IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 11, 2006

Broadband aid

We in the security profession are a cautious lot by nature. Innovation can sometimes create a perceived risk of compromise. This is why new technologies tend to take a little longer to disrupt the tried and tested practices that are proven to be secure.

Take, for example, DVR technology. The first DVRs were introduced back in the early-to-mid 1990s. At the time, these were touted as the next big thing that would radically change CCTV systems. But only now, some ten years later, are we beginning to see DVRs outsell time-lapse analogue recorders.

The old technology was proven and installers and security managers trusted it, so there was little reason to change. That was, of course, until the flexibility, performance, price and safety of the new machines were sufficient to convince us of their benefits. As the digital revolution gathers pace, this process will repeat itself throughout the industry, as more and more new digital technologies are introduced.

Digital drivers

A large number of CCTV systems that are operational today are based on old analogue technologies. But many of the users of these systems are now looking at ways of migrating to digital systems, so that they can harness the power and flexibility that digital technologies offer.

There are already a number of hybrid systems, which involve analogue cameras transmitting images to DVRs that convert footage to digital format before it is saved. Video servers that perform analogue-to-digital file conversion can also be used to transpose analogue surveillance into a digital system, allowing systems users to gain remote access to footage they would have previously only been able to view in the security control room. Hybrid systems that mix analogue and digital technologies are perfectly workable as an interim solution but, ultimately, a fully integrated end-to-end digital system will offer much more in terms of cost-effectiveness, performance and scalability.

At the network level, there are also changes afoot. Before broadband services became widely available in the UK, transmitting footage from remote locations to a central control room had to be done either via a private leased line, which is very expensive, or via an ISDN or PSTN line. While ISDN and PSTN were the cheapest of what was available at the time, they remain dial-up solutions and, in comparison to broadband services, are still expensive. Increasingly, ISDN and PSTN connections are being changed to more cost-effective and secure ADSL connections.

Watertight worries

While IP-based security systems are rapidly gaining acceptance and their deployment is becoming more commonplace, there is a lingering concern among some security professionals that CCTV systems using broadband may be unreliable and insecure. Most of this fear stems from a worry about network failure and access control. As with any network, analogue or digital, there is always this risk but the job of the security professional is to minimise this by making sensible decisions about how IP CCTV networks are deployed, and which partners are used to support these systems.

The way in which IP CCTV networks are configured is vitally important to ensure they are both secure and resilient. So while it is possible to simply add digital security cameras to an existing corporate network, this is not the most sensible approach if you want a secure CCTV system. Most network cameras, and in fact all IP devices that can be attached to a network, now have a degree of security built in via authentication and authorisation procedures. But ensuring that a system is secure from end to end demands more than just protection for the devices attached to the network.

Build or buy?

When integrating multiple locations, the security and resilience of the broadband network that is used for transmissions between cameras and the monitoring station is critical. There are two options for security system installers. Either they can configure, secure and integrate the network themselves using basic connections from local broadband providers, or they can use an Internet Service Provider (ISP) that is able to deliver fully secured and managed network connections to all locations.

Installers should only take on the challenge of configuring the network connections themselves if they have a high level of technical expertise, and experience, in configuring firewalls and IP routers for the secure management and transmission of video and data.

There are other limitations to the ‘build’ approach. Firstly, if it is necessary to use multiple broadband providers for the various branch connections, the risk of network failure is increased by the fact that the system is dependent on more than one infrastructure. For example, if traffic needs to pass from one ISP to another en route to a monitoring centre, then if one of these networks fails, the connection is lost and the system is compromised.

A matter of contention

Another issue is that of network contention. Expressed as a ratio, this is the number of users that the ISP will allow to use the same bandwidth at any one time. For home user broadband accounts, this is usually set at a limit of 50:1 (i.e. 50 users on a line), and for business user accounts, it is normally 20:1. Transmission speeds rise and fall with the number of users coming online, downloading data and then going offline. Naturally, the more users online the slower the network.

High contention rates have a direct impact on the performance of the CCTV system. Latency response times increase, thereby reducing the precision with which remote equipment can be controlled and the rate at which footage is transmitted.

This can also have an impact on the video quality – less bandwidth availability means you must either accept lower resolution images or be prepared to wait longer for higher quality images to arrive. This is certainly not an ideal scenario, so to avoid these problems, security professionals should always be asking their broadband service providers to guarantee a maximum contention ratio of 20:1 or better.

A great advantage of IP-based systems is their accessibility. Anyone with an Internet connection and the appropriate authorisation can access systems from anywhere in the world. This sort of remote access has revolutionised the way monitoring and alarm response handling is managed, creating easier access to vital video footage when and where it is needed, giving security professionals greater working flexibility.

The security configuration of a remote access system is an important element when setting up the network. Ideally, authentication should take place at the network core and not at the device level (or CPE – customer premises equipment). This means that a user, whether mobile or static, enters the system via a firewalled gateway before gaining access to cameras that they are authorised to view.

If access is gained at the device level, it means you have to expose all of the devices that require remote access to the public Internet, which can create vulnerabilities. The ‘walled garden’ approach of putting the whole security system behind the network, and authenticating and authorising users at the core of the network, should offer better security.
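The difference between device-level access and the walled garden shows up in the inbound forwarding rules of a site router. The following check is an added example, not part of the original article; the addresses, device names and rule format are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed site inventory (assumed values, not from the article).
CCTV_NET = ipaddress.ip_network("10.20.0.0/24")
GATEWAY = ipaddress.ip_address("10.20.0.1")  # firewalled gateway that authenticates users
DEVICES = {
    "10.20.0.11": "camera-lobby",
    "10.20.0.12": "camera-car-park",
    "10.20.0.20": "dvr-1",
}

class Forward(NamedTuple):
    """One inbound rule on the site router: WAN port -> LAN host:port."""
    source: str    # permitted source range in CIDR form; 0.0.0.0/0 means anyone
    wan_port: int
    lan_host: str
    lan_port: int

# Device-level access: every camera and the DVR gets its own forward.
DEVICE_LEVEL = [
    Forward("0.0.0.0/0", 8081, "10.20.0.11", 80),
    Forward("0.0.0.0/0", 8082, "10.20.0.12", 80),
    Forward("203.0.113.0/28", 8554, "10.20.0.20", 554),
]
# Walled garden: the only inbound path ends on the authenticating gateway.
WALLED_GARDEN = [Forward("0.0.0.0/0", 443, "10.20.0.1", 443)]

def audit(rules):
    """Return (device, wan_port, scope) for each rule that ends on a CCTV device."""
    findings = []
    for rule in rules:
        host = ipaddress.ip_address(rule.lan_host)
        if host not in CCTV_NET or host == GATEWAY:
            continue  # ends on the gateway or outside the CCTV network
        # A /0 source means the whole Internet can reach the device's own login.
        open_to_all = ipaddress.ip_network(rule.source).prefixlen == 0
        scope = "public" if open_to_all else "restricted"
        findings.append((DEVICES.get(rule.lan_host, "unlisted-device"),
                         rule.wan_port, scope))
    return findings

if __name__ == "__main__":
    for label, rules in (("device-level", DEVICE_LEVEL),
                         ("walled garden", WALLED_GARDEN)):
        print(label, audit(rules) or "no device reachable from the WAN side")
```

A "restricted" finding is still device-level authentication: the source filter narrows who can reach the device, but the device's own login remains the only control.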

In an ideal configuration, every device connected to the IP security network, whether a camera, DVR or storage server, should be assigned its own IP address. This makes the management and control of each device much simpler for the monitoring station. To ensure that you can assign unique IP numbers, your ISP must have RIPE (Reseaux IP Europeens) status (see panel, p35), which gives authority to assign these IP addresses. If you choose to work with a broadband reseller – rather than an ISP that owns its infrastructure – it is unlikely that they will be able to directly control the assignment of IP addresses for your devices.

Diverse resilience

Another element that needs careful consideration is that of fail-safe procedures in the event of a primary ADSL connection failure. There needs to be a process by which the camera, or any other device, is re-connected to the security system as quickly as possible, following an outage of the ADSL service. Systems are available which provide an instant re-connection to the monitoring station using a PSTN and/or a GPRS connection, if the ADSL circuit fails.

Ideally, a system should also achieve this using the same IP address that the device used for the ADSL connection. This approach simplifies the re-connection procedure for the monitoring station and ensures that a steady stream of images continues to flow to the monitoring station.

In working with an ISP that provides ADSL services for your digital security system, there are some basic pointers that will help ensure your system is secure and well-managed. Ideally, web browsing should not be allowed on the CCTV network. By preventing general Internet users from browsing on the network, you avoid network contamination and reduce the risk of intrusion. An ISP that understands the demands of the security sector should not have a problem with this request.

You also need to consider what service levels you will need for your security system, particularly in terms of fault response, fault resolution and technical support. Arranging a service level agreement (SLA) that stipulates these minimum standards from your provider is always good practice.

Ideally, an ISP should own and manage its own infrastructure, as there are a plethora of ADSL resellers that operate as virtual ISPs and do not own any infrastructure. One drawback of these is that they tend to delegate all the technical support and infrastructure management to third parties, and this can make rapid fault resolution and technical support difficult.

You should also find out what sort of account management and customer service arrangements are in place before committing to an ISP. Technical training and support are critical elements if your engineers are to undertake the deployment of any routers. This should be a standard and simple procedure and, ideally, the routers ought to be pre-configured by the ISP before they are shipped to the site.

Conclusion

There is no doubt that ADSL technology is revolutionising the way security systems are deployed, integrated and managed today. It is a technology that has proved itself and is now gaining acceptance in the security sector but there are pitfalls if you do not have the right approach. ADSL must be correctly deployed and managed to ensure that you get the best from it – both in terms of performance and security – so working with the right ADSL provider is paramount.

Ross Ferguson is the founder and chief executive officer of the MultiLayer Communications Group, which includes MLC Security, a specialist ISP that focuses on providing secure ADSL services to the IP CCTV and security market.
