Is the era of IP turnstiles coming?
How quickly time flies! Unfortunately, I could not find a worthy replacement for this phrase to begin the article. And indeed, just yesterday the joke that seemed so funny: «Hello, the owner is not at home now, his refrigerator is talking to you» is now nothing more than a short description of another fashionable and expensive (for now) network device.
Obviously, modern society always needs some kind of fetish to worship, and not only to create surplus value for a certain group of people, but also in general – so as not to get bored.
Today, this role is played by various devices with the IP prefix. And although the contours of the «replacement» for the current idol named «nano» are already quite clearly visible on the horizon, at the moment it is unlikely that anything on the security market can compare in popularity with the various network systems. It is understandable that manufacturers and suppliers of security systems, in their entirely rational impulse to strike while the iron is hot, try to use the IP brand to the maximum. After all, it is obvious that if you somehow attach an Ethernet port to an ACS controller, you can quite easily call the product an IP controller. Some of my colleagues in the trade went further: it turns out that if you hide an IP controller inside an ordinary turnstile, you get an IP turnstile. In my opinion, this is a very reasonable undertaking, and I think further innovations in this direction are just around the corner. After all, it is hard even to imagine how many more wonderful places there are where one could put an IP controller.

But seriously, in my opinion, we are dealing with the familiar substitution of concepts that we all encounter when choosing a consumer product. There is no need for emotions here: you are already accustomed to front-wheel-drive SUVs in car dealerships and natural 100% reconstituted juice in hypermarkets. It is just that everyone has developed their own criteria for what counts as real and what does not. So I simply want to express my view on the criteria by which ACS controllers, and the systems built on them, can be classified as network ones.
Let's start with a simple, I would even say amateurish, view of the information network as such. What associations does the phrase «computer network» evoke in an ordinary person? Well, of course, computers connected by that very «cord» that the system administrator sometimes checks for some reason, crawling under the table and tripping over your feet. Right! I can't say when the term «network» appeared on the CCTV market, but network ACS have been on our market for about 10 years, I think. To this day, advertising for this product often looks something like this: a schematic computer network with designated operator and administrator workstations, which also shows some «network converters» for connecting the ACS controllers to the network via the same RS-485, virtual COM port, etc. And then the main, or master, ACS controller is usually drawn, uniting junior or similar controllers with loops of the same RS-485, RS-422 or current loop proudly spread out in different directions. Forgive the tedium, but what exactly is network here, and why, for such a «network» system, does the customer, in addition to laying an Ethernet network across his facility, need to think about laying additional kilometers of various shielded twisted pairs? So, in my understanding, a real network system should have the connections between its various components running over the network. Of course, I am not talking about the periphery: reed switches, exit buttons, readers, locks and actuators (although who knows, who knows! — see IP turnstile).
Now, let's move from form to content. If you look closely at the products left over from the previous «cutoff» and called «network access control systems», you can easily notice that the vast majority of manufacturers use the same Ethernet-to-COM-port or RS-485 converters for network communication between the elements of their ACS. In other words, ACS controllers and interface modules, usually developed long before the IP era, communicate with each other, for example, over the same RS-485, not knowing that there is now a chain of «intermediaries» on the communication line between them, converting the signal first from RS-485 to a network protocol and then back. Formally, this is indeed an ACS operating over a network. But this option has a number of functional limitations which, in my opinion, at a certain scale of the system blur the very idea of the advantage of using a network solution at the facility. Firstly, the very presence of a chain of such converters, coupled with the passage of information packets through a network consisting of not one but, for example, several subnets with gateways, converters, etc., can cause a long delay in the response from the slave controller to the master controller's request. And this delay may well be perceived by the master controller as a malfunction (let me remind you that the controllers «do not know» that they are communicating through the network). Secondly, probably the most popular (and quite budget-friendly) RS-485/Ethernet converters on the ACS market, from Lantronix, support network operation via the UDP protocol, which is primarily intended for use in peer-to-peer networks, where the lack of guaranteed message delivery and the requirement that certain addresses be always available on the network are not a big problem*.
In addition, ACS manufacturers themselves often recommend connecting no more than 4-8 slaves to one master controller over the network, even though in the standard configuration, when the master and slaves communicate via RS-485, there can be 32 or more. So, to work in this mode, the customer needs a dedicated subnet for the ACS alone, with additional restrictions on the number of control points in the system. But then a reasonable question arises: why sacrifice the functionality of a good ACS for the sake of some ephemeral innovation? You will still have to lay cable runs just for it, so isn't it better to use the good old RS-485, where everything works reliably, and the loop itself can, if desired, be extended with signal repeaters every 1200 m to more than 3 km?
So, in my understanding, a network controller should have a fully implemented (in software and hardware) Ethernet port with the TCP/IP protocol stack and support for dynamic address assignment (DHCP), which avoids the configuration errors that come from entering values for each network device manually. In addition, DHCP helps prevent address conflicts caused by reusing a previously assigned IP address when setting up a new computer on the network. In fact, this should be an industrial computer (probably running a Linux OS), allowing it, as a network ACS controller, to take full advantage of information exchange between modules and the system server within the network that already exists at the customer's site. Moreover, full implementation of all network capabilities implies the creation of an ACS with distributed intelligence. In other words, the software of such controllers should ensure effective interaction not only at the level of controller — system server, but also in such variants as controller — controller (peer-to-peer), controller — external CCTV or fire alarm system, controller — building life-support or energy-saving system, etc. The general idea is that after certain operating scenarios are loaded into the ACS controllers, they can independently (without intervention of the control server), when necessary, interact with each other to perform the required access functionality (the simplest example is global antipassback), switch on external IP cameras for recording using a protocol they understand, send commands to the energy-saving system to turn off the lights in empty offices, and, in turn, receive commands and information from other building (enterprise) management systems operating over the network at the customer's facility.
Moreover, such an operating mode for controllers without active interaction with the system server should not be some kind of emergency, but, on the contrary, standard.
I can offer a simple IP intelligence test. Draw a structural diagram of the connections between all components of your network ACS, then cross out the system server in the drawing and try to answer one question as honestly as possible: what can your system do now, and for how long? The amount of functionality that remains, and how long it can be maintained in this mode, is a direct measure of how close you are to what I understand to be a properly functioning network access control system with truly distributed intelligence.
In response to the eternal counterargument about the insecurity of open networks and their unsuitability for use by security systems, I can answer one thing: «So protect yourself, gentlemen!» A firewall can be installed on a controller based on an industrial computer, and information exchange over open networks can be protected by implementing a VPN connection. Of course, this task is not simple, but in any case, with proper implementation of the network protocol in ACS controllers, all IT methods of information protection available on the market become available to you.
Another, in my opinion, essential attribute of a real network access control system is a client-server architecture. Moreover, the variant in which the client is not a special application installed separately, but a web browser. In other words, a web client. In autonomous ACS with strictly limited functionality, the web server is built directly into the controllers themselves, and in the case of distributed network systems, it is installed on a dedicated server. The use of web clients not only gives the system's users complete mobility (working with the system through any mobile phone with a web browser), but also allows maximum flexibility in customizing the user interface according to their tasks and permissions.
In addition, the customer can really save on the installation and operation of the system.
There are no problems with software updates — they occur simultaneously on all machines in the network, including remote sites/branches. Users have no difficulties associated with database desynchronization or incorrect entries in the database. The hardware requirements for the computers on which the workstations will be deployed are significantly reduced (it is possible to use «thin clients»). The network load is reduced several times over, since only the result of the server's work is transmitted over the network, not an array of data. There is no dependence on the operating system — web applications are cross-platform services. The problem of access to the computer's internal resources is easily solved: all critical processes are blocked by standard means of the operating system (currently, in a number of ACS systems, administrator rights are required even to launch the operator's workstation).
Regarding the issue of the insecurity of access to the system via the web interface from third parties, I would like to remind you that all the world's largest banking structures have long offered clients access to managing their finances via various web portals. Accordingly, with the proper approach, this problem can be solved thanks to the SSL protocol.
I have to finish my story with a hackneyed phrase — there are no ideal systems. You are also unlikely to find systems that fully meet the above criteria on the security market, although there are indeed a couple of serious ACS manufacturers that meet the specified requirements in most parameters as accurately as possible.
But every time you hear about a «real» IP access system, do not be lazy to impose my «template» on the information you receive — I guarantee that it will be interesting.
And a special wish to the manufacturers of domestic ACS (foreign ones will not hear anyway). Your work really deserves deep respect, if in the midst of the economic crisis you did not lose your clients and even found time to read a very worthy publication on security. It is just that, perhaps, it is worthwhile to be a little more careful in covering the IP solutions you have developed in advertising campaigns. In my opinion, all parties will benefit from this.
*Features of the operation of the ACS using various network protocols are covered in detail on the pages of the TZ magazine in the article by Mr. Stasenko in No. 6 2008.