Integrating access control with other IP-based technologies

About 35 years ago, access control systems emerged on the market as customized microprocessor-based host processors connecting to field panels (multiplexors or data gathering panels) and, from there, to field devices such as card readers and electric locking devices. More advanced security systems might include change-of-state (binary) devices such as door position switches, request-to-exit devices and other point and volumetric intrusion detection equipment. Anything more sophisticated, such as analog inputs, required custom systems and software - typically mounted on DEC PDP platforms.

Things have definitely changed dramatically for security end-users since then. With the advances in IP-based technologies, end-users are now able to integrate many different technologies and devices into a common access control system.

Old School

In the past, field devices were hardwired to access control panels and the panels communicated to the host processor via serial data transmission on dedicated copper or via modems on POTS (Plain Old Telephone Service) lines at 100 baud or 100 bits per second (300 baud if you had a fast system). To put these data rates in perspective - at 100 baud, it would take about one second to send the word "transmission." This compares to today's data rates measured in Gigabits per second - a 1 gigabit/sec rate would send this complete article 10,000 times in one second.

The low transmission rates back in those bad old days meant that data packets had to be kept short. An alarm signal would consist of a channel number and a panel number while an access control transaction sent the card number with reader/channel and panel number. The time and date stamp might be generated by the panel or at the host. A two- to three-second delay between a card read and a door unlocking was considered acceptable.

While audio transmits well on POTS lines, video was virtually impossible over voice-grade lines until the advent of Slow-Scan about 20 years ago when single-frame, low-resolution, black-and-white shots could be sent every few seconds - usually on dedicated lines. This ushered in volumetric intrusion detectors with built-in cameras that could transmit a series of still shots over the alarm lines to help reduce false alarms by identifying the cause of an alarm. However, the quality of the video was far from optimum and carefully designed scene lighting was needed to provide any chance of recognizing any perpetrators.

Although line-of-sight, long-distance video signals from analog cameras can also use infrared or microwave transmission, home run coaxial cable was the norm - achieving distances close to 1,000 feet using heavier cable (RG-11U). Unshielded twisted pair (UTP) cable, using active baluns, is another solution; UTP can achieve video transmission from analog cameras up to 1.5 miles.

Network Development

The bandwidth (transmission rates) available on today's local and wide area networks (LANs & WANs) has opened up the floodgates for security applications. It started slowly with IP-addressable access control panels connected via network switches to the corporate LAN to eliminate the duplication of "trunk" cabling to the security system "host" (server). And connection of the security system server to the WAN provided inexpensive global connections via the Internet and Virtual Private Networks (VPN).

Next followed the introduction of digital video recorders (DVRs) to replace those dysfunctional (by today's standards) VCRs and provide integrated video switching and display. Video signals were still analog and required conversion to digital through an encoder, but with the addition of a network card, the DVR became IP-addressable and its digital content could be made available on the network for other administrative workstations (PCs). The network connectivity of the DVR also made for better interactive communication with the access control system.

Pushing Access Control to the Edge

The next development was to push out to the "edge." IP-addressable single door controllers (SDCs) are a natural extension of distributed processing. The small control panel accepts inputs from all of the door devices: credential reader, electrified lock, door position switch and request-to-exit device. Only a single CAT-5 or higher cable is required to connect the panel to a network switch in the nearest data closet (cable length is restricted to 300 feet). With Power-over-Ethernet (PoE) incorporated into the switch, the panel and its connected devices get power on the same CAT cable.

There are a couple of caveats to using PoE to power the electric lock. Power is limited - the latest standard provides for 25.5 watts at the powered device (42-57 VDC at 600 mA). Additionally, many local authorities having jurisdiction (AHJs) require a UL-approved lock power supply and/or a direct connection between an approved fire alarm system relay and the lock power for doors in the path of egress.

It can be argued that the IP-addressable single door controller is not an edge device - the door devices themselves are at the real "edge." Now credential readers (magnetic stripe, proximity, smart card and biometric) are available in IP-addressable form for direct connection to the corporate LAN via a network switch. IP-addressable locks - the integrated hotel-type units with wireless network transmission - are also already on the market. An IP-addressable PoE motion sensor may make sense (particularly if sensitivity adjustments can be made remotely), but an IP-addressable door position switch may be pushing it over the edge! People joke about an IP-addressable refrigerator in your home, but many components in your new car already connect on a data network.

With the ever-increasing power and miniaturization of electronic components, and the reduction in component costs, the IP-addressable single door controller can contain almost all of the functionality of panels that talk to multiple doors. Indeed, a group of SDCs can be addressed directly by an Internet browser for both configuration and access/alarm transaction annunciation. The middleman - the access control system host or server - is no longer needed in a small, simple access control system. Larger and more sophisticated systems still need a host or controller to provide global functions, such as anti-passback, and to interface with other security subsystems.

Video at the Edge

IP cameras are real edge devices and, despite their cost, their popularity has grown tremendously over the last few years. Cameras are a natural candidate for PoE since they consume very little power - even dynamic (PTZ) camera units can be powered with PoE. However, environmental considerations - including the need for powered accessories (such as heaters, wipers and blowers) and the need to isolate the network from lightning - may restrict exterior applications.

In the past, a camera simply grabbed video data from its sensing element, converted it to the required format and transmitted it to the Command Center for any additional analysis and processing. The IP camera now has huge processing power with the ability to perform behavioral video analysis to transmit only selected content, to transmit multiple data streams in different formats, and even to store video data for future processing. And all of this can be configured, adjusted, selected and viewed through the Internet browser on your PC - with suitable password protection, of course.

Another benefit to IP camera processing power is reduced bandwidth requirements. However, this reduction is leading to the use of higher-resolution images to improve the identification and recognition of aberrant behavior and its perpetrators. Digital video systems still require large measures of bandwidth, and, although many business and educational entities are implementing multi-gigabit networks, negotiation with the IT department and, possibly, the development of a dedicated video network may be needed.

DVRs were PC-like units with encoders (to convert analog video to digital), software (to control display, storage and playback) and a lot of disk space (for video archiving). Network Video Recorders (NVRs) and Video Management Systems (VMS) accept video data from IP cameras directly across the network and require no encoders (except for existing legacy analog cameras). The video storage hardware is now separated from the VMS and also sits on the network as Network Attached Storage (NAS) or Storage Area Network (SAN). It is shared by all the video channels/cameras (rather than, for example, "up to 16 channels" as with each DVR), which optimizes the use of storage space. In addition, corporate-wide, IT-controlled data storage can be used instead of dedicating hardware to the VMS.

Voice over IP (VoIP)

We tend to think of VoIP as related to office or home voice systems, but audio intercom and emergency call box systems now use IP-addressable handsets or push-to-talk panels. Similarly, video intercom systems are now available as IP-based solutions with the master station software loaded on a PC.

Wireless IP

Wireless networking solutions are everywhere from the hotel lobby to the internet café, and now on board your favorite airplane. While these systems stress the mobility of the user, the more common application in security is to bridge a road or a paved area, such as a parking lot, where trenching would be impractical.

As long as power is available in some form (e.g., lighting pole, solar panel, wind turbine, battery), data transmission for access, audio and video is easy to achieve; however, special consideration needs to be given to the security of the data being transmitted, for example encryption, since signal interception is not difficult.

Command and Control

IP technology offers many benefits and its (almost) plug-and-play nature simplifies some aspects of its installation and maintenance. However, the addition of IP security devices to an existing network requires negotiation with those responsible for the network - the IT staff. Their agenda may be very different from that of security and their standard operating procedures usually add some overhead costs to a project. They will want to ensure adequate firewalls and both machine hardware and operating system (OS) compatibility with their standards.

Some IT staff view security as a simple add-on to their responsibilities and believe that they can buy components and devices online and install them themselves. However, they may lack the skill-set and experience to understand the applications and features required for optimum performance. For example, it is possible to buy a box of eight IP cameras and a DVR online for less than $1,000, but the image quality is poor and the IT person often does not know where to mount the camera to avoid contrast problems.

It is the security department's responsibility to acquire the skill-set needed to understand the new technology, discuss with IT those features that IT controls and coordinate implementation of the IP project such that security standards are adhered to and security maintains ownership of the application.

David G. Aggleton, CPP, CSC, is president and principal consultant of Aggleton & Associates, Inc., located in New York. He has been practicing in the security system design and implementation field for over 30 years and for more than 500 projects. Most current projects include networked security devices. He can be reached at