Traditional installers must have a working knowledge of IP networking if they are going to compete effectively for contracts against the newer IT integrators in the security industry. In the final part of our three-part series, Justin Harrison of Panasonic Business Systems explains how networking can be used by security installers.
Ultimately the aim of technology is to improve the user's experience of the task that they are performing whilst adding value and benefit.
Arguably, the better the technology, the less the user notices it doing so. Everyday tasks rely heavily on the systems that support them, which are transparent to the user. We now take for granted, for example, that we will be able to reach into our pockets in a busy high street shop to talk to someone in the shop next door or in an entirely different country. This task is so simple that the Mobile Operators Association claim that 79 per cent of UK adults own or use a mobile phone. Adoption of this technology has been widespread amongst users of all backgrounds, all having no problems using the phone.
It's strange to think that ten years ago only the select few had access to this technology. The underlying technology is not understood by almost all users of mobiles – and why should it be?
Many tasks that use Internet technologies share the same characteristics as the mobile phone. In our personal and working lives, the Internet is used continuously for correspondence and sharing up-to-the-minute information with ease. In the previous articles we have looked at how an IP solution might be used on a small network or by a company to share information across multiple sites. These are both examples of how networking is used on an ever-increasing scale as an affordable and reliable method of communication. This article explores how this transparency is possible and how it can be used by installers in the security industry.
Automated configuration
Until now we have looked at adding security devices to a network manually and assigning the network configuration to each camera or recorder individually. This is a viable method and in many cases will be the preference for assigning security equipment. However, on some networks there are ways of automating this activity.
When a device is connected to a TCP/IP network it requires an IP address, subnet mask, gateway and DNS address. Each of these parameters is specific to the network. Correctly configured equipment looks for a device known as a DHCP (Dynamic Host Configuration Protocol) server on the local network to assign these settings.
A DHCP server has a range of IP addresses – known as a pool or scope of addresses – that are available to be used on the network. When a new device is added to the network it looks for a DHCP server to assign it an IP address.
This DHCP server does not need to be within the same subnet as the device requesting an address. The server will determine what IP addresses are available from the pool and allocate an address accordingly for that subnet, along with the correct mask and gateway for the location of the device.
Each device is given an address for a finite amount of time, after which it must request a new address; this is known as a lease. Leasing is required as networks are constantly changing, with devices being constantly added and removed; a carefully selected lease time should ensure that there are always IP addresses available for devices. It is likely that the device will be given the same address again, but it allows good management of addresses. (Figure 1)
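The leasing behaviour described above can be seen in a small model. This is an added example, not part of the original article or any Panasonic product: the class name LeasePool, the two-address scope, the MAC addresses and the timings are all constructed for illustration.

```python
import ipaddress


class LeasePool:
    """Minimal model of a DHCP scope: a pool of addresses handed out on timed leases."""

    def __init__(self, first, last, lease_seconds):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.pool = [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}  # device MAC -> (address, expiry time in seconds)

    def request(self, mac, now):
        """Lease an address to `mac` at time `now`; None means the pool is exhausted."""
        # Addresses held by other devices whose leases have not yet expired.
        in_use = {addr for m, (addr, expiry) in self.leases.items()
                  if m != mac and expiry > now}
        previous = self.leases.get(mac)
        if previous and previous[0] not in in_use:
            address = previous[0]          # same address again, as on a renewal
        else:
            free = [a for a in self.pool if a not in in_use]
            if not free:
                return None
            address = free[0]
        self.leases[mac] = (address, now + self.lease_seconds)
        return str(address)


def lease_walkthrough():
    """Constructed scenario: two-address scope, one-hour leases, three devices."""
    pool = LeasePool("192.168.0.100", "192.168.0.101", lease_seconds=3600)
    cam, rec, lap = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"
    return {
        "camera at 0s": pool.request(cam, 0),
        "recorder at 10s": pool.request(rec, 10),
        "laptop at 20s": pool.request(lap, 20),       # both addresses are leased
        "camera at 1800s": pool.request(cam, 1800),   # renewal keeps the address
        "laptop at 5500s": pool.request(lap, 5500),   # earlier leases have lapsed
        "camera at 6000s": pool.request(cam, 6000),   # its old address is now taken
    }


if __name__ == "__main__":
    for step, address in lease_walkthrough().items():
        print(f"{step:>16}: {address}")
```

The last step is the case that matters for a camera: after its lease lapses it can come back on a different address.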
Internet users are familiar with @'s, www's and .co.uk's whilst navigating the Internet, remembering some web addresses and guessing the rest. Computers work best dealing with logically arranged numbers, which is why IP addresses are used. The user, on the other hand, has no chance of remembering an IP address as well as a normal web address. In the same way that an IP address is logical to a computer, the web address is logical to the user. This causes a problem, as there needs to be a mechanism in place to translate the human users' written address into the correct IP address.
A closer look
To understand how a web page, for example, is found from an address, it is best to look closer at a web address. If we take the address www.panasonic.co.uk, it can be arranged into four sections: uk, co, panasonic, and www.
On the Internet the structure of this address is regulated by the Internet Corporation for Assigned Names and Numbers (ICANN) to ensure that correct naming procedures are followed and names only occur once at each level. This structure is known as a domain. The theory behind the domain structure is that organisations of a similar type are more likely to need to exchange information with each other than with organisations of differing disciplines. For example, educational institutions such as universities are less likely to communicate with businesses than with other universities.
Figure 2 shows how a typical domain is structured. At each of the rectangular points of the diagram there is a Domain Name Server (DNS). When a device on the network attempts to communicate with another device using its name instead of the IP address, the device will send a request to the local DNS to 'resolve' the address – this simply means to find the IP address. The device on the network labelled user attempts to contact www.Panasonic.co.uk – it does not know the IP address of this device and sends a request to the DNS. The DNS has a table of devices that have been registered with it, and amongst this list is the device www. It then returns the correct IP address to user.
If the same device, user, now attempts to contact the machine www.Security-Installer.co.uk, it makes a name resolve request to its local DNS at Panasonic. This time the DNS knows that the device is not part of its domain and passes it to the DNS on the next level, the co DNS server. It checks the domain name (co.uk) to see if it is part of the same domain. As security-installer is part of this domain the DNS looks at its own records for the IP address of the security-installer DNS server.
It is then the task of the security-installer DNS to resolve the IP address of www.Security-Installer.co.uk. The security-installer DNS passes the address back to user directly. From now on the communication is between the www and user and the DNS is no longer used.
This use of a domain hierarchy allows devices on a network to be addressed in a format that has been widely adopted by users of the Internet and greatly simplifies the process of finding a device on a network.
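The lookup sequence walked through above, as an added example that is not part of the original article. It follows the article's simplified description (ask the local DNS, pass up a level, hand down to the owning DNS) and is not a real resolver; the NameServer class and the addresses, taken from documentation ranges, are constructed.

```python
class NameServer:
    """One DNS server in the article's hierarchy, holding hosts and child domains."""

    def __init__(self, domain, parent=None):
        self.domain = domain
        self.parent = parent
        self.hosts = {}      # host name within this domain -> IP address
        self.children = {}   # child domain name -> NameServer
        if parent is not None:
            parent.children[domain] = self

    def resolve(self, name, path=None):
        """Return (address or None, list of servers consulted in order)."""
        path = [] if path is None else path
        path.append(self.domain)
        name = name.lower().rstrip(".")
        suffix = "." + self.domain
        if name.endswith(suffix):
            host = name[: -len(suffix)]
            if host in self.hosts:                      # registered with this server
                return self.hosts[host], path
            for child_domain, server in self.children.items():
                if name.endswith("." + child_domain):   # hand down to the child's DNS
                    return server.resolve(name, path)
            return None, path                           # in this domain, not registered
        if self.parent is None:
            return None, path
        return self.parent.resolve(name, path)          # not ours: pass up a level


# Constructed tree mirroring the article's example domains.
uk = NameServer("uk")
co = NameServer("co.uk", parent=uk)
panasonic = NameServer("panasonic.co.uk", parent=co)
installer = NameServer("security-installer.co.uk", parent=co)
panasonic.hosts.update({"www": "192.0.2.10", "camera": "192.0.2.20"})
installer.hosts["www"] = "198.51.100.10"

if __name__ == "__main__":
    for query in ("www.Panasonic.co.uk", "www.Security-Installer.co.uk",
                  "camera.panasonic.co.uk", "recorder.panasonic.co.uk"):
        address, path = panasonic.resolve(query)
        print(f"{query}: {address} via {' -> '.join(path)}")
```

A name that was never registered, such as recorder.panasonic.co.uk here, stops at the local DNS with no address.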
Adding cameras and recorders
For a security system we can now add cameras and recorders to a network without the need to assign IP addresses and network configuration and access them using the same conventional naming used on the Internet. This is possible thanks to the DHCP and DNS.
Referring to Figure 2, there is an IP camera assigned to the Panasonic domain with the host name Camera. If correctly registered with the Panasonic DNS, a user on the Internet could type camera.panasonic.co.uk to access live images from the camera.
Although this article has focused on an Internet based example, a similar structure may be adopted by an organisation that does not intend to publish information to the Web. In this case the root of the domain will be the organisation, and the domain structured into divisions of the company, for example Research, Sales and Manufacture.
Again, just as most activity on the Internet is between similar organisations, most communication within an organisation is likely to stay within a division.
In Figure 3 the security recorder within the sales division would have the address recorder.sales.Panasonic.
The move from a traditional closed security system to this open IP-based solution admittedly will present concerns to an organisation about distributing surveillance over an open system, whether this is a private corporate network or the Internet.
Throughout this series we have discussed different technologies which each contribute to the overall security of the system. The structure and organisation of the network allows a larger network to be divided into areas of functionality, separating users of desktop machines from surveillance systems using subnets. Communication between subnets can be controlled by the system's routers. On a domain, such as the sales domain shown, there may be a number of subnets.
Security systems on a corporate network normally have security policies in place that will protect surveillance devices from the outside world. Access to these networks is rarely left open for all to discover.
Instead, connection to the network is normally through a secure channel such as a Virtual Private Network (VPN). A VPN configures the remote user's PC to make it part of the network. For this connection to be made the remote PC must adhere to the security policies stated for the network to reduce the risk of the network being attacked or accessed by an illegitimate user.
With these security measures already in place on corporate networks there is little that the installer of the network camera has to do to protect it against unauthorised access.
Strong passwords and changing the default port number of the device will stop unauthorised access to the cameras and other IP security devices from users on the network. Most importantly, these security procedures will already be in place and configuration of the system will already have been decided long before the camera is installed on the network.
How to make a network dynamic
The two technologies in this article are liable to merge when we look at adding devices to the Internet. On an organisation's network there is reasonable control over the IP addresses that are given to a device, and often these IP addresses will rarely change.
The length of a lease can be found on a PC by typing 'ipconfig /all' at the command prompt. This will display the network configuration given by the DHCP server, along with the time range for the lease.
This poses a possible problem. Normally an IP address is registered with a Domain Name Server (DNS). If this address changes, as will be the case when DHCP is used to assign IP addresses, then its association with the DNS must also be updated. Normally DNS servers do not have the capability to adjust to this changing environment; any request to the DNS would cause it to point at the incorrect device. Fortunately there is a DNS available that will cater for reassigned IP addresses, a Dynamic DNS (DDNS).
DDNS servers operate in a similar manner to a regular DNS, but they must be informed as IP addresses change. This step needs to be taken by the device on the network and not the DDNS; there needs to be additional software on the device that tells the DDNS that its IP address has changed.
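The stale-record problem and the device-side update described above, as an added example that is not part of the original article and does not represent Panasonic's DDNS service. The host name, the lease history and the class names are constructed; the model shows which device a viewer reaches when the camera's name is registered once and never updated, compared with a device that reports every change.

```python
CAMERA_NAME = "camera.example.test"  # hypothetical host name, not from the article

# Constructed lease history as (device, address); None means the lease lapsed.
LEASE_EVENTS = [
    ("camera", "192.168.0.100"),
    ("camera", None),
    ("laptop", "192.168.0.100"),
    ("camera", "192.168.0.101"),
]


class NameRegistry:
    """Name -> address table; it changes only when a device reports in."""

    def __init__(self):
        self.records = {}

    def update(self, name, address):
        self.records[name] = address


class UpdateClient:
    """Software on the device that tells the registry about address changes."""

    def __init__(self, name, registry, dynamic):
        self.name, self.registry, self.dynamic = name, registry, dynamic
        self.reported = None

    def on_lease(self, address):
        first_registration = self.reported is None
        # A static registration happens once; a dynamic client reports every change.
        if first_registration or (self.dynamic and address != self.reported):
            self.registry.update(self.name, address)
            self.reported = address


def device_reached(dynamic, events=LEASE_EVENTS):
    """Replay the lease history and return which device answers for CAMERA_NAME."""
    registry = NameRegistry()
    client = UpdateClient(CAMERA_NAME, registry, dynamic)
    holders = {}  # address -> device currently holding it
    for device, address in events:
        # A device holds one address at a time, so drop its previous one.
        holders = {a: d for a, d in holders.items() if d != device}
        if address is not None:
            holders[address] = device
            if device == "camera":
                client.on_lease(address)
    return holders.get(registry.records.get(CAMERA_NAME))


if __name__ == "__main__":
    print("registered once, never updated:", device_reached(dynamic=False))
    print("device reports each change:   ", device_reached(dynamic=True))
```

With the one-off registration the camera's name ends up pointing at the laptop that inherited its old address, which is the incorrect-device case the article describes.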
Panasonic offer a DDNS service for free to be used with its range of IP cameras. When a local network has been configured as discussed in the previous articles, this process is surprisingly simple. New networking features make the set-up even easier with routers that support Universal Plug and Play.
The camera can be attached to the local network. Insert the disk on a local machine on the network and run the automatic setup. Once this setup is complete it is possible to access the camera from the Internet – even taking pan and tilt control of the camera from a mobile phone!
Universal Plug and Play (UPnP)
PC operators now take it as standard that new equipment bought for their PC can be installed with ease with very little technical knowledge. This has been made possible due to continued support between software and hardware developers. Within Windows, Plug and Play devices are widely accepted. Now the most the operator has to do is ensure they plug the cable in at the right time.
Now similar standards are becoming available for networked devices. Instead of configuring a network camera and router to allow access to the Internet manually using port forwarding, the router will do this configuration itself.
Source
Security Installer