StrandVision Digital Signage

Newsletter, November 2006

StrandVision Digital Signs and Firewalls

We get a lot of questions from customers about how to configure their digital signs so they don't compromise security. This article discusses firewalls and how to configure your system...

Large companies (really, all companies) generally have firewalls that monitor and inspect incoming Internet traffic. As the name suggests, this puts up a wall between the internal communications system (generally called a Local Area Network – LAN or Intranet) and the Internet. Web pages, email, attached files -- everything that moves to servers and personal computers on the corporate network, even StrandVision Digital Signage -- must pass through the firewall following the rules that the IT department has defined.

StrandVision takes great care with our servers to make sure that they are free of what's called malware. Even so, it is understandable that many corporate IT departments are wary about traffic that passes through their firewalls. They want to manage or eliminate perceived threats.  Some organizations even have government regulations to follow regarding the information stored and transmitted within their LAN.

There are a few ways to merge StrandVision digital signs into a corporate network. First is to put the StrandVision client (it can be a server or a standard personal computer) inside the firewall. This way all of the traffic from the StrandVision server that comes in over the Internet would be inspected by the corporate firewall before it is distributed over the network.  Since the StrandVision system utilizes standard web browser connectivity, it is just as safe as an employee browsing the web (and even safer because only the trusted StrandVision site is accessed).

A second method to add an additional layer of data security is to put the StrandVision playback server inside of its own firewall but outside the main corporate firewall. The diagram below shows the setup.

[Diagram: dual firewall layout]

This arrangement provides a separate firewall specifically for the StrandVision Digital Signage system. This ensures that even if the signage gets compromised, your corporate network is still protected from hackers and malware. 

This approach makes it difficult to remotely manage the signage computers.  Since the StrandVision system automatically updates the playback server and monitors its operation, there is little reason to need that capability.
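As an added illustration (not StrandVision's code or configuration), the sketch below models the dedicated signage firewall from the second method as a first-match rule list and audits it against constructed flows. It goes slightly beyond the article by contrasting a weaker rule set that lets the signage players browse anywhere. All addresses, the web ports 80 and 443, and the names used are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Every address here is a constructed placeholder, not a value from the article.
SIGNAGE_NET = "192.168.50.0/24"     # assumed segment behind the signage firewall
CORPORATE_NET = "192.0.2.0/24"      # assumed range where the corporate network is reachable
SIGNAGE_SERVER = "203.0.113.10/32"  # placeholder for the hosted signage server
ANY = "0.0.0.0/0"
WEB = frozenset({80, 443})          # assumed ports for "standard web browser connectivity"

class Rule(NamedTuple):
    action: str
    src: str
    dst: str
    ports: frozenset = frozenset()  # empty set matches any port

# New-connection rules for the signage firewall; first match wins.
STRICT = [
    Rule("deny", SIGNAGE_NET, CORPORATE_NET),         # a compromised player cannot reach corporate hosts
    Rule("allow", SIGNAGE_NET, SIGNAGE_SERVER, WEB),  # players pull content from one trusted site
    Rule("deny", ANY, ANY),                           # everything else, including inbound management
]
# Weak variant: players may browse anywhere, so the corporate range is reachable too.
WEAK = [Rule("allow", SIGNAGE_NET, ANY, WEB), Rule("deny", ANY, ANY)]

# Constructed flows: (description, source, destination, port, expected action)
FLOWS = [
    ("player to signage server", "192.168.50.20", "203.0.113.10", 443, "allow"),
    ("player to corporate intranet", "192.168.50.20", "192.0.2.15", 443, "deny"),
    ("player to unrelated web site", "192.168.50.20", "198.51.100.7", 80, "deny"),
    ("outside host to player", "198.51.100.7", "192.168.50.20", 3389, "deny"),
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching a new connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action
    return "deny"  # implicit default if no rule matches

def audit(rules):
    """List the flows whose decision differs from the segmentation policy."""
    return [name for name, s, d, p, want in FLOWS if decide(rules, s, d, p) != want]

if __name__ == "__main__":
    for label, rules in (("strict", STRICT), ("weak", WEAK)):
        print(label, "violations:", audit(rules) or "none")
```

The strict rule set passes every check, while the weak one is flagged for letting a player reach the corporate range and unrelated sites.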

Others use a slightly more sophisticated approach that takes advantage of some of the normal features on many network switches. Using port identifier features, they designate that the digital signage content be directed to specific Internet protocol (IP) addresses on their corporate networks. This essentially creates a virtual network so that the digital signage traffic is sent to only the digital signage display units. This provides another level of protection by making sure that the appropriate Internet traffic is routed to the proper computers on the network.

Another method is to keep the digital signage traffic off of the corporate network entirely. The diagram below illustrates two separate networks which are split at the Internet source using a standard network hub or switch.

[Diagram: totally separate firewall layout]

Using this approach, the two networks – the corporate network and the digital signage network – never come in contact with each other.

This can be accomplished by using a video distribution network (such as cable television wiring). Many businesses and most schools and colleges have cable television wiring throughout their facilities, so this is a logical way to go.
The other method uses a separate Ethernet network. For relatively small installations – retail stores or employee break rooms – where only a few display units are being driven, wireless Ethernet capability makes it easy and inexpensive to run a separate Internet connection and a wired or wireless Ethernet network (LAN) that exclusively carries the digital signage information. If using wireless Ethernet options, be sure to enable the security features and ensure that the signal strength is good to prevent reliability, interference and other performance-inhibiting problems. With separate networks there is literally no threat because there is no physical connection between the two networks.

Regardless of your choice of networking technology, be sure that password protection is enabled.