This article is the first of a two-part series on using Hiperwall-enabled video walls in secure rooms or highly sensitive environments. The following articles will be linked here when they are released:
Network Configuration (this article)
Sources in a Secure Environment
Hiperwall-enabled video wall systems are used throughout the world to provide a platform for decision makers to make the best decisions as quickly as possible. Uses include public safety, fusion centers, surveillance control rooms, and many more. In almost all our installations, data security and network integrity are a primary concern. In highly secure environments, particularly those dealing with classified data, protecting that data is of utmost importance.
If a Hiperwall video wall is installed in such an environment, it is likely to be used to display sensitive or classified data, so this article will cover the approaches used in our existing installations to make sure Hiperwall coexists nicely with our customers’ secure data networks. Hiperwall is a software LED video wall control solution that uses a gigabit Ethernet network as its infrastructure, sending data feeds from sources to display computers via that network. Hiperwall doesn’t use proprietary hardware, so the PCs that meet a customer’s needs in the secure environment will most likely work just fine with Hiperwall. Hiperwall systems do not currently need any sort of network check-in for licensing, so many Hiperwall systems are never connected to the Internet or any outside network. Each of the major Hiperwall components and their security implications will be covered in this series of articles.
Hiperwall software uses standard protocols (TCP/IP and various UDP/IP mechanisms) on the network, but, because video and data feeds often require high throughput, Hiperwall generates a lot of network traffic. For that reason, we strongly recommend putting the Hiperwall system on its own LAN. Many of our customers use a dedicated commodity switch for the Hiperwall network, though some configure a VLAN for the Hiperwall network, and that works just as well. The advantage of a dedicated switch is that it is physically separated from any sensitive networks, and, once it is configured correctly, it never needs to change. VLANs provide logical separation and work fine once configured, but we have seen cases where accidental configuration changes to that shared switch can have unintended consequences for the Hiperwall VLAN. In either case, the Hiperwall network does not need access to other networks or the Internet, unless you want certain types of data feeds via a remote network (more in the Sources article to follow).
A Hiperwall system has three main component types/functions: input, control, and output. The inputs are the sources that will be discussed in the next article. Control consists of one or two controller PCs that manage positioning of content on the wall, as well as any number of PCs running HiperOperator software, which provides easy-to-use graphical control with a bandwidth-adaptive connection. The controller PCs must be connected to the Hiperwall LAN, while the HiperOperator software can connect from outside networks, if allowed. That is probably not the case in a secure environment, but a good VPN could be used, depending on the sensitivity of your network. Contact Hiperwall support if you want to configure a VPN for HiperOperator, because it probably should not connect to the Hiperwall LAN unless it is configured very precisely. The controller PCs should have their network firewall software enabled, but the Hiperwall Video Wall Controller software needs to be allowed through the firewall. HiperOperator works on Linux or macOS as well as Windows, so it can support whatever is most suited to your secure environment.
The output components are the computers that drive the displays and run HiperView software. Hiperwall treats these computers as appliances, so they should not have user logins and keyboards or mice attached. They are simply appliances that subscribe to the data on the Hiperwall LAN and show it on the displays. They don’t run your applications and they don’t try to talk to anything other than Hiperwall software. The local firewall software should be enabled and the HiperView software needs to be allowed through the firewall. Static content items (imported images and movies) are distributed to the output computers as needed, so if they are sensitive, then the drives on those PCs will need to be controlled.
As long as the Hiperwall LAN is physically or logically separated from your secure networks, then no data will leak between the two. If you need data sources from your secure network to be shown on the Hiperwall system, that will be covered in the Sources article. Hiperwall software does not store the content of live feeds, not even thumbnail views of your sources, so if you shut down the Hiperwall software, the visual record of your source feeds goes away. Hiperwall does allow logging that will show the names you gave your sources, but if those names are sensitive, the log can be set to not save to disk. Hiperwall software does save settings to files and to the Registry (in the User’s private area, so even locked-down systems tend to work fine).
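One way to confirm that display and controller PCs are still confined to the Hiperwall LAN, for example after a change to a shared VLAN switch, is to audit each host's addresses and routes. This is an added example, not Hiperwall code; the 192.168.50.0/24 subnet, the host names and the route data are constructed assumptions.

```python
import ipaddress

# Assumed (hypothetical) addressing for the dedicated Hiperwall LAN.
HIPERWALL_LAN = ipaddress.ip_network("192.168.50.0/24")

def audit_host(name, addresses, routes, lan=HIPERWALL_LAN):
    """Return isolation findings for one host.

    addresses: "ip/prefix" strings bound to the host's network interfaces
    routes:    (destination_prefix, next_hop) tuples from its routing table
    """
    findings = []
    for addr in addresses:
        ip = ipaddress.ip_interface(addr).ip
        if ip.is_loopback or ip.is_link_local:
            continue  # not a path to another network
        if ip not in lan:
            findings.append(f"{name}: address {addr} is outside {lan} (multi-homed)")
    for dest, next_hop in routes:
        net = ipaddress.ip_network(dest)
        if net.prefixlen == 0:
            # A default gateway gives the host a way off the isolated LAN.
            findings.append(f"{name}: default route via {next_hop}")
        elif net.is_loopback or net.is_link_local or net.is_multicast:
            continue  # local-scope entries present on every host
        elif not net.subnet_of(lan):
            findings.append(f"{name}: route to {dest} leaves {lan}")
    return findings

# Constructed inventory: wall-01 is correctly isolated, wall-02 has drifted
# (second interface on another network plus a default gateway).
INVENTORY = {
    "wall-01": (["127.0.0.1/8", "192.168.50.21/24"],
                [("127.0.0.0/8", "0.0.0.0"), ("192.168.50.0/24", "0.0.0.0"),
                 ("224.0.0.0/4", "0.0.0.0")]),
    "wall-02": (["192.168.50.22/24", "10.20.0.15/16"],
                [("0.0.0.0/0", "10.20.0.1"), ("10.20.0.0/16", "0.0.0.0"),
                 ("192.168.50.0/24", "0.0.0.0")]),
}

def audit_inventory(inventory=INVENTORY):
    """Map each host name to its list of findings (empty list means isolated)."""
    return {host: audit_host(host, addrs, routes)
            for host, (addrs, routes) in inventory.items()}

if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(host, "OK" if not findings else findings)
```

In practice the address and route lists would come from each PC's own interface and routing-table output rather than a hand-built inventory.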
Hiperwall software is written to be a good network citizen. When the network is configured correctly, the Hiperwall network traffic is significant, but well-managed. Several Hiperwall team members worked in secure facilities for many years, so that experience has led to software designed to work within restricted environments and to respect the confidentiality and privacy of our customers’ data that they display using a Hiperwall system.