Fredrik Nilsson is general manager of Axis Communications and an authority on IP surveillance.
[Editor's Note: This is the seventh in a series of articles that is being published jointly between Security Technology & Design and SecurityInfoWatch.com. This article originally appeared in the August issue of Security Technology & Design; earlier articles appear on the website and are linked at the bottom of this article.]
Networks allow devices such as network cameras, servers and PCs to communicate with each other, sharing information and, in some cases, a common Internet connection. Network designs can take many forms and vary in terms of performance and security.
It is useful to think of building a network as a layering process, beginning with the physical cabling configuration and connections. The number of cameras, the physical environment, the sensitivity of the application, and the protocols and software will impact the operation of the IP surveillance network.
Types of Networks
Networks can be local area networks (LANs), metropolitan area networks (MANs) or wide area networks (WANs). Each network covers a progressively larger area. For example, LANs exist within a building or company, while MANs could cover a campus or city center. WANs cover the largest areas-anything from multiple distant areas to the entire world. WANs often connect several smaller networks, such as LANs and MANs. The largest WAN is the Internet.
Basic Network Layout
Networks are made up of cabling such as Ethernet or fiber, and equipment such as servers, routers and hubs. There are many ways to physically lay out networks, but the main four designs are bus, ring, star and mesh. You can determine the right layout for any IP surveillance system by considering requirements such as redundancy, cost and number of cameras.
Bus: A bus network connects each device to a main cable or link called "the bus," creating a simple and reliable network configuration. If one device fails, the rest can still communicate with each other, unless the bus itself is broken. This setup is most often found in older LANs.
Star: Star is the most popular topology used in LANs today. In star networks, all devices are directly connected to a central point. If one device is disconnected or crashes, none of the others will be affected. However, if the central switch goes offline, the entire network could fail. This makes it important to build redundancy into the system.
Ring: In a ring network, devices are connected in a closed loop, meaning that adjacent devices are directly and indirectly connected to other devices. MANs and WANs often use ring configurations, but this design can be used for LANs as well.
Mesh: Mesh networks come in two varieties: full and partial mesh. In a full mesh network, devices are connected directly to each other. In partial mesh, some devices are connected to all the others, while some are connected only to those with which they exchange the most data. Mesh networks are becoming popular as the use of wireless technologies grows.
Wired and Wireless Options
Network devices can be connected over wires or wirelessly. Ethernet cabling provides a fast network at a reasonable cost and is the primary medium for most existing IT infrastructures. Ethernet connections-which resemble phone jacks-are usually integrated into network cameras and video servers, making it easy to connect them to the network.
Fast Ethernet is the most common standard used in computer networks today. It supports a transfer rate of 100 megabits per second (Mbit/s). Gigabit Ethernet (1000 Mbit/s) is the current standard endorsed by network equipment vendors and is used primarily in backbones between network servers and network switches. The upcoming standard is 10 Gigabit Ethernet (10,000 Mbit/s), which will soon be incorporated into network backbones. IP surveillance systems work with all of these standards, so as networks become faster, they will be able to support higher-quality video.
Another benefit of Ethernet cabling is Power over Ethernet (PoE), which powers devices through the network cables. This eliminates the need to install power outlets at camera locations and enables a more continuous power supply.
Sometimes a non-wired solution is beneficial, particularly for buildings where cable installation will damage the interior, or where cameras will be regularly moved. Another common use of wireless technology is to bridge two buildings or sites without expensive and complex ground works. Wireless LANs are available in a number of well-defined standards that allow for vendor neutrality. The most common standard is 802.11g, which provides higher transfer rates at greater distances than 802.11a and 802.11b.
New or Existing Network?
With all of these networking options available, it is sometimes difficult to determine whether to run IP surveillance on an existing network or to build a new network dedicated to security and surveillance needs.
Today's LANs typically offer plentiful bandwidth, with network switches providing 100 Mbit for each device connected on the network. Since network cameras can consume anywhere from 0.1Mbit to 8 Mbit, some precaution is needed to ensure the network video system will operate as intended. Depending on the number of cameras and required frame rate, three options are available:
1. Dedicated Network. Professional surveillance applications may benefit from a dedicated network in which the IP surveillance system has its own dedicated switches that are connected to a high-capacity backbone (see Figure 1). Dedicated networks handle video traffic more efficiently, without slowing down other general-purpose network applications like voice over IP or file sharing. In addition, keeping the surveillance network separate and disconnected from the Internet will make it as secure as-or more secure than-any local CCTV system. Dedicated networks are preferable in very sensitive applications, like those in casinos or airports, and for systems requiring high frame rates and more than 50 cameras.
2. Combination Network. In some cases, it might make sense to implement a dedicated IP surveillance network in conjunction with a general-purpose network. Video can be recorded locally and isolated to the dedicated network, except when a viewer on the general-purpose network wants to access it, or when an event triggers video to be sent to a user on the general-purpose network (see Figure 2). Because access to video using the general-purpose network (and the extra load it causes) is temporary, it makes sense to have the two networks work in combination.
3. Existing Network. When there is enough capacity on the network and the application doesn't require heavy security, you may simply add network video equipment onto the existing network. You can further optimize your network using technologies such as virtual local area networks (VLAN) and quality-of-service (QoS) levels.
A VLAN uses the existing LAN infrastructure but separates the surveillance network from the general-purpose network. The router/switch is configured to provide a range of IP addresses with assigned features. In Figure 3, the router/switch manages the IP addresses, bandwidth and security allocated to users on VLAN A (with access to video) and VLAN B (general purpose traffic). No matter where users might physically be, all those on VLAN A will have access to the video while those on VLAN B will not.
QoS ensures that bandwidth will be available for surveillance equipment on the general-purpose network by setting priority levels for specific ports on a switch. Connections to network cameras and storage servers can be set at high priority, while desktops can be set for low priority to ensure that bandwidth is always available for critical surveillance video.
Once your network layout is established and your devices are connected, information will be transmitted over the network. Transmission Control Protocol/Internet Protocol (TCP/IP) is the most common way to transmit all types of data. It is the protocol used for nearly every application that runs over a network, including the Internet, e-mail and network video systems.
TCP/IP has two parts: TCP breaks data into packets that are transmitted over the Internet and reassembled at the destination. IP is the address that enables the packets to arrive at the correct destination. For identification and communication purposes, every device on the network needs a separate IP address.
After the network is set up, it is critical to consider how much information will pass over the network and the contingency plan if critical components fail.
The amount of bandwidth required is dictated by the amount of information passing through your network. In general, avoid loading a network to more than 50 percent capacity, or you risk of overloading the network. When building a new network or adding capacity to an existing network, build in 30 to 40 percent more capacity than calculated. This will provide flexibility for increasing use in the future. Bandwidth calculators-available free on the Internet-will analyze your bandwidth and recommend an appropriate capacity.
With the success of the Internet, securing networks has become a mandate. Today there are several technologies available, such as virtual private networks (VPNs), SSL/TSL and firewalls.
A VPN creates a secure tunnel between points on the network, but it does not secure the data itself. Only devices with the correct access "key" will be able to work within the VPN, and network devices between the client and the server will not be able to access or view the data. With a VPN, different sites can be connected together over the Internet in a safe and secure way.
Another way to accomplish security is to apply encryption to the data itself. In this case there is no secure tunnel like the VPN, but the actual data sent is secured. There are several encryption techniques available, like SSL, WEP and WPA. (These latter two are used in wireless networks.) When using SSL, also known as HTTPS, a certificate will be installed in the device or computer that encrypts the data.
A firewall is designed to prevent unauthorized access to or from a private network. Firewalls can be hardware or software, or a combination of both. All data entering or leaving the intranet passes through the firewall, which examines it and blocks data that does not meet the specified security criteria. For example, using a firewall, one can make sure that video terminals are able to access the cameras while communication from other computers will be blocked. Some network cameras have built-in IP address filtering, a basic form of firewall that only allows communication with computers that have pre-approved IP addresses.
Network video systems can take a number of different forms depending on the requirements of the individual installation. No matter what form your network takes or what elements you choose to deploy, it is important to work with a well recognized and reliable vendor to ensure all components work well together and you have maximized the system's functionality.
About the author: As the general manager for Axis Communications, Fredrik Nilsson oversees the company's operations in North America . In this role, he manages all aspects of the business, including sales, marketing, business expansion and finance. He can be reached via email at Fredrik.Nilsson@axis.com.