Security on the network: pitfalls and prizes

Business today operates in a world where all technology devices and standards are expected to communicate with each other, so it’s no surprise to find traditional physical security making the jump to the IP (Internet Protocol) environment – as reported in several editions of SMT during 2004.

Over the past few years, there has been a tangible change in attitude towards bringing security systems onto the company network. While there are many very good reasons for physical access and control security systems to make that transition, there remain serious considerations surrounding the manner in which the transition may be achieved in order that the network retains its integrity while end users benefit from painless implementation.

IT and security managers face three over-riding concerns whenever they attempt to bring physical access and control onto the network: demands on bandwidth, the amount (and scale) of IT equipment coming onto the network and the security issues themselves (including threats from viruses and, in particular, hacking). Initially, the main concern for all was bandwidth. That’s no longer the case. Networks are exponentially increasing in size, with advanced IP systems transmitting less than 500 bytes per second. In other words, an access control system should consume less than 0.01% of a 100 Mbit network.

The beauty of a TCP/IP system is that it’s also compact, with interface boxes in the region of 10x15 cm in size, while cabling is much reduced compared to traditional controller-based systems. An IP-enabled door may have just half the wiring of a traditional system, and the benefits are cumulative. If you’re wiring five doors for access control, a traditional system might realistically require 20 times the wiring of a new TCP/IP system connecting via a Category 5 hub or directly to the LAN. Therefore, the manager’s focus really should be firmly fixed on security issues.

IP portals: open to attack

It’s natural to assume that a ‘security’ product is, well, secure. However, what many managers may not realise is that there’s a device on their network that could be vulnerable to attack if left unprotected by inappropriate security solutions – the IP portal. Such an ‘assault’ could be carried out in a number of ways: over the web, from a terminal or over a wireless LAN… and from anywhere in the world.

The potential for accessing the corporate network and causing havoc is tremendous. Today, a hacker could literally open and close doors if they knew which commands to send. This may sound unlikely, even unfeasible, yet such capability was only recently demonstrated at a major corporation’s London headquarters.

To an extent, effective firewalls and other security protocols can protect the corporate network and valuable databases from hackers. However, running an access control system and the general security system over the network may lead you (albeit with the very best of intentions) into unknowingly bypassing all corporate network security with a box that doesn’t have its own firewall.

Potentially, hackers can enter the main corporate network via the access control system and cause chaos, perhaps even creating for themselves an official identity card by tapping into the database that holds all of the company security IDs. Exactly the kind of scenario that costs IT and security managers many a sleepless night.

To combat these problem areas, security and IT managers need to ask specific, probing questions of the system in which they intend to invest. Do the IP interfaces and other devices employ embedded firmware, thus thwarting software hacks? Do they broadcast? If the answer’s in the positive, this could well lead to network disruption that makes it all the more difficult to identify a possible attempted hack.

Are communications between the devices encrypted? With triple DES encryption the commands are never the same, so even if hackers could sample the commands that the box is sending, it would do them no good at all.

Perhaps most importantly of all, do the IP interfaces you’re placing on your network have their own, built-in firewall? If they don’t, you might as well leave the front door open when you next vacate the building!

Pick a card... but not any card!

Even with the IP interface secure, there’s one other major threat to the security of a business which has a particular resonance for the end user – identity theft. Document copying is a serious concern, none more so than when it targets identity or access control cards.

Given enough time and money it’s fair to say that any card could be copied, but some are far easier and faster to copy than others. For the sake of argument, let’s say I wanted to copy a magstripe card, for example. I would physically have to take that card from you – not so simple – and would have serious difficulties in copying the embedded wire of a Wiegand protocol card, which pulses a signal to a proximity reader. In fact, the old Wiegand swipe cards were really reliable and ultra-secure.

More recently, though, there has been a move towards using 125 kHz proximity cards. In doing so, companies have unintentionally downgraded their security system – because these cards are simply not secure. In fact, they have taken a great step backwards in terms of their security.

With a 125 kHz proximity card, an identity thief could steal the data on your card while it’s still in your pocket just by using a long range transmitter and receiver to turn the card on. Once on, the card continuously sends out its number when in range of the receiver, and that number may be recorded and cloned. The original cardholder wouldn’t even be aware of the theft – and therein lies the perfect crime.

Yet 125 kHz cards are incredibly popular. Indeed, at the moment they represent the preferred solution for an access control system. They’re manufactured by a variety of companies, and there are variants that include encryption. However, all of them can be cloned.

Potentially, hackers can enter the main corporate network via the access control system and cause chaos, perhaps even creating for themselves an official identity card by tapping into the database that holds all of the company security IDs

If a security manager requests an access control system, they’ll invariably be offered 125 kHz proximity cards as part of an ‘ultra-secure’ solution. Approach these cards with great care and cynicism. Ask questions. Always seek suitable alternatives.

Easier to use and secure?

If a customer were to ask me for 125 kHz cards, then I’ll always retort: “Why do you want them?” The answer lies in the misconception that proximity cards are easy to use and secure. Customers believe that it’s easier to present a card than to swipe it and, unfortunately, the security argument somehow became lost along the way.

As manufacturers, we have a Duty of Care to inform our customers and installers that, despite their reputation, 125 kHz cards are little more than a Trojan horse. Security managers should instead be considering the far more sophisticated Mifare card.

Mifare cards are the brainchild of Philips Semiconductors, and are presently supplied by several manufacturers. They’re easy-to-use proximity solutions, and cost the same as a 125 kHz card, but they are secure. The crucial difference is that Mifare incorporates additional security and handshaking with encrypted data requests and transmissions occurring between the reader and the card that makes it impossible to copy without spending years of dedicated time and resources. Frankly, that’s simply not good use of anyone’s time, even an identity thief (particularly when there are much richer, easier pickings in every town and city across Europe).

Mifare offers manufacturer-locked read and write keys for secure access control. The cards can also support the storage of biometric fingerprint identification for verification. Mifare is a standardised multi-application tool. Therefore, alongside a high level of security, Mifare can also support the storage of travel permits, visas, passports, Health and Safety certification, medical and training records. It supports cashless vending, can monitor the use of central services (such as the office photocopier) and can control the log-on procedure for PCs. In this way, Mifare offers additional security for the network and individual PC content. The cards can even monitor time and attendance.

All of these applications, together with the relevant information, may be distributed to the door by way of ‘smart’ reader terminals that provide relevant information to members of staff as and when they need it and at the right location. Remember, though, that given enough time any card can be copied.

You need a PIN for security

True security comes with the application of a PIN (Personal Identity Number), which is standard on a Mifare card, providing a timely Chip and PIN solution. Even a 125 kHz card could become ultra-secure if it were to incorporate a PIN.

If a company with an IP-enabled system employs a PIN solution, they’ll find that it offers considerable flexibility. With a PIN solution deployed, ‘smart’ card readers allow a company to increase or decrease the level of security on demand. A flexible level of security may be applied to one strategic door, or even a series of them. It can even be implemented across single or multiple sites.

Remote keypads on the reader generate an exclusive PIN at the door that’s known only to the cardholder, so the PIN becomes a truly personal identifier not held by – or generated from – a corporate database. It’s then a simple process to issue an e-mail to all staff informing them that as of Monday, for example, they will have to use their PIN. Managers can easily upgrade or downgrade the level of security as required, all with one key press that sends the command out to all readers.

Deploying an intelligent reader as part of an IP-enabled security system creates a far friendlier user experience through an increased level of interaction. If a user is denied access, for example, the reason can be clearly displayed on the reader: “You do not have access to this zone” or “Access is restricted at this time of day”.

Intelligent displays can also increase efficiency, helping companies to reduce the number of security officers or administration staff on site and previously on call to address employee questions and concerns.

Furthermore, intelligent displays may be the answer you’re looking for when it comes to disseminating information to specific employees who are entering certain areas at certain times. Timely reminders to wear a hard hat, attend a team meeting or to lock their PC out of sight before they leave the building simply make good business sense, and ultimately help the organisation to comply with a number of legal obligations.

Take responsibility for security right down to door level through the power of IP. Your security system should tell you when a door has been accidentally left open. It should also tell you who left it open and how long it has been open, and afford you the means to close it remotely. If someone cannot access a certain area, the security system should be able to tell them why. If it doesn’t ask you for a PIN when you walk up to the front door, be very afraid.

Adopting the right IP-enabled security system will put this capability into your hands, delivering a solution that’s easier to install, test and service (and to modify). One that’s also maintained regularly by your own staff and not the telecomms provider.