Ten Steps to a Successful IP Surveillance Installation: Step 8

Step 8: Security


[Editor's Note: This is the eighth in a series of articles that is being published jointly between Security Technology & Design and SecurityInfoWatch.com. This article originally appears in the September issue of Security Technology & Design; earlier articles appear on the website and are linked at the bottom of this article.]

Nearly all network video installations transmit sensitive information that should be protected from unauthorized users and potential hackers. There are several ways to provide security within a wired or wireless network and between different networks and clients. Everything from the data to the use and accessibility of the network should be controlled and secured.

Today, IP surveillance systems can be made just as secure as those used by banks for ATM transactions. Network cameras and video servers are currently being used in highly sensitive locations such as the Logan Airport in Boston (see Case in Point, page 101) and by the largest ferry terminals in Alaska for homeland security purposes.

Secure Transmission

Some of the most common ways to secure communications on a network and the Internet include authentication, authorization, IP address filtering, VPNs and Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). Some of these methods secure the data as it travels over the network, while others secure the network path itself.

Authentication identifies the user to the network and is most commonly done by providing verifiable information like a username and password, and/or by using an X509 (SSL) certificate.

The 802.1X standard is a new port-based authentication framework available for even higher levels of security in a both wired and wireless system. All users' access requests are filtered through a central authorization point before access to the network is granted.

During authorization, the system analyzes the authentication information and verifies that the device is the one it claims to be by comparing the provided identity to a database of correct and approved identities. Once the authorization is complete, the device is fully connected and operational within the network.

IP address filtering is another way to restrict communication between devices on a network or the Internet. Network cameras can be configured to communicate only with computers at pre-determined IP addresses—any computer from an IP address that is not authorized to interface with the device will be blocked from doing so.

Privacy settings prevent others from using or reading data on the network. There are a variety of privacy options available, including encryption, virtual private networks (VPNs) and Secure Socket Layer/Transport Layer Security (SSL/TLS). In some cases, these settings can slow down network performance because data has to be filtered through multiple applications before it is accessed at its final destination. This could have a negative impact on the performance of an IP surveillance installation, which often requires real-time access to video.

A VPN uses a public infrastructure, such as the Internet, to provide secure access to a network from remote locations. A VPN secures the communication through security procedures and tunneling protocols like Layer Two Tunneling Protocol (L2TP), effectively creating a connection that is just as secure as a privately owned or leased line. The VPN creates a secure “tunnel” so that data has to be properly encrypted before entering the tunnel. Data that is not properly encrypted cannot enter the tunnel.

SSL/TLS—also known as Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)—encrypts the data itself, rather than the tunnel in which it travels. There are several different types of encryption, including SSL, Wireless Equivalent Privacy (WEP) and WiFi Protected Access (WPA) for wireless networks. When using SSL, a digital certificate can be installed from the server to authenticate the sender. Certificates can be issued locally by the user or by a third party such as Verisign.

This content continues onto the next page...