IP Network Testing
Avoid the 7 Deadly Sins of IP Programming & Installation
In church one Sunday, my mind wandered during the assistant pastor’s sermon on the Seven Deadly Sins. I realized a couple of key issues: first, that I might be guilty of sloth (whatever that is), and also that there are a number of mistakes that can be made in connecting IP devices to clients’ networks that can cause serious problems for their network communications. So let’s take a look at the Seven Deadly IP Programming and Installation Sins that can render our customers’ networks and/or our IP security devices hors de combat.
1. Duplicated IP address on the LAN. In most cases our devices (DVRs, NVRs, IP cameras and encoders) need static IP addresses so they can be located by the authorized users and so that port forwarding and firewall manipulations can be established to provide for remote Internet connectivity. Because of the relationship between IP and MAC addresses, it’s critical that every device on a LAN, be it a physical security device or not, has a unique IP address. When one computer tries to reach another device on a LAN, a “broadcast” packet is sent to every device on the network and basically asks, “Who’s got IP address 192.168.10.15? If you’re out there, please send me your MAC address because I need to communicate with you.” If two devices have the exact same IP address, then depending on their location on the network and the speed of the switching equipment, the broadcast request might be answered by one machine the first time and by the other device the next. A duplicated IP address can wreak havoc on a LAN, and technicians must ensure that the static IP address that they program into an IP-enabled security device is not in use by anything else on the network. After selecting the address, use the “ping” command to check that the address is not in use, and make sure that the address selected does not fall into the range of dynamic DHCP addresses issued by the network server.
2. Not testing for Internet bandwidth prior to connecting IP cameras/encoders or video devices. Internet connections are like two pipes — one going up to the Internet (uplink) and one coming down to the client’s DSL, cable modem, or other broadband connection (downlink). If the goal is to provide video that can be viewed remotely, it’s important to test the client’s uplink bandwidth, as this will determine how many frames per second, and at what resolution/compression settings, video can be sent. To test for uplink bandwidth, go to http://myspeed.visualware.com/index.php from any Internet-connected PC on the client’s LAN. After a couple of minutes the results will be provided. What you’re looking for is the size of the uplink and also the “Quality of Service,” which in the case of this test means packet loss. If the size of the uplink is less than 500 kbps and/or the packet loss is in excess of 5 percent, either of these conditions may cause erratic remote video viewing. Test the client’s Internet connections to avoid future failures and frustrations when the client wants to view the DVR/NVR/IP camera(s).
3. Not performing a pre-installation survey of the client’s network and Internet connection. You are shooting blindly if you don’t know how your client’s network and Internet are configured. You may well forget a critical piece of hardware if you don’t know that it’s required to make your devices work on that particular network. A sample networking survey form is available at my website, www.slaytonsolutionsltd.com. If the customer is to have IP physical security devices installed on their network, the alarm company salesperson should go over the survey with the client and gather all available information about the network and broadband connection to be used. With accurate data from the survey, the system installation can be properly planned and executed in a timely fashion, saving your company labor cost overruns.
4. Not demonstrating how IP security video will appear on the client’s PC/laptop/handheld viewing device. IP video over the Internet is not the same as the HD quality television that our clients and we are accustomed to from a home TV. The available bandwidth for Internet video most likely will allow approximately 3 to 5 frames per second of reasonable-quality video images. It is critical that the salesperson demonstrates to the customer what they are going to see when they communicate with an IP camera. The most effective way to do this is for the installing company to install IP cameras in their office and connect them to the Internet. These cameras then can be used to show the customer the quality of video that they likely will view after the installation is complete.
5. Not testing all cable and connectors. As was vividly demonstrated to me during a recent ESNT certification class held at ADS in Nashville, Tenn., it is very important to test all cables and connectors on the network, and make sure that RJ-45 plugs are solidly inserted into devices and switch ports. Cables that have been disconnected/reconnected many times often develop a failure of the locking spring clip on the connector, and those cables may slide out of a switch port a fraction of an inch. This is just enough to make your devices non-functional. Whether you have installed the cable or are using existing cables, make sure that they are properly terminated, whether they are coax, Cat5e, or fiber optics. Inexpensive testers are available for electrical cables, and fiber links can be tested with a flashlight. Bad cabling and connectors account for up to 50 percent of networking problems. Get the simple stuff out of the way and test each cable before connection into IP electronic devices.
6. Leaving IP devices on the factory-default Port 80. There are 65,535 software ports available in TCP/IP LAN and Internet connectivity. Most of our vendors ship their IP video devices such as NVRs, DVRs, and cameras programmed by default to port 80, which is commonly referred to as the “http” or Hypertext Transfer Protocol port. While using this port makes it a bit easier for clients to access devices on the LAN, if the device is to be available over the Internet, using port 80 makes it very easy for hackers to find the device on the local network and attempt to take it over. Common hacking software such as NMAP will scan the first 1500 ports if a hacker tries a “quick scan.” If technicians select port numbers higher than 1600, typically a hacker will need to scan all 65,535 ports, which can take hours. Selecting high port numbers provides the IP device with “security through obscurity.” And, remember, if there are multiple IP devices that need to be accessed from the Internet, each device must be on its own unique port number(s).
7. Not taking a snapshot of the system once it’s functional. After an installation has been performed and everything is working correctly, most security installation companies would pack up their gear and head for the next job. Remember that if you are using the client’s network and/or Internet connection, any changes to the network configuration may well spell trouble for the IP physical security devices. Smart installation companies take a “snapshot” of the network once everything is working, using either freeware software such as NMAP/ZENMAP or higher-end programs such as IntraVue. However you do it, it’s very important to take a picture of the network when it is working properly. Then if there are problems, take another snapshot and compare the two. In many cases you’ll find that the network and/or firewall has been reconfigured and needs to be changed to allow the proper communication of the IP security devices.
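The snapshot comparison described in item 7, as an added example that is not part of the original article: it parses two scans saved in nmap's grepable output format (`-oG`) and lists the hosts and open ports that differ. Both scan texts and every address in them are constructed samples for a hypothetical LAN.

```python
# Constructed samples in nmap grepable (-oG) format for a hypothetical LAN.
# BASELINE: saved when the installation was working. CURRENT: after a trouble call.
BASELINE = """\
Host: 192.168.10.15 ()\tPorts: 8080/open/tcp//http-proxy///, 554/open/tcp//rtsp///
Host: 192.168.10.16 ()\tPorts: 8081/open/tcp//http///
Host: 192.168.10.1 ()\tPorts: 443/open/tcp//https///
"""
CURRENT = """\
Host: 192.168.10.15 ()\tPorts: 8080/filtered/tcp//http-proxy///, 554/open/tcp//rtsp///
Host: 192.168.10.1 ()\tPorts: 443/open/tcp//https///, 23/open/tcp//telnet///
"""


def open_ports(grepable):
    """Parse -oG text into {host: {(port, proto), ...}} for ports in state 'open'."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comment lines such as "# Nmap ... scan initiated"
        host = line.split()[1]
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            ports = result.setdefault(host, set())
            for entry in field[len("Ports: "):].split(","):
                # Entry layout: port/state/protocol/owner/service/...
                port, state, proto = entry.strip().split("/")[:3]
                if state == "open":
                    ports.add((int(port), proto))
    return result


def diff_snapshots(baseline, current):
    """List what changed between the working snapshot and the current one."""
    before, after = open_ports(baseline), open_ports(current)
    changes = []
    for host in sorted(set(before) | set(after)):
        if host not in after:
            changes.append(f"{host}: missing from current snapshot")
            continue
        old, new = before.get(host, set()), after[host]
        for port, proto in sorted(old - new):
            changes.append(f"{host}: {port}/{proto} was open, now closed or filtered")
        for port, proto in sorted(new - old):
            changes.append(f"{host}: {port}/{proto} newly open")
    return changes


if __name__ == "__main__":
    print("\n".join(diff_snapshots(BASELINE, CURRENT)))
```

A port that was open and is now filtered usually points at a changed firewall rule, while a missing host points at cabling, power or readdressing.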
While none of us is perfect, we can perform perfect installations of IP security devices if we follow the rules and avoid the mistakes detailed above. Do it right the first time and your profitability is assured.
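For the first item above (duplicated IP addresses), an added example that is not part of the original article: it checks a candidate static address against the LAN subnet, the DHCP pool and addresses already seen answering on the network, and flags any address answered by more than one MAC. The subnet, the DHCP range and the `arp -an` style lines are constructed assumptions for a hypothetical client LAN.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines in the style of Linux `arp -an`, captured twice
# a few minutes apart on a hypothetical 192.168.10.0/24 client LAN.
ARP_LINES = """\
? (192.168.10.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.10.15) at 00:11:22:33:44:0f [ether] on eth0
? (192.168.10.120) at 00:11:22:33:44:78 [ether] on eth0
? (192.168.10.15) at 00:aa:bb:cc:dd:0f [ether] on eth0
"""

ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")


def macs_by_ip(arp_text):
    """Map each IP seen in the ARP captures to the set of MACs that answered."""
    seen = defaultdict(set)
    for ip, mac in ARP_RE.findall(arp_text):
        seen[ipaddress.ip_address(ip)].add(mac.lower())
    return seen


def duplicated_ips(arp_text):
    """IPs answered by more than one MAC: the duplicate-address symptom."""
    found = macs_by_ip(arp_text)
    return sorted(str(ip) for ip, macs in found.items() if len(macs) > 1)


def check_static(candidate, network, dhcp_first, dhcp_last, arp_text):
    """Return the reasons a candidate static address must not be used."""
    ip = ipaddress.ip_address(candidate)
    net = ipaddress.ip_network(network)
    problems = []
    if ip not in net:
        problems.append("outside LAN subnet")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address")
    if ipaddress.ip_address(dhcp_first) <= ip <= ipaddress.ip_address(dhcp_last):
        problems.append("inside DHCP pool")
    # A silent address is not proof it is free: a powered-off device will not
    # answer, so an empty result still needs checking against the survey data.
    if ip in macs_by_ip(arp_text):
        problems.append("already answered ARP")
    return problems
```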