Troubleshooting the Network
When using IP-enabled physical security devices, the only way they can be useful is when they are connected to a local area network (LAN), which is the only method by which such devices can communicate. There are a number of issues involved when IP security devices are placed on a network, and astute security technicians must know how to manage network issues and troubleshoot common network problems as they relate to the security system components.
YOU'RE NOT THE BOSS OF ME!
The first issue to consider is whether the network in question can be actively managed or not. Most home and small business networks utilize unmanaged switches, which typically have no monitoring or diagnostic capabilities. This limits the troubleshooting capabilities of the network, as the central switch(es) cannot report whether it has a problem or what the problem might be. So the only troubleshooting indications from the unmanaged switch are the “happy” LEDs that indicate whether a device is connected and communicating on a particular switch port.
High-end enterprise networks typically deploy managed switches, which will possess various levels of monitoring and performance reporting that can be accessed by the IT personnel by using the proper user name and password. These types of networks usually can actively manage both the connection and the bandwidth of particular devices, such as IP cameras, that are placed on the network. Specific programs such as simple network management protocol (SNMP) monitoring, intrusion detection systems (IDS) and network access control (NAC) can be used with managed switches to monitor devices on the network and provide a variety of reports in the event of a device or network failure. These sophisticated programs are typically run by the IT department, and security integrators will need to make sure that the new IP-enabled physical security devices have been input into the monitoring software so that they are indeed being watched.
INITIAL INSTALLATION ISSUES & ANSWERS
Pick the Right Addresses: Most of the problems that develop during the initial installation of IP-enabled security devices center on the proper selection of static IP addresses for the new components, cabling deficiencies, and the use of software ports to allow remote access to a device from another network or over the Internet.
Installers must investigate the current IP addresses in use by the LAN to which the device(s) are to be connected. A simple way to do this is to perform the “ipconfig” command from any PC that is currently connected to the target LAN:
This report will show what IP address range is in use, what is the proper subnet mask setting, and the address of the default gateway or router. Using this information, security technicians then can select an unused address in the same range as those on the network, and input the same subnet mask and default gateway. Smart technicians will test the static IP address they’ve selected for the new component(s) by firing off a “Ping” test against the proposed IP address. If no responses occur, then there is nothing on the LAN currently using the selected IP address. This step is very important, because a duplicated IP address on a LAN will create communications failures for both the existing device and the new device that duplicates the address.
Cabling Testing: All cabling should be considered suspect until tested, whether the cabling was installed new by the security company or is existing cabling being repurposed for IP security communications. This testing process is often overlooked, even though over 50 percent of network connectivity problems stem from bad/poor cabling and connectors. Always test every UTP cable with a two-ended tester and replace any suspect connectors. A particular problem with RJ-45 male sockets is the spring clip that holds the connector into the female socket; these clips often lose their “spring” over time and don’t provide a solid lock-in when inserted into a device or switch. If it doesn’t click in securely, replace it now and avoid a spurious service call later when the weak connector clip causes the connection to fail.
Fiber optic links can be tested for continuity with any flashlight. Just hold one connector end onto the turned-on flashlight and have someone else look at the other end. If the light comes through, the fiber and its connectors aren’t broken. If the light doesn’t go through, this particular fiber link is broken, with most breakage occurring at either of the connector ends or at any splices, if they exist. Be prepared to replace fiber connectors with the appropriate type when planning to use existing fiber links, as there have been many examples of mediocre to bad fiber connectors being installed onto unused or dark fibers.
Software Port Programming: In most cases the maximum benefit of installing IP-enabled security devices is the ability to access the devices, such as an NVR, from remote locations over the Internet. To provide this accessibility, technicians need to understand and properly program the software port(s) into the proper locations in the network. The first setting is typically in the NVR or IP-enabled devices, most of which are default programmed to software port 80. This is also called the hypertext transfer protocol port or HTTP. Smart network security planning requires that this port number be changed, preferably to a number higher than 1600. Because there are 65,435 software ports, selecting a higher port number for a security device makes it harder for outside hackers to use scanning software to find an open port in a LAN from over the Internet, as they would need to scan thousands of ports to find the open ones.
Once the port(s) has been selected in the LAN device, the exact same port number(s) must be programmed into the default gateway router in the network address translation (NAT) field, and any firewalls that reside between the LAN and the Internet. Such firewalls are typically included in the cable modem or DSL adapter.
One typical problem that occurs is that often a device will require more than one port to provide full remote access and functionality. For example the NUUO 2040 four-channel NVR requires three ports; one for management, one for viewing live video, and one for viewing recorded video. These ports must be opened for both UDP and TCP protocols. If the installing technician doesn’t understand this and doesn’t set all three ports, the authorized remote viewer might be able to connect to the NVR over the Internet, but not be able to see any video.
MANAGED NETWORK PROBLEMS & SOLUTIONS
When dealing with an enterprise-level LAN network, in most cases there is one or more IT personnel who are responsible for programming and running the network. When IT people are available, the smart technician will discuss the connection of the IP-enabled security devices with them and together plan for the static IP, subnet mask, default gateway, and port(s) to be used for each device. If the IT personnel do the firewall settings properly, all should go well provided the security technician accurately programs each device. Don’t forget to test each cable being used.
Once the system is up and running, an all-too- familiar problem occurs when IT personnel make hardware and/or software changes to the network without considering how these changes will affect the electronic security systems. Changes in managed switches can disconnect devices or choke down the available bandwidth to an IP camera or encoder, reducing the quality of the live and recorded image viewing.
When a problem appears in a device that was previously working well, the steps for the technician are relatively simple: First, confirm that the device is still connected to the network by viewing the “happy” LED, which is usually present on most security devices. If it’s lit or blinking, the device is connected. If the LED is dead, check the cabling to the switch; perhaps the device has been unplugged within the telecom closet. A simple reconnection may be all that’s needed to bring the device back into service.
If the device is connected and properly powered, but still isn’t performing properly, check with the IT personnel to see what changes they’ve made recently in their network that might have affected the throughput or functionality of a security component. The upgrading of a switch or router, or a change in cabling may instantly disable a security device’s communications. In most cases the new network devices can be reprogrammed to allow the IP-enabled security components to regain their functionality.
A Parallel Network for Physical Security
The potential problem of the IT department making changes in the enterprise network without considering the effects on the physical security devices is a reason to consider installing a parallel IP network specifically for the security system. By providing separate network switches integrators can effectively avoid problems when changes are made to the enterprise system, while utilizing existing UTP or fiber cabling to reduce the overall labor cost on a particular job.