ProSecurityTech

The internet has been around for ages it seems, and after almost 20 years the security industry is starting to catch up… I hope. I witness more and more web based applications in the driving seat for security administration and configuration. This has me calling out to the hevans like a healing, evangelistic midget trying to get rid of a young teenager’s acne. After years of agony and torture imposed by having to deal with 300 baud dialup for “advanced communication”, manufacturers are finally hearing our pleas.

The Benefits of Web Based E.A.P. Applications
One of the main benefits that jump to mind is that there would be no need to install bulky software. It seems as though if there is a robust solution it has to have an equally robust software installation. For instance an Access Control platform may require a separate “Server”, (I put server in parentheses because most ESS. server applications run on Windows XP and 2000) because the MSDE, a scaled down and free version of Microsoft’s SQL database program, doesn’t play well with others. Once you actually have the services installed and running, getting the software to talk to the hardware can be a nightmare. Those of you who deal with Linux or BSD Desktops should be able to relate. The beauty of web based applications is that the hardware comes preinstalled with the software so all you have to do is type the IP address in a web browser and have your way with it.

Once you get the images of naughty French maids out of your head, the second benefit would be cross OS platform compatibility. That is of course the manufacturer designed it to have cross browser compatibility, but for the sake of argument the manufacture pays attention to details (another dream and another post) and builds a standards compliant application that can run on all the major web browsers. I believe that one of the main reasons for development of web based apps is that Microsoft no longer dominates the majority of the main demographic, and development of two or three different applications to do the same thing can get costly. With cross OS platform compatibility, it would not matter if you run Windows, OS X, Linux, or BSD, it would simply work.

Sounds Great, but Were can We Get One?
One first manufacturer that comes to mind is IEI, International Electronics, Inc., which is a small to medium sized access control company based out of Canton, Massachusetts. Their eMerge product is exactly what I mentioned above, a hardware solution that has the OS and software build in. They start with Red Hat, a Linux based operating system, and install Apache Web Server software along with MySQL and all the other necessary stuff you need to run web based Access Control. They programmed it to comply to web standards and paid attention to the minor quirks that goes with Internet Explorer. The only thing that I don’t know is how well it works with IE7. Microsoft broke a lot of security web services with this release (another post); however, all the other web browsers work as expected.

The second company to follow suit is Bosch, a complete security manufacturer. They canned their relationship with whoever manufactured the Ready Key product (surprise…they did not manufacture Ready Key. They just packaged, sold, and supported the red headed result) and are now distributing their own solution with Easy Key. They did not want to rock the boat with a completely different name, but the hardware and software is completely different. I am not sure what guts are behind Easy key, but I can assume that they followed IEI’s lead and utilized Linux and other open software solutions. Just like eMerge, Ready Key requires a web browser to do everything and does not require the installer to install any software. Bosch did take it up a notch and build in integration with its BIS software solution. BIS stands for Building Integration System, a software package aimed at combining a building’s Burglar, Access, Fire, and Surveillance system into one web based interface. Since it is a software only solution, you have to have a PC to run it. That’s right I said PC. Don’t get me wrong, I am not a Microsoft hater; I actually use PC’s for my desktops; mostly because I like my life to be easy and not have to worry about device compatibility; however I do disagree with their decision to ignore the increasing number of users that utilize non-windows computers in the business place. It seems that every day I read how another Architecture firm, Web Development Firm, Hospital, or Interior Design Firm switches from Windows to either MAC or Linux. Did you notice that 75% of my list comprised firms that are artistic in nature. I wonder if it also ties into their political beliefs. Anyhow, there are companies that need a solution and Bosch is one of the first scratched off the list because they have decided to only support Windows.

Final Thoughts
More and more companies are charging their I.T. or I.S. Department with maintaining their security system. This is due partially to the fact of the complicated software involved. Manufacturers go out of their way to make it as easy as possible, but if it isn’t a part of MS Office, certain people don’t want to work wit it. The catch is that the last thing that I.T. professionals want is to install this complicated software on one of their servers. They would love to access it through their favorite browser and forget about it. Security Manufactures need to take this into account. The change is already in place for Access Control and Surveillance (I did not mention any Surveillance companies because technically you have to provide a PC for video storage and this fact takes these companies out of the “no software to install” category). If they would wake up and provide the same convenience for burglar and fire alarms…well they would be ready for the 21st century.

Not many people are aware, but back in the mid and late 90’s there was a war for web browser domination. The bout was between Microsoft’s Internet Explorer and Netscape Navigator. We know now that Internet Explorer won the early battles due to the pure dominance of their OS Windows; however, they are slowly losing the war. With the release of IE7 it is evident now more than ever that Firefox, (the progression of Netscape when the company went under and open sourced their code) Opera, and other standards based browsers are creating a real impact. And I am sure that you have wondered why I am talking about web browsers when I am supposed to be talking about EAP (Electronic Asset Protection). Get ready…Here is the segway. Internet Explorer is losing the war because they are holding on to a monopoly that ultimately hurts the user. They are holding onto Proprietary code and are trying to force as much of it as possible; however, because of the other standards compliant browsers Internet Explorer has had to give in and become more standardized…but not completely.

How this gibberish relates to Security
There are companies out there that re-invent the wheel and attempt to force it down the end users throat. The end user is completely unaware of the proprietary nature until it is time to upgrade their system. There have been attempts at standardizing areas of the industry, for example 26-bit weigand format for card readers and most companies have modified the way you mount the equipment to fit standard back boxes. I believe that if the industry moved to a more standards based approach we would all benefit as web browsers have. We would have equipment and interfaces that would be successful because they were “Best of Breed” and not because a large national company sold their equipment because it fit their pocket book.

Give Credit when Credit is Due
Just like Adobe is given credit for its contribution of the wildly popular PDF file, here is a short list of companies that lead the way in the same manner, standardization through domination.
• HID leads the way with its Card Readers. Besides having 98% compatibility with all access platforms they offer a program that guarantees your card will never be reproduced and/or hacked.
• Pelco is one of the industries leading camera manufacturer. They are best known for their contribution of the PTZ camera. They may not have invented the camera but they have perfected it along with their telemetry protocols that can be found in almost all other manufacturers PTZ cameras.

Short list huh!! This is the closest thing that we have to standardization. Companies that are so large that manufacturers have to build in compatibility in order to survive.

Closing Thoughts
Web Browsers have flourished because of the W3C, an organization dedicated to setting standards for the web. Maybe the security industry needs the same, an organization dedicated to setting standards for all things security related.

I recently chaired an Initial new client meeting, this is a meeting where the design team sits down with the client and jots down the “Wish List’.  During this meeting, one of the customer’s representatives said to me that my company was actually their second choice, and their first choice argued with them then refused to work with their budget.  This made me wonder how many consultants actually listen to their clients.

In my design process I listen to my customer's wish list, and then make product recommendations accompanied by budget analysis for the recommendation.  This is usually where the actual budget is announced and compromises begin.  The goal is always design for the future with today’s money, and about 90% of the time this is somewhat feasible.  The other 10% the people are completely out of touch with reality, and you can tell before the ink hits the consulting contract.

Is Anybody Listening
This is not the first time I have witnessed or heard of such behavior.  My company just finished a project when the project manager met with the Chief of Police for a local ISD.  This particular Chief was very involved with all intrusion alarms for the ISD and preformed all of the programming as far as codes and cards were concerned.  He said that he met with the architect and security consultant and wanted the new school to have a Caddx system like all the other schools; however, when the specs were produced it reflected Bosch equipment.  The Chiefs recommendation were completely ignored and cost the ISD $1,600.00 for Software and Hardware just to maintain programming when they were already set up with Caddx.  I wonder who dropped the ball.  Was it the consultant or the Architect?  My bet is the consultant.

Final Thoughts
People want to be listened to and want to feel as though their input makes a difference.  So it is very important to keep those people happy, especially when you want any type of lasting relationship.  This industry is not that forgiving and a reputation can be made very quickly.  It is vital that you make it a good one.  What do you think the Chief will say when it is time to design the next school?  Do you think that he will have any favorable comments about the architect or the consultant?  Fortunately, we had a pass due to the fact that we were going off of spec and did not know of the existing Caddx infrastructure.  Had we known, you bet we would have installed caddx.  This particular system did not utilize any of the advanced features that Bosch offered and swapping out with Caddx would have actually been preferred.  I know that you probably have heard a facility manager or other administrator charged with maintaining the security system talk about how useless something is due to poor design and I would love to hear about them.

This topic can get a bit technical and complicated. Lucky for you, I will not force you into either. This post will just show the bare basics and guide you through how to select the correct type of wire.

Types of Wires
There are basically two types of wires used in all systems: Plenum and PVC. Plenum and PVC refers to the smoke rating of the wire jacket. Plenum is a “Low Smoke” jacket and is approved for use in open indoor areas, like the plenum of the ceiling. PVC is a “Higher Smoke” jacket and is only approved for running in conduit or in plenums where a designated return air duct is used. PVC omits a toxic chemical into the air when burned, and the last thing you want is to spread toxins through out the building because either the building has an open ceiling return air system and the toxins are sucked up into the air conditioning and the blown about, or not run PVC in conduit and those who are close to the burning wire are affected. I always use plenum wire for indoor application just to be safe. Wiring that is used outdoors carry an outdoor rating and is filled with gel to prevent corrosion. When faced with running outside wire, I always run plenum wire up to the exterior wall of a building and create a splice to continue with the outdoor wire

AWG
American Wire Gauge is a standard that we use to determine the circular mills of the copper in the wire…how thick the wire is. AWG is an important consideration because voltage and data will only travel so far on smaller wires. You will have to consult the installation guide for the equipment that you have purchased to find their data limitation as for voltage use the table below and you will coast through most of your installations. On a side note, most manufacturers also follow this table for data transmition.

AWG	Distance*
24	300
22	500
18	1000
16	1500

Table 1.1 - *Wiring must be home ran and not daisy chained

I have yet to use a thicker gauge wire than 16AWG in an intrusion system, other systems are a different story. Personally, if my device is more than 1,000ft away from my control panel, I will install a secondary power supply.

Final Thoughts
Intrusion systems can be the easiest system to install if you keep sick by the following:

1. Always use plenum wiring for indoor applications. It will cost you more money, but save you a lot of liability in the long run.
2. Use 22AWG and 18AWG in the distances laid out in table 1.1 and stick with them. Don’t try to “stretch”, as it could lead to hours and days of trouble shooting to fix
3. Keep wire color simple. Set a standard and stick with it throughout the job/carreer. For instance, always use the red and black wires for positive and negative power, and the green and white wires for signal. This will avoid confusion with some of your lesser experienced installers.

I recently read an article published by an industry magazine informing its readers that the new government standards for access control will require the use of smart cards along with either proximity, pin pads, or all the above.  This move was to insure that whoever needs access is who their credential says they are.

The Problem
The problem is that the use of smart cards takes away the decision making from the Access Control System.  Here is how the smart card process works.

1. A person swipes their Smart Card.
2. The Same person places their finger or hand on the biometric reader
3. The reader then compares the data from the biometric read to the data from the card
4. If there is a match then it passes the o.k. to swipe the proximity or dial the pin pad.

The issue lies in the whole smart card process.  Everyone knows that a proximity card can be duplicated, and a pin number can be lifted.  How long do you think it will take someone to recreate their own smart card to house their print?  Chances are, it has already been accomplished.

The Solution
Government facilities, or any other high security complexes, should use biometrics as a piece of their access control credential requirements; however, they should not use smart cards.  A more secure method is to evoke the whole process with the proximity reader.  Here is the correct process:

1. A person passes their proximity card next to the proximity reader
2. The Same person then places their finger or hand on the biometric reader
3. The Access Control CPU compares the data from both readers with the stored data in the database.
4. If there is a match then it passes the o.k. to dial the pin pad or opens the door.

The main difference is what is deciding if the biometric data is correct.  By using a database instead of a smart card reader, chances of passing a forged credential is severely minimized.  Someone could still hack into the database and change the record entry in the biometric table; however, then the IT department gets involved and yet another set of road block are set up.

Final Thoughts
It is nice to find that our government is upgrading their standards as far as ESS is concerned; however, I just hope they do it properly and the article I read was wrong.

I recently ran into a customer that was unhappy with their system. Their exact words was “This is absolutely useless.” The customer had the system just installed and was unhappy with the results. When they asked the installation company to fix the issue, they were given a change order to approve.

What Happened.
The customer did have an unreasonable expectation of their equipment. They wanted a fixed camera to be mounted twenty five feet in the air and provide a wide viewing angle. This is absolutely doable; however, they also wanted to read the license plate of any car that drove by. This is a clear case of a salesperson selling equipment not educating the client, and a customer buying a system.

??? Do What???
Some salespeople are driven by the almighty commission and say anything to sell equipment and labor. Using the above example, the salesperson did give the customer what they wanted, A fixed camera on a pole mounted twenty five feet in the air, the disconnect was that the customer expected a level of detail that the salesperson couldn't deliver and didn't try to educate on why.

How to fix
After sitting down with the customer,listening to what they wanted, and educating them on several different ways to achieve close to their desire (cameras that have a 15,000x zoom with crystal clear picture exist only in the movies), a remedy was chosen that would give them greater detail utilizing the equipment they already purchased. They did agree on the change order; however, the change order was for an end result and not for equipment. In all fairness the change order did contain legal jargon that protected both side. Lets face it, if you give a client two inches they will want two thousand miles...most of the time.

We as security professionals need to find the balance between just selling equipment and labor and selling a system. One of the best ways that I know to do this is to include a system summary that contains a “Operational Logistics” of the system along with the parts list. The “Operational Logistics” should spell out exactly what the sum of the parts are capable of doing once pieced together. For example here is a basic summary of an access control system:

“Once completed the customer will have to ability to program and distribute access cards. These access cards will serve two purposes. One will be for personnel identification and the second will be to contain personnel credentials that will be analyzed each time the card is presented to a card reader. If the personnel has the correct authority the door will unlock “Granting” them access to restricted areas, that will be lock by electromagnetic locks and controlled by the access control system. The access control system will also monitor a door's position. If the door is held open too long or is “Forced” open, an alarm will be distributed to the proper authorities by means of email. The system will also monitor a “Request to Exit” motion. This motion, when tripped, will transmit a signal back to the access system to unlock the door for a predefined amount of time, allowing hands free egress when exiting a restricted area.”

I know this is a little crude and lacks serious detail; however, you get the point. It might take you a little longer to complete a quote; however, you leave nothing to the imagination of the customer and they don't become estranged when the warranty is over.

More and more clients seek out the obvious benefits of cross-platform integration, and it is the manufacturers desire to give the clients what they want; however, It has been my experience that manufacturers will put out a product and promise integration whether it actually works or not. I was blown away by how common this practice actually is. Here is anexample:

A leading intrusion manufacturer we will call “Burg” recently parted ways with their OEM partner that developed their management software for their high end intrusion panels. These panels are able to not only act as in intrusion system but also a fire alarm and a small access control system. Their OEM software package integrated all three plus added dynamic mapping, live event monitoring, and system reports. When the relationship was about to expire the Burg developed their own software and took it a step further and integrated all of their offerings: intrusion, large access control, and surveillance.

It was about 99% complete when the initial roll-out date was met. It was those customers that wanted dynamic mapping that received the raw end of the stick. Apparently they wanted to import an AutoCAD file; however, due to a time constraints they relied on a common conversion software known as Whip!. Normally this would be acceptable, but in this instance AutoCAD announced that they would not longer support Whip! Files two months before the release date of the new software. After word got back, Burg announced an apology and promised that every effort was being made to correct the small issue in the next revision.

I find it interesting how many integrators actually take the manufacturers for their word on what they are able to deliver. It is essential to bench test a solution before installation if you are installing it for the first time, or at least have a manufacturers rep demo the integration.

Recently I have noticed that a lot of companies are taking a serious look at IP versions of ESS security. I am being asked about IP cameras, IP intrusion systems, IP fire, and IP Access Control. While surveillance and access control have complete IP offerings, intrusion and fire do not.

Why are Intrusion and Fire slacking?
One of the major reasons is code. National, State, and city codes restrict fire systems from being completely IP. The NFPA is currently written around analog inputs and relays for fire. It states that fire systems have to have two forms of communication to the Central Station for commercial installations. A complete IP solution would lack the second form of communication. As for intrusion systems...I have no idea. I believe that intrusion manufacturing companies realize that installation technicians are not always IP savvy. I am not saying that installation techs are idiots or there are not some sharp pencils out there; however, my experience has been that 99% of installation techs are not schooled in the ways of security and networking.

A IP workaround for Intrusion systems
First all access control companies sell what I call RIO (remote Input Output) modules. All you have to do is seek out a capable access control platform (there are plenty out there e-mail me and I will point you to one or three) and utilize their RIO modules for monitoring remote sensors like door contacts, motion sensors, and glassbreaks. Second utilize the RIO to activate a dialer to call a central station. These devices are more commonly used in fire alarms systems; however, intrusion models are available. A competent installation company should have someone to program the system accordingly.

But How do we arm and disarm?
This is simple to describe, but can be difficult to program. Like I said before a competent integrator should have a super tech on staff. Here is a list of methods:

• Utilize Card in / Card out on all of the exterior doors. This way the system can keep a head count and arm the system when the building is empty. Not recommended for companies who receive visitors.
• Set up a time zone to activate the monitoring of the intrusion devices. This one is the easiest to implement
• Utilize a arm/disarm reader to activate the monitoring of the intrusion devices. This is actually a preferred method on typical hybrid intrusion / access panels

There are numerous benefits to using your access system for alarm monitoring. One is that you now have a way to run reports on alarm events without having to call your integrator. Another is you have complete control over every device and can check its status through the access control software. There are more benefits; however, I feel that this is already running a little long.

What about Fire?
National NFPA code keeps us from utilizing these methods on fire systems. For now we will have to be satisfied with an IP DACT (Digital Alarm Communication Transmitter). This is a module that transmits alarm and troubles through the network. It is currently acceptable for an IP DACT to act as the primary form of communication; however, you still need a different secondary backup.

I have a client from my installation days who had a unique situation. A few years ago he came to me and asked that I network his four DVRs and access control equipment. His only requirement is that his IT department not know about it due to their strict rule of NO SECURITY ON OUR NETWORK!!!

How I did it
I simply installed a residential Linksys cable router with eight port switch. I then plugged his computer, the four DVRs, and the 485 Lantronix device that talks to his access control equipment into the switch portion of the router. Then I plugged his network into the WAN port. I programmed the router to pass all inbound network traffic to his computer and mimicked his MAC address. It worked without a hitch...until the day before Thanksgiving. He called me and complained that he could no longer see the security equipment and could not log onto his domain server. Sure enough his router kicked the bucket.

I asked him if he had another router/switch hanging around and he passed me a hub.

When will you get to the title of the post?
I had to preface this point. A hub takes in all network requests and passes them through to all ports while a switch learns which port contains the device the traffic needs to go-to and passes it onto that port only. Installing a hub instead of a switch will result in unneeded network traffic. If that wasn't enough, Hubs only allow for half duplex transmission. That means that it can only send or recieve and any particular time. If you are in the middle of receiving, then you have to wait for that to get done before you can send. Now that you know the difference, think of how clogged the network arteries would be if you installed a hub to connect eight or 16 IP cameras...The network, and possibly you or your customer, would figuratively have a stroke.

What about your customer???
In a pinch for time (it was the day before Thanksgiving and I was a half an hour away from leaving to visit family in Dallas) I found an unused switch and gave his computer a second IP and put the other security devices on a different sub-net. Invisible to 99% of his network. Time will tell if his ultra secure IT Department will discover our little mirage. If they do I will install another router, but for now it is not broke and no one is complaining.