Barco NCN-100 User manual

Security Document weConnect R5910248 00
P 1 / 7
Barco nv | Beneluxpark 21 | B-8500 Kortrijk | Belgium
Registered office: President Kennedypark 35 | B-8500 Kortrijk | Belgium
IBAN BE49 3850 5234 2071 BBRUBEBB | VAT BE 0473.191.041 | RPR Gent, Section Kortrijk
www.barco.com
DRAFT
Revision History
Revision | Release Date | Issuer        | Description
00.00    | 27-04-2018   | Karel Buijsse | Initial version
weConnect Security
Table of Contents
Revision History (p. 1)
Table of Contents (p. 2)
1 Introduction (p. 3)
2 weConnect components (p. 3)
3 Users and BYOD (p. 4)
4 Display Nodes (p. 4)
4.1 Network connectivity and services (p. 4)
4.2 Physical security and access (p. 4)
5 Local Area Network (p. 5)
6 weConnect Cloud Service (p. 5)
7 weConnect upgrade cloud (p. 6)
8 Remote maintenance (p. 6)
9 Barco Security Policy (p. 7)
1 Introduction
weConnect is a subscription service designed to foster increased interaction and engagement during real-time lectures in classrooms, between classrooms, and between classrooms and individual users. The goal is to support novel teaching styles that improve student outcomes while allowing the teacher to stay in full control at all times. The solution has been designed to be secure and highly available according to the Service Level Agreements (SLA) laid out in our offering. It focuses on ease of use and on lowering the cognitive load that technology brings into the teacher's lecture. It has not been designed for formal assessment taking or proctoring.
weConnect deals with personal data of individuals participating in the lectures and has therefore been designed with the EU GDPR (Regulation EU 2016/679) in mind.
2 weConnect components
Teachers, students and facility managers have access to weConnect. All users access the system via a Google Chrome browser, which should be kept up to date for the users' own security. Facility managers may use an encapsulated browser application, the Barco Pairing Tool, for initial setup. This application allows them to pair all local display nodes with their account in the weConnect cloud.
Display nodes are connected to the displays and are the core of the visualization features of the solution. Users share content from their own devices (BYOD) to the display nodes via the device's embedded screen sharing capabilities, for instance AirPlay for Apple devices, or via a third-party application called MirrorOP.
The user interfaces and the control of display nodes are handled by a cloud service.
Below is a simplified connection diagram showing the different components and typical secure network
configuration.
3 Users and BYOD
Users connect to the system via a recent Chrome browser. The connection is established over TLS 1.2 and uses secure websockets for the control-plane data. The browser content preview comes directly from the display nodes on the local area network over a plain HTTP connection; a session ID key in the URL prevents other users from obtaining this content by simply guessing URLs. The session ID key is delivered over the TLS connection after authentication and access to the user interface. Note what this protects against: the session ID defends against URL guessing, not against someone who can observe traffic on the same network segment, which is why the VLAN separation described in section 5 matters.
In general all media is transported only over the university network for local participants. The exception is the screenshot downloads for the whiteboards, which come through the secure cloud connection. For connections over the internet weConnect uses WebRTC and relies on the WebRTC security implementation provided by Chrome. Barco advises users to always use the most recent Chrome version available.
Content sharing on the local network uses MirrorOP, AirPlay or Chromecast. For remote learning, where users are not on the local network, WebRTC connections are used for content sharing.
4 Display Nodes
4.1 Network connectivity and services
Display nodes share media streams between nodes to enable weConnect features such as share-to-all, viewing student pods on main displays and remote learning connectivity. Streams that stay on the local network use the RTSP protocol with unencrypted unicast RTP streams; there are no specific security measures on the RTSP server. The compensating layer of defense is the local network design: placing all display nodes in a separate VLAN prevents users from reaching the RTP streams.
Display nodes upload a screenshot of what is on screen to the cloud over the secure TLS connection, for annotation purposes.
Display nodes provide a low-framerate JPEG preview of the content on the main classroom display, served from a URL that contains a unique user session ID valid until the session terminates, to minimize the window for URL guessing.
Each display node runs a firewall that blocks everything except the essential communication services. A Fail2ban service automatically bans IP addresses that make too many access attempts against the secure shell port 22 (SSH).
Authenticated direct local access to the device via a maintenance web server over HTTPS is available up to Display Node version NRCv1.6 and will be removed from version NRCv1.7 onwards.
A secure shell service is active on the device, but requires port knocking before a user is allowed to attempt a connection.
Refer to the weConnect Administration Manual for the full list of ports that Display Nodes need for proper functioning in weConnect.
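The two controls in front of the secure shell port described above (port knocking before a connection attempt is allowed, and Fail2ban-style banning after repeated failures) combine into one access decision. The following is an added example, not Barco's implementation or configuration: it models that decision in Python, with assumed knock ports, thresholds and constructed sshd log lines.

```python
"""SSH access gate for a display node: port knocking in front of sshd plus Fail2ban-style banning.

Added example, not Barco code. It models the two controls described above for the secure
shell port: a source must first complete a knock sequence before the firewall lets it reach
port 22, and a source that keeps failing authentication is banned for a while. The knock
ports, thresholds and the sshd log lines in demo() are constructed assumptions.
"""
import re
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock ports, not Barco's
KNOCK_TIMEOUT = 10.0                 # seconds allowed between two knocks
OPEN_WINDOW = 30.0                   # seconds port 22 stays reachable after a good sequence
MAX_FAILURES = 3                     # failed logins within FAIL_WINDOW that trigger a ban
FAIL_WINDOW = 600.0                  # seconds
BAN_TIME = 3600.0                    # seconds
SSH_PORT = 22

# Shape of a failed-login line from sshd as written to /var/log/auth.log on Debian.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


class SshGate:
    def __init__(self):
        self._progress = defaultdict(int)   # ip -> knocks completed so far
        self._last_knock = {}               # ip -> time of the last counted knock
        self._opened = {}                   # ip -> time the full sequence completed
        self._failures = defaultdict(list)  # ip -> timestamps of failed logins
        self._banned_until = {}             # ip -> end of ban

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # ban has lapsed
            del self._banned_until[ip]
            return False
        return True

    def knock(self, ip, port, now):
        """Record a packet to a closed port. Returns True when this knock completes the sequence."""
        if self.is_banned(ip, now):
            return False
        step = self._progress[ip]
        if step and now - self._last_knock[ip] > KNOCK_TIMEOUT:
            step = 0                        # too slow: start over
        if port == KNOCK_SEQUENCE[step]:
            step += 1
        else:
            step = 1 if port == KNOCK_SEQUENCE[0] else 0   # wrong port: restart, or reset
        self._last_knock[ip] = now
        completed = step == len(KNOCK_SEQUENCE)
        if completed:
            self._opened[ip] = now
            step = 0
        self._progress[ip] = step
        return completed

    def may_connect(self, ip, port, now):
        """Firewall decision for a SYN to the SSH port: knocked recently and not banned."""
        if port != SSH_PORT or self.is_banned(ip, now):
            return False
        opened = self._opened.get(ip)
        return opened is not None and now - opened <= OPEN_WINDOW

    def observe_log(self, line, now):
        """Fail2ban-style: count failed logins per source; ban after MAX_FAILURES inside FAIL_WINDOW.
        Returns the banned IP when this line triggers a ban, else None."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group(1)
        recent = [t for t in self._failures[ip] if now - t <= FAIL_WINDOW]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self._banned_until[ip] = now + BAN_TIME
            self._failures[ip] = []
            self._opened.pop(ip, None)      # a ban also closes an open knock window
            return ip
        return None


def demo():
    """Walk through the gate with two constructed sources and three constructed auth.log lines."""
    gate = SshGate()
    good, bad = "10.0.5.20", "10.0.5.66"
    for i, port in enumerate(KNOCK_SEQUENCE):             # correct order, within the timeout
        gate.knock(good, port, now=100.0 + i)
    for i, port in enumerate((8000, 7000, 9000)):         # wrong order never opens the port
        gate.knock(bad, port, now=100.0 + i)
    results = {
        "good_open": gate.may_connect(good, SSH_PORT, 103.0),
        "bad_open": gate.may_connect(bad, SSH_PORT, 103.0),
    }
    lines = [f"Mar  1 10:00:0{i} ncn sshd[1234]: Failed password for root from {good} port 5{i}000 ssh2"
             for i in range(3)]
    banned = [gate.observe_log(line, now=110.0 + i) for i, line in enumerate(lines)]
    results["banned_on_third"] = banned == [None, None, good]
    results["good_open_while_banned"] = gate.may_connect(good, SSH_PORT, 113.0)
    results["good_open_after_ban"] = gate.may_connect(good, SSH_PORT, 112.0 + BAN_TIME + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is that the two controls are independent: a correct knock sequence opens a short window, and a ban closes that window regardless of how it was opened, so a source that knocked correctly but then guesses passwords loses access like any other.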
4.2 Physical security and access
The NCN-100 display node has a Kensington lock to deter physical theft. The NCN-210 is rack mountable; preferably, physical access is prevented by securing the equipment rack.
On the NCN-210 the SSD storage can be removed without tools. On the NCN-100 tools are required to open the device.
The BIOS is not password protected and can be altered when a keyboard is attached to the display node. Physical access should be prevented so that users cannot tamper with the BIOS settings.
The display nodes have storage modules which hold configuration data. This data is not encrypted, except for passwords, which are hashed before storing as a standard security measure; everything else on the storage module is readable by whoever obtains the module.
By attaching a USB keyboard it is possible to access a terminal and attempt to log into the device. The service account name and password required for this login are known only to Level 3 escalation engineers and R&D/Product Management.
Root login is disabled by default; the service account can elevate to root privilege for the purpose of accessing log files and restarting services on the device.
5 Local Area Network
The system is designed to work with VLANs where access to each VLAN is restricted, which creates a first layer of defense compared to deploying it on a flat network. Simple inter-VLAN routing can be used to make sure the necessary protocols are supported to allow for service discovery (mDNS/Bonjour). As an additional security measure a proxy server (e.g. Squid) can be configured as the only path for display nodes to reach the cloud services over the internet. This also allows monitoring of the incoming and outgoing traffic. Take into account that remote learning uses WebRTC streams, so the proxy server must be able to handle that traffic.
To create a silo between the users' BYOD devices and the display nodes, weConnect supports the automatic generation of an HAProxy configuration file. This setup creates virtual IPs, each with a corresponding DNS entry, for the designated display nodes. All sharing content goes to the HAProxy, which then forwards it to the actual display nodes on the other VLAN.
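The following is an added example of the HAProxy silo just described, not the generator weConnect ships: a small Python script that renders one listen block per display node and port, bound to that node's virtual IP on the user VLAN and forwarding to the node's real address on the node VLAN, together with the matching DNS records. The inventory, the addresses and the forwarded ports are constructed placeholders; the real port list is in the Administration Manual.

```python
"""Generate an HAProxy configuration that fronts display nodes with per-node virtual IPs.

Added example, not the weConnect generator itself. Each display node on the node VLAN gets
a virtual IP on the user VLAN plus a DNS name; BYOD traffic lands on the VIP and HAProxy
forwards it to the real node, so users never need a route into the node VLAN. The node
inventory, the VIP/node addresses and the forwarded ports are constructed placeholders; the
real port list is in the weConnect Administration Manual.
"""
from ipaddress import ip_address

SHARE_PORTS = (7100, 7236)   # assumed TCP sharing ports, placeholders only

# Constructed inventory: DNS name, virtual IP (user VLAN), real address (node VLAN).
NODES = [
    {"name": "room-101-display", "vip": "10.10.0.11", "node": "10.20.0.11"},
    {"name": "room-102-display", "vip": "10.10.0.12", "node": "10.20.0.12"},
]

GLOBAL_SECTION = """global
    log /dev/log local0
    maxconn 2000
    user haproxy
    group haproxy

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client 60s
    timeout server 60s
"""


def validate(nodes):
    """Refuse malformed addresses and duplicate names or VIPs before any config is written."""
    seen_names, seen_vips = set(), set()
    for n in nodes:
        ip_address(n["vip"])
        ip_address(n["node"])
        if n["name"] in seen_names or n["vip"] in seen_vips:
            raise ValueError(f"duplicate display node entry: {n['name']} / {n['vip']}")
        seen_names.add(n["name"])
        seen_vips.add(n["vip"])


def render(nodes, ports=SHARE_PORTS):
    """Return haproxy.cfg text: one listen block per (node, port), bound to that node's VIP only."""
    validate(nodes)
    sections = [GLOBAL_SECTION]
    for n in nodes:
        for port in ports:
            # Binding on the VIP (not 0.0.0.0) is what keeps traffic for one room's VIP
            # from ever being forwarded to another room's node.
            sections.append(
                f"listen {n['name']}-{port}\n"
                f"    bind {n['vip']}:{port}\n"
                f"    server {n['name']} {n['node']}:{port} check\n"
            )
    return "\n".join(sections)


def dns_records(nodes):
    """Matching A records: user devices resolve the room name to its VIP, never to the node VLAN."""
    return [f"{n['name']}. IN A {n['vip']}" for n in nodes]


if __name__ == "__main__":
    print(render(NODES))
    print("\n".join(dns_records(NODES)))
```

Two design points carry over to any real generator: validate the inventory (duplicate VIPs silently merge two rooms' traffic), and bind each listen block to its own VIP rather than to all addresses. `mode tcp` relays TCP connections only; anything that relies on multicast discovery is not carried by the proxy, which is why each VIP also gets a DNS name.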
6 weConnect Cloud Service
The weConnect cloud runs on Amazon Web Services (AWS). Barco has chosen a cloud-native architecture: packaged containers, dynamically managed, and organized as microservices.
The cloud serves the user interfaces to all users and is connected with all display nodes. All control data connections are encrypted and server-side authenticated using TLS 1.2 (RFC 5246, with the SHA-256 hash function), ECDHE_RSA with P-256 as key exchange, and AES_128_GCM as cipher. The cloud server certificate is provided by Amazon US, carries a sha256RSA signature and an RSA (2048 bits) public key, and is renewed yearly. To access a lecture, users need to provide their credentials for client authentication; the display nodes authenticate at application level with an identity token that was assigned during the initial pairing procedure.
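The TLS parameters listed above are a checkable policy. As an added example (not Barco code), the Python below builds a client context that refuses anything below TLS 1.2 and offers only ECDHE key exchange with AES-GCM suites, and judges the negotiated cipher, protocol and key strength the way a probe of the cloud endpoint would; the triples in demo() are constructed so the check runs offline.

```python
"""Check TLS parameters against the policy stated for the weConnect cloud connections.

Added example, not Barco code. client_context() builds a client that refuses anything below
TLS 1.2 and offers only ECDHE key exchange with AES-GCM suites (ECDHE_RSA / AES_128_GCM as
in the text, plus the 256-bit variant). check_negotiated() judges the (cipher, protocol,
bits) triple that ssl.SSLSocket.cipher() reports after a handshake; the triples in demo()
are constructed so that the check runs without a network connection.
"""
import socket
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
TLS12_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"


def client_context():
    ctx = ssl.create_default_context()   # CA verification and hostname check stay on
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(TLS12_CIPHERS)        # TLS 1.2 list; TLS 1.3 suites are AEAD and (EC)DHE by construction
    return ctx


def check_negotiated(cipher_name, protocol, secret_bits):
    """Return the list of policy violations for a negotiated triple; empty means compliant."""
    problems = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"protocol {protocol} is below TLS 1.2")
    # OpenSSL names: TLS 1.2 ECDHE suites start with "ECDHE-", TLS 1.3 suites with "TLS_".
    if not cipher_name.startswith(("ECDHE-", "TLS_")):
        problems.append(f"{cipher_name} does not use ephemeral ECDHE key exchange")
    if "GCM" not in cipher_name and "CHACHA20" not in cipher_name:
        problems.append(f"{cipher_name} is not an AEAD cipher")
    if secret_bits < 128:
        problems.append(f"only {secret_bits} secret bits")
    return problems


def probe(host, port=443):
    """Live check (not exercised offline): handshake with the policy context and judge the result."""
    ctx = client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            return check_negotiated(name, proto, bits)


def demo():
    """Constructed triples in the shape cipher() returns: the stated suite, a TLS 1.3 suite, a legacy one."""
    return {
        "policy_suite": check_negotiated("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
        "tls13_suite": check_negotiated("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),
        "legacy_suite": check_negotiated("AES128-SHA", "TLSv1.0", 128),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "ok")
```

The certificate properties in the text (sha256RSA signature, 2048-bit RSA key, yearly renewal) are not visible through `cipher()`; checking them needs the peer certificate, which `probe()` could fetch with `tls.getpeercert(binary_form=True)` and hand to an X.509 parser.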
Key components selected for the cloud platform:
- DC/OS as cluster manager with Marathon container management; this will be replaced with Kubernetes in the course of 2018
- MongoDB as document database
- Redis as memory cache/non-persistent database
- PostgreSQL as SQL database
- ELK for logging
- Datadog for infrastructure monitoring
- New Relic for application performance and uptime monitoring
- ElasticSearch for anonymized usage statistics
The cloud is protected by two firewalls. Connections to the compute cluster are distributed via a load balancer, after which individual weConnect business-logic instances make their own connections to the databases, object storage (AWS S3) and the logging, monitoring and alerting services. All connections to backend support services run over encrypted connections, and all actions towards the cloud system are logged for audit purposes.
To provide high availability the system runs in one AWS region (EU Ireland) in a facility with three separated zones, each with its own connectivity and power supply.
A DevOps team monitors and manages these services on a 24/7 basis. DevOps maintains several completely separated cloud instances for development, testing, user acceptance testing (UAT) and production.
For security and privacy reasons only a designated subgroup of the DevOps team has access to the database. R&D and management do not have access to the UAT and production databases.
7 weConnect upgrade cloud
When instructed by the cloud service, the display nodes connect to a Barco Debian update service. They download the firmware, packaged as Debian packages, and install it locally on the display node. Connections to the repository are over port 80 and are not encrypted. Before installation the packages are checked against MD5 hashes to avoid installing wrong or tampered packages. Note what this check covers: a checksum detects accidental corruption and a mismatch between what was published and what was downloaded, but because the checksum travels over the same unauthenticated channel as the package, and MD5 is no longer collision resistant, it is not on its own a guarantee against an attacker positioned on that connection; that guarantee has to come from a signed index (the Release/InRelease signature of a standard Debian repository) or from transport security.
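As an added example of the stronger form of the check just discussed (not Barco's updater), the Python below verifies a downloaded package against one stanza of a Debian `Packages` index: it requires the size and a SHA-256 or SHA-512 digest to match and refuses a stanza that offers only MD5sum. The package bytes and stanzas are constructed; the signature on the index itself is assumed to have been verified before this function runs.

```python
"""Verify a downloaded Debian package against its repository index entry.

Added example, not Barco's updater. It parses one stanza of a Debian "Packages" index (the
RFC 822-style format apt reads), checks the downloaded bytes against the strongest digest
the stanza carries, and refuses a stanza that offers nothing better than MD5sum. Package
bytes and stanzas below are constructed. A digest only proves the download matches the
index; what makes the index trustworthy is the signature on the repository's Release file,
assumed here to have been verified before verify_package() is called.
"""
import hashlib

STRONG_DIGESTS = ("SHA512", "SHA256")   # preferred first; MD5sum is deliberately not on this list


def parse_stanza(text):
    """Turn 'Field: value' lines of one Packages stanza into a dict (no multi-line fields here)."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify_package(data, stanza):
    """Return (ok, reason); ok only when the size and a strong digest both match."""
    f = parse_stanza(stanza)
    if "Size" not in f or int(f["Size"]) != len(data):
        return False, "size mismatch"
    for name in STRONG_DIGESTS:
        expected = f.get(name)
        if expected:
            actual = hashlib.new(name.lower(), data).hexdigest()
            if actual == expected:
                return True, f"{name} ok"
            return False, f"{name} mismatch"
    if "MD5sum" in f:
        return False, "index offers only MD5sum, which is not accepted as proof of integrity"
    return False, "no digest in index entry"


# Constructed sample: a stand-in for a .deb and the index stanzas that describe it.
PACKAGE = b"!<arch>\ndebian-binary   constructed sample, not a real archive\n"
STANZA_STRONG = (
    "Package: weconnect-node\n"
    "Version: 1.6.0-1\n"
    f"Size: {len(PACKAGE)}\n"
    f"MD5sum: {hashlib.md5(PACKAGE).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(PACKAGE).hexdigest()}\n"
)
STANZA_MD5_ONLY = (
    "Package: weconnect-node\n"
    "Version: 1.6.0-1\n"
    f"Size: {len(PACKAGE)}\n"
    f"MD5sum: {hashlib.md5(PACKAGE).hexdigest()}\n"
)


def demo():
    """Genuine download, truncated download, same-size tamper, and an index with MD5 only."""
    tampered_same_size = PACKAGE[:-1] + b"X"
    return {
        "genuine": verify_package(PACKAGE, STANZA_STRONG),
        "truncated": verify_package(PACKAGE[:-5], STANZA_STRONG),
        "tampered": verify_package(tampered_same_size, STANZA_STRONG),
        "md5_only": verify_package(PACKAGE, STANZA_MD5_ONLY),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The size check comes first because it is free and catches truncated downloads before any hashing; the digest loop takes the strongest algorithm the index offers and ignores weaker ones rather than falling back to them.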
8 Remote maintenance
You can allow a designated person from the Barco escalation service group to access a display node from outside the local network to perform remote service actions.
This service is based on Teleport, a service by Gravitational.
To enable remote access to an individual display node for a limited time, a facility manager enables it from within the weConnect admin interface. Over the secure websockets link the node then receives a temporary token with which it opens a secure shell tunnel to the Barco Teleport Cloud. The implementation creates a trusted cluster per display node, so that a single compromised node cannot be used as a path to other nodes.
Once the service has been enabled, the service person must log in to the Barco Teleport Cloud using two-factor authentication. Barco keeps full visual audit logs of every intervention; these logs can be obtained on request from your Barco contact.
After the service actions have been performed, the facility manager can disable access to the device again. If the service was not closed properly, connectivity is automatically disabled after 24 hours.
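The grant lifecycle described in this section (enable, temporary token, manual disable, automatic cut-off after 24 hours when nobody closed the session) is modelled in the added example below. It is not weConnect or Teleport code; the 24-hour limit is from the document, while the token format and the in-memory store are assumptions.

```python
"""Time-boxed remote-access grant for a display node.

Added example, not weConnect or Teleport code. It models the lifecycle described in this
section: a facility manager enables access, the node receives a random temporary token, the
manager can disable access again, and a grant that was never closed dies on its own 24 hours
after it was issued. The 24-hour cut-off comes from the document; the token format and the
in-memory store are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

MAX_LIFETIME = 24 * 3600.0   # seconds; automatic disable from the document


@dataclass
class Grant:
    node_id: str
    issued_at: float
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    revoked_at: Optional[float] = None

    def is_active(self, now):
        """Active only while not revoked and inside the fixed lifetime; nothing extends it."""
        return self.revoked_at is None and now - self.issued_at < MAX_LIFETIME


class RemoteAccess:
    def __init__(self):
        self._grants = {}   # node_id -> Grant

    def enable(self, node_id, now):
        """Facility-manager action. Re-enabling replaces the old grant with a fresh token."""
        grant = Grant(node_id=node_id, issued_at=now)
        self._grants[node_id] = grant
        return grant.token

    def disable(self, node_id, now):
        """Facility-manager action after the intervention; returns False if nothing was active."""
        grant = self._grants.get(node_id)
        if grant is None or not grant.is_active(now):
            return False
        grant.revoked_at = now
        return True

    def authorize(self, node_id, token, now):
        """Check before the node opens its tunnel: right token (constant-time compare), grant still active."""
        grant = self._grants.get(node_id)
        return (grant is not None
                and secrets.compare_digest(grant.token.encode(), token.encode())
                and grant.is_active(now))

    def sweep(self, now):
        """Housekeeping: forget revoked or expired grants and report which nodes were cleaned up."""
        stale = sorted(n for n, g in self._grants.items() if not g.is_active(now))
        for node_id in stale:
            del self._grants[node_id]
        return stale


if __name__ == "__main__":
    access = RemoteAccess()
    token = access.enable("ncn-room-101", now=0.0)
    print("authorized at 1h:", access.authorize("ncn-room-101", token, now=3600.0))
    print("authorized at 25h:", access.authorize("ncn-room-101", token, now=25 * 3600.0))
```

The lifetime is anchored to the issue time and cannot be extended by activity, which is what makes the 24-hour rule a hard bound rather than an idle timeout: a forgotten session ends on schedule even if something keeps it busy.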
9 Barco Security Policy
No single security measure can be considered 100% secure for the foreseeable future. Security is therefore a continuous process, and Barco commits to keep improving the security of the products and services offered to our customers and their end users. To guarantee these improvements Barco applies a secure development lifecycle during the design, development, testing and deployment of our products and their features. When security improvements are added to weConnect, this document will be updated accordingly.