Network security in FAB Subtitler BCAST/XCD

FAB Subtitler BCAST/XCD accepts network connections from any IP address. This page describes how to configure FAB Subtitler BCAST/XCD to restrict network access so that unauthorized network connections will be refused.

General rules for securing network access

  • Prepare a list of services which shall be available over the network (Remote Desktop, Ping, live subtitling, commands sent to control FAB Subtitler BCAST/XCD, webserver).
  • Prepare a list of users/persons who are allowed to access the system over the network and which services every user/person is allowed to use.
  • Prepare a list of IP addresses of computers which are allowed to access the services.
  • Make sure that you do not use any insecure network protocols like FTP, which transfer the username and password as clear text.
  • Make sure to use complex passwords with at least 12 characters which contain lower case, upper case characters, numbers and special characters like $!?.

Once you have all of the above information, first configure the Windows Firewall so that only the services you have identified are accessible from the network. The Windows Firewall settings also let you specify, for every service, the IP addresses which are allowed to use it.

In most cases you will not be able to limit the access to FAB Subtitler BCAST/XCD to a list of IP addresses because there will always be some dynamic IP addresses which need to communicate with FAB Subtitler BCAST/XCD.

Make sure that critical services like Remote Desktop are correctly configured in the Windows Firewall.

Connections from remote clients providing live subtitles over network

There are two ways to prevent unauthorized remote network clients from providing live subtitles:

  • By only using the ESUB-XF subtitle protocol with username/password login
  • By providing a list of IP addresses of computers which are allowed to provide live subtitles

To restrict network connections for incoming live subtitles to the ESUB-XF protocol with login, configure in options that only the ESUB-XF protocol is permitted and that login with username/password is obligatory. All other connections to the configured TCP port will then be refused, and unauthorized users will not be able to transmit live subtitles:

To restrict network connections for incoming live subtitles to a list of IP addresses please configure the following in options:

Connections from playout systems

Playout systems generally have fixed IP addresses. Therefore in FAB Subtitler Options configure the list of IP addresses which are allowed to send commands to FAB Subtitler BCAST/XCD over IP. All other connections to the configured TCP port will be refused:

Connections to the web server

Currently the easiest way to restrict access is to limit connections to the webserver to the local subnet:

Checkup

After you have configured everything above, you can use a TCP port scanner to check whether any other TCP ports are open. For each open port, find out whether it should be blocked or which connected parties require it to be open.

The following command can be executed with administrator rights to display all applications that accept TCP connections and the associated TCP ports:

netstat /a /b
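
The same check can be scripted so that listening ports are compared against the list of services prepared under the general rules. The following PowerShell script is an added example, not part of FAB Subtitler or its documentation. The allowlist and the function name Get-UnexpectedListener are assumptions: 3389 is the default Remote Desktop port, and the ports configured in FAB Subtitler Options must be filled in by the administrator.

```powershell
# Added example: report TCP listeners that are not on the list of services
# which shall be available over the network. Run in an elevated PowerShell session.

# ASSUMPTION: placeholder allowlist. Replace with the TCP ports of the services
# you decided to expose (3389 is the default Remote Desktop port).
$AllowedPorts = @(3389)

# Hypothetical helper: returns listeners that are reachable from the network
# and whose port is not on the allowlist.
function Get-UnexpectedListener {
    param(
        [object[]] $Listeners = @(),
        [int[]]    $Allowed   = @()
    )
    $Listeners |
        # Loopback-only listeners cannot be reached from other computers.
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        Where-Object { $_.LocalPort -notin $Allowed } |
        Sort-Object LocalPort, LocalAddress -Unique
}

# Every TCP socket in the Listen state, with the name of the owning process.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        ProcessId    = $_.OwningProcess
        ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
    }
}

$unexpected = Get-UnexpectedListener -Listeners $listeners -Allowed $AllowedPorts
if ($unexpected) {
    $unexpected | Format-Table -AutoSize
    Write-Warning "$(@($unexpected).Count) listening port(s) are not on the allowlist."
} else {
    Write-Output 'All network-reachable listeners are on the allowlist.'
}
```

A port reported here may still be blocked by the Windows Firewall, so confirm what is actually reachable with a TCP port scanner from another computer, as described above.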

This page was last updated on 2024-05-16