SecurityInfoWatch




Home » Magazine Archives » November 2007

Security Technology and Design

Updated: March 5th, 2008 02:12 PM EDT

COMMENTARY: Access Control Best Practices

HID's director of technology examines ways to mitigate the vulnerability of physical access systems


By Michael L. Davis

Recent questions have been raised about the vulnerabilities of physical access control systems. Unfortunately, some critics with limited familiarity with the security industry have oversimplified the tradeoffs between the convenience and the security of access control systems. Some have actually sensationalized these accounts and, even worse, some have not presented the facts accurately.

One positive result of this attention is increased awareness of the need for a set of "Best Practices" to mitigate the risks of some of these "theoretical" attacks. This article will focus on the best practices that should be followed when choosing and installing access control readers. This information should be important to systems integrators, consultants, architects and engineers, and access control system end-users.

The most important concept to embrace in adopting best practices is that an effective security system uses "layered security." Simply put, this involves using additional safeguards to make sure that a security failure at one point will be detected at a successive point. For example, a home protected by a burglar alarm might use both glass break detectors and motion detectors to detect when an intruder gains illicit entry through a window instead of a door.

Choosing the Right Reader
There are a variety of reader technologies being offered by today's manufacturers, and it is important to make sure that the correct technology is chosen to match the desired level of security. Using a good/better/best grading system will help make the correct choice easier.

Proximity technology is a viable choice, especially for sites where there are existing prox cards in use. Contactless smart cards represent the next generation in prox technology, and they offer increased security as well as additional benefits such as multiple applications, read/write capability and increased memory. But some manufacturers, in an attempt to sell a "universal" reader capable of reading almost any contactless smart card technology, actually disable all of the security mechanisms in order to achieve their goal. These readers, referred to as "CSN readers," only read the card's serial number, which, as per ISO standards, must not be protected by any read security, since the reader needs it to detect when more than one card is presented at the same time. This process, referred to as "anti-collision," takes place before the card and reader mutually authenticate each other. Because the ISO specifications are publicly available documents, details of how this anti-collision process works can be used by a perpetrator to build a device to clone (simulate) the serial number of a contactless smart card.

Ranked from the lowest to the highest level of security provided, these three types of readers are CSN readers, prox readers, and then contactless smart card readers using mutual authentication.
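The gap between a CSN reader and a reader that uses mutual authentication can be shown with a simplified model. This is an added example, not part of the original article and not any manufacturer's or ISO-specified protocol: the class and function names, the HMAC-SHA256 challenge-response and the sample serial number are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stands in for whatever authentication the real card uses (assumption).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Card:
    """Toy credential: a public serial number (CSN) plus a secret key."""
    def __init__(self, csn: bytes, key: bytes):
        self.csn, self._key = csn, key
        self._pending = b""

    def anticollision(self) -> bytes:
        return self.csn  # sent in the clear to any reader, before authentication

    def prove(self, reader_nonce: bytes) -> tuple[bytes, bytes]:
        # Card answers the reader's challenge and issues its own.
        self._pending = secrets.token_bytes(8)
        return self._pending, _mac(self._key, b"card", self.csn, reader_nonce, self._pending)

    def accept_reader(self, reader_proof: bytes) -> bool:
        expected = _mac(self._key, b"reader", self.csn, self._pending)
        return hmac.compare_digest(reader_proof, expected)

def csn_reader(card: Card, enrolled: set[bytes]) -> bool:
    """CSN reader: the decision rests only on the unprotected serial number."""
    return card.anticollision() in enrolled

def mutual_auth_reader(card: Card, enrolled: dict[bytes, bytes]) -> bool:
    """Reader that requires proof of a shared key after anti-collision."""
    csn = card.anticollision()
    key = enrolled.get(csn)
    if key is None:
        return False
    reader_nonce = secrets.token_bytes(8)
    card_nonce, proof = card.prove(reader_nonce)
    if not hmac.compare_digest(proof, _mac(key, b"card", csn, reader_nonce, card_nonce)):
        return False  # device knows the serial number but not the key
    return card.accept_reader(_mac(key, b"reader", csn, card_nonce))

# Constructed sample data: both devices present the same serial number.
CSN = bytes.fromhex("04a1b2c3d4e5f6")
genuine = Card(CSN, secrets.token_bytes(16))
simulator = Card(CSN, secrets.token_bytes(16))  # same CSN, different (unknown) key
KEYS = {CSN: genuine._key}  # the access system's key store for enrolled cards
```

In this model the CSN reader cannot tell the two devices apart, while the authenticating reader accepts only the device that holds the enrolled key.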

Communications Protocol
A reader typically reads a card and sends the card data to another "upstream" device, which makes the decision as to whether or not the door should be unlocked. (Upstream devices include panels as well as host computers running the access control management software.) When the communication takes place using wires, there are many different methods to choose from. The most popular, and the de facto industry standard, is the Wiegand protocol, which became very popular because it is almost universally supported by reader and panel manufacturers. Although more modern protocols such as RS485, F/2F and TCP/IP offer more security in the communications, there is less interoperability between different manufacturers of readers and panels.
