Sound deployments for IP Security Systems

Part three of the IP Best Practices series includes an assessment of popular access control and video surveillance products


While monitoring for video loss is an important video software feature, network cameras should also have network monitoring applied. Some network cameras can have their passwords and IP addresses reset to the default by pressing the reset buttons. The default IP addresses and the camera reset procedures are published on the Web for most major brands.

Simply pressing a reset button to cause an IP address reset may take the camera out of the subnet that it is on. It takes knowledge of the default IP address to find it again (as it is has moved to a different logical network segment). Where a fixed IP addressing scheme is in use, resetting multiple cameras to the same default IP address can take all but one off the network due to the IP address conflict.

In a well-managed network, there is logged network activity resulting from a network camera reset. Log messages including "device offline" and "IP address conflict" would be reported by the network management software. The nature of the messages can provide indications of the type and location of trouble.

Access Control Server Software

Access control servers can be vulnerable to cyber attacks. See the May Convergence Q&A Column titled "The Security World Has Changed" for a description and reference information on the access control system attack that was documented at CarolinaCon, an annual hacker's conference in North Carolina. Vulnerabilities are specific to each access control server, but some vulnerabilities are not brand-specific and apply to many brands.

For example, a number of access control systems require that one specific password be used for the SQL Server database, and all systems use the same database password. Sometimes the passwords are contained in the installer or user manuals downloadable from the vendor's Website. This makes it possible for anyone with basic database knowledge - and any brand's password - to access any access control databases of that brand. Such access can often be accomplished across the network - physical access to the server is not necessary.

Where database passwords can be changed, many integrators leave the default password in place or use the same password for all of their customers, to keep things easy for the service technicians. Passwords should be changed when technicians leave employment, but that does not happen in these situations. Integrators should be asked about their approach to password management, and the response should be considered during integrator selection.

Access Control Equipment

Access control equipment (control panels, system controllers, door controllers, IP readers - various items that provide the hardware-based distributed intelligence) can be vulnerable to outside network interactions, including intentional attacks.

Additionally, some systems introduce proprietary "plug-and-play" traffic or device discovery traffic that can appear to be an attack to some types of network monitoring software. Some systems provide DNS server functionality (to enable automatic IP addressing), and there must only be one such DNS server on any network segment. Using a subnetwork will isolate such network traffic from other systems and devices on the enterprise network.

State of Practice

High-caliber consultants and integrators attend to many of these issues, but often do so without educating clients and customers about the protective measures, and without documenting them sufficiently. Some integrators give little attention to these issues.

Security system designs should include a computer and network security plan, which addresses sound deployment practices appropriate for the specific types and brands of software and hardware being deployed. Where vendors have recommended specific hardening practices or options, those that are being applied should be referenced in the plan. Where no vendor recommendations are available, an IT evaluator should examine the system or device (this can be done during a Proof of Concept test), to determine which network practices and protective measures should be applied and included in the plan.

Editor's Note: Read the full three-part IP Best Practices series in the STE magazine archives at SecurityInfoWatch.com/magazine/ste/archives.

About the Authors