The Art of the IO Network – Segmenting Content Ingestion and Release

One of the problems with shutting down Internet access to production networks is the need to ingest and release content from and to various sources and destinations. As technology progresses, more and more companies prefer to send content over the Internet rather than shipping a physical device with the content on it. One of the requirements of many of the major studios is to establish some kind of segmentation between production networks and the ingestion/release network (sometimes referred to as the IO Network).
 
To solve this problem, some kind of separation must be established between the two networks. This can be achieved logically, using firewalls (firewall rules/policies), switches (access control lists) or other solutions permitted by the major studios. The other option is physical segmentation, where every piece of content must be handed over to the production environment using physical media or other allowed technologies.
 

Production Storage

Most studios will have some kind of centralized repository where some, or all, of the content resides. This storage serves the various production and post-production functions by allowing teams to share content. Performance will vary depending on the number of users accessing the storage and the type of storage the studio has. Without Internet access, content must find its way to this storage so that users are able to work on it.
 

Offline IO

Many companies choose to ingest and release content by dedicating a machine (or using a production machine), connecting a drive or set of drives to it, and copying the content between the drives and the production storage. Copying speed will vary depending on the drives and the machine doing the ingest/release.
 

IO Storage

When creating a separation between production and IO (content ingestion/release), most environments will need some kind of storage to hold the content being ingested from, or released to, the Internet. This is done so that users are able to access it from their production computers (see “Access Rules” below).
 

IO Machine

When separating production and IO, most environments will dedicate a machine or two to IO functions. This allows users to upload and download content according to their needs. The IO machine will normally be able to ingest and release content to/from drives connected to it, as well as to/from the Internet. Any content must be scanned for viruses or malware prior to being ingested or released. If IO storage is in place, the IO machine will also have access to it.
 

Access Rules

Uni-Directional: To make all of this work, the firewall or switch must have what is called a “uni-directional” rule that allows the production network one-way access to the IO Network. That is, only traffic initiated from the production computers is allowed into the IO network. That way, content downloaded from the Internet can be seen by the production computers. In addition, any content that needs to be uploaded to the Internet can be copied over to the IO Network (IO storage or IO machine) and then sent by the IO machine to the proper destination. The IO Network MUST NEVER be able to access the production network.
 
Remote Control: To make things a bit easier, you may also configure a KVM (keyboard, video, mouse) method to remotely access the IO machine from the production network. This is normally done using protocols such as VNC or RDP, or using KVM units dedicated to switching screens. Keep in mind that VNC and RDP out of the box allow content to be copied between the two sides, which is restricted; therefore you must use a commercial version of VNC, and configure Group Policy for RDP (Windows only), to disallow copying of data from one side to the other.
 
Malware/Virus scan: You must always scan files downloaded from Internet sources before they are transferred over to the production network/storage. It is important to do so even when the sources are trusted. This can be done by introducing a virus/malware scanner that runs as files are downloaded. You may also configure it to scan files as they are uploaded, just to be safe. There are several ways to implement such a scanner, and any of them is valid.
 
Internet Access: The last rule that must be applied governs the type of traffic allowed from the IO Network to the Internet. Here the definition is somewhat vague. You need to restrict standard Internet access and only allow file transfer. However, many studios will need some kind of email access (or other tools) used within their facility. For example, many shops will send links to email addresses in order to download files. If the IO machine cannot retrieve the email, it becomes very difficult to get the link and retrieve the file.
 
My suggestion would be to create an allow list of URLs that users can access. In addition, the firewall should allow only the specific ports used by the file transfer services in use, such as Aspera and Signiant.
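The uni-directional production-to-IO rule and the restricted IO-to-Internet path described above, written out as an nftables ruleset on the firewall that sits between the three networks. This is an added illustration, not configuration from the article or from any vendor: the interface names, the IO host addresses, the SMB/RDP/VNC service ports on the IO side and the non-Aspera transfer ports are assumptions to be replaced with your own.

```nft
#!/usr/sbin/nft -f
# Assumed interface names (not from the article):
#   prod0 = production LAN, io0 = IO network, wan0 = Internet uplink.
define PROD_IF = "prod0"
define IO_IF   = "io0"
define WAN_IF  = "wan0"

# Assumed addresses of the two IO hosts that production may reach.
define IO_STORAGE = 10.20.0.10
define IO_MACHINE = 10.20.0.20

# Ports the IO machine may use towards the Internet. Aspera FASP uses
# TCP/UDP 33001 by default; 443 covers HTTPS download links, which must
# additionally be URL-allow-listed on a proxy, since a packet filter
# cannot see URLs. Add your other vendors' ports from their documentation.
define XFER_TCP = { 33001, 443 }
define XFER_UDP = { 33001 }

flush ruleset

table inet io_segmentation {
    chain forward {
        # Default deny: anything not explicitly permitted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies that belong to an already-permitted connection. This is
        # what makes the policy uni-directional: only the side allowed to
        # open a connection (production) ever creates the state entry.
        ct state established,related accept
        ct state invalid drop

        # Production -> IO: file share on IO storage, remote control of the
        # IO machine (RDP 3389, VNC 5900). Only new connections from
        # production are accepted; the IO side cannot initiate.
        iifname $PROD_IF oifname $IO_IF ip daddr $IO_STORAGE tcp dport 445 ct state new accept
        iifname $PROD_IF oifname $IO_IF ip daddr $IO_MACHINE tcp dport { 3389, 5900 } ct state new accept

        # IO -> production: never. Log attempts so they can be investigated.
        iifname $IO_IF oifname $PROD_IF log prefix "io-to-prod-blocked: " drop

        # IO -> Internet: only the file-transfer services, no general browsing.
        iifname $IO_IF oifname $WAN_IF tcp dport $XFER_TCP ct state new accept
        iifname $IO_IF oifname $WAN_IF udp dport $XFER_UDP accept

        # Production -> Internet: no rule, so the chain policy drops it.
    }
}
```

Load it with `nft -f` and confirm the intent with `nft list ruleset`; a connection attempt from an IO host to a production address should appear in the firewall log with the `io-to-prod-blocked:` prefix and never complete.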

The IO workflow as presented here is one way of increasing content security. Keep in mind that doing so will most likely slow down the IO process, and the business must understand this. You may increase speed by introducing faster firewalls or switches, but obviously downloading content directly to production will always be faster. In addition, getting used to the new IO workflow can be challenging and at times seems impossible. Rest assured that once your users have adjusted to this process, they will be able to adapt their work and be as efficient as possible.
 
Still have questions? Need help getting this done? We are here to help. Contact Zalcore today for a free consultation.