Best practices for IP security systems

The first of a three-article series on securing networked systems


It is the twenty-first century. Computers are interconnected by a vast and sophisticated infrastructure that covers the world and beyond (our "common" GPS systems are satellite based - see the photo above). Thirty years ago, we were amazed to hear assertions that anything bigger than a toaster might eventually have a microprocessor in it. Today everything is networked - including your physical security technology infrastructure.

Due to the computer-based and networked nature of security systems and devices, the security of the technology itself has become an issue. Old assumptions no longer hold true. Aspects of systems that were previously never visible to the customer now are visible. Things never thought to be security holes - because they were never known to the "bad guys" - are now common knowledge. The convergence of Information Technology networks and Physical Security networks is upon us like a rising tide, and security practitioners and technologists need to be ready to deploy and operate technology in that kind of an environment.

This article's authors have begun sounding the cry to secure our security systems and their networks. Networks are complex webs of interconnections. We cannot keep thinking of them as a few "point-to-point" connections. Security systems networks interact with business networks that interact with the World Wide Web. How can we NOT think of security when our systems are connected in this way?

The figure from RAND Corporation below illustrates the three types of networks across which our corporate and world networks have evolved (purchase the research paper at: http://www.rand.org/pubs/research_memoranda/RM3420). Network type A depicts centralized networks - the kind used for analog video systems and older access control systems. Type B illustrates decentralized networks, the network architecture that initially most networked access control systems were deployed on. Type C is the distributed network architecture - the architecture of the Internet and of wireless networks - that we now find our security systems deployed on. This includes multiple satellite-based communications networks.

Our thinking for design and system operations must take into account the opportunities, requirements and threats that the new network situation presents. This also requires a new set of best practices for security system deployment.

Best Practices

Networks for physical security systems should be built and operated to the same standards as the data networks they stand among. Both networks are critical components of a modern enterprise-class network infrastructure. There is no reason that the computers, databases, switches and cabling we use to both enable and defend our physical security should be held to a lesser standard than any modern computing or networking device used for business information purposes.

The authors are among those who have decided that examining real security products in realistic deployment situations would be of critical benefit to understanding their requirements for sound deployment.

It is long past the time to establish some practical best practice standards for what kinds of network security should be used in our physical security systems. The "bad guys" have already decided that it is time to look at this attractive target (our security systems). It is high time we begin protecting it.

The Bp.IP Assessment Criteria

Most security products and systems are not designed and deployed with device and network security in mind. The authors have formed the Bp.IP initiative to advance best practices for soundly deploying IP security systems (www.BPforIP.com). We have identified a selected set of deployment criteria to use in establishing a "best practice" example. The point is to establish what we need to do for deployment - be it configuration tuning, compensating controls, or workaround procedures - to address these criteria in an effective manner. The criteria were selected to cover a reasonable but broad sample of enterprise-class networking features that can be judiciously applied to physical security solutions.

This content continues onto the next page...