Designing and Implementing a Robust Security Network
Peter Ainsworth, Product General Manager, Video, Johnson Controls
In the transition from legacy analogue to digital security systems, it is important to ensure the network meets the demands of the solution. Whilst offering huge benefits, new technology can also bring challenges, especially with the implications of high megapixel cameras streaming across corporate networks.
Network infrastructure needs to be suitable for the load placed on it, and careful planning is needed in advance of any system deployment. Consideration must be given to several key factors when designing and building a network.
Before commencing a deployment, first assess any bandwidth limitations against expected performance. It is important to quantify the available bandwidth versus the number of cameras, along with the resolutions at which they will be streamed. Consideration must also be given to the resolution at which streams will be recorded, as this will consume resources.
The key elements in any calculations are camera numbers, stream resolution, frames per second (FPS) and the video codec. A basic formula for the calculation of bandwidth requirements is: Required Bandwidth = (Bitrate for live stream × number of cameras) + (Bitrate for recording stream × number of cameras).
The inclusion of video analytics in a system can increase bandwidth, as some analytics require high-resolution streams in order to perform effectively. The introduction or modification of analytics should be taken into consideration, particularly if performance issues begin to manifest within the deployment.
If the required configuration exceeds the available bandwidth, integrators must reconsider a number of aspects of the specification. These include use of an alternative codec, adjusting resolution, reducing the frame rate, and investigating if network bonding will maximise resources.
All devices added to a network have the potential to introduce vulnerabilities. To protect against attacks, devices must be secured prior to their introduction. Whilst not normally used for the execution of a cyberattack, devices can provide a doorway into a system. Prospective attackers can trace a route through the infrastructure to find and exploit sensitive corporate data.
Steps which can be taken to harden IP devices include replacing default user accounts and passwords. If default accounts cannot be deleted, ensure the passwords are changed. New passwords should be complex, and a secure password manager should be used.
Enable HTTPS-only mode where available, and disable discovery protocols when not in use. Utilise a hierarchical schema for user accounts and access, and minimise the number of personnel with administrative access.
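The hardening steps above can be checked against a device inventory before anything is connected to the network. The following is an added example, not part of the original article or any vendor tool; the record layout, the list of factory account names, the finding codes and the limit of two administrators are all assumptions made for illustration.

```python
from dataclasses import dataclass

DEFAULT_ACCOUNTS = {"admin", "root", "service"}  # assumed factory names; take yours from vendor docs
MAX_ADMINS = 2                                   # assumed site limit on administrative accounts

@dataclass
class Device:
    host: str
    accounts: list            # (name, role, password_changed) tuples
    https_only: bool
    discovery_enabled: bool
    discovery_in_use: bool = False

def audit(dev):
    """Return the sorted hardening finding codes for one device record."""
    codes = set()
    for name, role, password_changed in dev.accounts:
        if name.lower() in DEFAULT_ACCOUNTS:
            # An unchanged factory password is the worst case; a default
            # account that cannot be deleted is still flagged for review.
            codes.add("DEFAULT_ACCOUNT" if password_changed else "DEFAULT_PASSWORD")
    if not dev.https_only:
        codes.add("HTTPS_ONLY_OFF")
    if dev.discovery_enabled and not dev.discovery_in_use:
        codes.add("DISCOVERY_UNUSED_BUT_ON")
    if sum(1 for _, role, _ in dev.accounts if role == "admin") > MAX_ADMINS:
        codes.add("TOO_MANY_ADMINS")
    return sorted(codes)

# Constructed inventory for illustration; not data from any real deployment.
INVENTORY = [
    Device("cam-lobby", [("admin", "admin", False)],
           https_only=False, discovery_enabled=True),
    Device("nvr-01", [("sec-lead", "admin", True), ("ops1", "admin", True),
                      ("ops2", "admin", True), ("guard", "viewer", True)],
           https_only=True, discovery_enabled=False),
    Device("cam-dock", [("admin", "admin", True), ("ops1", "operator", True)],
           https_only=True, discovery_enabled=True, discovery_in_use=True),
]

def audit_all(inventory):
    """Map each host to its findings; an empty list means no finding."""
    return {d.host: audit(d) for d in inventory}

if __name__ == "__main__":
    for host, codes in audit_all(INVENTORY).items():
        print(f"{host}: {', '.join(codes) or 'ok'}")
```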
A network should be easily scalable so devices can be added or removed without reconfiguration or degradation in performance. In a security deployment, device management should be conducted in a transparent manner. For example, expanding coverage through the addition of cameras should not introduce performance overheads or cause network bottlenecks.
To ensure the integrity of a network, change management practices should be implemented, creating an audit trail for accountability. At the application level, software supporting individual logins and activity logging allows traceability of system changes.
Always create a back-up of configurations prior to making changes. The configuration of redundancy provisions should be reviewed when implementing changes to ensure adequate resources will be available in the event of a failure.
It is crucial for network design to include resources for failover redundancy. This includes the use of UPS for critical infrastructure components, and the inclusion of alternative network paths such as redundant routers and switches.
Further to this, recording servers should be configured to include failover disks for data storage in the event of a power failure or disk corruption.