Ethernet network, which you would still have protection on. If the non-IP traffic is not passing through the SRX, then can you explain what function of the SRX could be unlocked to provide that protection?

  • 3.  RE: Security Zones - Non IP Exposure

    Posted 07-04-2017 05:26

    Thanks for your interest.

    My background is application development rather than network engineering, so make no assumptions about what I know; normally I explain to a networks person what functionality I need, and they implement it. Now I must do this for myself.

    Several issues concern me.

    • More than just A/V is being passed through the HDMI 2 network. Quite a lot of kit is from Sony and the devices pass control signals between themselves, transparently, using mostly HDMI, but not exclusively.
    • I did some WireSharking and was surprised by how much originated from A/V HDMI devices which also have ethernet connections.
    • Smart TVs are very convenient, but they are Android devices, they can handle video decryption, execute apps, control other devices, have wired and wireless Ethernet, Bluetooth, and USB capability and participate in “casting”. Think of them as 4K Android tablets on steroids. But, behaviour-wise, in current street parlance they are THOTs.

    I have deliberately not used HEAC, preferring to avoid unexpected complications. Although what I am experiencing has some reminiscent echoes of HEAC.

    All the devices are connected to the SRX either through Meraki switches or directly into a ge port on the SRX300.

    From time to time I attract attention from people who are generally best avoided.

    I suppose I could look at getting application level control working on either the switch or the SRX and getting a handle on what the Android devices are up to.

    For anybody else considering using smart TVs as monitors, I’d say test the TV first. Most make lousy 4K monitors, and not all display drivers are up to the job as far as scaling is concerned. It is worth spending some time to get it right as the large dumb monitor option is twice the price for a screen no larger than 32/33”.

  • 4.  RE: Security Zones - Non IP Exposure
    Best Answer

    Posted 07-04-2017 14:43

    OK. Then what you need to do is get AppSecure and integrate SkyATP and Spotlight Secure. Do some logging on the zones where those devices are connected and examine the traffic. Then you can get lots of protection. Regular traceoptions and basic-datapath debugging. The most important thing in your case is to look at all the existing vulnerabilities and known exploits. Check if there is some protection available from Juniper (I am pretty sure there is) and you can configure AppSecure, SkyATP and Spotlight to protect your network.
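
    A Junos set-format fragment, added here as an illustration and not taken from the thread, that puts the poster's three classes into SRX zones and turns on the per-zone logging this answer recommends; the zone names, interface numbers and the 192.0.2.x addresses are assumed placeholders.

```junos
## Added example, not the poster's configuration. Zone names, interfaces
## and collector addresses are assumed. Anything riding the HDMI/CEC link
## never crosses the SRX and cannot be logged here; this covers the IP side.

## One zone per class (interface assignments are assumed placeholders)
set security zones security-zone trusted interfaces ge-0/0/1.0
set security zones security-zone careful interfaces ge-0/0/2.0
set security zones security-zone dodgy interfaces ge-0/0/3.0

## AppTrack on the zones holding the smart TVs and playout boxes, so the
## security log records which applications the Android devices use
set security zones security-zone careful application-tracking
set security zones security-zone dodgy application-tracking

## Trusted may cast to Careful; every session is logged at start and end
set security policies from-zone trusted to-zone careful policy cast-out match source-address any
set security policies from-zone trusted to-zone careful policy cast-out match destination-address any
set security policies from-zone trusted to-zone careful policy cast-out match application any
set security policies from-zone trusted to-zone careful policy cast-out then permit
set security policies from-zone trusted to-zone careful policy cast-out then log session-init
set security policies from-zone trusted to-zone careful policy cast-out then log session-close

## Careful and Dodgy may not initiate towards Trusted; log every attempt,
## which is the signal that a compromised TV is probing the workstations
set security policies from-zone careful to-zone trusted policy block-in match source-address any
set security policies from-zone careful to-zone trusted policy block-in match destination-address any
set security policies from-zone careful to-zone trusted policy block-in match application any
set security policies from-zone careful to-zone trusted policy block-in then deny
set security policies from-zone careful to-zone trusted policy block-in then log session-init
set security policies from-zone dodgy to-zone trusted policy block-in match source-address any
set security policies from-zone dodgy to-zone trusted policy block-in match destination-address any
set security policies from-zone dodgy to-zone trusted policy block-in match application any
set security policies from-zone dodgy to-zone trusted policy block-in then deny
set security policies from-zone dodgy to-zone trusted policy block-in then log session-init

## Anything not explicitly matched above is dropped
set security policies default-policy deny-all

## Stream session and AppTrack events off-box to a collector (addresses assumed)
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream avlog category all
set security log stream avlog host 192.0.2.50
```

    Review the collector's output for a week before tightening the trusted-to-careful policy to named applications; the deny logs from careful and dodgy are the ones worth alerting on.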

  • 5.  RE: Security Zones - Non IP Exposure

    Posted 07-05-2017 00:15

    Thanks for your helpful and informative response.


    I had been thinking of upgrading the Juniper licences, so I'll bite the bullet.


    There are also a few things I am looking at automating (coding is as good as a holiday ;-[] ). As soon as Exchange, Office, Azure etc. are involved, "a lot" of addresses need updating on a monthly basis; fortunately MS has an RSS feed that has this information.