Sound deployments for IP Security Systems

Part three of the IP Best Practices series includes an assessment of popular access control and video surveillance products


Basic findings and recommendations are provided in summary form below, in the following categories: Video Server Software (VMS, DVR, NVR, video analytics software and related network storage servers and appliances); Video Cameras (network video cameras or analog cameras with network encoders); Access Control Server Software; and Access Control Equipment (controller panels, intelligent readers).

In the space of this article, it is not feasible to provide a complete examination of each type of finding and related sound deployment practice. This article is intended to introduce evaluation criteria commonly used in evaluating enterprise networked systems and devices, and provide some rationale for applying them to security system computers and devices.

A key recommendation for all networked security systems is to put the computers and devices on a dedicated private subnetwork, which provides logical separation of network traffic running on the same physical cable (see the Wikipedia topic: Subnetwork). This improves network performance and helps make sure the systems and devices have a stable environment to operate in without interference from any other network traffic sources.

Security systems, like any other server-based software systems, have backup and restore requirements, and the typical infrastructure requirements for power, heat dissipation (heat is what shortens the life of many DVR/NVR hard drives), and server software maintenance. The systematic application of maintenance upgrades is a practice taken for granted in the IT networking world; in the physical security world it can require extra effort to obtain version information and to learn what mechanisms exist to manage the application of updates to servers and devices in a large system.

Video Server Software

The broad category of "video servers" includes the VMS (Video Management System, which is software on a server), DVR (Digital Video Recorder), NVR (Network Video Recorder), Hybrid NVRs (NVRs that support both analog and network cameras) as well as video analytics software.

Some systems are Windows-based machines, as mentioned earlier in this article, and have specific vulnerabilities, and some are proprietary embedded systems that do not have the vulnerabilities of Microsoft Windows. Many brand-name DVRs and NVRs, although they function as servers, use desktop versions of the operating system (Windows 98, Windows 2000 Professional and Windows XP).

Many (not all) are not capable of running anti-virus and other security software, as their processors are not sufficiently powerful to handle both video recording and any other significant task. Video servers inherit the vulnerabilities of their operating system; thus, they need to be kept current with operating system updates (patches) for the sake of system and network security. Some operating system video components, such as Windows DirectX, should have strict update hygiene applied for cyber-security reasons as well as performance reasons.

VMS software can make use of network or operating system features to obtain the strong authentication that should be required, for example, for remote login over the network. Where a vendor provides features that tie in to the underlying Windows or network login mechanisms, applications should be set up to use them. Where the network infrastructure provides one-time password support, it should be used.

For a high level of physical and logical authentication (such as for protecting server rooms and equipment closets), biometric authentication can be used to fortify access to specific doors, systems and applications.

Video Cameras

Many network video cameras use clear-text (unencrypted) transmission by default. Some cameras cannot sustain an encrypted connection at high resolutions and frame rates. In that situation, a dedicated management subnetwork or Virtual LAN (VLAN) is recommended as a compensating control, so that this sensitive video traffic is still kept private.

Most network cameras (and network encoders for use with analog cameras) support HTTPS (Hypertext Transfer Protocol Secure), which is HTTP carried over TLS/SSL (Transport Layer Security, the successor to Secure Sockets Layer; for more information see the Wikipedia entry for Transport Layer Security).
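As an added illustration (not from the original article or any vendor), the following Python audit checks a constructed device inventory against two of the practices above: the dedicated security subnetwork from the opening recommendations, and the rule for cameras and encoders that clear-text video is only acceptable when a dedicated VLAN compensates for the missing HTTPS. The subnet 10.50.0.0/24, the `Device` record and the finding codes are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the dedicated security subnetwork is 10.50.0.0/24 (a constructed value).
SECURITY_SUBNET = ipaddress.ip_network("10.50.0.0/24")

@dataclass
class Device:
    name: str
    kind: str                # "camera", "encoder", "vms", "nvr", "controller"
    ip: str
    https_enabled: bool      # video/management traffic is carried over HTTPS (TLS)
    on_dedicated_vlan: bool  # the switch port belongs to the security VLAN

Finding = Tuple[str, str]    # (finding code, human-readable message)

def audit_device(dev: Device) -> List[Finding]:
    """Check one device against the two practices; an empty list means it complies."""
    findings: List[Finding] = []
    if ipaddress.ip_address(dev.ip) not in SECURITY_SUBNET:
        findings.append(("OFF_SUBNET",
                         f"{dev.name}: {dev.ip} is outside the security subnet {SECURITY_SUBNET}"))
    # Clear-text video only concerns cameras and encoders; a dedicated VLAN is the
    # compensating control when the device cannot sustain TLS at full resolution.
    if dev.kind in ("camera", "encoder") and not dev.https_enabled:
        if dev.on_dedicated_vlan:
            findings.append(("CLEARTEXT_VLAN_ONLY",
                             f"{dev.name}: clear-text video; VLAN separation is the only protection"))
        else:
            findings.append(("CLEARTEXT_EXPOSED",
                             f"{dev.name}: clear-text video with no VLAN separation; enable HTTPS or move it"))
    return findings

def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant device name to its list of finding codes."""
    report: Dict[str, List[str]] = {}
    for dev in devices:
        codes = [code for code, _ in audit_device(dev)]
        if codes:
            report[dev.name] = codes
    return report

# Constructed sample inventory (not taken from any real installation).
SAMPLE_INVENTORY = [
    Device("cam-lobby", "camera", "10.50.0.11", https_enabled=True, on_dedicated_vlan=True),
    Device("cam-dock", "camera", "10.50.0.12", https_enabled=False, on_dedicated_vlan=True),
    Device("enc-garage", "encoder", "192.168.1.40", https_enabled=False, on_dedicated_vlan=False),
    Device("vms-01", "vms", "10.50.0.5", https_enabled=True, on_dedicated_vlan=True),
]

if __name__ == "__main__":
    for name, codes in audit(SAMPLE_INVENTORY).items():
        print(name, codes)
```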