Monday, June 22, 2009

Physical Access Control - The new way!

Historically, physical access controls have never run over IP networks, but with Cisco in the game, convergence on a complete physical access control solution over IP networks is now a reality.


The Cisco Physical Access Control solution is made up of both hardware and software
components. The Cisco Access Gateway connects door hardware (traditional readers and locks,
as well as the new Hi-O® hardware from Assa Abloy) to an IP network. In wired deployments, the device is capable of being powered by Power over Ethernet (PoE). It is also possible to connect to the gateway over a Wi-Fi 802.11a/b/g wireless link.


The diagram below depicts a typical Cisco PAC architecture:












Since there is a gateway for each door, access control can be deployed incrementally, door by
door. There is no central panel; this simplifies system design, wiring, and planning, resulting in
significant cost savings over legacy architectures. Additional modules can be connected to the
gateway, allowing for extensibility. All communication from and to the gateways is encrypted.
The Cisco Physical Access Control solution offers the following modules (in addition to the Access
Gateway):


  • Reader module: This module can connect to a complete set of door hardware, allowing an
    additional door to be controlled by the same gateway.


  • Input module: Eight supervised inputs can be connected to this module and controlled
    through the gateway.


  • Output module: Eight outputs can be connected to this module and controlled through the
    gateway.


A picture of Cisco's Integrated Access Control Gateway is shown below for reference:


Cisco Physical Security Manager (CPSM) is the software application used to manage the Cisco Access Gateways on the network. The Web-based software provisions, monitors, and controls all the access control gateways on the network. Role-based access control policies are supported for CPSM. You can create access control policies for N-person, two-door, anti-passback, etc.

CPSM also integrates with MS Active Directory, LDAP, and some HR databases.

CPSM is integrated with the Cisco Video Surveillance family of products, enabling an organization to associate cameras with doors, and to view video associated with access control events and alarms.


In addition to basic access control features, Cisco plans to integrate physical access control with
network security to provide a comprehensive solution that spans both areas of security, allowing
enterprises to:

  • Create and enforce policies so that network and application access is granted based on the
    physical location of employees
  • Provide wireless access only if employees have badged into a physical location.
  • Terminate an employee’s active VPN connection when that employee badges into a
    physical location
  • Change an employee’s privileges on the network based on entering or exiting a secure
    area

There is no question that Cisco is accelerating convergence in the physical security industry. The move to integrate physical access control and network security is something I've been preaching for a while now; it will be interesting to see how this evolves over time. I'll keep you posted...

Stay secure,

-boni bruno

Saturday, April 25, 2009

Configuring a wireless video surveillance solution on a Cisco ISR.

If you read my VMSS post, you will know that Cisco offers a video management solution in a network switch module that plugs right into a typical integrated services router. That being said, wireless access points can also plug into these integrated services routers. Hmm... are you thinking what I'm thinking? Full-featured wireless video surveillance with just a Cisco router!


I recently set up an elaborate demo for one of the largest outsourced physical security firms in the nation. They wanted to increase their service offerings to their clients to provide more value-added services as well as generate another stream of revenue for the firm. I told them to look at adding outsourced video surveillance, which can be easily deployed as a kit, and they loved the idea.


Basically the kit consists of a Cisco 2821 ISR with a VMSS and HWIC-AP cards and Cisco 2500 series cameras. The demo went over like a charm. Let me be the first to share this with the community...


First, let's start out by discussing what it takes to configure a wireless Cisco 2500 series camera.


These cameras come in either hard wired or wireless form factors. We will be focused on the wireless camera for this article.


First, connect the lens to the camera by inserting the lens in the front of the camera, then screw it in by turning the lens in a clockwise direction.


Once the lens is in, connect an ethernet cable to the camera and then connect the power adapter to the camera.



When the camera powers up, the default IP address of the camera is 192.168.0.100. If for some reason the camera does not come up correctly, press and hold in the reset button on the back of the camera for 10 seconds and it will reset the camera back to default factory settings.


Connect your computer to the same subnet, launch your browser, and connect to the camera's IP address. The camera's web interface will prompt you to assign an admin password, then allow you to configure the other camera attributes.


The basic setup in the camera's web interface allows you to change the IP specs to DHCP or to a different camera IP address, assign a default gateway, etc. Assign the IP specs you want for the camera then click on the wireless tab.

The wireless tab allows you to set the wireless specifications like the SSID and authentication/encryption settings. The wireless Cisco 2500 series cameras can easily support open, WEP, or WPA security settings.

Once you finish entering and applying the wireless settings, disconnect the ethernet cable going to the camera and unplug the power to the camera. Congratulations, you just finished configuring the basic settings of your wireless camera.


Before you turn the wireless camera back on, you need to configure your router for wireless communications. The HWIC-AP card is basically an access point in a network module form factor available for the integrated service router.


The configuration below will show you how to configure your HWIC-AP module in your router for open, wep, and wpa wireless configurations. I'm providing a configuration that includes all three options for reference. Comments are provided in the configuration to help explain the configuration:


! Below is how you globally set an ssid and vlan for your dot11 configuration.
! I recommend you use vlan statements to easily configure multiple ip subnets for your wireless network.
! Below I show how to set three different ssid's using three different networks using three different security settings. This should cover any kind of deployment you may be considering.
!
! Below are the global commands needed for an unsecured/open wireless configuration set for vlan3.
!
dot11 ssid dswisropen
 vlan 3
 authentication open
 mbssid guest-mode
!
! Below are the global commands needed for a wep based wireless configuration set for vlan1.
!
dot11 ssid dswisrwep
 vlan 1
 authentication open
 mbssid guest-mode
!
! Below I show how to setup wpa with an ascii preshared key for vlan2.
!
dot11 ssid dswisrwpa
 vlan 2
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 0 12345678901234567890123456
!
! Below are the interface specific commands for the wireless radio, note I'm using subinterfaces to support the multiple vlan configurations above as well as 802.1q to trunk the vlans over the wireless interface.
!
interface Dot11Radio0/3/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.193.1 255.255.255.0
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0/3/0.2
 encapsulation dot1Q 2
 ip address 192.168.194.1 255.255.255.0
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0/3/0.3
 encapsulation dot1Q 3
 ip address 192.168.195.1 255.255.255.0
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding


Congratulations, you just finished configuring the wireless card on your router.


At this point, power on your wireless camera and watch your wireless camera associate itself with the access point on your router. Use show dot11 association on the router to check that your camera does in fact associate to your wireless network. If it doesn't, you probably typed in something wrong.


At this point, you are ready to add your wireless cameras to your video surveillance management system and administer things as usual...


I hope you enjoyed this post, I went through a lot of troubleshooting to figure all this out. You now have the quick guide to setting up a wireless video surveillance system on an ISR.


Ciao,


-boni bruno

Thursday, April 16, 2009

Video Management & Storage System Network Module


Cisco is such an innovative company... just when you think their routers have reached the peak of functionality, Cisco goes ahead and throws in a Video Management & Storage System (VMSS) network module for the router, allowing you to rapidly deploy highly distributed, IP-enabled video surveillance at your offices, guard shacks, parking lots, basically wherever you need surveillance, and to easily migrate traditional analog surveillance equipment to IP. The Cisco VMSS module is designed to be deployed in highly distributed environments as an edge device.

This module plugs right into an available slot on your typical integrated services router (ISR) and will provide you with a full functioning version of Cisco's Video Surveillance Operation Manager (VSOM) and Video Surveillance Media Server (VSMS). Beautiful!

Just think of all the applications you can use this in... Since these ISR routers can also be equipped with integrated access points and 3G-GSM WAN cards, you can now provide very robust wireless surveillance solutions and architect a number of solutions that just were not available before.

So how do you configure one of these bad boys in an ISR anyway? First, it is important to know what the VMSS module interface name is. The module name will be Integrated-Service-Engine followed by the slot/unit number, like 1/0. For example, if you were connected to a router equipped with a VMSS network module, you would enter the following while in config mode:

Router (config) # interface Integrated-Service-Engine 1/0 [enter]

and you would be connected to the VMSS module in the router. From here you can enter all your ip related info. I recommend you specify an unnumbered interface for the router interface and assign an IP address to the VMSS module as follows:

Router (config-if) # ip unnumbered gigabitethernet 0/0 [enter]
Router (config-if) # service-module ip address 192.168.192.10 255.255.255.0 [enter]
Router (config-if) # service-module ip default-gateway 192.168.192.1
Router (config-if) # exit

Following the example above, you would have connected to your VMSS and assigned it an IP address of 192.168.192.10 with a default gateway going to the IP address of 192.168.192.1 which is bound to gigabitethernet 0/0 on the same router. To finish with the layer three stuff, you need to add a host route for the VMSS as follows:

Router (config)# ip route 192.168.192.10 255.255.255.255 Integrated-Service-Engine1/0 [enter]

Save your configuration by issuing the wr mem command. At this point you are half way done with the configuration. Are you getting excited? I am...

The next task is to open a session to the integrated service engine on your router and go through the one-time process of initializing your VMSS network module. To do this type the following:

Router# service-module integrated-Service-Engine 1/0 session

Once you run the above command, you will need to answer questions about host name, dns, ntp, etc. Go through and answer accordingly, if you do not have any of these services on your network, just answer no to a question and move on...

A key thing to set is the time zone and time. The format for the time would be:

( hh:mm[:ss] [YYYY-MM-DD] ), so you could enter: 19:01:00 2009-04-15 [enter]

to set the time and date for 7:01PM on April 15, 2009 in this example.

Once you enter the time and date, the system will configure itself, go into run level 4, start some shell scripts in the background, then boot the VMSS module for you.

When the system finishes booting the VMSS, you will be dropped into a vmss> prompt.

The first time around, not all the VMSS processes may start. You can verify the status of VMSS by typing the following:

vmss> video-surveillance task status

If you notice that httpd is not running, you will have a problem connecting to VSOM. To resolve this issue, run the following command:

vmss> video-surveillance task restart

That's it, my friends. At this point bring up your browser and connect to the VMSS as you would if it were a standalone VSOM appliance.

Using the configuration example above, you would access the management console by going to http://192.168.192.10/vsmc.html where you can enter your license info. The default username and password to access the console, or VSOM for that matter, is root and secur4u. To get a license, send email to vsm-license@cisco.com; you will need to provide the MAC address of your VMSS module, which you can get from the management console.

Remember to get licenses for VSOM and the Media Server. Once you get your VMSS fully licensed, just go to http://192.168.192.10/vsom/ to configure your surveillance system just like you would a normal Cisco VSM appliance...

Ciao,

-Boni Bruno

Friday, April 10, 2009

Cisco Stream Manager Plans...

Cisco Stream Manager has been the topic of many conversations. I have asked key Cisco Executives the question many others are asking - Now that Cisco VSM is out and being upgraded, advanced, and improved, what is the longevity of Stream Manager?

You may find the answer to your liking, Cisco is working on a converged product of the two enterprise solutions. With Cisco Stream Manager being the matrix integrated solution and Cisco VSM being the web-based distributed environment solution, the new product will combine the features of both solutions and finally put an end to customer concerns about the viability of Stream Manager and future enhancements. The Stream Manager thick client will go away and the Cisco ActiveX web-based GUI will take over as the primary video interface for both products.

So the next question you may be pondering about may deal with backwards compatibility. We’ve been assured that most of the current products will be upgradeable, with some minor inconveniences. For example, some of the older Stream Manager equipment doesn’t support H.264 video compression and may not scale beyond a couple of High Definition streams. If we were able to share some of the features being put into the converged system, you would all be very excited about what the future holds with the converged platform currently codenamed Viper!

Stay tuned...

Thursday, April 9, 2009

Cisco Medianet ... WOW!!!

WOW! At the 2009 International Security Conference (West) held in Las Vegas, NV, Dennis Charlebois (Cisco PSBU Director) announced Medianet (www.cisco.com/go/medianet). A lot of people keep asking the questions “Why would Cisco get into Surveillance? Aren’t they a little late to the game? Don’t they have a long way to go to catch up? What can Cisco provide that others can’t?” All of these are great questions, and the answer is medianet. Medianet is the Cisco story for Video that they already have for Data and Voice. However, Medianet is actually one step up from regular switching that will revolutionize the way people work with Video Surveillance and many other Video technologies in a way that only Cisco can control.

So you’re asking, what is medianet? Imagine a world where you plug in a device right out of the box with no configuration, no management, and everything works exactly as it was designed to. Cisco medianet is an upgrade to their current Cisco switching topologies that adds intelligence to the network for IP video. Medianet provides a policy template manager that enables you to automate the configurations of video surveillance cameras and bind them to the nearest network video recorder with the right IP specifications. This removes the need for manually assigning IP addresses, VLAN information, default gateway, netmask, and other related IP properties and streamlines the process of adding cameras to a video surveillance management system.

Many people may be wondering about the considerations you need to make with IP cameras over analog cameras. Medianet takes a lot of the guesswork out of engineering video surveillance networks and addresses quality of service issues like Best Effort, Expedited Forwarding, Random Early Detection, DSCP, etc. With the Medianet policy engine you will be able to simply apply templates to your devices in an easy to use format. For example, you can configure traffic from one camera with a higher priority over data traffic and configure another with a different set of priorities. Templates automate the switch configurations to ensure a high degree of service quality.

Medianet is an emerging technology solution slated for release in 2010. Medianet promises to deliver benefits to video surveillance architects that are unheard of in the surveillance industry today.

Sunday, February 22, 2009

Cisco Stream Manager vs. Cisco Video Surveillance Manager

As many of you know, Cisco acquired two companies, first Sypixx, then Broadware and have been Cisco-izing those products over the past couple of years. The acquisition of Sypixx was made due to its video matrix integration capabilities and market appeal. Broadware, because of its integration with many product lines such as Axis, Panasonic, and Bosch, to name a few. As well, Broadware (now VSM) has the framework for what Cisco stands for in their quest for network domination, where Sypixx (now Stream Manager) was really built to be a hybrid support of Analog systems with the capability to migrate to an IP system.

In talking to members of the Cisco teams, we know there is a merged environment coming soon (codenamed Viper) that will merge the two product sets into what I consider an unstoppable product. They are also moving towards H.264 with their newer encoders and cameras.

So, here is a quick list of questions to answer when deciding on which of the current two systems Cisco offers:
1. Do you currently have a Matrix such as a Pelco 9760, 9770, or 9780, Bosch, or AD Megapower?
2. Are 90% or more of your current cameras Analog?
3. Do regulations in your industry require a limited number of connections per recorder?
4. Do you only have one property to secure?

With a handful of other questions to answer, if you answered yes to all of these questions, Stream Manager is likely the right choice. If you answered no to all of the questions, VSM may be the more likely choice.

A few more things to note about the product lines:
  • Stream Manager Client is an application that runs on a PC, VSM is Web-based
  • Both products can run a Virtual Matrix application
  • Both applications can send video to Decoders
  • Stream Manager and VSM have different Supported device matrices (If you already have IP cameras, this may tell you which one is right for you)
  • The Cisco ISR blades are only supported by VSM
  • The Cisco Hybrid Decoder is only supported by Stream Manager (there is a non-hybrid decoder for VSM)
  • Integration with Cisco Physical Access Manager (PAM) is only available with VSM
There are many other things to note between the two systems, but this should help in getting things started with your design. As always, feel free to contact me with your exact specifications for more detail.

If any of you have more details between these products, feel free to comment.

Ryan Peterson
www.dsw.net

Tuesday, February 17, 2009

Cisco Video Surveillance Encoder/Decoder Convergence Chassis

I get a lot of questions about the Cisco VS Chassis and how it works. Unfortunately, Cisco's website on the Chassis is very unclear and somewhat inaccurate. Here are some tidbits of information to clear things up.

There are 2 versions of the Chassis currently available: the Fast Ethernet version and the USB version. Either way, this box is simply a power connection with communication ports on it. The actual Encoder or Decoder is a card that slides into the chassis. Those cards often confuse people. Here are some of the items that should be taken into consideration during your design phase:

1. The cards are not interchangeable between the USB Chassis and the FE Chassis.
2. The 4 port Encoder card is only available on the USB chassis (CIVS-4BECMD-C16U=)
3. The Fast Ethernet Chassis can only take 1 port Encoder Cards (CIVS-SG1B-ECMD-C16=)
4. The Fast Ethernet Chassis is only available with an Internal Power Supply which means you can only use 14 of the 16 ports for cards.
5. The USB Chassis requires an External Power Supply Chassis (CIVS-EXTPWR-CHS) which is capable of powering 2 Convergence Chassis. In addition, you need a Power Supply Module for each Convergence Chassis.
6. The cards have an A and B version. The A version is MPEG4 only and has been EOL'd by Cisco. The B Version is MPEG4 and MPEG4 v.10 (H.264).
7. On the USB chassis, 16 ports of Encoding match to each USB. So, the first 4 slots connect to one USB cable. There are 4 USB on the back of the USB encoder.
8. The USB cables for the USB chassis connect to a Cisco Services Platform aka SP (not the Integrated Services Platform aka ISP which has encoder cards built in)
9. There is currently no way to locate the USB Chassis in a separate location from the Recorder (SP) where the USB connection is made. Testing has been done using USB to Fiber converters, but the results are mixed due to the inconsistency of video over the 3rd party converter devices.
10. The costs of the cards are the same as the non-chassis cards making the non-chassis solution cheaper (but not as pretty).
11. The chassis does work with both the Cisco Stream Manager systems as well as the Cisco Video Surveillance Manager.
12. The ISP will not connect to the Chassis via USB.
13. Although the Single port Encoders support PTZ controls and alarm inputs, the 4 port Chassis card does not.
14. The Fast Ethernet Chassis has 14 Ethernet ports (1 for each analog port). There are not 16 ports since the first 2 slots are used by the power supply.



Since pictures speak 1000 words, here are a few to give you a better idea of how the Chassis works.





































As always, since this product line is an Emerging Technology, I would suggest getting an expert to assist in developing your design for any large scale system.

Feel free to contact me with questions.

Ryan Peterson

http://www.dsw.net/

Friday, February 13, 2009

Cisco HD Camera

Many people have expressed interest in the HD camera Cisco has created.





The Cisco HD Camera (CIVS-IPC-4300, or CIVS-IPC-4500 with DSP) runs around $1600 list price. Figure that the average price off list to an end customer is 25%, then to the end customer you're looking at about $1200.



The camera is capable of running 1080p at 30 frames per second or 720p at 60 frames per second. Now due to a thing called motion blur, the human eye will normally only process about 24 frames per second. So why do we care about 60 fps then? Because you can stop the video. When doing a frame by frame review of the video later, you may want that 1 frame that happens to be 5 of 60 in that second. But I digress.

To make it clear, I have seen many HD Cameras and recently reviewed the Cisco HD Camera and I believe Cisco has a winner.

With the 1 exception that most consumers are beginning to see the value behind dome style cameras, this fixed directional camera really does a great job.

Expect to see this camera in buildings around mid-year. Even though Cisco is selling this item, it will take some time before customers see the value of the expense for the reward of higher quality when it comes to surveillance.

Cisco Surveillance Introduction

Hello and Welcome to the Cisco Video Surveillance Technical Blog!

My name is Ryan Peterson and I work for a Cisco Partner (Data Systems Worldwide) in their Las Vegas branch office.

We are one of the first partners to begin selling Cisco's Surveillance product line and as of today, our largest install is right around 1000 cameras.

After using Cisco to do 1000 camera installations, you get to know the ins and outs of that product line. I would like to share that knowledge with those interested in what Cisco is doing.

So welcome to my blog, I look forward to answering any questions you may have about the product.

Ryan Peterson