System security in SageVue
Biamp SageVue is a central monitoring and management platform for Biamp devices, but it also includes some unique security features that can be used on systems when the security of your Tesira systems and devices is a primary concern. This article discusses some of the different way to secure your Tesira system using SageVue.
Additionally, it may be helpful to review some of the other generic security articles on Cornerstone, including:
- Network Security - A primer on network security and AV
- Tesira security best practices - A guide on how to secure your Tesira equipment over the network
SageVue System Control
SageVue includes a unique security feature called System Control. This is a feature that can be enabled on a Tesira system to lock down the system and make it accessible only via SageVue.
When System Control is activated, it locks the Tesira system's admin account to SageVue. The admin account is no longer accessible by any user with Tesira software. Additionally, all device maintenance functions, firmware updates and DSP configuration changes are only allowed via SageVue. The admin account credentials are stored on the SageVue host machine file system but are otherwise not visible to any user. If access to the SageVue system is lost, control over the devices in that Tesira system can only be recovered by factory resetting the Tesira devices.
After System Control is enabled, a Tesira user with "Controller" privilege level may be created. The controller privilege level only allows read and write operations on DSP block objects, such as level controls and mixer crosspoints. The controller account is required for Biamp Canvas connection or any third-party control automation system.
Caution: Enabling System Control will also password protect the TTP (Tesira Text Protcol) interface used by third-party control automation systems. Any existing control system will be denied access at this point. A controller user must be created and the third-party control programmer must configure this user. Consult with the third-party control programmer before enabling System Control.
Enabling System Control
- In the SageVue web interface, navigate to Systems and select the desired system to manage.
- Click the "S" icon on the manage system toolbar. If the "S" icon is not available, unprotect the system first via the lock icon.
- Acknowledge the operation by clicking "Yes, Continue"
- SageVue now locks the Tesira admin account. The interface will report success when complete. All device management functions must now happen through SageVue. Biamp Canvas control or any third-party control automation system is now locked out at this point. The SageVue system and device views will reflect the "S" icon for devices controlled by SageVue.
- Reload the page to create a controller user. The manage system toolbar will show a plus icon for adding a user.
- Create the control user.
- Provide the controller privilege account to Biamp Canvas users or the third-party control automation system programmer. The controller account cannot send DSP signal flow layout changes. Any DSP configuration changes must be sent from SageVue.
To release control of the Tesira system, navigate back to the manage system page and click the "S" icon again. SageVue will confirm it has released the system and will return Tesira to an unprotected state.
System protection
SageVue System Control may not be appropriate for every environment. An alternative is to enable Tesira system security from within SageVue, which will cause SageVue to create only the admin user. Any other Tesira user privilege levels can still be created with Tesira software. SageVue does not store the admin credentials for each system. Each Tesira system may have unique users and passwords. Any changes to the system via SageVue will require the user to enter the Tesira admin credentials.
A lock icon is displayed on the Systems and Devices views when Tesira system protection is enabled.
Device Profiles
SageVue device profiles provide a mechanism to mass deploy settings and monitor devices for compliance. Device profiles may be used to monitor that Telnet and SSH are disabled or that 802.1X is enabled. If the device deviates from the profile settings, SageVue will send a device out of compliance alert.
Example of a device profile to disable Telnet and SSH:
- This profile assumes no third-party control systems are connecting via Telnet or SSH.
- Navigate to Device Profiles and click the "+" plus icon to add a new profile.
- Enter a name and description.
- Set the Network tab to active and check the Telnet and SSH properties only.
- Save the profile.
- Click the Assign profile button on the profile line.
- Select the Tesira devices to receive the profile and click save.
- Click the Apply profile button to send the profile to the assigned devices.
- Enable Monitor Profile Compliance to receive alerts about out of compliance devices.