Network Security Overview

Disguise is a media platform focused on video playback and real-time rendering applications. This page covers the use of Disguise in a secure IT environment, such as a corporate network, and provides recommended practices and mitigation strategies to ensure the goals of both systems are met.

Introduction

Disguise provides high-performance media platforms optimised for a specific performance level based on the factory shipping configuration. Any alteration to the factory shipping configuration can cause the system to deviate from its designed characteristics, and could result in the system not meeting the performance levels it was designed for. In the course of normal operations, our support team may ask you to restore the machine to its factory shipping configuration as part of troubleshooting a performance issue.

Disguise and Network Security

A media playback tool like Disguise is designed to provide graphics on-screen in real-time, with minimal latency and a focus on system performance. On the other hand, a secure IT environment, such as a corporate network, is intended to provide a closed, safe environment for the exchange and storage of sensitive information. These two goals can be seen as being in opposition to each other. Security strategies typically applied to secure IT environments include the use of AntiVirus software, regular patching of system components, and highly restrictive network behaviors. However, real-time media playback systems like Disguise actively discourage the use of these strategies due to the significant performance reduction they cause, which negates the real-time aspects of the media system. Below, we explain the specifics which should be taken into account when deploying Disguise into a secure IT environment.

Air-Gapped Networks

Disguise strongly recommends that real-time media playback systems should always be installed on a dedicated LAN network that is air-gapped from the main IT network. This isolation is crucial to maintain the performance and integrity of the Disguise system while preventing potential security risks to the main network. For any necessary data interchange between the dedicated LAN network and the main IT network, we recommend using a DMZ network as an intermediary. This approach provides a balance between maintaining system performance and adhering to security protocols.

AntiVirus

Disguise does not recommend the installation or deployment of any sort of persistent antivirus software onto the media platforms we provide. The installation of such software can cause inconsistent and unpredictable performance impacts, significantly hindering our ability to deliver on the performance characteristics the system is designed around. However, we understand the importance of security and recommend that virus scans be conducted during system maintenance windows. These scans should be run without installing the scanning software onto the media platforms, or if installation is necessary, the software should be uninstalled immediately once the scan is completed. This approach allows for periodic security checks without compromising the system’s performance during operation.

Windows Updates

Disguise servers ship with long-term supported Windows builds, such as Windows 10 SAC or Windows 11 IoT Enterprise GAC editions. Updates via Windows Update or other patching mechanisms are disabled by default. The OS image which Disguise supplies should be thought of as firmware, with a complete set of patches, drivers, and OS updates tested as a complete unit. While Disguise does issue intermittent updates to the OS, it’s important to note that the OS version selected is chosen for performance, and so may not be the latest available set of patches. We strongly advise against deviating from our distributed OS images in any way, as doing so can cause unknown performance impacts on the system’s designed and sold characteristics. This approach ensures consistent performance across all Disguise systems.

Driver Updates

Disguise does not recommend or support the installation or update of any component drivers found within the system. Our development team meticulously tests drivers alongside one another and issues them as part of a complete OS image, with interoperable versions from various vendors used within the systems. We don’t always select the latest driver version, as sometimes newer drivers can disable or break functionality we rely on. You should not manually install or update any driver on the Disguise systems unless explicitly instructed by Disguise to do so. This policy helps maintain system stability and ensures that all components work together as intended, preserving the performance characteristics the system is designed and sold with.

Network Topology

Disguise media servers are optimized for high-performance media playback and real-time rendering, which requires a specific network environment to function at their best. For optimal performance and security, we recommend operating these systems on dedicated, isolated networks. This approach ensures that the Disguise systems can deliver their full capabilities without potential conflicts with corporate network security measures. Our systems are designed to operate effectively offline, focusing on their core media playback and rendering functions. When internet connectivity is necessary, we advise using a separate, controlled network environment rather than connecting directly to a main corporate network. This strategy helps maintain the integrity and performance of both your Disguise systems and your secure corporate networks.

Firewalls

While Disguise systems are designed to operate in isolated environments, understanding the network activity and required ports is crucial for proper system configuration and troubleshooting. Firewalls can play a role in securing your Disguise network, but they must be configured correctly to avoid impacting system performance.

For a detailed breakdown of the ports used by Disguise and the expected network activity, please refer to our Network Ports and Activity page. This resource provides essential information for network administrators and IT professionals working with Disguise systems, helping to ensure smooth operation while maintaining appropriate security measures.

Remember that any firewall implementations should be thoroughly tested in a non-production environment before being applied to live systems, as improper configuration could significantly impact the real-time performance of your Disguise setup.

Domains

As Disguise is not intended to be connected to a corporate network, we do not expect you to perform any domain joins or install Disguise as part of a wider group IT policy. Our Windows image has specific features disabled and enabled to ensure performance benchmarks of the systems are achievable in our environment. Altering these configurations via domain policies or manual adjustment can cause unknown performance impacts on the system’s designed characteristics. By keeping Disguise systems separate from domain policies, we can ensure consistent performance and behavior across all installations.

User Authentication

Disguise systems are shipped with a default configuration that includes a single active user on the machines - the root user (called ‘d3’) with administrator privileges. For air-gapped systems that are completely isolated from external networks, this default setup can be maintained to facilitate smooth operation and quick troubleshooting, especially in multi-machine setups and live event scenarios where rapid system access is crucial.

However, we strongly recommend adopting zero trust security best practices where possible for any system that isn’t completely air-gapped or where physical access to the system is not restricted and monitored. Consider implementing security measures such as:

  1. Changing the default ‘d3’ user password to a strong, unique password.
  2. Implementing multi-factor authentication where possible.
  3. Regularly auditing and rotating credentials.
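
The audit in item 3 can be scripted. The PowerShell below is an added example, not Disguise tooling: it checks the age of the ‘d3’ password and flags any enabled local account or Administrators member beyond the single default user described above. The 90-day rotation window and the wording of the findings are assumptions; run it from an elevated prompt on the server.

```powershell
# Added example: local account audit for a Disguise server.
$DefaultUser     = 'd3'   # default administrator account named on this page
$MaxPasswordDays = 90     # ASSUMED rotation window; replace with your own policy
$findings        = @()

# 1. Age of the default account's password.
$d3 = Get-LocalUser -Name $DefaultUser -ErrorAction SilentlyContinue
if ($null -eq $d3) {
    $findings += "Account '$DefaultUser' not found on this machine."
} elseif ($null -eq $d3.PasswordLastSet) {
    $findings += "Account '$DefaultUser' has no recorded password change."
} else {
    $age = (New-TimeSpan -Start $d3.PasswordLastSet -End (Get-Date)).Days
    if ($age -gt $MaxPasswordDays) {
        $findings += "Password for '$DefaultUser' is $age days old (limit $MaxPasswordDays)."
    }
}

# 2. Enabled local accounts other than the single default user.
$enabledNames = @(Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object { $_.Name })
foreach ($name in $enabledNames) {
    if ($name -ne $DefaultUser) {
        $findings += "Additional enabled local account: $name"
    }
}

# 3. Members of the built-in Administrators group, looked up by well-known SID
#    so the check also works on localized images. Disabled local users are skipped;
#    domain principals are reported because the page expects no domain join.
foreach ($member in Get-LocalGroupMember -SID 'S-1-5-32-544') {
    $short = ($member.Name -split '\\')[-1]
    $disabledLocalUser = ($member.PrincipalSource -eq 'Local') -and
                         ($member.ObjectClass -eq 'User') -and
                         ($short -notin $enabledNames)
    if (($short -ne $DefaultUser) -and (-not $disabledLocalUser)) {
        $findings += "Administrators member: $($member.Name) [$($member.PrincipalSource)]"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: only '$DefaultUser' is active and its password is within policy."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```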

Remember, the most robust security for your Disguise system is achieved through network isolation. When connectivity is required, always implement stringent security measures while maintaining operational efficiency. This approach ensures optimal protection without compromising the high-performance capabilities that Disguise systems are renowned for.

Encryption

The Disguise application uses a secure license system which encrypts our executable and DLL files; these are decrypted using a license key found inside the servers. However, Disguise systems are designed for performance and as such must not be used with encryption of the media involved in our playout. We strongly advise against enabling any additional form of encryption on the systems, as this will impact performance and prevent the machine from meeting its designed performance characteristics. This approach ensures that the system can deliver the real-time performance it was designed for.

Remote Access

Disguise occasionally offers remote assistance via third-party remote access tools (such as TeamViewer, SimpleHelp, Parsec, etc.) when requested by customers for support and troubleshooting scenarios. While participation in this is optional, it can help streamline diagnosis and support in certain cases. Wherever possible, we recommend the use of portable clients for these remote sessions, rather than permanently opening the system to remote access. This approach allows for necessary support while minimizing potential security risks.

Conclusion

As outlined above, please do not connect Disguise media servers to a network unless it is a dedicated LAN network that has been air-gapped from the main IT network. If any data interchange needs to take place between the dedicated LAN network and the main IT network, then this should be completed via a DMZ network. This approach balances the performance needs of Disguise systems with the security requirements of corporate environments.