Sennheiser Network Security in UDP, TCP, and Restful API: A Comparative Analysis

In this article we will explore: 

  • An Understanding of UDP/TCP

  • Definition of Restful API

  • Data encryption methods and security

  • Why Sennheiser is moving to Restful API and how it will be beneficial for security and communication

  • Sennheiser’s Sound Control v2 Protocol  
 
Network security is a significant concern in the digital age. To date, Sennheiser has elected to utilize UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) as AV network communication protocols. For our new and forthcoming network-enabled products, we are introducing a new secure control communication via a RESTful (Representational State Transfer) API (Application Program Interface). This article explores the security implications associated with these three communication methods and why Sennheiser is choosing to move forward with the state-of-the-art RESTful API that is widely accepted by IT professionals.
 
First, a little background on UDP/TCP and RESTful API with regard to connectivity and security. What are the differences, advantages, and disadvantages?
 
 
User Datagram Protocol (UDP) 
 
UDP is a connectionless protocol that does not require a pre-established connection for data transmission. Instead, it sends datagrams to the recipient without verifying their successful delivery. 
 
 
Security of UDP 
 
Since UDP does not manage network congestion or provide retransmission of lost data packets, it may be susceptible to Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks, which overwhelm the network infrastructure with traffic. However, its simplicity and speed allow it to be used in real-time applications like video conferencing or VoIP, where speed is preferred over reliability.
 
 
Transmission Control Protocol (TCP) 
 
TCP, on the other hand, is a connection-oriented protocol, meaning that it establishes a connection before transmitting data. This feature ensures reliable data delivery via practices such as data receipt acknowledgment and data retransmission.
 
 
Security of TCP 
 
In terms of security, while TCP's complexity and predictability can expose it to risks like TCP sequence prediction attacks, its design mitigates the risk of data loss or alteration. Consequently, TCP can ensure higher degrees of data integrity compared to UDP. An added layer of security can be provided by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to encrypt TCP communication, making it more difficult for unauthorized persons to intercept or manipulate the data.
 
 
Restful API
 
REST (Representational State Transfer) is not a protocol like UDP or TCP, but an architectural style or language adopted for designing networked applications. It utilizes HTTP (Hypertext Transfer Protocol) or HTTPS (Hypertext Transfer Protocol Secure) for communication, which ultimately rides on the TCP/IP stack. 
 
 
Security of Restful API
 
Even though a RESTful API does not itself offer built-in security, it usually capitalizes on the security features of the HTTP/HTTPS protocols.
 
 
These can include:
 
  • Data Encryption: When using HTTPS, data is encrypted with SSL/TLS, which adds a security layer to prevent data breaches during transmission.

  • Authentication and Authorization: Various methods can be used to verify the identity of the users sending and receiving data via RESTful APIs, such as API keys, JWT (JSON Web Tokens), or OAuth.

  • IP Whitelisting: Allows only specific, trusted sources to access the API.

  • Rate Limiting: This strategy prevents DoS attacks by limiting the number of requests a user can send to the API within a specific timeframe. 
 
Nonetheless, because RESTful API is built on top of HTTP/S protocols and is often publicly exposed for data exchange, it can also be vulnerable to security threats such as man-in-the-middle attacks, SQL injection, and Cross-Site Scripting (XSS).
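Two of the controls listed above, IP whitelisting and rate limiting, can be sketched as a single request gate. This is an added example, not Sennheiser code; the subnets, the burst size, the refill rate and the names `Gate` and `check` are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed values for illustration: allowlisted control subnets and limits.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]
BURST = 5             # requests a client may send back to back
REFILL_PER_SEC = 1.0  # sustained requests per second, per client


@dataclass
class Bucket:
    tokens: float = BURST
    last: float = 0.0


@dataclass
class Gate:
    buckets: dict = field(default_factory=dict)

    def check(self, src_ip: str, now: float) -> int:
        """Return the HTTP status a gateway would answer with: 200, 403 or 429."""
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:
            return 403  # unparsable source address: fail closed
        if not any(addr in net for net in ALLOWED_NETS):
            return 403  # source is not on the allowlist
        # Key on the normalized address so one client cannot hold two buckets.
        bucket = self.buckets.setdefault(str(addr), Bucket(last=now))
        # Token bucket: refill for the elapsed time, capped at the burst size.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(BURST, bucket.tokens + elapsed * REFILL_PER_SEC)
        bucket.last = now
        if bucket.tokens < 1:
            return 429  # over the rate limit
        bucket.tokens -= 1
        return 200
```

The allowlist is checked before any bucket is created, so traffic from untrusted sources cannot grow the per-client state.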
 
In conclusion, the choice between UDP, TCP, and RESTful API depends on the specific requirements of a system regarding speed, reliability, and security. UDP is more suitable for real-time applications where speed is crucial; TCP provides more reliable data delivery; and RESTful API is often used for designing networked application communications or, for us, control.
 
 
Why Sennheiser is moving to Restful API for network security?
 
Sennheiser is moving to Restful API from a network security perspective. This strategic maneuver aligns with many companies' current technology trends in pursuit of improved efficiency, adaptability, and security. It's not just for network security, though: we also want to use state-of-the-art technology and network protocols that are easily understood by IT.
 
Here are some reasons why Sennheiser might transition to Restful API for network security:

  1. Scalability: Restful APIs are stateless, providing a scalable alternative to other protocols that may keep connections open for longer periods. Being stateless also means that even if a connection is interrupted, it doesn't affect the overall system stability.

  2. Interoperability: Restful APIs work seamlessly with HTTP/HTTPS protocols, allowing Sennheiser's systems to interface with various disparate technologies and platforms. Such interoperability enhances compatibility and can benefit Sennheiser in terms of integrating their network systems with external partners or technologies. 

  3. Enhanced Security: REST API allows Sennheiser to leverage the built-in security mechanisms in HTTP/S, such as TLS and SSL encryption, thereby helping to secure data transmission. Moreover, by adopting various strategies (like API keys, OAuth, JWT for Authentication and Authorization), they can further enhance their API's security. 

  4. Easy Integration and Testing: Restful APIs use standard HTTP protocol methods, making it straightforward to test and integrate with development work. An interface like Swagger or Postman can interact with APIs, simplifying their maintenance and testing. 

  5. Flexibility: Restful APIs return data in a format like JSON, which is easy for applications to parse and use, and it's human-readable. This flexibility can streamline the handling of data transmission and encapsulation across Sennheiser's network, enhancing overall efficiency.

It should be noted that while Restful APIs can enhance security, they are not immune to potential threats such as SQL injection or Cross-Site Scripting (XSS). Security measures, including additional security layers, should be rigorously implemented and regularly updated to safeguard against possible vulnerabilities.
 
Regarding Sennheiser Interoperability, what does this mean for us?  
 
In claiming to be agnostic, we at Sennheiser Business Communications are taking care of the following:

  • Strategic alliances and partnerships with the top manufacturers in the AV business.

  • Providing proven and tested plug-ins, drivers and modules to allow an easy integration of Sennheiser devices into other manufacturers' ecosystems (e.g., Crestron, Q-SYS etc.).

  • Testing of partner solutions to secure a common experience for end users (e.g., Camera Tracking).

  • Providing a well-documented and open API to give everybody the chance to customize interoperability to their needs and on their platforms and hardware. https://www.sennheiser-sites.com/responsive-manuals/en/api-docs/ 
 
You can find an informative video from IBM Cloud explaining Restful API here. 
 
 
Sennheiser Sound Control Protocol v2 
 
With the introduction of the Team Connect Ceiling Medium (TCC M) microphone as well as the new TC-Bar Medium and TC-Bar Small, we also introduced a completely new API called Sennheiser Sound Control Protocol Version 2 – SSCv2. It is an encrypted REST API allowing the user to control the device using widely accepted HTTPS commands.  
 
 
What are the differences between SSCv1 and SSCv2: 

SSCv1 

  • On most devices only UDP (Port 45) connections are possible; on some (e.g., TCC 2 and MCR) TCP is available as an add-on. Why port 45? Simply, Sennheiser was founded in 1945.

  • No secured connection and communication.

  • JSON formatted commands but not standardized between the product groups. 

  • Same access level for all users. 
 
SSCv2 

  • Only HTTPS (Port 443) with a TLS 1.2 connection is available.

  • End to end security in connection and communication.

  • JSON formatted standardized commands over all products. 

  • Different access levels for Cockpit and 3rd party control.

  • Uses well-known IT standards such as REST API / OpenAPI and Server-Sent Events based subscriptions.
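When migrating a site from SSCv1 to SSCv2, it helps to know which devices still exchange unsecured control traffic. The following added example (not Sennheiser code) classifies flow records by the ports named above; the CSV column names, the sample addresses and the function names are assumptions, and the flow data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records, e.g. exported from a firewall or switch.
# The column names are an assumption for this example.
SAMPLE_FLOWS = """device_ip,proto,dst_port
10.20.0.11,udp,45
10.20.0.11,udp,45
10.20.0.12,tcp,443
10.20.0.13,UDP,45
10.20.0.13,tcp,443
10.20.0.14,tcp,80
10.20.0.15,udp,not-a-port
"""


def classify(proto: str, port: int) -> str:
    """Map a flow to the control channel the article describes."""
    if proto == "udp" and port == 45:
        return "SSCv1"            # unsecured JSON commands over UDP port 45
    if proto == "tcp" and port == 443:
        return "SSCv2-candidate"  # HTTPS; the TLS version needs a separate check
    return "other"


def audit(flow_csv: str) -> dict:
    """Return, per device, the sorted list of control channels observed."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            port = int(row.get("dst_port") or "")
        except ValueError:
            continue  # skip malformed records instead of aborting the audit
        proto = (row.get("proto") or "").strip().lower()
        seen[row.get("device_ip") or "unknown"].add(classify(proto, port))
    return {ip: sorted(kinds) for ip, kinds in seen.items()}


def legacy_devices(report: dict) -> list:
    """Devices that still show unencrypted SSCv1 control traffic."""
    return sorted(ip for ip, kinds in report.items() if "SSCv1" in kinds)
```

A device that appears under both labels, such as 10.20.0.13 in the sample, is mid-migration: the port 45 traffic stays unprotected until the remaining SSCv1 controller is retired.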
 
Why Sennheiser is changing our API  
 
Our motivation for changing the API came from the growing demand for security, mostly in corporate and higher education projects. Furthermore, because our product family is growing (e.g., TC Bars and more), we wanted to offer a state-of-the-art API that allows users to implement the product in every IT environment.
 
Our goal is to gradually switch the Business Communications portfolio to the new protocol, including some legacy products. We want to make your work with SSCv2 and our devices as secure and easy as possible. Sennheiser offers a comprehensive API documentation page here.
 
As always, the Sennheiser Technical Application Team wants to hear your thoughts on how we could make life easier, along with any wishes or concerns regarding network communications and control.
 
Glossary 

API (Application Program Interface): A set of protocols, routines, and tools for building and interacting with software applications. It specifies how software components should interact, enabling different software applications to communicate with each other efficiently.  
 
DDoS (Distributed Denial of Service): A type of cyber attack that aims to overwhelm a machine or a network resource with traffic from multiple sources, making it unavailable to its intended users. 
 
DoS (Denial of Service): A cyber attack that seeks to make a machine or a network resource unavailable to its intended beneficiaries by disrupting the services of a host linked to the internet. 
 
HTTP (Hypertext Transfer Protocol): A protocol used for sending and receiving files, including web pages on the internet. It defines how messages are formatted and transmitted and what actions web servers and browsers should take in response. 
 
HTTPS (Hypertext Transfer Protocol Secure): An advanced and secure version of HTTP. It uses SSL/TLS protocols to provide encrypted and secure communication, protecting data integrity and confidentiality. 
 
JWT (JSON Web Tokens): A compact, URL-safe method of transferring claims between two parties. JWTs are often used to authenticate users and exchange information, with tokens being signed using a secret key or a public/private key pair. 
 
RESTful (Representational State Transfer): An architectural style for creating web services. RESTful systems typically communicate over HTTP, using verbs such as GET, POST, PUT, DELETE to operate on resources. 
 
SSL (Secure Sockets Layer): A security protocol for establishing encrypted links between a web server and a browser in online communication. It ensures private and secure transmission of sensitive data over a network. 
 
TCP (Transmission Control Protocol): A core transport-layer protocol that allows hosts to establish a connection and exchange flows of data in a reliable, order-preserving and error-checked manner, guaranteeing delivery of packets between devices.
 
TLS (Transport Layer Security): A cryptographic protocol that provides secure communication over a network. TLS is the successor of SSL and incorporates improved encryption algorithms and enhanced security. 
 
UDP (User Datagram Protocol): A communication protocol used across the Internet for time-sensitive transmissions such as video playback or DNS lookup which can afford some packet loss. Its simplicity provides speed