Configuring Q-SYS with Security in Mind


The modernization of the AV industry is critical, and QSC has been innovating toward that end for decades. But now that we’re seeing wide acceptance of networked AV – and mass realization of its many benefits – education toward how to configure a system with a security-centric mindset becomes increasingly urgent.

QSC is committed to supplying the resources and education necessary to harden Q-SYS systems so that they might reflect our best practices, and align with organizational security environments. Below are fourteen areas to address when working to structure your Q-SYS system.

Upgrade Your Firmware: While this seems simple, Q-SYS OS firmware updates are neglected more often than is ideal. This easy step is the only way to ensure your system receives updated (and very necessary) security patches and features.

Enable Access Control: Don’t give the keys to the kingdom to every user. Q-SYS has a variety of access control options, from user roles to the ability to create custom role permissions. Device passwords are also available to protect certain settings.

Set Your Q-SYS Core Date and Time: You might be scratching your head as to how this factors into a solid security plan, but security certificates use time and date in the certificate exchange. Any errors can result in security certificate negotiation failures.

Enable 802.1X: No, this isn’t your favorite drivetime radio station. IEEE 802.1X is a standard that defines how to provide authentication for connecting devices on local area networks, and is used for both wired and wireless networks. Once enabled, Q-SYS Products can be configured so they can be authenticated and granted network access.

Harden Your Softphone Configuration: VoIP telephony still counts as a potential point of entry, and as such QSC recommends using only encrypted Softphone communications and secure ciphers.

Disable Your FTP Server: FTP servers were not built to be secure – it was originally structured to provide basic, unencrypted file transfer capability for connected users. Now it is widely considered to be a security risk. As such, the FTP server on the Q-SYS Core is disabled by default, and it is recommended that this ‘disabled’ status remains. Double-check your Q-SYS Core to ensure this is still the case.

Harden Your SNMP Server: Simple Network Management Protocol (SNMP) is an easily abused means of gaining unauthorized access to network devices. Because of this (and similar to the FTP Server) the SNMP server on a Q-SYS Core defaults to ‘disabled’. If it is absolutely necessary for the success of your system, QSC recommends implementing only SNMPv3 and following client network InfoSec guidance.

Install a Certificate Authority (CA)-signed Device Certificate: These are trusted entities that issue Secure Sockets Layer (SSL) digital certificates that certify ownership of a public key with a specific entity (your company). This allows network resources to confirm that the Q-SYS Product is authorized to be on your network.

Configure DNS: Domain Name System (DNS) can be used by potential attackers to redirect traffic to compromised network resources. Configuring your Q-SYS Core’s network configuration so that only trusted DNS servers (that were provided by your IT Team) are utilized is a necessary safeguard.

Configure External Control: There are times you might need to leverage some sort of external control system to control or monitor your Q-SYS system. This integration can be a potential point of weakness, so it’s a good idea to structure it mindfully. Two tactics are to leverage Management APIs over HTTPS for encrypted control of your Q-SYS Core. Through APT management you can ensure that your organizational APTs are both consumable and secure. The second tactic is to configure an external control PIN (personal identification number) to manage your access more granularly.  

Configure UCI PIN Protection: And speaking of PINs, UCI (User Control Interface) PINs can also be configured to allow only authorized users access to your Q-SYS UCIs. Additionally, you can also make any of your UCIs private at the click of a button.

Configure Paging User PIN Protection: More PIN stuff! If you have a system utilizing the PA Paging functionality, then you’re able to set up PIN-based user access to the paging stations themselves. This is especially important for stations located in public spaces. (Especially useful in thwarting those teenagers who can’t resist jumping onto PA system and singing a few bars.)

Disable Unused Network Services: This one will take some coordination. You’ll want to have a sit down with your system designer and catalog which network services are not required for the design running on your Core processor, and so can be disabled. The point is to eliminate as many potential points of entry as possible.

Register with Q-SYS Reflect Enterprise Manager: You want visibility? Who want remote monitoring/management that includes third-party devices? By registering for Q-SYS Reflect Enterprise Manager, you gain an immediacy into all your Q-SYS-based AV systems. And when it comes to issues, including security threats, a speedy resolution becomes everyone’s foremost priority.

Now that you have a broad understanding of what ought to be done and why, how do you actually get to the doing? Your next step is click into our security documentation. There you’ll find a streamlined list on the exact topics explained above, complete with links to in-depth instructions and resources.

One response to “Configuring Q-SYS with Security in Mind

Comments are closed.