
The Future of Electronic Security Is in Your Closet
By John L. Moss, January, 2004

Open a typical electrical closet and you'll find security gear designed in the 1980s, deployed in the 1990s, and unfit for use on the networked IT infrastructure of today. But a change is underway, the driving force for which is a combination of the need to increase security in the post-9/11 operating environment and the need to reduce cost in the post-9/11 economic environment.

The past decade saw tremendous advances in software made possible by faster processors, cheap memory, and wonderfully fast, not to mention ubiquitous, connectivity. But while the software you use to control your systems has been forced to evolve (witness the fact that Microsoft recently dropped support for the Windows NT operating system), the hardware has not kept pace. The majority of hardware devices that call themselves "network ready" or "networkable" are little more than their serial-line ancestors with serial-to-Ethernet converters tacked on the front end. To truly take advantage of the cost reduction and higher level of security that convergence can deliver, the hardware, not just the software, has to change.

The largest security systems offer application integration through server-based software that interfaces to multiple, independent hardware devices. While server-based integration is effective in large systems, it is generally not cost effective for smaller ones. This means that the central, integrated system model works well in the large data centers or regional headquarters but cannot be deployed in the sales offices, which, while smaller, are numerous.

Life on the Edge
The overriding principle behind this new generation of hardware is the movement of integration as far to the edge of the network as feasible. The evolution of intelligent controllers that make access decisions at the doors they control is one example of moving intelligence to the edge of the network. The hardware of the next generation will go further by integrating video, audio and other functions at the edge of the network as well.

Putting more intelligence farther out on the network has a number of advantages. Systems can withstand communications outages with minimal loss of capability; real-time functions that are otherwise vulnerable to communications delays can be supported; and meaningful local system control is possible, as is remote control. Finally, moving intelligence to the edge of the system provides the only truly scalable architecture, because adding capability places little additional load on centralized management systems.
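The resilience and scalability advantages just listed can be made concrete with a small simulation. The following is an added example written for this article, not code from the author or from any S2 product: an edge door controller that keeps a cached copy of the credential list, decides locally whether to unlock, buffers its event log while the central server is unreachable, and flushes it when the link returns. The server stand-in, card identifiers and door name are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CentralServer:
    """Constructed stand-in for the central management system."""
    credentials: Dict[str, bool] = field(default_factory=dict)  # card id -> allowed at the door
    received_events: List[dict] = field(default_factory=list)
    reachable: bool = True  # flip to False to simulate a WAN outage

    def fetch_credentials(self) -> Dict[str, bool]:
        if not self.reachable:
            raise ConnectionError("central server unreachable")
        return dict(self.credentials)

    def upload_events(self, events: List[dict]) -> None:
        if not self.reachable:
            raise ConnectionError("central server unreachable")
        self.received_events.extend(events)


class EdgeController:
    """Door controller that makes the access decision from a local cache."""

    def __init__(self, server: CentralServer, door: str):
        self.server = server
        self.door = door
        self.cache: Dict[str, bool] = {}   # last credential list received from the server
        self.pending: List[dict] = []      # events not yet delivered to the server
        self.sync()

    def sync(self) -> bool:
        """Refresh the cache and flush buffered events; True if the server was reached."""
        try:
            self.cache = self.server.fetch_credentials()
            if self.pending:
                self.server.upload_events(self.pending)
                self.pending = []
            return True
        except ConnectionError:
            return False  # keep the old cache; the door keeps working

    def present_card(self, card_id: str, t: int) -> bool:
        """Decide from the cache only; the WAN is never in the decision path."""
        allowed = self.cache.get(card_id, False)  # unknown card: deny
        self.pending.append({"door": self.door, "card": card_id, "t": t, "granted": allowed})
        self.sync()  # best-effort delivery; failure must not block the door
        return allowed


def demo() -> dict:
    server = CentralServer(credentials={"C-100": True, "C-200": False})
    ctrl = EdgeController(server, "lobby")
    results = {"online_known": ctrl.present_card("C-100", t=1)}
    server.reachable = False  # WAN outage begins
    results["offline_known"] = ctrl.present_card("C-100", t=2)
    results["offline_denied"] = ctrl.present_card("C-200", t=3)
    results["offline_unknown"] = ctrl.present_card("C-999", t=4)
    results["buffered_during_outage"] = len(ctrl.pending)
    server.reachable = True   # link restored
    ctrl.sync()
    results["delivered_after_restore"] = len(server.received_events)
    results["buffered_after_restore"] = len(ctrl.pending)
    return results


if __name__ == "__main__":
    print(demo())
```

The central server only ever sees a batch of events and an occasional credential fetch per controller, which is why adding a site adds little load to the management system; the real-time decision and the outage behaviour both live at the edge.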

To put this into context, consider a simple system with an access-controlled lobby door, a video camera and an intercom located at a small field office but monitored from a large central office. In this scenario, control over the lobby door is desired both by the local site (perhaps from a reception desk) and by the central site. Current methods of dealing with this rather common situation are expensive and typically require redundant communications lines or, at best, multiple connections over an IP network. Nonetheless, current technology can handle the job.

Now consider 300 such sites, and it becomes quickly clear that another approach is required. The solution comes from the new generation of so-called network appliances: devices that solve a variety of different application problems while using the same network backbone. Fortunately, that network backbone is found in virtually every modern business as well as many homes, and it uses inexpensive equipment easily found at the local computer store.

The first network appliances that most of us come in contact with are those that operate the network itself. These include routers, wireless access points, switches and other network gear, with names like Linksys, Netgear or Cisco. Some of these names have recently begun to appear in some unlikely places. Cisco, for example, offers telephone systems that connect handsets to Ethernet ports on corporate networks, thereby reducing the labor of maintenance while allowing phones to be used on the system wherever a network connection is available without special telephone wiring. Such IP telephones are quickly becoming as inexpensive as regular analog phones and, according to "Second Generation VoIP," a September 2003 report by Forrester Research, will be installed preferentially over non-network phones within four years.

Network appliances already exist for a range of functions. They make either Ethernet or wireless (or both) connections to the network and are typically controlled locally through a Web browser. They plug-and-play on a network and act as their own Web servers, requiring no software to be installed. IP video cameras that fit this model are available today from leading manufacturers.

Securing Security
While network appliance architecture offers a good solution, it comes with a few rules of good behavior. Operating over networks exposes data in a way that operating over proprietary wires does not. When hackers put viruses on your home computer it's a nuisance; when they unlock doors at your facility it's a nightmare. Putting data on a network often exposes it both inside and outside an organization.

The first rule of good device behavior on a network is keeping security data secure. In larger organizations, the entire network may be secured, but smaller organizations, particularly those that wish to control their network appliances remotely, must rely on those devices to protect their data. The most common way to encrypt data between a device and a Web browser is through Secure Sockets Layer, or SSL, which typically uses a 128-bit encryption key to provide a data stream that is secure enough to perform credit card transactions over the Internet.

Other data protection methods such as SHA-1 (Secure Hash Algorithm 1) are used to protect data flowing between edge devices, but one thing all data protection schemes have in common is that they require a significant amount of processor resource to perform the arithmetic involved in protecting data. While the latest crop of microprocessors has special encryption logic in the silicon, that is, in the microprocessors themselves, using these processors generally requires redesign and reimplementation of existing products. The 68000-based access control or alarm panel designed in the 1980s will have to be redesigned in order to protect the data that flows into and out of it.

Unfortunately, solutions that attempt to run encryption code on existing processors often do so at the expense of reducing throughput or response time. Solutions that front-end existing serial interface designs (typically RS-485) with serial-to-Ethernet converters also fall short, because secure communication requires the active participation of both sides of the connection and generally must be designed from the ground up.
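The point that both sides must participate is easiest to see with the SHA-1 case mentioned above. A bare hash only detects accidental corruption; to protect data between two edge devices the hash has to be keyed (an HMAC) with a key both devices hold, and the receiver also has to reject replayed frames. The following is an added example, not code from the article or any product: a sender that frames a sequence number and payload with an HMAC-SHA1 tag, and a receiver that verifies the tag in constant time and refuses old sequence numbers. The shared key, frame layout and message text are constructed; SHA-1 is used only because the article names it, and the same code runs unchanged with hashlib.sha256, which is the choice a new design would make.

```python
import hashlib
import hmac
import struct

# Constructed: a key provisioned to both devices out of band. Each device pair
# would receive its own key from the management system.
SHARED_KEY = b"example-key-provisioned-out-of-band"


def protect(seq: int, payload: bytes, key: bytes = SHARED_KEY, digest=hashlib.sha1) -> bytes:
    """Frame = 4-byte big-endian sequence number || payload || HMAC tag over both."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, digest).digest()
    return header + payload + tag


class Receiver:
    """Verifies frames; rejects tampered frames and replays of an old sequence number."""

    def __init__(self, key: bytes = SHARED_KEY, digest=hashlib.sha1):
        self.key = key
        self.digest = digest
        self.tag_len = digest().digest_size
        self.last_seq = -1

    def verify(self, frame: bytes):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 4 + self.tag_len:
            return None
        body, tag = frame[:-self.tag_len], frame[-self.tag_len:]
        expected = hmac.new(self.key, body, self.digest).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return None  # replayed or out-of-order frame
        self.last_seq = seq
        return body[4:]


def demo() -> dict:
    rx = Receiver()
    good = protect(1, b"DOOR=lobby;EVENT=unlock;CARD=C-100")
    tampered = bytearray(good)
    tampered[4 + 14] ^= 0x01  # flip one bit inside the payload
    return {
        "good": rx.verify(good),
        "tampered": rx.verify(bytes(tampered)),
        "replay": rx.verify(good),
        "next": rx.verify(protect(2, b"DOOR=lobby;EVENT=lock")),
    }


if __name__ == "__main__":
    print(demo())
```

Both the sender's tag computation and the receiver's check are needed; a serial-to-Ethernet converter bolted onto a panel that never computes or checks a tag cannot provide this, which is the article's point about ground-up design.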

Pressed for Time
Closely allied to security is the matter of bandwidth use. When devices are connected together over proprietary wire, no one cares how much data is passed among them. That situation changes, though, when shared data networks are used, because bandwidth used for one application cannot be used for another. If every access-control or alarm panel on the network has to be polled by a central computer every second to ensure that it is online, that polling process creates a demand on network response.

The problem is further complicated when video and audio data are considered. Video images and sound require a lot of data when transmitted in digital form. A single 640 x 480-pixel video image requires just under 5 million bits at 16-bit resolution. A 15-frame-per-second stream of video would require 75 megabits of bandwidth. Considering that many networks have 100 megabits of total bandwidth, and generally significantly less than that when data goes off-premises, bandwidth use is a real issue.

Data compression techniques such as JPEG or MPEG for images and MP3 or AIF for audio significantly reduce the bandwidth required for transmission of video and sound. The JPEG image from the previous example compressed to reasonable quality might be 240,000 bits or less, about 1/20th the size of the raw image. However, there is a rub: It requires a lot of processor power or special ICs to perform the arithmetic required to compress data, and as with the issue of data security, data compression requires product redesign.
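The arithmetic in the two paragraphs above is worth carrying through, because it is the calculation a practitioner repeats for every camera and panel added to a shared link. The following is an added example, not from the article: functions for raw frame size, stream bandwidth, polling overhead and a link budget, applied to the article's own numbers (640 x 480 at 16 bits, 15 frames per second, a 240,000-bit JPEG) plus a constructed polling load of 300 panels exchanging about 64 bytes once a second. The 100 Mbit/s LAN figure is the article's; the 1.544 Mbit/s T1 figure for an off-premises link is an assumption used only to show when the budget fails.

```python
def raw_frame_bits(width: int, height: int, bits_per_pixel: int) -> int:
    """Bits needed to carry one uncompressed frame."""
    return width * height * bits_per_pixel


def stream_bits_per_second(frame_bits: int, fps: int) -> int:
    """Bandwidth of a stream that sends frame_bits every frame, fps frames per second."""
    return frame_bits * fps


def polling_bits_per_second(device_count: int, poll_interval_s: float, bytes_per_exchange: int) -> float:
    """Bandwidth consumed by a central computer polling every device on a fixed interval."""
    return device_count * bytes_per_exchange * 8 / poll_interval_s


def link_budget(link_bps: float, *demands: float) -> dict:
    """Sum the demands against a link and report whether they fit."""
    used = sum(demands)
    return {"used_bps": used, "utilization": used / link_bps, "fits": used <= link_bps}


def demo() -> dict:
    frame = raw_frame_bits(640, 480, 16)          # 4,915,200 bits: "just under 5 million"
    raw = stream_bits_per_second(frame, 15)       # 73,728,000 bit/s; the article rounds to 75 Mbit/s
    jpeg = stream_bits_per_second(240_000, 15)    # 3,600,000 bit/s after JPEG compression
    ratio = frame / 240_000                       # about 20: "1/20th the size of the raw image"
    # Constructed polling load: 300 panels, once per second, ~64 bytes per request/response pair
    poll = polling_bits_per_second(300, 1.0, 64)
    return {
        "frame_bits": frame,
        "raw_bps": raw,
        "jpeg_bps": jpeg,
        "compression_ratio": ratio,
        "poll_bps": poll,
        "lan_raw": link_budget(100_000_000, raw, poll),      # article's 100 Mbit/s network
        "t1_raw": link_budget(1_544_000, raw, poll),         # assumed off-premises T1
        "t1_jpeg": link_budget(1_544_000, jpeg, poll),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The raw stream fits on the LAN but not on the off-premises link, and even the compressed stream plus the per-second poll exceeds a T1, which is why compression and a less chatty supervision scheme both have to be designed into the device rather than added at the server.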

IT Alphabet Soup
After you examine the need for data security and bandwidth conservation, it becomes clear that a security network appliance needs to be a "ground-up" design. A number of standards exist to support network administration and safety, some of which are outlined in Table 1. A security network appliance should support these IT standards in order to promote integration with networks in general use. Interestingly, the vast majority of the standards listed were not in existence at the time that most of the current access control and alarm panel offerings were designed.

Unfortunately, some of these standards compromise device security. Protocols such as conventional Telnet, FTP and ODBC transmit data, passwords included, in clear (unencrypted) text. While this would be less of a problem for data routed over proprietary wire, data on your network may have much greater exposure than you expect, especially if a WAN is involved. As a result, it is necessary to either shut off these protocols, employ a secure protocol such as SSH, or protect the device behind a firewall sophisticated enough to screen out messages from unauthorized addresses.
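The three remedies above (shut the protocol off, replace it with SSH, or restrict it to trusted addresses) can be turned into a check run against an appliance's service configuration before it goes on the network. The following is an added example, not from the article or any product: a small audit that walks a constructed service table, flags every enabled cleartext protocol, and rates it high when it answers untrusted addresses and low when it is reachable only from a constructed management subnet. The service table, the 10.20.0.0/24 management network and the protocol-to-alternative mapping are assumptions for the demonstration; the list of cleartext protocols is the article's, with HTTP added because the table above pairs it with HTTPS.

```python
import ipaddress

# Constructed device service table: service -> enabled flag and CIDRs allowed to reach it.
# "0.0.0.0/0" means the service answers any address.
DEVICE_SERVICES = {
    "telnet": {"enabled": True,  "allowed_from": ["0.0.0.0/0"]},
    "ftp":    {"enabled": True,  "allowed_from": ["10.20.0.0/24"]},
    "odbc":   {"enabled": False, "allowed_from": ["0.0.0.0/0"]},
    "http":   {"enabled": True,  "allowed_from": ["0.0.0.0/0"]},
    "https":  {"enabled": True,  "allowed_from": ["0.0.0.0/0"]},
    "ssh":    {"enabled": True,  "allowed_from": ["10.20.0.0/24"]},
}

# Constructed management LAN from which administrators reach the appliance.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Protocols that carry credentials in clear text, and the secure replacement where one exists.
CLEARTEXT = {
    "telnet": "SSH",
    "ftp": "file transfer over SSH",
    "http": "HTTPS",
    "odbc": None,  # no drop-in replacement: disable or firewall it
}


def restricted_to_trusted(cidrs, trusted) -> bool:
    """True only if every allowed source range lies inside a trusted network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return all(any(n.subnet_of(t) for t in trusted) for n in nets)


def audit(services=DEVICE_SERVICES, trusted=TRUSTED_NETS) -> list:
    """Return one finding per enabled cleartext service."""
    findings = []
    for name, cfg in services.items():
        if name not in CLEARTEXT or not cfg["enabled"]:
            continue  # secure protocol, or already shut off
        alt = CLEARTEXT[name]
        if restricted_to_trusted(cfg["allowed_from"], trusted):
            findings.append({
                "service": name, "severity": "low",
                "note": "cleartext protocol, but reachable only from trusted networks",
            })
        else:
            fix = f"disable it or replace it with {alt}" if alt else "disable it or restrict it with a firewall"
            findings.append({
                "service": name, "severity": "high",
                "note": f"cleartext protocol exposed to untrusted addresses; {fix}",
            })
    return findings


def severities(services=DEVICE_SERVICES, trusted=TRUSTED_NETS) -> dict:
    """Convenience view: service -> severity."""
    return {f["service"]: f["severity"] for f in audit(services, trusted)}


if __name__ == "__main__":
    for f in audit():
        print(f["severity"].upper(), f["service"], "-", f["note"])
```

Disabled services produce no finding and restricted ones produce only a low-severity note, so the output is the short list of changes an installer actually has to make.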

Faster, Better, Stronger
Over the next several years as network appliance technologies further mature, you'll see them in many environments, including homes, offices and even automobiles. As more of the software that was traditionally installed on your security system PC is installed in hardware devices instead, the capabilities of middle-market products will increase to mirror and sometimes exceed those of high-end products.

The robustness of these products will also improve. Moving mechanical parts (such as hard disks), the weak points of most systems, will not be present on most network appliances. In their place, these devices will use storage attached elsewhere on the network for backup and archive, allowing the IT department to back up security data as part of its normal operations.

The greatest potential of network security appliance architecture is its ability to offer secure, high-end application integration in products priced for use by businesses of any size. These will be devices that install more easily and are more accessible to employees responsible for managing security through any available Web browser. The Web software revolution already under way is coming, in hardware, to a closet near you.

John L. Moss (jmoss@s2sys.com) is CEO of S2 Security Corporation, a new company that is developing cost-effective security network appliances that capitalize on the convergence of IP networks and physical security systems. A 25-year veteran in the security industry, Mr. Moss is the founder and former CEO of Software House, now a unit of Tyco International.

Table 1. IT standards and their relevance to the security network appliance

Standard       Relevance to the security network appliance
SSL            Protects communication between the device and a Web browser.
TCP/IP         Standard for communication supported by networks in most organizations and by most devices.
HTTP, HTTPS    Protocol for communication between a browser and the network appliance.
ODBC           Standard for accessing data in databases; allows unrelated programs to use data in relational security databases.
SQL            Query language for writing requests for retrieval of data from the security database.
SNMP           Protocol that allows IT monitoring systems to determine the health and status of devices on the network.
SMTP           Protocol that allows the network appliance to communicate by email with users and other devices (e.g. cell phones).
LDAP           Standard for storing data about a person so that multiple applications can access it and it has a single point of maintenance.
XML, SOAP      Standard for transmitting data among applications on the Web.
NTP            Protocol for obtaining the date and time from a central source.
TELNET         Protocol for console terminal communication over a network.
SIP, SIMPLE    Protocols for establishing Voice over IP (VoIP) and combined voice and messaging communications.
SSH            Secure shell for secure console and file transfer connections over a network.
FTP            Protocol for transferring data onto and off of the network appliance.