Sizing Up IP
LIKE TELEPHONES and access control systems, surveillance technology has evolved to where video can be sent across a company’s data network, allowing the video feed to be accessed from anywhere the company decides, from inside a security director’s office or from a laptop in a distant hotel room. The camera becomes like any other network device, such as a desktop computer or a router; it is given an Internet protocol (IP) address and plugged into the network. It’s fairly easy to do and can be very cost effective. But before you sign on the dotted line, you need to have a solid understanding of the pitfalls you may encounter.
Security Management asked a number of physical security and network security experts to name the top issues that arise when IP video systems are contemplated and implemented. The issues that came up in every conversation were bandwidth considerations, the need for clear and professional interdepartmental communication, and concerns about security and quality of service.
First a word about IP video. Traditional analog CCTV systems connect cameras to multiplexers via coaxial cables. Add a new camera and you might well have to run new cables through walls or out to remote locations. With IP video, the local area network (LAN), wide area network (WAN), or wireless network, or even the Internet, replaces coax cables. A new camera can be installed quickly and easily, since an organization’s data network is typically already installed and spread widely across the facility (and the connection can be wireless if a wired connection point is not conveniently located).
Having video move across the network allows security professionals to monitor cameras from any location with access to the network, rather than only from a central monitoring station as with analog-based camera systems.
When I switched my home telephone service to voice-over-IP (VoIP) provider Vonage a few years ago, I quickly learned an important lesson about my home network: I couldn’t listen to an Internet radio station and make a phone call at the same time without suffering degraded performance on both. It was a simple problem to overcome, but it proved that there were limits to what my broadband connection could handle.
Your company’s network may have much more bandwidth than my home network does, but the principle is the same: There’s only so much data that it can handle before problems begin to occur.
John Moss, CEO of S2 Security Corporation, doesn’t mince words. “Cameras are just bandwidth pigs,” he says. He uses a plumbing analogy. “Bandwidth is how fat your pipes are. If you’ve got a 3/4 inch pipe going up to your shower and then somebody downstairs uses a one-inch pipe and starts to fill his hot tub with it, then you’re not going to get much water pressure upstairs, and you’re going to be unhappy.”
There are ways around this problem. IP cameras typically are intelligent, says Fredrik Nilsson, general manager of Axis Communications; they can be programmed to send images over the network based on criteria such as motion and time of day.
“In many cases, the camera will only send video over the network if the video is worth recording, which might only be 10 percent of the time,” Nilsson explains. “Ninety percent of the time nothing is being transferred over the network.”
It’s also possible for a camera to capture scenes in multiple formats, some high resolution, some low resolution. This approach allows users to view images in low resolution, which means the images being transmitted aren’t consuming much bandwidth. At the same time, the system can store higher resolution images locally so that the more detailed images can be retrieved later if they are needed for use by law enforcement or in court.
So is bandwidth really a concern? It depends on how much bandwidth your network has to begin with and how many cameras you have installed, says Nilsson. He says that most bandwidth concerns he’s heard are from customers with older networks that have 100 megabits of bandwidth, a small amount compared to more modern networks with a gigabit (Gb) of performance on every port.
If IT says that the company’s network can’t handle any video traffic, it’s probably time to upgrade the network. IT may like the idea of an upgrade, and security may be able to help sell management on that concept by pointing out the possibility of adding Internet for phone service, as well as the possibility of video over IP. “If they do that, they’ll have ROI [return on investment] easily below 12 months. In any organization, if you can do an ROI that’s below 12 months, you should go ahead and do it,” says Eric Fullerton, president of Milestone Systems, a maker of IP-based video surveillance software.
Most bandwidth concerns can be addressed by properly configuring the elements of an IP video system, including the way that the video is compressed and how the camera features are being used.
Compression. There are multiple video-compression schemes available, depending on the usage. For example, a casino may want a constant and high-quality video stream to watch dealers and patrons, while a manufacturing facility may only need to activate a camera when somebody passes by the building after hours. In the former case, a high frame rate (20-30 frames per second) is necessary, which means that a lot of data moves across the network. In the latter case, a much lower frame rate—and thus much less data—could suffice.
Newer video compression schemes such as MPEG-4 compare reference points between frames, so that if parts of an image (say, the sidewalk in front of the manufacturing facility) never change, less data need to be sent over the network. “That’s the strength of MPEG-4,” says Nilsson. “If nothing changes, it doesn’t send any information. That saves normally between 30 and 70 percent of your bandwidth.”
Features. Any change of the scene being captured will cause the camera to send additional data, so pan-tilt-zoom (PTZ) features on cameras can affect bandwidth, a consideration that is sometimes neglected, says Michael Glasser, of the Security Group at Kroll Worldwide. “When most PTZs are first powered up, they go through a self-test mode. If a power problem occurs and your entire system repowers up, it can flood your network with data,” Glasser says, an operational consideration that can become a serious and unexpected problem.
Another factor that can exacerbate IP video’s effect on network bandwidth is when the security team starts to tweak settings once the system is running. “You may have situations where the image isn’t acceptable, so physical security turns up the image quality, and they don’t tell IT because it’s already on [the network] and it already works. That’s where you start running into issues, and it can definitely be a problem,” says Glasser.
Nilsson counters that the extent to which that is a concern may depend on how much bandwidth your network has. One of his clients has a network with a 34 Gb backbone. When they run all 100 cameras at 15 frames per second (the company requirement), he explains, “all the cameras simultaneously consume less than five percent of the network. They can double the frame rate, double the resolution, and still be consuming basically nothing.”
Separate networks. Nilsson says that it’s smart to have IP video running across a separate network. This doesn’t mean running a separate set of fiber (although in some high-security applications, a client might feel comfortable doing just that), but rather segmenting the IP video traffic from the rest of the network.
This is done with a network switch, a piece of hardware that routes data to particular ports and helps to increase the performance of the network. Even installations that have a huge number of cameras can operate efficiently when the IP video traffic is isolated. “Any good network should be virtually segmented anyway so you don’t have high bandwidth requirements running on the same network as you have e-mail,” Nilsson says.
If security cameras are going to be networked, the security department and the IT department will have to work more closely together. Both security managers and IT professionals pointed to the importance of good communication between the two departments.
Dwayne Healy, senior management analyst with the Los Angeles Police Department Office of Operations, remembers when he first proposed to IT the notion of streaming video across the department’s existing data network. They didn’t just say no. “They laughed at me,” he says.
He learned an important lesson: Make sure you’re communicating properly with your colleagues in IT. “If I’m going to be critical of the security industry, it’s that we haven’t focused enough yet on relationship building,” Healy says. “Not only with IT but with other sectors of business operations. The onus falls on us because we’re asking to play with their toys.”
Eventually, Healy got the IT department to give him the okay. He describes how he improved relations and kept the lines of communication open between himself and his colleagues in IT when he was promoting a project like IP video. The key is to be straightforward—don’t oversell or sugarcoat what might occur.
“The best advice I can give anybody is, tell them what the worst-case scenario impact is going to be,” he says. When Healy was early in the planning stages of a 1,500-camera setup, he went to his vendor, DVTel, and asked his contacts to tell him what the effect on the network would be if everything went wrong at once, even if this was the unlikeliest of events. Then Healy explained the scenario and its impact to IT, and ultimately got the okay.
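The gap between typical and worst-case load that Healy asked his vendor to quantify can be estimated from the bandwidth factors described earlier: motion-triggered transmission, inter-frame compression savings, and every PTZ camera restarting at once. The following is an added example, not part of the original article or any vendor's tool; the per-camera bitrates, the camera counts, and the 50 percent planning ceiling are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class CameraGroup:
    name: str
    count: int
    peak_mbps: float           # assumed per-camera bitrate with the whole scene changing
    duty_cycle: float          # fraction of time the camera actually transmits
    compression_saving: float  # fraction saved by inter-frame compression on static scenes

def typical_mbps(group):
    """Average load: motion-triggered sending plus compression savings."""
    return group.count * group.peak_mbps * group.duty_cycle * (1 - group.compression_saving)

def worst_case_mbps(group):
    """Everything goes wrong at once: every camera sends a fully changing scene
    (for example, all PTZ units running their power-up self-test together)."""
    return group.count * group.peak_mbps

def plan(groups, link_mbps, ceiling=0.5):
    """Compare typical and worst-case load against one link.
    ceiling is an assumed planning limit for video's share of the link."""
    typical = sum(typical_mbps(g) for g in groups)
    worst = sum(worst_case_mbps(g) for g in groups)
    return {
        "typical_pct": round(100 * typical / link_mbps, 1),
        "worst_pct": round(100 * worst / link_mbps, 1),
        "worst_case_fits": worst <= ceiling * link_mbps,
    }

# Constructed fleet: bitrates and counts are illustrative, not measured values.
# The 10% duty cycle and 30-70% compression savings are the figures quoted in the article.
FLEET = [
    CameraGroup("fixed", count=40, peak_mbps=4.0, duty_cycle=0.10, compression_saving=0.5),
    CameraGroup("ptz", count=10, peak_mbps=6.0, duty_cycle=0.10, compression_saving=0.3),
]

if __name__ == "__main__":
    for label, link in (("100 Mb link", 100), ("1 Gb link", 1000)):
        print(label, plan(FLEET, link))
```

With these assumed figures the typical load looks negligible on either link, while the worst case exceeds a 100 Mb link outright, which is the number to bring to IT.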
As Healy and his team got better at “talking intelligently in IT terms,” as he puts it, projects began to move faster. He says that planning sessions that would have taken three or four weeks a few years ago are now wrapped in a single meeting.
While non-IT security managers may be intimidated by the jargon-filled world of IT, there are ways they can help make the case for an IP-based video system without having to learn every element of network security first. Healy says that product information from the IP video vendor can help. “Bring some cutsheets showing them what the architecture is going to look like, where the connections are going to happen, and ultimately what the vendors are saying the loads are going to be,” he advises. “IT loves it if you walk in there with white papers that say, ‘This is what the vendor is saying.’”
Turf. Most experts said there are not many battles over turf when IP video projects get underway. “I see less of that kind of fighting than you may think,” says Moss.
It makes sense to show that you respect the other department’s area of responsibility, however—and that means documenting every way that you touch on the network, says Steve Hunt, President and CEO of 4A International, LLC. He adds that simple nomenclature can create disharmony between the departments.
“You’re not the only security professional,” he says. “The IT department has a very skilled group of IT security experts. Refer to yourself as a ‘physical security’ professional and to your counterparts as ‘IT security’ professionals.” (Some readers may balk at the narrowness of the physical-security moniker. Some security professionals have offered up the term “operational-security professional” as a better alternative.)
In Healy’s experience, the IT team, once engaged and treated as a partner, doesn’t demand control over IP video projects. “They are giving up some of their turf, if you will, and offering us their best practices on how to architect these systems,” he says. “It’s great that we’re finally starting to see this partnership forming with IT, which I can’t say enough about.”
Security and Service
After bandwidth concerns and communications problems, physical and IT security professionals say that security and quality-of-service considerations are the issues that most often come up related to an IP video installation.
Security. The security of the video information being sent via the network—both internal and external—is an important consideration when planning an IP video system. “For the internal half,” says Moss, “the question is, are you passing secure data down the network so that somebody else inside the firewall can’t see it and decode it?” Having these data secured prevents unauthorized employees from seeing it.
“It’s even worse if I can sit outside the network and decode the video stream, because there basically anybody could see it,” he adds. Indeed, some hacker sites advise how to use “Google hacks” to find video streams that can be seen by anyone; these hacks can be as simple as a series of words typed into the search engine that returns a list of accessible cameras—not all of them set up by their users to be accessible to the public.
Nilsson notes that the Internet is regularly used to transfer all types of sensitive information and that security of an IP video system shouldn’t be an issue, provided the correct security measures, such as firewalls, VPNs (virtual private networks), and password protection are implemented. Whereas an attacker with access to a camera and cables could tap into an analog system, he says, a network would recognize that the intruder’s feed doesn’t have any of the correct credentials and will cause an alarm.
The flip side of the issue—and one that may not be as obvious a consideration for operational security professionals—is the possibility that the IP video system will cause the network itself to become less secure. How can that occur? Allowing video to stream across the network can mean opening ports that would typically be closed or punching a hole in the firewall to allow this traffic to pass through. Both of these situations can potentially open up the network to additional threats.
Healy says he’s learned that any questions of network security are best left to the experts—the IT staff. “Obviously you need to defer to them on some of the security protocols,” he says. “Make sure it’s clean and you’re not introducing viruses.” And get their advice in terms of what you should be doing on your end to keep the network secure.
Quality of service. When networks are used simply to allow workers to share information and send e-mail, occasional downtime will not be a life-or-death situation. But when critical data streams, such as security video or telephone calls, are coming across the network, suddenly any downtime—planned or unplanned—becomes a significantly larger issue.
Systems rarely go down accidentally today. Companies do still need to take systems down for service, however, and there should be a discussion of how surveillance will continue through even those maintenance downtimes.
Nilsson says he’s seen customers approach this unavoidable situation with careful planning and the use of security officers. One airport customer was upgrading parts of its system, he says, and each time an upgrade was performed, part of the network was taken offline. The airport put guards in those locations where cameras were to be offline.
In other cases, customers have put two cameras in some areas, with each running through a different network switch. That allows the IT team to take down part of the network while leaving another segment up and running, so that critical areas remain online.
IP video systems may even be more reliable than the analog systems they are replacing simply because they are part of the system that is vital to the company, Nilsson says. “The network is such a vital part of any organization today, so if it goes down, even on a Sunday, people notice it because they use e-mail and so they’re alert in going to the IT manager.”
Security practitioners who voiced their opinions in this article agree that the two groups of security professionals are working closely on IP video projects. That’s good news, because IP video is on the rise; industry analysts estimate that network cameras will account for half of the CCTV cameras sold next year. Healy couldn’t be happier to hear that.
“The game is changing,” he says, “and it’s probably changing a lot faster than some of the old-school integrators want to admit. The days of relays and analog switches are long gone, I hope.”
Peter Piazza is an associate editor with Security Management.