IP Infrastructure: A Secure Platform?
The migration of security systems to a networked environment can be something of a double-edged sword. Whilst the move undoubtedly delivers higher levels of flexibility across all disciplines, it also introduces vulnerabilities to systems that either were not present with other technologies, or which were addressed in different ways in the past.
It is very hard to argue against the benefits of network-based security solutions. You need only cast your mind back to the days of analogue technology, relays and bent metal to appreciate that the industry as a whole had to work around a relatively high number of technological limitations. Some systems didn’t want to talk to other systems, and on the few occasions when someone went through the pain of integration, the benefits reaped as a result didn’t always justify the effort.
The modern security sector has a much higher level of flexibility with regard to communications, integration, data handling and processing, interoperability, etc. Much of this can be attributed to the slow but sure move towards more open platforms, typically associated with all things IP. The conservative approach of the security sector – ranging from manufacturers, specifiers and consultants, through integrators and installers, down to end users – has dictated a more careful and considered adoption of the technologies than in many other sectors. However, as the available real-world benefits have increased, so has demand for advanced functionality.
With older technologies, many of the systems were ‘closed’, in that they were standalone in their infrastructure, as well as in their operating technologies. Often it was difficult enough for the experts to get one device to talk to another, and these factors, often cited as limitations (and rightly so), did at least serve to protect the integrity of the systems themselves. It could be argued that the sheer inability of certain devices and systems to co-exist with others actually helped to ensure that outside forces could not take control of them or manipulate their data.
As today’s systems become increasingly ‘open’, and with soaring levels of interoperability, it has to be accepted that the risk of vulnerabilities inherent in a system will also increase. Even for those who are ‘ahead of the game’, protecting networks isn’t easy. Recent high-profile hacks include Sony, Paypal, Apple and Amazon. These, along with the sustained programme of data theft via the Red October attacks, which went on for over five years and targeted governments and international agencies, highlight that there is a constant struggle between those with valuable data and those who want it.
It is interesting that some involved with security solutions don’t consider the issues associated with data protection, network integrity or system protection as significant for security systems. This is because many feel that the data their security system delivers simply isn’t of great value. All too often, this thinking creates very simple and basic vulnerabilities which are easy to exploit.
Those implementing network-based security solutions, and indeed those using them, must not only consider the traditional threats that face security systems, but also many of the typical threats associated with IT systems. Whilst security system design considers events such as wire-cuts and device tampering, today it is just as vital to plan for hacking, data manipulation and other IT threats.
Whilst security standards generally ensure that physical attacks on infrastructure are protected against via tamper alarms and other system protection functions, there is less of an emphasis on network integrity in these documents.
Of course, the overall security of a network can be affected by much more than external threats from those seeking to attack a site. Environmental issues, system failures and infrastructure issues must also be addressed. There is also the very important task of ensuring compliance with the Data Protection Act and other relevant legislation. There is little to no point in having an advanced solution if evidential information is ruled inadmissible due to a breach of legislation. Similarly, a very secure network-based system isn’t going to be of much use if the possibility of power outages hasn’t been addressed.
When considering the overall integrity of a network-based system, it is all too easy to concentrate on firewalls and VLANs, whilst forgetting some of the fundamental basics of security design. If a system is there to protect against the unexpected, then the unexpected must be legislated for from the very first point of the design stage.
Another important aspect to be considered is that vulnerabilities in the security system, often due to the lack of a correctly configured firewall or the poor implementation of a VLAN or VPN, could actually be exploited to access the corporate network. It may seem an irony, but the repercussions could be significant if the corporate LAN is compromised because the security system itself has introduced vulnerabilities.
Help at hand
Increasingly, there are simple solutions being introduced to the security systems sector, and these range from switches which allow the user to easily establish VLANs, through to dedicated devices designed to assist with the creation of secure and trusted end points on a security system.
Such systems do offer simplicity with regard to securing the network; however, it is vital to have an understanding of what these units are doing, and why they are doing it!
For some, the knee-jerk reaction to security issues on a network is to simply make the solution ‘closed’. There are two schools of thought about this. The first is that the network can be closed, thereby eliminating threats. This may sound like a retrograde step, but it should be remembered that for around the last twenty years or so, even CCTV wasn’t fully closed. Indeed, it was closed when it needed to be, and was open when required! A security-centric network could be protected from the outside world, but with strictly controlled access for those with the right levels of authority.
The negative side of such an approach is that many of the benefits that make the technology attractive to users will be restricted or even lost in some extreme cases.
Some applications will specify that any network carrying security data must be both closed and separate from any other corporate networks, and if the user decides this, it is fine. However, the decision should never be taken solely on the grounds of side-stepping the configuration of a proper secure network.
The second and more beneficial approach is to ensure that the proper levels of protection are in place, both for the security and the corporate network elements, to make certain that the full potential of flexibility and interoperability are exploited.
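The misconfigured firewall or VLAN described earlier, and the ‘proper levels of protection’ advocated here, can be made concrete with an added example (not from the article or any vendor) of an nftables forward policy on the router that joins a security-system VLAN to the corporate VLAN. Interface names, addresses, the VMS server and the directory server are all assumed for illustration.

```nft
# Added example: segmenting a security-system VLAN from the corporate LAN.
# Assumed (constructed) layout:
#   vlan20  security VLAN, cameras/recorders in 10.20.0.0/24, VMS server 10.20.0.10
#   vlan10  corporate VLAN, 10.10.0.0/24; operator workstations 10.10.0.50-10.10.0.59,
#           directory server 10.10.0.5
#
# The weak setting is a flat or allow-all forward chain, e.g.
#   chain forward { type filter hook forward priority 0; policy accept; }
# which lets any camera or recorder reach the corporate LAN, and vice versa.
# The corrected policy below defaults to drop and permits only named flows.

table inet secseg {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Return traffic for sessions permitted below; discard broken state
    ct state established,related accept
    ct state invalid drop

    # Operator workstations may reach the VMS web/API front end only, over TLS
    iifname "vlan10" oifname "vlan20" ip saddr 10.10.0.50-10.10.0.59 ip daddr 10.20.0.10 tcp dport 443 accept

    # The VMS server alone may query the corporate directory (LDAPS) for operator logins
    iifname "vlan20" oifname "vlan10" ip saddr 10.20.0.10 ip daddr 10.10.0.5 tcp dport 636 accept

    # Everything else is dropped by policy: cameras and recorders on vlan20 cannot
    # initiate sessions into the corporate LAN, and corporate hosts cannot reach
    # cameras directly. Rate-limited logging gives the audit trail a record of attempts.
    limit rate 10/minute log prefix "secseg-drop "
  }
}
```

Camera-to-VMS traffic stays within vlan20 and never crosses this router, so it needs no rule here; any flow that genuinely must cross the boundary should be added as a similarly narrow, logged exception rather than by widening the default.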
Of course, whichever approach is chosen will not affect other important issues, such as ensuring continuity of power, data protection, device monitoring, continuity of audit trails, etc. As with any security system, the fundamentals still apply to networked solutions. If anything, these issues are more applicable, due to the way in which captured data is used, stored and processed.
The use of networked infrastructure delivers a wide range of benefits for all concerned, and the growth of functionality shows no signs of abating. In the near future, systems will continue to integrate and interoperate, and the need for secure infrastructure will increase.
Ensuring that solutions have integrity is not rocket science; it just takes a small amount of time and effort to understand the risks and put necessary measures in place.
The upside of this is that the infrastructure will be better organised and managed, leading to enhanced levels of performance.
Plug & Play?
One commonly quoted selling point for certain networked video devices is their billing as ‘plug and play’. This insinuation surrounds the ease with which such products can be installed and configured. This is a positive point – after all, the team at Benchmark often argues that where devices are difficult to install or configure, the manufacturer has to accept that the product hasn’t been well designed. If a system is going to deliver high levels of performance, that performance must be accessible. The scrapheap of history is littered with some excellent devices that simply were not purchased because they weren’t user-friendly.
Whilst ‘plug and play’ cannot be criticised as a positive approach on its own, it is vital that those involved in the specification and purchase of networked solutions do not apply that sort of thinking to the entire system and its infrastructure. Whilst it is unarguably possible to build a simple ‘plug and play’ network for certain purposes, it will not be suitable for advanced security solutions which share data with other systems, and communicate remotely.
Any secure network that delivers the high degrees of flexibility demanded from today’s end users, and also boasts a good degree of integrity, will require thought and consideration when it comes to its configuration. Through the use of VLANs and firewalls, along with careful management of the data, enhanced performance can be enjoyed for all elements of a solution. Plug and play thinking is a benefit, but it can never be the full story!