Troubleshooting Network-Based Security Systems: Step by Step
A variety of network-based security systems fall under the umbrella of physical security: video surveillance, access control, intrusion detection, location-based systems, data communications, mass message communications and media distribution, to name just a few. To effectively troubleshoot these systems, integrators first need to determine whether the problem lies with the physical infrastructure or the logical infrastructure.
Rooting Out Physical Infrastructure Problems
When troubleshooting physical infrastructure, integrators must examine:
• cabling and wireless networks,
• equipment that controls the network devices and system power, and
• wiring plant that supports the multiple network-based security systems.
The wiring plant includes the telecommunications closet, the intermediate cross-connect, the main cross-connect and the data center, as well as the command monitoring center and the main cable head where the physical infrastructure connects to TELCO services, external WANs or the Internet.
To determine the source of the problem, ask these questions:
Is there power? This is the most obvious place to start troubleshooting. Ferret out whether a break in the network cable is present or if the problem lies with the power sourcing equipment (PSE) or the powered device (PD) itself. It’s advantageous to have a network management system that can consistently monitor the endpoints of the network and pinpoint where performance has slowed down or stopped altogether, especially for larger networks.
Is the PSE’s capacity exceeded? If an Ethernet cable connects devices to a Power-over-Ethernet (PoE) switch, confirm that the device being powered can accept and use power from that Ethernet cable for its operation. As a safety precaution, a PoE switch or other PoE-compliant PSE won’t supply power over an Ethernet cable if it’s not connected to a PoE-compliant device.
Second, check the wattage rating of the network switch and the power requirements of all the PoE devices being powered by that switch. The PoE standard, also known as the IEEE 802.3af standard, designates a maximum power output of 15.4 watts per port, or 12.95 watts to the powered device after factoring in the normal power loss that occurs on a twisted pair cable. Attaching too many devices with large power requirements to a switch can exceed its power capacity. To determine the classification of a particular powered device, check the manufacturer’s specification sheet.
If the network switch supports the newly ratified Hi PoE standard, also known as IEEE 802.3at or PoE+, it can deliver 25 watts of power per port, or 22.55 watts to the powered device once power dissipation in the cable is considered. If the Hi PoE network switch uses all four of the twisted pairs in the Cat 5 cable, it can deliver up to 51 watts of power per channel. This is more than sufficient to power and control pan/tilt/zoom network cameras, as well as heaters and fans in outdoor network cameras, over a single Ethernet cable.
Is the wireless network experiencing interference? Much like hardwired network systems, integrators should set up a network management system to monitor wireless transceivers or radios for power loss, fluctuating network throughput and poor signal strength. Radios can also be monitored for interference from external sources.
Rooting Out Logical Infrastructure Problems
When troubleshooting logical infrastructure, integrators must examine:
• network switches,
• firewalls, and
• network management systems.
This is the virtual portion of your network that controls how you segment access to network security devices and systems. It also involves the way you guarantee quality of service (QoS) for critical systems during spikes in bandwidth demand from various security systems on the network.
To determine where the problem might be originating in the logical infrastructure, here are a few pertinent questions to investigate:
Does the user have permission to access the system? If a user complains that they’re not receiving information from a particular network-based device, check the Virtual Local Area Network (VLAN) to see if they have been granted permission to access that device. The VLAN is designed to separate groups of users to prevent unauthorized access to network components such as devices or databases.
For instance, human resources might have permission to look at an access control database but is barred from the access control panels themselves. A school superintendent may be able to see all of the video cameras in the district, but principals can see only the cameras covering their own campuses. Or in an emergency, first responders may be given temporary access to a building’s security cameras.
Is a new logical security application causing communication failures? If network-based devices suddenly stop communication, check to see if the network administrator has introduced a new logical security application that may have triggered the failure. This could be a new proxy server that doesn’t recognize the device, a new firewall that creates a barrier between the device and the network in accordance with the company’s information security management (ISM) policy, or a piece of security software that is blocking the network port used by the device.
The best way to test for these problems is to shut down the new application and see if the device begins communicating again. Start with the simplest communications path possible, then add layers of logical infrastructure one at a time and track the point at which things start to fail.
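One way to walk the path layer by layer, shown as an added example that is not from the original article. The addresses, ports and layer names are constructed, and `replay` stands in for live probes so the walk can be shown offline; pass no `probe` argument to test real devices.

```python
import socket

# What each result suggests for the logical-infrastructure checks above.
HINTS = {
    "open": "path works up to this layer",
    "refused": "connection rejected: nothing listens on that port, or a reject rule",
    "filtered": "no answer at all: a firewall or security software is dropping the port",
}


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP connection attempt to a device's service port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"  # no route, name lookup failure, interface down


def first_failing_layer(path, probe=probe_tcp):
    """Probe each layer in order, simplest first, and stop at the first failure.

    Returns (label, state, hint); label is None when every layer passes.
    """
    for label, host, port in path:
        state = probe(host, port)
        if state != "open":
            return label, state, HINTS.get(state, "check routing and addressing")
    return None, "open", HINTS["open"]


# Constructed path for one camera (documentation-range addresses).
SAMPLE_PATH = [
    ("camera on its own segment", "192.0.2.10", 554),
    ("through the new firewall", "198.51.100.1", 8554),
    ("through the WAN router", "203.0.113.7", 8554),
]
# Constructed observations replayed in place of live probes.
SAMPLE_OBSERVED = {"192.0.2.10": "open", "198.51.100.1": "filtered", "203.0.113.7": "open"}


def replay(host, port):
    return SAMPLE_OBSERVED[host]


if __name__ == "__main__":
    print(first_failing_layer(SAMPLE_PATH, probe=replay))
```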
Troubleshooting Specific, Network-Based Security Systems
After investigating the infrastructures, integrators should move on to the specific network systems for further inspection. The diagnostic strategies for two of the more popular network-based security systems, video surveillance and access control, are very similar.
Is the powered device working? Whether it’s a network camera or a card reader, the first thing to check is the device itself. Is it receiving power? Are all its parts functioning? If the problem doesn’t seem to be power or part failure, try resetting the device. Start with a soft reset: simply powering down the device and then powering it back up again. If that doesn’t work, a hard reset will restore the device’s settings to its factory default. Then you can change the settings one at a time to see if a particular new setting is causing the problem.
Is the problem in the firmware? One of the most common oversights in upgrading network-based systems is firmware compatibility between the network camera and the video management system or between the card reader, the door control panel and the access control management system. A manufacturer might have shipped you a firmware revision for the network device that isn’t supported by the management system. Or the network administrator might have upgraded the management system without considering its compatibility with the network device. Any of these scenarios could lead to a communications issue.
Are the databases synched? If multiple network-based security systems are designed to work in tandem, it’s important to synchronize their databases to ensure that they operate properly. For example, a visitor management system might allow visitors to enroll online to ensure a badge is waiting for them when they arrive at the facility. However, if that information doesn’t automatically populate the access control system database, then the visitor’s badge won’t be recognized by the card reader.
Is remote access being hampered? For network video surveillance systems in particular, problems can emerge with WAN connectivity when monitoring video streams remotely. To correct this, first ensure that the individual monitoring the cameras is accessing the correct static IP addresses. If the network doesn’t use static IP addresses for the network cameras, check that correct port forwarding or network address translation protocols are in place. This might require specialized programming to determine if the camera’s video stream is transmitting properly through the router.
Hosted video solutions avoid much of this complex protocol connectivity by connecting the cameras to an outside dispatch service. The service automatically reconfigures the cameras to stream video to a hosted video portal, where it can be accessed by remote users.
Keeping It Simple
Even in a complex network environment, the simplest approach is the most effective one. Start troubleshooting by ruling out more obvious problems such as power loss before exploring other possible issues affecting system performance. Try to recreate a simple communications path between the network device and the user of that device’s information, be it a video stream or an entrance permission. Then gradually introduce other areas of the network to determine where and when the problem occurs. This systematic layering of complexity will make it easier and faster for you to root out the problem and bring the security systems back to full operation.
Troubleshooting Checklist:
Check physical infrastructure
• Power to all devices?
• Manual soft or hard reset?
• PoE capacity exceeded?
• Wireless interference?
Check logical infrastructure
• User permission for VLAN?
• New logical security application? (Proxy server, firewall, security software, etc.)
• Firmware compatibility?
Alphabet Soup: Network Security System Acronyms
These are some of the acronyms you’ll need to recognize and understand if your business is troubleshooting network-based security systems:
ISM – Information Security Management
NAT – Network Address Translation
PD – Powered Device
PoE – Power over Ethernet, IEEE 802.3af standard
PoE Plus – Power over Ethernet Plus, IEEE 802.3at standard
PSE – Power Sourcing Equipment
QoS – Quality of Service
VLAN – Virtual Local Area Network
VMS – Video Management System
VoIP – Voice over Internet Protocol
For more network-based security system terminology and reference resources, check the following web sites: