Isonas IP Access Control: Protection Of Network Connections on the Outside Of A Building

When installing pure IP physical security systems or other IP-based edge devices such as IP-based video camera systems or IP-based intercom systems, we sometimes hear questions regarding the security of network connections that reside on the outside of a building. Often, the site's IT department colleagues can quickly address the concern by applying a few of the commonly used techniques we outline below.
Networking Tool Chest
The techniques described here are part of a “networking tool chest” that may be used by the system integrator and end-users to provide security to the network connections used by the PowerNet reader-controllers.
In some ways, this “Networking tool chest” is similar to an auto mechanic’s tool chest. The mechanic has many tools in his tool chest. Some are used for every repair job. Others are only used on a select number of jobs, where the project being completed requires them.
Likewise, you will probably not use every tool in this networking tool chest on every project. In fact, most projects will typically use only one or two of these techniques. Depending on the brand and model of networking equipment used, there may be other tools available to the customer that we will not discuss.
The vast majority of the tools within the networking tool chest are implemented through the networking hardware/software, such as network switches, routers, firewalls, VLANs, etc.
ISONAS SYSTEM CONCEPTS:
There are several concepts and features of the ISONAS system that are important to understand when discussing this topic.
The IP communications between the PowerNet reader-controller and the host computer can be encrypted using 256-bit AES encryption. For installations where data will pass over the public Internet, encrypting that data is encouraged. IP data encryption is also a tool available to prevent anyone from attaching to an exposed network connection and sending data to the access control system, since traffic that is not encrypted with the correct key will not be accepted. Within the PowerNet itself, the credential and event data is encrypted using the same 256-bit AES techniques prior to being written to the PowerNet's nonvolatile memory.
Assigned IP Port
When discussing IP Networks, the term “port” has two meanings. A “port” can be the physical connector where a network cable is attached to a device. This might be on a network switch, on the PowerNet, or on a laptop.
For our discussions, when talking about a physical connection, we will use the term “physical port”.
A “port” can also be an internal identifier that network devices use to organize different conversations over the network. For example, assume that your laptop has a single LAN connector and a single IP Address assigned on that connection. Even though you have a single physical connection to the network you may simultaneously receive email, browse the internet, and maintain an active connection to your payroll system. In order for this to work, your laptop needs a way to segregate the data coming from these different systems. IP Ports are used for this. Each conversation will be assigned its own IP Port. For your laptop’s one IP Address, there are 64,000 IP Ports available.
An analogy may help explain this. If your IP Address is like a Post Office, then one of your IP Ports is like a single Post Office Box.
For our discussions, when talking about these internal network identifiers, we will use the term “IP Port”.
The ISONAS system is designed so the host computer communicates to the PowerNet using a single “IP Port”.
This design feature of the ISONAS system allows the network to be configured to block the remaining 64,000 IP ports.
This is a very efficient configuration and assures that a PowerNet is the only device that will successfully communicate over the physical port.
How The IP Connection Is Initiated
Commonly, the ISONAS system is configured so that the host computer always initiates the IP connection to the PowerNet reader-controller; the connection is outgoing from the host. Once the network connection has been established, data can travel both ways. This allows the network to be configured to treat the physical port going to the PowerNet as an "outgoing only" connection.
An analogy would be a simple intercom speaker located at the front door and connected to your phone system.
People inside can call the front door, but the front door cannot call into different phones inside the building.
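The single assigned IP port and the host-initiated, "outgoing only" connection described above can be enforced directly in the network filter. The ruleset below is an added example in nftables syntax, not an ISONAS configuration: the interface names, the addresses and the TCP port number are placeholders, since this post does not state which port the PowerNet uses.

```nftables
# Added example, not ISONAS's own configuration. Assumptions (all placeholders):
#   lan0      - interface toward the access control host (inside the building)
#   rdr0      - physical port wired to the PowerNet on the outside of the building
#   10.0.1.10 - host computer running the access control software (constructed)
#   10.0.5.20 - PowerNet reader-controller (constructed)
#   10001     - the single IP port assigned to the PowerNet (substitute the real one)
table inet powernet_edge {
    chain forward {
        # Default: nothing crosses the reader-facing port unless a rule below allows it
        type filter hook forward priority 0; policy drop;

        # Return traffic is only allowed for conversations the host already opened,
        # which is what makes the reader-side port "outgoing only"
        ct state established,related accept

        # The host may open a connection to the PowerNet on exactly one IP port;
        # the other ports on that address stay blocked
        iifname "lan0" oifname "rdr0" ip saddr 10.0.1.10 ip daddr 10.0.5.20 \
            tcp dport 10001 ct state new accept

        # Any device on the outside port that tries to start its own conversation
        # (a swapped reader, a laptop plugged into the jack) is logged, then dropped
        iifname "rdr0" ct state new log prefix "powernet-edge-drop: " drop
    }
}
```

The logged drops give the SOC a concrete signal to alert on, complementing the tamper and heartbeat alarms the PowerNet itself raises.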
The PowerNet and Crystal Matrix software can detect different alarm conditions that would indicate that someone is attempting to disrupt or disable the PowerNet.
Through the PowerNet's tamper detector, an alarm is generated if the reader is physically disturbed.
Through network communication heartbeats, if the communications path between the PowerNet and the host is disrupted, then alarms will be generated.
Alarms can cause a Video System to focus on the door, email to be created, or notify personnel who are monitoring the Access Control System.
Stay tuned: next week we will review managed network switch techniques.