Pass or fail: The out-of-the-box experience

Part two of the three-part IP Best Practices series (expanded Web version)

For example, many networked physical security system deployments are done using unmanaged network switches. These are switches can't report their health or status to network monitoring software. Thus if a camera's video stream is lost, someone has to physically go to the camera and to network equipment rooms to troubleshoot the problem. Many video systems are not set up with real-time video loss alarms, and not all cameras are closely monitored by personnel. This often results in problems going undiscovered for days, weeks or months -as many TV news stories report each year, including for two major airports this year.

Sound Engineering

The way that systems are designed and deployed must be done in a manner that highly facilitates their management and maintenance. This is not a new concept. In 1877 marine engineer Alfred Holt stated to a meeting of the Institution of Civil Engineers (referencing both the yet-unnamed "Murphy's Law" and best engineering practice):

"It is found that anything that can go wrong at sea generally does go wrong sooner or later.... Sufficient stress can hardly be laid on the advantages of simplicity. The human factor cannot be safely neglected in planning machinery. If attention is to be obtained, the engine must be such that the engineer will be disposed to attend to it."

This is what engineers in the IT domain have learned: that their equipment and networks must be designed and deployed so that technicians will be disposed (inclined) to attend to them. That can't be said, for example, for video deployments where "black video" goes undetected and unattended to for days, weeks or months, and where system setup and troubleshooting is complicated.

Security manufacturers, systems integrators and security consultants who do not take sound deployment factors into consideration, can't excuse themselves by saying or thinking that these are "new IT topics" that the physical security industry is just a little late in catching up on. As Alfred Holt's words indicate, these critical system success factors were known to systems engineers in the 1800's. In reality, the physical security industry is 200 years late in taking sound deployment engineering into account. It is only because the industry's customers are not engineers that the industry's comparatively low caliber of deployment engineering practice is commonly accepted.

To get a good look at best practices in a related industry, see the excellent white paper by TAC titled, "Smart Facility Automation Solutions for Regulatory Compliance". In particular look at pages 11 and 12 that deal with Good Automated Manufacturing Practice (GAMP). Nearly all of these practices apply to security systems. (Download from:

The point is that IT's design and operations practices are much more than an IT-specific way of doing things. They are universally sound engineering practices applied to information technology deployment.


Enterprise IT groups look to have systems and equipment that can be deployed quickly and accurately, with a minimal amount of effort, and that can be operated at low cost and low risk. IT groups have personnel who are assigned the task of evaluating candidate technology to see how they comply with these general requirements.

Evaluation Criteria

The first step in such an evaluation is informally referred to as judging the "out-of-the-box experience". What does it take to unpack, connect and "fire up" the system or device? What kind of problems can be anticipated? What are the general characteristics of its network traffic? How accurate and complete is the documentation?

The key question is: Will the product PASS or FAIL the out-of-the-box experience?

Most security industry manufacturers, integrators and consultants are surprised to learn what IT evaluators can conclude from the out-of-box experience. Tables 1 and 2 are charts showing some simple evaluation actions for networked appliances and end devices. It includes example conclusions that can be drawn, expressed in informal language, for the initial evaluation steps from opening the box to examining the documentation.

Most vendors and security practitioners have never heard of such an evaluation. Yet in July 2010 a Google search on the term out-of-the-box-experience returned 97.5 million results. These results include a wealth of product reviews, not limited to computer or network products, as well as two