Fiction: Ethernet is a Supervised Technology

Ethernet as a standardized protocol (IEEE 802.3) does not provide for the supervision of devices on a LAN. If a device is unplugged from a switch, loses power, or fails, Ethernet itself will not provide an indication of failure.

The only way to know that a device has lost communications is that it fails to respond to a ping or to an authorized user’s connection attempt. As more physical security devices are connected to networks, the ability to supervise the functionality of those devices becomes very important.

There are two ways in which supervision of LAN devices can be achieved. There are programs available such as FREEPing (http://www.tools4ever.com/products/free/freeping/) which can be run as a PC application on a network. This program is configured to send out ping messages to each device to be monitored on the network, and will generate a variety of annunciations (instant messages, audible sounder) if a device fails to respond to a ping within a programmed time frame. This is a simple way to monitor security devices, such as encoders and cameras on a LAN. The drawbacks are that the program must be constantly running on a PC on the network; if that PC is turned off, unplugged from the network, or the software is disabled, the monitoring stops. Also, the periodic ping messages will slightly increase bandwidth usage on the network, which shouldn’t be a concern on a modern 100 Mbps Ethernet system.

A more sophisticated option, and the one preferred by enterprise IT departments, is the use of the Simple Network Management Protocol (SNMP) to communicate changes in state of network devices to a PC located in the IT manager’s office. SNMP is a standardized communication method that can be programmed to monitor whether devices are connected to a network switch. SNMP messages, called traps, are transmitted to the monitoring computer. Based on the sophistication of the monitoring software, various alarm messages can be activated when an abnormal condition occurs. The SNMP application software can also be programmed to poll devices on the network to verify their state.

Typically SNMP monitoring resides in network switches, and the individual wired switch ports are monitored for whether network devices are plugged in, powered up, etc. This monitoring can include what specific device is connected (via the device’s MAC address), if a device has been unplugged from one port and plugged into another, etc.
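The two supervision styles described above, a ping poller with a miss threshold and an SNMP linkDown/linkUp trap receiver, share one alarm vocabulary in this added example. It is not code from the article or from any product named in it; the device names and the 192.0.2.x (TEST-NET-1 documentation) addresses are constructed, the `ping` flags are the Linux ones, and the trap handler only classifies an already decoded trap (the caller is assumed to run a trap receiver that extracts the snmpTrapOID and ifIndex varbinds). The trap OIDs and the ifOperStatus value are the standard ones from RFC 3418 and RFC 2863.

```python
"""Added example: supervising LAN security devices by ICMP polling and by
SNMP link traps, alarming on state transitions rather than on every miss.
Not the article's code; names and addresses below are constructed."""
import subprocess
from dataclasses import dataclass

UP, DOWN = "up", "down"

# Standard SNMPv2 generic trap OIDs (RFC 3418) for interface link changes.
LINK_DOWN_TRAP = "1.3.6.1.6.3.1.1.5.3"
LINK_UP_TRAP = "1.3.6.1.6.3.1.1.5.4"
# IF-MIB ifOperStatus (RFC 2863): up(1), down(2); useful when polling a
# switch port instead of pinging the device behind it.
IFOPERSTATUS_UP = 1


@dataclass
class Device:
    name: str
    address: str
    state: str = UP
    misses: int = 0


def icmp_probe(address, timeout_s=1):
    """Send one ICMP echo with the system ping (Linux flags); True on a reply."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), address],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            timeout=timeout_s + 2,
        )
        return result.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def poll_once(devices, probe, miss_threshold=3):
    """Probe every device once and return (name, event) for state changes.

    A device is declared lost only after miss_threshold consecutive failed
    probes, so one dropped packet does not raise an alarm; a reply while the
    device is marked down produces a single 'restored' event.
    """
    events = []
    for dev in devices:
        if probe(dev.address):
            if dev.state == DOWN:
                events.append((dev.name, "restored"))
            dev.state, dev.misses = UP, 0
        else:
            dev.misses += 1
            if dev.state == UP and dev.misses >= miss_threshold:
                dev.state = DOWN
                events.append((dev.name, "lost"))
    return events


def trap_event(trap_oid, if_index, port_to_device):
    """Map a decoded linkDown/linkUp trap to the same (name, event) tuples.

    port_to_device maps the switch ifIndex to the device name on that port;
    traps for unmapped ports or other trap types are ignored (None).
    """
    name = port_to_device.get(if_index)
    if name is None:
        return None
    if trap_oid == LINK_DOWN_TRAP:
        return (name, "lost")
    if trap_oid == LINK_UP_TRAP:
        return (name, "restored")
    return None


def annunciate(events):
    """Annunciation hook: console text here; swap for e-mail, syslog, etc."""
    for name, event in events:
        print(f"ALERT: {name} {event}")


if __name__ == "__main__":
    import time
    # Constructed fleet: two devices on documentation addresses.
    fleet = [Device("cam-lobby", "192.0.2.11"), Device("encoder-dock", "192.0.2.12")]
    for _ in range(5):
        annunciate(poll_once(fleet, icmp_probe))
        time.sleep(10)
```

The `probe` argument is deliberately pluggable: a function that performs an SNMP GET of ifOperStatus on the device's switch port and returns `value == IFOPERSTATUS_UP` drops into `poll_once` unchanged, which is the polling side of the SNMP option, while `trap_event` covers the push side.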

Most medium to large size IT networks are already using SNMP to monitor their devices. Some security equipment manufacturers are including SNMP support within the security device itself, providing this sophisticated level of device monitoring even if the network switches don’t have this capability.

Whichever technology is chosen, security integrators should plan for the supervision of network-attached security cameras and other devices, either by providing a separate monitoring system or piggy-backing onto an existing SNMP application.

Fact: Specialized PCs Are Needed to Monitor Network Security Video Streams

Not all PCs are the same. Different computers from different vendors use different chip sets, and the processing power of PCs continues to ramp up dramatically, particularly with the release of the new dual core (dual processing chips) devices. Types and capabilities of graphics accelerator cards and RAM memory can also affect the ability of a particular PC to effectively display multiple video streams simultaneously.

When planning on how a client will view networked security video it’s very important to either provide a video-capable PC or to carefully investigate the capabilities of the PC that will be used for viewing purposes. Some computers can easily present one or two simultaneous video feeds without introducing substantial lag time or latency, where the time duration required for the PC to process and display the video on the screen is excessive. However, it has been demonstrated that a low-end PC may provide up to 10 seconds or more of latency if five or six simultaneous video streams are being processed. If a PC takes a long time to process video, it’s also likely that there will be increased instances of video freeze or software lockup, requiring a software or device reset.

There are two answers to this issue. The first is to provide a properly configured PC supplied by the primary manufacturer of the video system being installed. Many major security vendors now resell specific PCs from major vendors, such as Dell, that function well with their specific video viewing software programs.

The second option is to have the client either configure an existing computer or provide a new one that is maximized for video and graphics processing. As to the proper PC configuration, most vendors provide information in their product materials specifying the minimum requirements for a viewing PC.

Another approach is to instruct the client to provide a viewing PC with gamer capabilities, such as those used by the players of online video games. Such computers will usually provide reasonable quality video processing.

Fiction: Local IP Addresses on a Typical Enterprise Network Are all DHCP

Most network administrators set up their networks with the majority of the devices receiving their local IP address through Dynamic Host Configuration Protocol, or DHCP. When a client device such as a PC is configured for DHCP, it will ask the network for a usable address when it’s initially powered up, and the network’s DHCP server will provide an address to use.

DHCP addresses have a “lease” time, which can be set by the IT department for hours or days. When the lease time expires, the device will ask for a new address, which may be the same or different from the one previously issued. DHCP is commonly used, as network administrators don’t have to personally keep track of what devices have which IP addresses.

While DHCP is commonly used for the majority of network devices, there are some important exceptions. Network “servers” that provide centralized application software and storage of files often use static IP addressing, where a specific IP address is manually input. While users (“clients”) on a network might receive various DHCP addresses when initially connected to a network, servers need a constant address so that the client computers can locate the server(s) on the network to receive programs and files.

Another typical network device that needs a static IP address is the default gateway, which is the local IP address of the router that connected LAN devices must communicate with to get to the next network or the Internet. When a computer requests a DHCP address from the network, the DHCP server will provide a usable local IP address as well as the static IP of the default gateway and the appropriate subnet mask information.

It’s important to understand that network-enabled security video devices are servers; they “serve” video streams to the “clients,” which are the authorized users. If installing security video devices onto a shared enterprise network, those devices need static local IP addresses so that the users can locate the device on the network.

If the IT manager is reluctant to provide static IP addresses for the network video devices (cameras, DVRs, encoders), in some cases explaining that the devices are servers will solve the problem. If the IT manager is adamant about not providing static IPs, some DHCP servers can provide addresses through “reservations.” The DHCP server providing the reservation is programmed to provide the same IP address each time a specific device (identified by its unique MAC address) requests an address, and the DHCP server won’t issue the reserved address to any other device. This in effect provides a constant specific IP address, like a static address, while allowing the IT department to monitor and control their IP address usage through the DHCP server.

It’s important to mention that some security-specific devices will accept a DHCP address, while others don’t have that capability. If using the reservation method mentioned above, the security device must have DHCP functionality.
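The reservation approach above stands or falls on the bookkeeping: one MAC per reservation, one address per MAC, and addresses that the dynamic pool can never hand to anyone else. The following added example (not the article's code) checks a reservation list for exactly those conflicts and renders it in ISC dhcpd `host` syntax; the device names, MAC addresses, subnet and pool boundaries are constructed, and other DHCP servers use their own reservation syntax.

```python
"""Added example: validating DHCP reservations for security devices and
emitting them as ISC dhcpd 'host' stanzas.  Not the article's code; every
name, MAC and address used here is constructed for illustration."""
import ipaddress
import re

# Six hex octets separated by ':' or '-' (both spellings seen on device labels).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return a lower-case, colon-separated MAC, or raise on malformed input."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def check_reservations(reservations, subnet, pool_start, pool_end):
    """Validate (name, mac, ip) reservations against the subnet and dynamic pool.

    Returns a list of problem strings; an empty list means the set is clean.
    Flags: malformed MAC, address outside the subnet, the same MAC or address
    reserved twice, and a reservation inside the dynamic pool (kept outside
    so a pool lease and a reservation can never collide).
    """
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems, seen_macs, seen_ips = [], {}, {}
    for name, mac, ip in reservations:
        try:
            mac = normalize_mac(mac)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append(f"{name}: {ip} is not in {subnet}")
        if lo <= addr <= hi:
            problems.append(f"{name}: {ip} lies inside dynamic pool {pool_start}-{pool_end}")
        if mac in seen_macs:
            problems.append(f"{name}: MAC {mac} already reserved for {seen_macs[mac]}")
        if addr in seen_ips:
            problems.append(f"{name}: address {ip} already reserved for {seen_ips[addr]}")
        seen_macs.setdefault(mac, name)
        seen_ips.setdefault(addr, name)
    return problems


def dhcpd_host_stanzas(reservations):
    """Render reservations as ISC dhcpd 'host' blocks, returned as one string."""
    blocks = []
    for name, mac, ip in reservations:
        blocks.append(
            f"host {name} {{\n"
            f"  hardware ethernet {normalize_mac(mac)};\n"
            f"  fixed-address {ip};\n"
            f"}}"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed reservation list on a documentation subnet (TEST-NET-1).
    cameras = [
        ("cam-lobby", "00:11:22:33:44:55", "192.0.2.41"),
        ("dvr-1", "00-11-22-33-44-66", "192.0.2.42"),
    ]
    for problem in check_reservations(cameras, "192.0.2.0/24", "192.0.2.100", "192.0.2.200"):
        print("PROBLEM:", problem)
    print(dhcpd_host_stanzas(cameras))
```

Run the check before handing the list to the IT department; a device that fails `normalize_mac` usually means a mistyped label, and a reservation that lands inside the pool is the classic cause of a camera and a visitor laptop fighting over one address.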

Fact: The Operating System (OS) in a Network Device Is an Important Consideration

Devices such as network-enabled DVRs, which include an operating system (OS), are sometimes called appliances. Most such devices will employ either an embedded Microsoft Windows or Linux-based OS.

While the OS chosen by a particular vendor may not greatly impact the functionality of a particular product, there are significant differences between these two operating systems from a network security perspective.

The recurring security problems of Windows are well documented. Many IT personnel have learned to dread Patch Tuesday, which is the day of the week when Microsoft issues software “patches” to fix security problems that have been detected. IT personnel must then decide if the patches are necessary for their network-connected Windows computers and appliances, and input them into all such devices on their network.

If an appliance such as an embedded Windows DVR is present on the network, it also may need to be updated to prevent security breaches. This brings up the issue of whether the security integrator is going to perform the security patching on devices they’ve provided, or whether that task will be handled by the IT department. The device(s) in question must also provide access to their embedded OS so that security patching can be performed.

Linux-based devices generally are less of a security concern, as most hacker exploits are aimed at the much larger population of Windows devices.

There is a growing movement among IT management to not allow embedded Windows devices onto their networks. Security integrators should be aware of this, and may want to consider offering Linux-based devices as an alternative if a client’s IT department balks at a Windows device.

Whichever type of OS is provided, installing dealers should select products that allow for any necessary software patching in the event of a publicized potential security breach in the device’s OS.

As network video takes over from analog, more video storage and playback capabilities will be configured as network video recorders (NVRs), with software directing video storage onto RAID (redundant array of independent disks) drives or other network-attached digital storage. It’s likely that in the near future IT management will require NVR technology to be provided as a software-only product that directs storage and video review capabilities onto the same type of network servers that the enterprise is using for other purposes.