This is part two of the second article in a series that explores the convergence of physical security technology and information technology, and its impact on security departments and IT departments, vendors and management. The term internetworking refers to the connecting of otherwise independent networks. This article examines some of the technical and organisational issues involved in connecting security networks with business networks, and how to avoid some common problems that plague such projects.
Addressing the issues
Properly addressing these issues requires active participation from IT in the security project. Involve IT at the initial concept stage. Brief them on all relevant aspects of the project, including the purpose and objectives, initial timetable and general approach. Do not make the mistake of thinking that it is just IT security personnel that must be involved. There are usually significant network design and evaluation tasks involved, in addition to network security.
Have security provide IT with a single-line diagram of the computers and network connections of the proposed security system, including all wireless devices. The drawing should show what kind of data will be sent between what computers (such as e-mail, video streams, reports of alarm history, data entry to enrol users), and any external systems interfaced, such as paging systems or radios. Identify the protocols that will be used for each type of security data to be carried on the network. When in doubt as to whether to include information, include it. If computers on the business network require access to the security system, include the business computers in the diagram as well. Identify those elements that are 'must-have' and those that are desirable but not absolutely necessary. Include the estimated bandwidth requirements for each network connection. You may have to consult with current or prospective vendors to get the information you need to determine the bandwidth requirements using scenario-based requirements assessment, for which I have included guidelines later in this article. Share the method used to estimate the security network bandwidth with IT.
Have IT determine how many of the internetworking requirements can be supported by existing network infrastructure, and what new infrastructure (if any) would be needed, along with ballpark estimates on the costs involved. Have IT present this information to security, and answer any questions that result.
Have IT provide a list of computer operating system, software and hardware standards, network standards, and network security standards (such as for remote access) with which any security system vendor must comply. Have the vendor review the requirements and incorporate them into any proposed system project.
Have IT provide a drawing of the network infrastructure that it will furnish for the security network and for the business network connections. The drawing should identify the type of each network segment (microwave, telephone company line, etc) and the maximum bandwidth capability of each segment.
Have the security system vendor verify the compatibility of security system network traffic with the proposed network infrastructure. This will require discussions with IT department personnel and perhaps also with vendors that provide the network technology to IT. If any incompatibilities are discovered, get together with IT, the security system vendor and the network technology vendors to explore the possible resolutions. Review the security project budget estimates and incorporate any new information provided by the IT and security vendors.
Review the security project schedule to make sure it takes into account the time frames for installing any network infrastructure that does not yet exist.
A significant amount of work is involved in most of these steps, especially for those who have not been through them before. While these are not necessarily all the information sharing steps that need to be taken, they are the major ones, and the remainder should fall out from these.
Security network bandwidth
Bandwidth is one of the most troublesome issues in internetworking projects. Bandwidth generally refers to the amount of information that can be carried in a given time period (usually a second) over a wired or wireless communications link. Any digital or analog signal has a bandwidth. The word originated as a reference to radio transmission signals.
Frequency band - or just band, for short - means a specific range of frequencies in the radio frequency spectrum. This spectrum is divided into ranges from very low frequencies to extremely high frequencies. Each band has a defined upper and lower frequency limit, which establishes its bandwidth. The wider the bandwidth, the more signals can be transmitted within the band, much the same as a wider highway can allow more cars to travel at the same time.
Frequency is measured in the number of cycles of change per second, or hertz. In analog systems, bandwidth is calculated as the difference between the highest-frequency signal component and the lowest-frequency signal component. The full range of the human voice is 300 Hz to about 5 kilohertz (kHz), which is a 4,7 kHz analog bandwidth. Most speech occupies a smaller portion of that range, giving typical voice signals a bandwidth of about 3 kHz.
In digital systems, bandwidth has come to mean the measure of the maximum data speed. Bits per second (bps) is a common measure of data speed for computer modems and computer data transmission carriers, and means the number of data bits transmitted or received each second. A network is often composed of multiple segments, each segment being one point-to-point wiring or radio connection between pieces of network equipment, or between network equipment and computers. Different segments can have different bandwidths, depending upon how much network traffic they are designed to carry.
For security networks that involve WAN connections, bandwidth requirements may have significant cost or network resource impacts. For example, telephone company-based connections have a recurring monthly cost. If the security network requires expanding the capacity of a telephone company connection, that will mean an increase in the monthly cost. Usually, one-time costs come from a capital budget while recurring costs come from an operations budget. These two budget categories are entirely separate, with entirely separate budgeting processes and revenue streams.
CCTV is the main reason security network bandwidth is an issue. An analog television broadcast video signal has a bandwidth of 6 megahertz (MHz) - 2000 times as wide as a voice signal. This provides an indication of why sending CCTV video streams over a network can use up all available network bandwidth, and why the capacity of standard telephone lines is insufficient for transmitting continuous video. The bandwidth requirements of video are much higher than either voice or computer data.
In addition, digital video management software makes it possible to view live and recorded video by computer over an Ethernet network, using a technique called video streaming. The larger the CCTV system, the greater the potential for multiple users to be viewing multiple cameras. Each camera requires its own data stream. Even with video data compression techniques, security-quality video can take up to 1 Mbps of bandwidth per camera, for each person viewing the camera signal. Multicast technology (routing a single video stream over the network to multiple users) can reduce the number of streams to a single stream per camera, regardless of the number of users viewing the video stream. However, currently only two or three security video management software applications have multicast capability.
Video technologies will continue to improve, requiring less and less bandwidth per camera. On the other hand, the demand for higher-quality video (with higher bandwidth requirements) will also continue to increase for both security and operations use. It would not be wise to look to technological improvements to reduce security's overall requirement for network bandwidth. As security functions increase and improve, and as camera technologies both improve and lower in price, stronger security and business cases can be made for increased utilisation of CCTV. This means that estimating security bandwidth requirements will remain an important element of security system design and planning, especially for large-scale security networks that involve WAN connections.
Estimating security network bandwidth
Security networks have to be designed to handle the 'worst case' scenario in terms of bandwidth. This would be a situation in which multiple security and operations personnel would have to make maximum use of networked equipment, such as examining live and recorded video from multiple cameras. This could easily require 10 or 20 times the network capacity that is normally needed for security. Usually IT personnel bristle at the thought of so much bandwidth going unused 99% of the time. Unlike business network bandwidth, a good portion of security network bandwidth can be considered as insurance - you need to have it, but you hope you do not have to use it.
The activity patterns for security networks are different than for business networks. Business networks usually have typical daily and weekly activity patterns that result from the patterns of operations of the business. Security network activity is generally light until an alarm or security incident occurs, and there is no predicting when that will be.
Although this article discusses the impact of security video on networks, it is not only heavy security camera use that can elevate network bandwidth requirements. Redundant server restoration, testing or upgrades can require full-bandwidth utilisation of high-speed network segments for a good portion of a day. If it takes too long to synchronise a backup server and restore redundancy, the system could be left vulnerable for too long a time.
Scenario-based security network assessment
To accurately assess security network bandwidth requirements, a scenario-based approach must be used that examines security system use during various security and business conditions, including security incident response and emergency incident response. For example, during the World Trade Center attacks of 11 September, security personnel were able to use CCTV surveillance cameras to assist in evacuating the buildings by informing emergency personnel by radio and telephone about building conditions that were obscured by smoke or otherwise outside the emergency personnel's field of view. In such a situation, as many available personnel are put on such a task as is practical, and all available security video workstations are put to use.
It takes a bit of homework, but the various security and emergency scenarios can be worked out. Start working backwards from what you will need to accomplish under each circumstance and how you want to accomplish it. Then determine how the security system capabilities will be used and what network bandwidth will be required.
Usually security personnel can identify a half-dozen security and emergency scenarios that are of concern to them and that are representative of the kinds of responses they would have to make. These scenarios should be written out, including what security information is required for the security and emergency personnel to make an informed response.
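The scenario-based estimate described above can be worked through per network segment. The following is an added example, not part of the original article: the segment names, capacities, scenarios and viewer/camera counts are constructed sample data, and the only figure taken from the article is the upper bound of 1 Mbps per camera per viewer.

```python
from collections import defaultdict

MBPS_PER_STREAM = 1.0  # article's figure: up to 1 Mbps per camera, per viewer

# Constructed sample data (assumption): segment capacities in Mbps,
# as IT would supply them on its infrastructure drawing.
SEGMENTS = {"site-lan": 100.0, "wan-link": 10.0, "hq-lan": 100.0}

# Each scenario lists viewing sessions: (viewer, camera, segments crossed).
REMOTE = ("site-lan", "wan-link", "hq-lan")
SCENARIOS = {
    "normal day": [("guard1", "cam01", ("site-lan",)),
                   ("guard1", "cam02", ("site-lan",))],
    # Four remote operators each watching the same six cameras.
    "evacuation": [(f"hq-op{v}", f"cam{c:02d}", REMOTE)
                   for v in range(1, 5) for c in range(1, 7)],
}

def segment_load(sessions, multicast=False):
    """Return {segment: Mbps} for one scenario."""
    streams = defaultdict(set)
    for viewer, camera, path in sessions:
        for seg in path:
            # Unicast: one stream per (viewer, camera) pair.
            # Multicast: one stream per camera, however many viewers.
            streams[seg].add(camera if multicast else (viewer, camera))
    return {seg: len(s) * MBPS_PER_STREAM for seg, s in streams.items()}

def worst_case(scenarios, multicast=False):
    """Peak load per segment across all written-out scenarios."""
    peak = defaultdict(float)
    for sessions in scenarios.values():
        for seg, mbps in segment_load(sessions, multicast).items():
            peak[seg] = max(peak[seg], mbps)
    return dict(peak)

def shortfalls(scenarios, capacities, multicast=False):
    """Segments whose worst-case load exceeds capacity: {segment: deficit}."""
    return {seg: mbps - capacities[seg]
            for seg, mbps in worst_case(scenarios, multicast).items()
            if mbps > capacities[seg]}

if __name__ == "__main__":
    for mc in (False, True):
        print("multicast" if mc else "unicast",
              worst_case(SCENARIOS, mc), shortfalls(SCENARIOS, SEGMENTS, mc))
```

With this sample data the evacuation scenario needs 12 times the normal-day load on the site LAN, and the WAN link is the only segment that falls short, and only when the video software cannot multicast.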
IT should also provide scenarios involving network incidents that would result in loss of part or all of the security network. Alternate methods of accessing security system functions should be explored for each of the network loss scenarios.
Security should be pro-IT, and vice-versa
There are many reasons for security to be pro-IT. IT can help establish network security requirements and provide network security tools that will be needed for the security network. They can help answer networking questions, and they can provide project support for specifications and for testing relating to the computer and network aspects of the project. In-house IT can provide ongoing support for security computer and network issues. As security systems incorporate more and more information technology, IT knowledge will become more important to security.
Security should designate someone to be an IT liaison as a permanent role, not just for the duration of the next security project. Security system upgrades and expansions will need to be coordinated with IT, and security will want to stay abreast of network expansions in case they provide an opportunity for security to further its objectives.
Similarly, IT should designate a liaison to security. Security will continue to expand, so it behoves IT to learn more about physical security. IT will have the task of augmenting security's network infrastructure based upon security needs. They may also have opportunities to piggyback off of required security network upgrades and accomplish some of their own objectives sooner, perhaps at a reduced cost. Security can contribute to IT's planning for physical security measures as part of its information security plan.
Sometimes IT needs alone or physical security needs alone will not be a strong enough case for network upgrade expenditures, but together they can tip the scales.
Today's security systems are based upon information technology. This requires a good working alliance between security and IT departments. The result of this alliance will be, of course, stronger and more capable security systems.