By Neal Bellamy, IT Director at Kenton Brothers
- Part 1 – Do we eat our own cooking? How the experts approach physical security.
- Part 2 – How does a security integrator design their own security systems?
In our last story, we designed an intrusion system for the new building. Now we need to design the other security systems including the network infrastructure security and capacity. Then we’ll look at different camera technologies and their uses.
You’re only as strong as your foundation:
All of our systems use the IT network as a foundation. It can often be overlooked and can easily be the weakness of any security system. We need to design a good, solid foundation so that the rest of the security systems can do their job.
There’s been a lot of press lately about systems being hacked. Multiple companies and products are continually being tested (like an electric fence in the velociraptor cage). The easiest and most secure way of protecting the devices from that testing is to separate them from the herd. By giving all the security devices their own network, and then channeling all access to that network through computers of your choosing, you seriously limit the number of devices that can be attacked. The IT security industry calls this idea the “attack surface”.
Limiting Access with Network Configuration
We’ll accomplish separating the network with VLANs (virtual LANs). A separate physical network is also acceptable. After we separate the networks, we will put rules into effect in the firewall between them to prevent anyone on the internet from getting directly to the cameras or access control controllers. While we’re at it, we’ll prevent the computers inside Kenton Brothers from getting directly to those devices too. If you need to get to the cameras, you have to go through the video server. As a result, the attack surface has been reduced to just the video and access servers. Of course, you still need to use best practices for security on the individual devices. All of your camera passwords should be unique and strong, firmware should be updated, etc., but we’ve added another layer of defense.
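The segmentation described above, modelled as a firewall allow-list. This is an added example, not Kenton Brothers’ configuration: the VLAN subnets and the two server addresses are placeholders, and the policy extends the text by also dropping anything the device VLAN tries to send toward the internet (default deny in both directions).

```python
"""Inter-VLAN policy for the security-device network described above.
Constructed for this example: subnets and server addresses are placeholders."""
from ipaddress import ip_address, ip_network

# Placeholder zones. Cameras and door controllers live only in "security".
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "office": ip_network("10.10.0.0/16"),    # staff workstations
    "servers": ip_network("10.20.0.0/24"),   # video and access servers
    "security": ip_network("10.30.0.0/24"),  # cameras, access controllers
}
# Only these two hosts may talk to the security VLAN (placeholder addresses).
DEVICE_MANAGERS = {ip_address("10.20.0.10"), ip_address("10.20.0.11")}
# Zone-to-zone allow-list; anything not listed is dropped, including
# outbound traffic from the security VLAN toward the internet.
ALLOWED = {("office", "servers"), ("servers", "security")}


def zone_of(addr):
    """Return the most specific zone containing addr (internet if none)."""
    ip = ip_address(addr)
    best = "internet"
    for name, net in ZONES.items():
        if ip in net and net.prefixlen > ZONES[best].prefixlen:
            best = name
    return best


def is_allowed(src, dst):
    """Decide whether a new flow src -> dst passes the inter-VLAN firewall."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True  # same VLAN: the firewall never sees it
    if (s, d) not in ALLOWED:
        return False
    # Even from the server VLAN, only the video/access servers reach devices.
    return d != "security" or ip_address(src) in DEVICE_MANAGERS


def nft_rules():
    """Render the same policy as an nftables forward chain with default drop."""
    lines = ["table inet seg {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             f"    ip saddr {ZONES['office']} ip daddr {ZONES['servers']} accept"]
    for host in sorted(DEVICE_MANAGERS):
        lines.append(f"    ip saddr {host} ip daddr {ZONES['security']} accept")
    return "\n".join(lines + ["  }", "}"])
```

`is_allowed` is the check to run against each flow you expect (and each you do not) before trusting the ruleset; `nft_rules` prints the equivalent nftables chain for review.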
Now that the network is secure, we need to make sure it is fast enough. Most people take for granted that their network is fast enough. Most office activity is relatively slow and puts little strain on the network. Every business is different, but our servers range from 0.2 Mbps to 3 Mbps of network utilization throughout the day.
A single 5 MP camera, depending on the frame rate and compression, might run close to 7-12 Mbps, and that traffic is there all the time. It doesn’t take too many cameras to bottleneck a gigabit switch or a server with only one network connection. By the way, like the speedometer on your car, just because the top speed is 1 gigabit, or 1,000 Mbps, doesn’t mean your switch will actually go that fast. Real-world results will vary.
Testing your network and server is always advised. I estimate that our 27 cameras will consume about 150-200 Mbps of bandwidth and will need about 20 TB of storage based on 40% motion. A couple of 24-port gigabit switches will work for us. I’ll still make sure the server has at least two network cards: one to receive the camera streams, and one to serve video to the clients. While our access controllers will also be on the network, bandwidth is hardly ever a concern for them. They can comfortably ride on the same network as the video.
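The sizing arithmetic behind the estimate above, as an added example rather than the author’s own spreadsheet. The camera mix (fifteen 5 MP units at 7 Mbps plus twelve lower-resolution units at 4 Mbps), the 30-day retention, and the 80% usable share of a gigabit link are assumptions; the 40% motion figure is the one quoted above.

```python
"""Bandwidth and storage sizing for the camera network described above.
Constructed for this example; camera mix, bitrates and retention are assumed."""
BYTES_PER_MEGABIT = 1_000_000 / 8
SECONDS_PER_DAY = 86_400


def inbound_mbps(camera_bitrates):
    """Continuous load on the camera-facing NIC: every stream arrives all the time."""
    return sum(camera_bitrates)


def storage_tb(camera_bitrates, motion_fraction, retention_days):
    """Disk needed when recording only on motion for retention_days.
    motion_fraction is the share of time the recorder is actually writing."""
    recorded_mbps = inbound_mbps(camera_bitrates) * motion_fraction
    bytes_per_day = recorded_mbps * BYTES_PER_MEGABIT * SECONDS_PER_DAY
    return bytes_per_day * retention_days / 1e12


def plan(camera_bitrates, motion_fraction, retention_days,
         nic_mbps=1000, usable_fraction=0.8):
    """Size the recording NIC and storage. usable_fraction discounts the
    nominal link speed because real-world throughput is below line rate."""
    inbound = inbound_mbps(camera_bitrates)
    return {
        "inbound_mbps": inbound,
        "nic_utilisation": round(inbound / nic_mbps, 2),
        "fits_one_gigabit_nic": inbound <= nic_mbps * usable_fraction,
        "storage_tb": round(storage_tb(camera_bitrates, motion_fraction,
                                       retention_days), 1),
    }


# Constructed site: 27 cameras, fifteen at 7 Mbps and twelve at 4 Mbps,
# recording on motion 40% of the time, kept for an assumed 30 days.
SITE = [7] * 15 + [4] * 12

if __name__ == "__main__":
    print(plan(SITE, motion_fraction=0.40, retention_days=30))
```

Because the camera streams never stop, `inbound_mbps` is the load the dedicated camera NIC carries around the clock; client viewing is served from the second NIC and is not included here.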
The right tool for the job
Next, we need to start picking cameras. We always believe you should pick the best camera for the job. While that might mean all of your cameras come from the same manufacturer, it’s not always the case. There are a few challenges we need to overcome in the new building. One is Wide Dynamic Range.
Wide Dynamic Range Cameras
We’ve talked about WDR before; it’s the ability of the camera to see where there is both bright light and dark shadow in the same view. This impacts us the most when the camera is inside but looking outside. Overhead doors, glass entrances, and parking garages all fit into this category. We need to make sure that the cameras looking outside have strong WDR. Most manufacturers offer multiple tiers of WDR. Typically the better WDR cameras are on the higher end.
We also have an area behind the building that is hidden from view. It’s pretty dark out there, so it might be a good application for some thermal imaging. Thermal cameras use temperature rather than light to form the image. They are great at detecting things, but not so great for identification. In our case, we’ll use one to sound an alarm when there is activity after hours. Adding lighting is just as important as picking a good camera, so we will do that as well. The lights won’t hinder the detection of the thermal camera, and will give the other cameras a better image, so it’s a win/win.
In areas that no one should be in after hours, we’ll deploy some analytic cameras. There are various levels of analytics, some detect groups of pixels in an area or crossing a line, but Avigilon actually classifies the object into categories like Person, Vehicle and other. This makes it easier to reduce false alarms due to swaying trees or a random cat walking into our field of view.
We’ll deploy those cameras at the back of the building and in high-value areas inside where we want to be notified of unusual activity. Analytic cameras can also be connected to monitoring centers, which can receive notifications and respond to any events. It’s worth noting here that analytics are awesome, but you have to have a good procedure to follow too. Having an area where no one should be is much easier to manage than “only if the guy looks suspicious”.
This gives us a good start on our security infrastructure and video security. Next time, we’ll talk about access control and intercoms!