With a growing number of solutions being based on network architecture, it is increasingly important for installers and integrators to ensure that they have considered the implications of endpoint security. Here Benchmark looks at some of the issues associated with delivering secure systems.
Let’s start with the most basic element of endpoint security. What is it? Why does it matter? What has it got to do with me? These questions might seem obvious, but a little reflection on the potential severity of an endpoint security breach is always a sobering moment.
As far as security systems are concerned, an endpoint is an edge device, so called because it sits on the edge of the network. Such devices might be cameras, codecs, detectors, door readers or any other IP-connected device that is positioned in an insecure area.
The servers, storage units, power management systems and other essential peripherals are all tucked away, safe and sound inside the secure site. If the system, including the security subsystem, has WAN access, that link can be protected with a range of specialised products. The edge device, the endpoint, is different: it offers a connection from an insecure area straight into the core of the system.
It is important to consider endpoint security, because in a worst case scenario a criminal could disable the entire system by accessing it via an endpoint connection. Whilst this could be a reality, one integrator recently told Benchmark that endpoint security was important to him because end users asked about it. While he understood the risks and had taken appropriate steps, it was vital that he could prove those steps to the customer.
Hardening endpoint security starts with some very simple basics. Ensuring that devices are kept up to date with firmware upgrades is essential. These not only include bug fixes and address potential vulnerabilities, but often also include performance improvements and sometimes add extra features and functions.
Password management is important: default passwords must be changed, and user permissions should be applied in a way that helps the customer restrict control of the system to authorised personnel.
Deploying appropriate encryption is also important. All credible security devices will support it, and installers and integrators need to understand how to configure it correctly. If in doubt, ask the manufacturer; some do not explain the capability very well, and in that case push them for assistance. There is also a wealth of support material available, as most of the encryption in use is common across the wider world of networking.
Many security devices have a number of features designed to simplify installation and set-up. Some will be used by the installer or integrator, and others are designed for the end user. Once these aids have been used, best practice is to disable them. It is also prudent to ensure that the end user is made aware of any risks associated with services left running which they might use.
Consider the use of IP filtering. Most security endpoints should be accessed solely by a server within the system, so configure the device's IP filter so that other hosts cannot connect.
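The basics above (current firmware, credentials and roles, encryption, set-up helpers switched off, IP filtering) are the kind of thing an integrator has to be able to demonstrate to a customer. The following is an added example, not code from the Benchmark article or from any manufacturer: it audits a constructed device inventory against those basics and returns the findings per device. The model names, firmware versions, service names, the server subnet and the password policy are all assumptions for illustration.

```python
"""Endpoint hardening audit for IP security devices (cameras, readers, codecs).

Added example. The inventory, firmware versions, service names, subnet and
password policy below are constructed assumptions, not data from any vendor.
"""
import ipaddress
import re

# Latest firmware per (assumed) model, as the integrator tracks it from the
# manufacturer's release notes.  Constructed data.
LATEST_FIRMWARE = {"cam-a": "5.51.3", "reader-x": "2.8.0"}

# Discovery/set-up helpers that should be off once commissioning is done, and
# plaintext services that should be off when an encrypted equivalent exists.
SETUP_SERVICES = {"upnp", "ssdp", "bonjour", "ws-discovery"}
PLAINTEXT_SERVICES = {"http", "telnet", "ftp"}

DEFAULT_PASSWORDS = {"admin", "pass", "password", "1234", "12345", "123456", ""}

# Only the recording/management servers should be able to reach an endpoint.
SERVER_NET = ipaddress.ip_network("10.10.1.0/24")  # assumed server subnet


def version_tuple(v):
    """'5.51.3' -> (5, 51, 3) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def password_weak(pw):
    """Default/vendor passwords, or under 12 chars with fewer than 3 classes (assumed policy)."""
    if pw.lower() in DEFAULT_PASSWORDS:
        return True
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(pw) < 12 or classes < 3


def allowlist_findings(entries, server_net):
    """The device IP filter should admit only hosts inside the server subnet."""
    if not entries:
        return ["IP filter empty: any host that can route to the device may connect"]
    out = []
    for e in entries:
        net = ipaddress.ip_network(e, strict=False)
        if not net.subnet_of(server_net):
            out.append(f"IP filter entry {e} reaches beyond the server subnet {server_net}")
    return out


def audit_device(dev, server_net=SERVER_NET):
    """Return a list of findings for one device record (empty list = clean)."""
    f = []
    latest = LATEST_FIRMWARE.get(dev["model"])
    if latest and version_tuple(dev["firmware"]) < version_tuple(latest):
        f.append(f"firmware {dev['firmware']} behind latest {latest}")
    # In a live audit you would test the login against the device; here the
    # commissioning record is assumed to hold the credentials the integrator set.
    for user in dev["users"]:
        if password_weak(user["password"]):
            f.append(f"weak or default password for account '{user['name']}'")
    admins = [u["name"] for u in dev["users"] if u["role"] == "admin"]
    if len(admins) > 1:
        f.append(f"{len(admins)} administrator accounts ({', '.join(admins)}); "
                 "give day-to-day users operator/viewer roles")
    if not dev["tls"]:
        f.append("TLS disabled: credentials and video travel in the clear")
    on = set(dev["services"])
    for s in sorted(on & SETUP_SERVICES):
        f.append(f"set-up helper '{s}' still enabled after commissioning")
    for s in sorted(on & PLAINTEXT_SERVICES):
        f.append(f"plaintext service '{s}' enabled")
    f.extend(allowlist_findings(dev["ip_filter"], server_net))
    return f


def audit(devices):
    return {d["name"]: audit_device(d) for d in devices}


# Constructed inventory: one device as shipped, one hardened.
DEVICES = [
    {"name": "lobby-cam", "model": "cam-a", "firmware": "5.40.1", "tls": False,
     "users": [{"name": "root", "role": "admin", "password": "pass"},
               {"name": "reception", "role": "admin", "password": "Reception2016!"}],
     "services": ["https", "http", "rtsp", "upnp", "bonjour"],
     "ip_filter": []},
    {"name": "car-park-cam", "model": "cam-a", "firmware": "5.51.3", "tls": True,
     "users": [{"name": "root", "role": "admin", "password": "7kQ#v2pL9!xZmR"},
               {"name": "guard", "role": "viewer", "password": "Wb4$nT8rLq2!eC"}],
     "services": ["https", "rtsp"],
     "ip_filter": ["10.10.1.10/32", "10.10.1.11/32"]},
]

if __name__ == "__main__":
    for name, findings in audit(DEVICES).items():
        print(name, "-", "clean" if not findings else "")
        for line in findings:
            print("  *", line)
```

Run stand-alone, the script lists eight findings for the device as shipped and none for the hardened one; that list, kept with the commissioning paperwork, is the evidence the integrator quoted above wanted to be able to show the customer. Note that the IP-filter check treats any entry wider than the server subnet as a finding, so an allowlist of 0.0.0.0/0 (which some devices accept as "filter enabled") is caught rather than passed.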
Reducing an attack ‘surface area’
Atul Rajput, Regional Director, Northern Europe, Axis Communications
Smart connected devices are already transforming our world, whether it be a smartwatch, fitness tracker or even a refrigerator. We are entering a new era where billions of devices will be able to collect and transmit data via the Internet, so much so that Gartner recently forecast that there will be 6.4 billion connected ‘things’ in use worldwide in 2016.
While the vision of IoT is enticing for the convenience, capabilities and flexibility vast networks of connected devices offer, there is a growing risk for security threats and breaches as the number of entry points into a network dramatically increases.
In a recent survey by Cisco, 73 per cent of business decision makers said they expect the IoT to cause security threats to increase in severity over the next two years. More worrying, 78 per cent of IT security professionals are either unsure about their capabilities, or believe they lack the visibility and management required to secure new kinds of network connected devices.
As a general rule of thumb, as you increase availability of and access to any network device, you potentially increase its exposure to cyber threats. As security devices become increasingly network-connected, we are seeing the rise of the Internet of Security Things, offering benefits such as remote access and third party integration. As with other network-connected devices, it is critical to carry out a risk assessment and implement security policies in the design and implementation of a networked security system.
Risk assessments have been common practice in the design of physical security systems for years, particularly for enterprise installations. Integrators and installers should apply the same thought process to the configuration of network video devices, even though, unlike other devices on the network such as laptops, desktops or mobile devices, a network camera is not exposed to the common threat of users visiting potentially harmful websites, opening malicious email attachments or installing untrusted applications.
However, as a network device, a camera or other connected physical security device may still present risk. Consequently it is important to reduce the exposure to those risks. Minimising the attack ‘surface area’ is a common cyber protection measure.
If devices, services and applications do not need to interact, installers and integrators should try to limit connectivity between them. Additionally, segmenting the security system from the core network is a good overall protection measure, reducing the risk of security resources and business resources adversely affecting each other.
The process of securing a security system – or hardening it – is an increasingly necessary one for installers, integrators and IT personnel to understand.
A good hardening guide provides a configuration strategy suited to specific user requirements to deal with the evolving threat landscape. Axis Communications uses the SANS Top 20 Critical Security Controls as a baseline for its hardening guide.
A first step is an understanding and use of industry standard security protocols, including multi-level user authentication/authorisation, password protection, SSL/TLS encryption, 802.1X, IP filtering and certificate management.
In addition, security device suppliers like Axis continuously update their product firmware with new features, bug fixes and security patches. To deal with the increasing variety and volume of security risks, installers and integrators will need to stay on top of updates from their suppliers and take heed of best practices for preventing attacks through network-based security systems.
Begin with the end in mind
John Croce, CEO, NVT Phybridge
Enabling IP security endpoints, either to deliver a security solution or to be part of the Internet of Things movement, within a business environment is not a simple thing to do. Ultimately, having everything connected requires significant planning. The foundation to having a business’s building IoT-enabled is the local area network.
What is critically important in local area network design is taking a financially and operationally sound approach focusing on the desired end state prior to defining LAN requirements.
There are three main technical factors when considering a LAN to support IP endpoints: the bandwidth to support the edge devices being connected, the ability to provide power to an endpoint such as a camera, detector or door reader, and the ability to provide a platform that gives priority to latency-sensitive applications such as video.
Begin with the end in mind. Many decision-makers looking to migrate to IP should clearly define the desired end state. What endpoints and applications are important to the business? What things do we not want to risk or compromise for the sake of being connected? Is the network ready to support the IP-based applications and devices we are considering? Will my team be able to handle the evolution?
For many businesses the IoT revolution has already begun. It is possible to segment the LAN considerations for IoT applications and endpoints into core business requirements and supporting requirements.
The core business LAN includes the switches that connect devices which are used by the business to drive revenues, operate effectively and make the company or organisation successful. This can be referred to as the ‘profit network’.
There are three other supporting platforms. Physical security includes video surveillance, access control and enhanced applications. There are voice-based systems, encompassing the migration to IP telephony and collaboration. Finally, building control demands include PoE lighting, PoE climate control and other building oriented devices.
The common requirement is having PoE-enabled switches able to connect the applications to endpoints located throughout the building. Therefore, planning and preparation to create a LAN platform to support all the different requirements is critically important.
One of the biggest mistakes made when designing the LAN for security applications is creating a network topology based on the limitations of standard PoE switches. Instead, installers and integrators should consider some recent switch innovations.
The first Ethernet switch was introduced in 1990. Over the years there have been enhancements to switch capabilities: greater speeds, routing, power, and quality of service.
There are two things that have not changed in over 25 years on standard LAN switches: the need for multiple pairs of UTP cable and the maximum reach over which the switch can deliver connectivity to the endpoint. This currently is 100 metres.
Many security LAN designs are based on using standard LAN switches with their wiring and distance limitations. One of the more interesting switch innovations in recent years is the creation of long reach PoE switches that allow customers to transform existing coax or multipair UTP into a robust IP platform ideal for many of the endpoints being considered.
Long reach PoE switch technology delivers Ethernet and PoE over a single pair of wires with four or even five times the reach of traditional switches.
Long reach PoE devices are enterprise grade switches and allow businesses to transform their legacy infrastructure into an IP platform with power. These switches eliminate the need to rip-and-replace infrastructure, allowing for a non-disruptive, cost-effective and vitally more secure way to migrate to IP.
Because existing security infrastructure will be dedicated, long reach PoE switches allow the creation of a security IP network which is separate from the corporate LAN. This in itself not only simplifies installation, but also adds a degree of overall security.
By extending the network using long reach PoE switches, businesses are creating a robust and highly secure platform.
Security is enhanced in three ways. First, the physical separation of the LAN extension is achieved with a single cable. The LAN can be configured in a manner to allow for limited or no access to the corporate network.
Second, MAC port locking allows installers and integrators to lock down a port to a specific device via the MAC address of that endpoint.
Finally, a dedicated out-of-band management port on the long reach PoE switch can provide secure limited access to the switch fabric. Out-of-band management uses a dedicated channel for managing network devices. This allows the installer or integrator to establish boundaries for accessing network resources.