Best practices for IP security systems

July 23, 2010
The first of a three-article series on securing networked systems

It is the twenty-first century. Computers are interconnected by a vast and sophisticated infrastructure that covers the world and beyond (our "common" GPS systems are satellite based - see the photo above). Thirty years ago, we were amazed to hear assertions that anything bigger than a toaster might eventually have a microprocessor in it. Today everything is networked - including your physical security technology infrastructure.

Due to the computer-based and networked nature of security systems and devices, the security of the technology itself has become an issue. Old assumptions no longer hold true. Aspects of systems that were previously never visible to the customer now are visible. Things never thought to be security holes - because they were never known to the "bad guys" - are now common knowledge. The convergence of Information Technology networks and Physical Security networks is upon us like a rising tide, and security practitioners and technologists need to be ready to deploy and operate technology in that kind of an environment.

This article's authors have begun sounding the cry to secure our security systems and their networks. Networks are complex webs of interconnections. We cannot keep thinking of them as a few "point-to-point" connections. Security system networks interact with business networks, which in turn interact with the World Wide Web. How can we NOT think of security when our systems are connected in this way?

The figure from RAND Corporation below illustrates the three types of networks across which our corporate and world networks have evolved (purchase the research paper at: http://www.rand.org/pubs/research_memoranda/RM3420). Type A depicts centralized networks - the kind used for analog video systems and older access control systems. Type B illustrates decentralized networks, the architecture on which most networked access control systems were initially deployed. Type C is the distributed network architecture - the architecture of the Internet and of wireless networks - on which we now find our security systems deployed. This includes multiple satellite-based communications networks.

Our thinking for design and system operations must take into account the opportunities, requirements and threats that the new network situation presents. This also requires a new set of best practices for security system deployment.

Best Practices

Networks for physical security systems should be built and operated to the same standards as the data networks they stand among. Both networks are critical components of a modern enterprise-class network infrastructure. There is no reason that the computers, databases, switches and cabling we use to both enable and defend our physical security should be held to a lesser standard than any modern computing or networking device used for business information purposes.

The authors are among those who have decided that examining real security products in realistic deployment situations would be of critical benefit to understanding their requirements for sound deployment.

It is long past time to establish practical best-practice standards for the kinds of network security that should be used in our physical security systems. The "bad guys" have already decided that it is time to look at this attractive target (our security systems). It is high time we begin protecting it.

The Bp.IP Assessment Criteria

Most security products and systems are not designed and deployed with device and network security in mind. The authors have formed the Bp.IP initiative to advance best practices for soundly deploying IP security systems (www.BPforIP.com). We have selected a set of deployment criteria to use in establishing a "best practice" example. The point is to establish what we need to do for deployment - be it configuration tuning, compensating controls, or workaround procedures - to address these criteria effectively. The criteria were selected to cover a reasonable but broad sample of enterprise-class networking features that can be judiciously applied to physical security solutions.

This is the first of a series of articles that will present best practice approaches, using actual products and systems and realistic deployment situations. The next article will present a set of assessment criteria for determining what constitutes a "best practice deployment," and explain each assessment criterion's reason and value. The third article will present our first best practices demonstration testbed, and how to securely deploy the array of leading products tested even though the products were manufactured independently, without the manufacturers collaborating on secure high-performance deployment.

About the Authors

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), and a regular columnist for Security Technology Executive.
James Connor is founder and CEO of security technology consultancy N2N Secure, a security consulting firm specializing in migration of analog to converged IP-based Physical and Logical security solutions. He is the former Senior Manager of Global Security Systems for Symantec Corp.
Rodney Thayer is an independent network researcher focusing on network attack and defense issues as they relate to business infrastructure. Current security research (exploit development) includes product and infrastructure evaluations, and training/lecturing on computer security topics. Mr. Thayer's background is in engineering, deployment and evaluation of computer and network security solutions. He has participated in the authoring of IETF standards, written product reviews for trade publications, taught at venues like RSA and Black Hat, played Capture The Flag at Defcon (on a winning team), and has consulted for large and small enterprises and Infrastructure Operators.