IP Networking for Physical Security - Cisco
Transcript of IP Networking for Physical Security - Cisco

7/27/2019 IP Networking for Physical Security - Cisco
1/74
2007 Cisco Systems, Inc. All rights reserved. Presentation_ID 1

Introduction to IP Networking for Physical Security Professionals
Bob Beliles ([email protected]), Sr. Manager, Physical Security Market Management
October 29, 2007

Convergence Today and Tomorrow: From Proprietary to Open, an IP Systems Approach
Today's Buildings: disparate building networks; proprietary and redundant; sub-optimal information usage.
A Shared Vision: interoperable; efficient and scalable; multi-use systems information; maximized ROI and lower TCO.
(Diagram: building systems such as Fire, Physical Security, Lighting, Visitor Access, Elevator, 24/7 Monitor and Energy/HVAC sharing one IP Communications network and the WAN.)

Industry Insight: Operational Pain and Cost
"Building automation systems typically operate independent of one another and suffer from an inherent lack of functionality, which significantly limits the company's ability to optimize facilities management."
ARC Advisory Group, Building Automation Systems Worldwide Outlook, 2002
"It is estimated that approximately 30% of a building's life cycle cost is lost due to redundant information and processes that could be avoided by improved collaboration and data management."
SOURCE: International Alliance of Interoperability, www.iai-na.org

Pain: Limited Accessibility and Mobility, Delayed Incident Response & Resolution, Unrealized Value
- Central station access only
  - Little to no remote access
  - No on-scene collaborative access
- Investigation delays
  - Locate tape in archive
  - Ship from remote location
  - Review hours of video
- Multiple uses for video
  - Customer satisfaction
  - Trend analysis
  - Process control

Network Evolution Convergence Waves: Standalone to Strategic & Interoperable
(Diagram: network consolidation across the 1st Gen, 2nd Gen, 3rd Gen and Emerging waves, with FAX and IP-PBX shown as examples of consolidated services.)

Convergence Enablers
- High performance, low cost processing and storage: cheaper and more powerful CPUs and DSPs; decreasing $ / storage byte
- IP gateways (encoders and decoders): A-to-D and D-to-A functions; CODEC algorithms enhance transmission efficiency
- Industry standards, such as IEEE: common format for information; enable interoperable platforms
- Open APIs enhance flexibility and enable customization: spawn new uses; support 3rd party software integration
- IP networks: ubiquitous infrastructure; high degree of reliability, scalability, accessibility, and security

A Couple of Key Definitions
Networking: Various devices communicate and share information over a common infrastructure using a common set of communications rules (protocols) and a common format for information exchange.
Internetworking: Various devices on one network communicate with devices on another, possibly dissimilar, network.

A Few More Key Definitions
Protocol: A set of rules relating to the format and timing of data transmission between two devices.
Protocol stack: A collection of modules of software that together allow a protocol to work.
Layer: One level of a stack. Each layer solves a set of problems involving the transmission of data, and provides a well-defined service to the higher layers.

Driving Forces: Standardization and Interoperability
For: Computer communications
Why? Users: non-proprietary, vendor-independent solutions. Vendors: more marketable products for a larger market opportunity.
How? A seven layer model, from the International Organization for Standardization (ISO), defining the key functions of each layer and how each layer communicates with the layer above and below it.

Open Systems Interconnect (OSI) Model: Rules/Layers for Interoperability
Application Layer: User interface, what the user interacts with
Presentation Layer: Data format (presentation) / syntax to be used between hosts
Session Layer: Establishes / terminates communication processes between hosts
Transport Layer: Reliable transmission of host messages, segmentation / re-assembly
Network Layer: Logical address to physical address translation, specifies route
Data Link Layer: Information (frame) transmission format rules and error correction
Physical Layer: Physical media specifications, electrical range values
(Diagram labels: the upper layers are host processes; the lower layers are the key focus for network managers.)

Peer to Peer Communications: Each Layer Communicates with its Counterpart
(Diagram: the seven OSI layers, Application through Physical, on Host Device A paired with the same layers on Host Device B.)

Transforming Messages to Data Communications: Message Encapsulation
Data = Payload (P)
Application Layer: App Hdr + Payload = AH + P
Presentation Layer: Pres Hdr + AH + P = PH + AH + P
Session Layer: Sess Hdr + PH + AH + P = SH + PH + AH + P
Transport Layer: Transp Hdr + SH + PH + AH + P = TH + SH + PH + AH + P
Network Layer: Netw Hdr + TH + SH + PH + AH + P = NH + TH + SH + PH + AH + P
Data Link Layer: Frame header (Fr Adr, Cntrl) + NH + TH + SH + PH + AH + P + FCS (frame footer) = DLH/F + NH + TH + SH + PH + AH + P
Physical Layer: Bits = DLH/F + NH + TH + SH + PH + AH + P
Each layer prepends its header (the data link layer also appends a footer, the FCS) to the payload, encapsulating the data message.

De-Encapsulating Data
Physical: 0101110101001000010 (bits)
Data-Link: frame header / footer removed
Network: IP + TCP + Upper-Layer Data
Transport: TCP + Upper-Layer Data
Session / Presentation / Application: Upper-Layer Data
Upon receipt, the host removes the headers / footers to distill the actual data for application usage.

Example: Host Communications via a Layer 1 (Physical Layer) Network Hub: Data is Wrapped per Rules, Transmitted, Unwrapped
(Diagram: Host Device A and Host Device B, each with the full seven-layer stack, connected through a Repeater / Hub network device that operates at the Physical Layer only.)

Switched (Bridged) Host Communications: Connected with a Layer 2 (Data Link) Network Device
(Diagram: Host Device A and Host Device B, each with the full seven-layer stack, connected through a Bridge / Switch network device that operates at the Physical and Data Link layers.)

Routed Host Communications: Connected via a Layer 3 (Network Layer) Device
(Diagram: Host Device A and Host Device B, each with the full seven-layer stack, connected through a Router network device that operates at the Physical, Data Link and Network layers.)

Tunneling Protocols
What? Encapsulates non-switchable / non-routable information with a switchable layer 2 header and/or routable layer 3 header such that it can be transported across a data network. Uses the network as a wire.
Why? Preserves information format / signaling that would otherwise not be successfully transmitted across the network. Allows logical segmentation of information sharing a common physical infrastructure.
Examples: Layer 2 Tunneling Protocol (L2TP), Point to Point Tunneling Protocol (PPTP), Layer 2 Forwarding (L2F), Generic Routing Encapsulation (GRE), Virtual Private Networks (VPN)

Networking Fundamentals: 3 Key Types of Network Topologies
Buses
Rings
Stars

A Closer Look at a LAN: Ethernet Basics
Ethernet: a bus (data-link layer, aka layer 2) oriented topology.
Ethernet is typically deployed as a star using a switch.
Hub/Switch: a device that allows a bus topology to be deployed as a star network.

Networked Host Communication: Each Device Must Have its Own Address
(Diagram: PC 1 asks the network "Where is PC 2?"; PC 3 answers "I am not PC 2".)

Data-Link Layer (Layer 2) Addresses: Unique ID / (Physical) Address for Each Device
802.3 MAC layer frame, number of bytes per field: Preamble (8), Destination Address (6), Source Address (6), Length (2), Data (variable), FCS (4)
Ethernet II uses Type in place of Length here and does not use 802.2.
Physical Device or MAC Address: 0000.0C (IEEE assigned) xx.xxxx (vendor assigned)
Def: Media Access Control, a sub-layer in the Data Link Layer

2 Key Ways to Communicate Across a Network: Unicasting and Broadcasting
Unicast Communication: 1 to 1 communication (diagram: PC 1 sends a message only to PC 2; PC 3 does not receive it).
Broadcast Communication: 1 to all communication (diagram: PC 1 sends a message to all; PC 2 and PC 3 both receive it).

Broadcast in Action: Locating Whether a Given Host is on the Network / Sub-Net
(Diagram: PC 1 sends a broadcast frame, "Where is PC 2?", with a Layer 2 MAC destination address of all f's and a Layer 3 payload, to everyone on the network.)
PC 1 learns new addresses by broadcasting a message to every host on the network.
It uses a special destination address (all f's) to signify broadcast; it will wait for a response to learn PC 2's layer 2 address, if PC 2 is attached to this network segment or sub-net.
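An added example (not from the original slides) of how a host reads the 802.3 address fields described on the two slides above: splitting a MAC into the IEEE-assigned OUI and the vendor-assigned part, and recognising the all-f's broadcast destination. Only the Cisco OUI 0000.0C comes from the slide; the full sample addresses are constructed.

```python
# Added example (not from the original slides): parse IEEE 802.3 MAC addresses
# into the IEEE-assigned OUI and the vendor-assigned part, and recognise the
# all-ones broadcast address the slides describe. The 0000.0C OUI is from the
# slide; the remaining address bytes are constructed for illustration.
import re

BROADCAST = bytes([0xFF] * 6)   # ffff.ffff.ffff, "all f's" on the slide


def parse_mac(text: str) -> bytes:
    """Accept Cisco dotted (0000.0c12.3456), colon or hyphen notation."""
    digits = re.sub(r"[.:-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe_mac(text: str) -> dict:
    mac = parse_mac(text)
    first = mac[0]
    return {
        "cisco_dotted": ".".join(mac.hex()[i:i + 4] for i in range(0, 12, 4)),
        "oui": mac[:3].hex(),             # IEEE-assigned vendor identifier
        "vendor_assigned": mac[3:].hex(), # assigned by the vendor to the device
        "broadcast": mac == BROADCAST,
        # bit 0 of the first octet: 0 = individual (unicast), 1 = group
        "group": bool(first & 0x01) and mac != BROADCAST,
        # bit 1 of the first octet: locally administered, not IEEE assigned
        "locally_administered": bool(first & 0x02),
    }


def accepts_frame(dest: str, own_mac: str) -> bool:
    """A host keeps a frame addressed to its own MAC or to the broadcast address."""
    d = parse_mac(dest)
    return d == parse_mac(own_mac) or d == BROADCAST
```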

Communicating on a Shared Medium: Must Control Broadcast and Collision Domains
(Diagram: PC 1 says "Hello PC 2"; every station on the shared network hears it, and PC 3 asks "Did someone say hello?")

The Problem with Hubs: One Collision Domain
More end stations means more collisions. CSMA/CD is used.

Collision Avoidance: 802.3 Ethernet CSMA/CD
Ready to transmit:
(1) Sense the channel.
(2) Channel free for one inter-frame gap (IFG, 9.6 us): go to (4).
(3) Channel busy: keep sensing, back to (1).
(4) Transmit data and sense the channel. If a collision is detected:
(5) Transmit a jam signal.
(6) Wait according to the backoff strategy, a random Binary Exponential Backoff (BEB) algorithm, and then make a new attempt. After 16 consecutive collisions, give up and discard the frame.
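The transmit procedure above as an added example in Python (not from the original slides): a truncated binary exponential backoff model using the slide's 9.6 us IFG and 16-attempt limit. The 51.2 us slot time and the cap of 2^10 on the backoff range are assumptions taken from the 802.3 standard, and the collision pattern fed in is constructed.

```python
# Added example (not from the original slides): model of the 802.3 CSMA/CD
# transmit procedure. 9.6 us IFG and the 16-attempt limit are from the slide;
# the 51.2 us slot (512 bit times at 10 Mbps) and the 2**10 backoff cap are
# assumptions taken from 802.3 truncated binary exponential backoff.
import random

IFG_US = 9.6          # channel must be idle this long before each attempt
SLOT_US = 51.2        # one backoff slot: 512 bit times at 10 Mbps
MAX_ATTEMPTS = 16     # give up and discard the frame after 16 collisions
BACKOFF_LIMIT = 10    # backoff range stops growing after the 10th collision


def backoff_slots(collision_count: int, rng=None) -> int:
    """Truncated BEB: after the n-th collision wait k slots, k in [0, 2**min(n,10) - 1]."""
    if collision_count < 1:
        raise ValueError("backoff is only computed after a collision")
    rng = rng or random.Random()
    return rng.randrange(2 ** min(collision_count, BACKOFF_LIMIT))


def transmit(collides_on_attempt, rng=None) -> dict:
    """Run the slide's state machine for one frame.

    collides_on_attempt(n) returns True if the n-th attempt (1-based) collides;
    it stands in for the shared channel. Returns whether the frame was delivered,
    the attempts used, the IFG idle time and the total backoff time (microseconds).
    """
    rng = rng or random.Random(0)
    backoff_us = 0.0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        # (1)-(3): sense the channel and wait until it has been free for one IFG
        # (4): transmit while sensing for a collision
        if not collides_on_attempt(attempt):
            return {"delivered": True, "attempts": attempt,
                    "ifg_wait_us": attempt * IFG_US, "backoff_us": backoff_us}
        # (5): collision detected, the jam signal makes every station notice
        if attempt == MAX_ATTEMPTS:
            break
        # (6): wait a random number of slots, then make a new attempt
        backoff_us += backoff_slots(attempt, rng) * SLOT_US
    # 16 consecutive collisions: give up and discard the frame
    return {"delivered": False, "attempts": MAX_ATTEMPTS,
            "ifg_wait_us": MAX_ATTEMPTS * IFG_US, "backoff_us": backoff_us}
```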

Collision Avoidance: Full Duplex, Enabled in Switches
Half Duplex: One station transmits, the other listens. While transmitting, you do not receive, as no one else is transmitting.
Full Duplex (standardized in 802.3x): Transmit and receive at the same time. Transmit on the transmit pair, and receive on the receive pair. No collision detection, backoff, retry, etc. No CS, no MA, no CD. The only relationship to half duplex is the frame format and the encoding / signaling method.

Switches: Separate Collision Domains, and More
Each segment is its own collision domain. Broadcasts are forwarded to all segments.
(Diagram: a switch with memory, one segment per port.)

Switches and Bridges: Operate at the Data-Link Layer
Each segment / connection has its own collision domain.
All segments (switch connections) are in the same broadcast domain.
Dedicated bandwidth / connection, e.g. 100 Mbps.
(Diagram: a bridge or a switch with numbered ports, operating at the Data-Link layer.)

Separating Collision Domains: Hub to Bridge / Switch
(Diagram: three floors, Floor #1 to Floor #3, in three configurations: hub and repeater, 1 collision domain and 1 broadcast domain; then 8 collision domains and 1 broadcast domain; then 2 collision domains and 1 broadcast domain.)

Checkpoint: Why Physical Security Operations Should Care
- Switches typically provide full duplex connectivity to each host, delivering guaranteed bandwidth to each host
- Break up collision domains
- Retain a single broadcast domain at layer 2; this can be a problem in large flat networks

Quality of Service Mechanisms: Traffic Prioritization, Congestion Management
Type of Service bits in Layer 2 frames, IP Precedence, Weighted Fair Queuing, RSVP, etc.
(Diagram: sessions 1 through 4 queued and scheduled by priority.)
IPv4 header fields: Version, Length, ToS (1 byte), Len, ID, offset, TTL, Proto, FCS, IP-SA, IP-DA, Data
IPv4: the 3 most significant bits of the ToS byte are called IP Precedence.
DiffServ uses six D.S. bits plus two for flow control.
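An added example (not from the original slides) that decodes the ToS byte described above into IP Precedence, DSCP and the two low bits, and then uses the result to place packets into priority queues. The DSCP-to-queue mapping and the sample packets are assumptions for illustration, not the slide's.

```python
# Added example (not from the original slides): decode and build the IPv4 ToS
# byte the slide describes. The 3 most significant bits are IP Precedence; the
# DiffServ view uses the top 6 bits as DSCP and the 2 low bits for congestion
# signalling (the slide calls them flow control; RFC 3168 names them ECN).
# The queue mapping and sample packets are constructed for illustration.


def decode_tos(tos: int) -> dict:
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is a single byte")
    return {"precedence": tos >> 5,   # 3 MSBs: 0 (routine) .. 7 (network control)
            "dscp": tos >> 2,         # 6 DiffServ bits; its top 3 bits equal precedence
            "ecn": tos & 0x03}        # 2 low bits


def make_tos(dscp: int, ecn: int = 0) -> int:
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


# Constructed policy: DSCP 46 (Expedited Forwarding) to a strict-priority queue,
# the AF4x class (DSCP 34/36/38) to a video queue, everything else best effort.
QUEUES = {46: "priority", 34: "video", 36: "video", 38: "video"}
QUEUE_RANK = {"priority": 0, "video": 1, "best-effort": 2}


def classify(tos: int) -> str:
    return QUEUES.get(decode_tos(tos)["dscp"], "best-effort")


def schedule(packets):
    """Strict priority between queues, FIFO within a queue; returns the send order."""
    ranked = sorted(enumerate(packets),
                    key=lambda p: (QUEUE_RANK[classify(p[1]["tos"])], p[0]))
    return [p[1]["name"] for p in ranked]
```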

Network Layer (Layer 3) Functions: The Relationship Between IP (Network, Layer 3) and Data-Link (Layer 2) Protocols
- Interconnects multiple data links, allowing similar and dissimilar networks to be connected
- Defines logical source and destination addresses associated with a specific protocol
- Defines paths through the network
(Diagram: Network layer: IP, IPX; Data-Link layer: 802.2, 802.3; Physical layer: EIA/TIA-232, V.35.)

Multiple Addresses in a Typical Network Message: the Ethernet Frame Specifies the L2 Address and the IP Packet Specifies the L3 Address
Ethernet Frame: Preamble & SFD, Destination Address, Source Address, Length, Data/Payload, FCS
IP Packet: Version, Header Length, TOS, Total Length, Identifier, Flags, Fragment Offset, TTL, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
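An added example (not from the original slides) that builds the message the encapsulation and de-encapsulation slides describe, using the Ethernet frame and IP packet fields listed above as real header layouts (Ethernet II, IPv4 with its header checksum, TCP), and then strips the headers again as the receiving host does, validating the checksum on the way. The MAC addresses, ports and payload are constructed; the IP addresses reuse values shown elsewhere in the deck.

```python
# Added example (not from the original slides): encapsulate a payload in TCP,
# IPv4 and Ethernet II headers, then de-encapsulate it layer by layer.
# MACs, ports and payload are constructed. The IP header checksum is the
# standard one's-complement sum; the FCS is omitted (the NIC computes it).
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                ttl: int = 64, tos: int = 0) -> bytes:
    """Version 4, IHL 5 (20 bytes, no options), DF flag set, constructed identifier."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fields = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + payload_len,
                         0x1234, 0x4000, ttl, proto, 0, src_b, dst_b)
    # the header checksum is computed with the checksum field itself zeroed
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def tcp_header(sport: int, dport: int, seq: int = 0, ack: int = 0,
               flags: int = 0x18) -> bytes:
    """20-byte TCP header (data offset 5); the TCP checksum is left zero for brevity."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header: DA, SA, Type (0x0800 = IPv4); preamble and FCS come from the NIC."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, src_mac: bytes, dst_mac: bytes):
    """Return the message as seen at each layer: [P, TH+P, NH+TH+P, DLH+NH+TH+P]."""
    segment = tcp_header(40000, 80) + payload                       # transport layer
    packet = ipv4_header(src_ip, dst_ip, len(segment)) + segment    # network layer
    frame = ethernet_frame(dst_mac, src_mac, 0x0800, packet)        # data link layer
    return [payload, segment, packet, frame]


def decapsulate(frame: bytes) -> dict:
    """Strip the headers layer by layer, checking what each layer is responsible for."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    packet = frame[14:]                                   # data link header removed
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header corrupt (version or checksum)")
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    segment = packet[ihl:total_len]                      # network header removed
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"dst_mac": dst_mac.hex(), "src_mac": src_mac.hex(), "ttl": ttl,
            "protocol": proto, "src_ip": src_ip, "dst_ip": dst_ip,
            "sport": sport, "dport": dport,
            "data": segment[data_offset:]}               # transport header removed
```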

The IP (Layer 3) Address: Why a 2nd Type of Address?
IP started as a unique physical address (similar to layer 2).
Today: used as a re-allocatable, network dependent address, a logical address that allows different types of network devices using IP as the common protocol to communicate with each other.
Definition: An Internet Protocol (IP) address specifies the logical location of a host or client on the Internet.
How we see it: 202.14.64.1
What the networked devices see: 11001010000011100100000000000001

Layer 3 Network Layer Packet: IP Packet and IP Address
(Diagram: a Network Layer end-station packet with IP Header, Source Address, Destination Address and Data; the host / node 172.15.1.1 on the network has a logical address.)
IP addresses are written in dotted decimal format.
Four sections are separated by dots.
Each section contains a number between 0 and 255 (2^8 = 256).

IP Address Classes: Different Size Organizations, Different Size Blocks of Addresses
32 bits, split into Network and Host parts:
Class A: leading bit 0, then Network | Host
Class B: leading bits 10, then Network | Host
Class C: leading bits 110, then Network | Host
Size of network, large to small: the number of hosts connected to a given network.
# of Class C addresses > # of Class B > # of Class A addresses. Example: Class A addresses are typically given to Service Providers (e.g. AT&T) to connect many customer networks, or to large universities or corporations that support many hosts.
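An added example (not from the original slides) of the dotted-decimal to 32-bit conversion and the classful split described on the last few slides, using the deck's 202.14.64.1 and 172.15.1.1. The Class D/E cases and the host-count rule (all-zeros and all-ones host parts are reserved) are assumptions beyond what the slide states.

```python
# Added example (not from the original slides): dotted decimal <-> 32-bit
# binary, and the classful Network/Host split by leading bits (0, 10, 110).
# Classes D and E and the reserved host parts are standard IPv4 facts added
# here; the sample addresses other than the deck's own are constructed.


def to_bits(dotted: str) -> str:
    """'202.14.64.1' -> '11001010000011100100000000000001'."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has four sections separated by dots")
    values = []
    for o in octets:
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"section {o!r} must be a number between 0 and 255")
        values.append(int(o))
    return "".join(f"{v:08b}" for v in values)


def from_bits(bits: str) -> str:
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def classify(dotted: str) -> dict:
    """Classful view: class letter, network part, host part and usable host count."""
    bits = to_bits(dotted)
    if bits.startswith("0"):
        cls, net_bits = "A", 8
    elif bits.startswith("10"):
        cls, net_bits = "B", 16
    elif bits.startswith("110"):
        cls, net_bits = "C", 24
    elif bits.startswith("1110"):
        return {"class": "D", "binary": bits, "note": "multicast group address"}
    else:
        return {"class": "E", "binary": bits, "note": "reserved"}
    host_bits = 32 - net_bits
    return {
        "class": cls,
        "binary": bits,
        "network": from_bits(bits[:net_bits] + "0" * host_bits),
        "host_part": int(bits[net_bits:], 2),
        # all-zeros (network) and all-ones (broadcast) host parts are not usable
        "max_hosts": 2 ** host_bits - 2,
    }
```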

Difference Between Routers & Switches
(Diagram: two OSI stacks, Physical, Data Link (L2), Network (L3), Transport, showing where each device makes its switching / forwarding decision.)
Routers care about L3 addresses. Switches care about L2 addresses.

Dynamic Host Configuration Protocol: Eases Device Administration
(Diagram: PC 1 and PC 2 join the network and ask the DHCP Server, which holds the IP address database: "Hi, I'm new to the network. Please provide me with my new IP address." The server replies: "Here's your new IP address!")

Routers, the Layer 3 Device: Operate at the Network Layer
- Broadcast control
- Multicast control
- Optimal path determination
- Traffic management
- Logical addressing
- Connects to WAN services
- L3 operation and classification

Why Do We Need Routers (Layer 3 Devices)? Scalability and Segmentation: Broadcast Domain Control
All L2-switch connected devices are part of the same broadcast domain. This becomes a performance issue, even in medium sized networks.
Networks don't scale well at L2 and need to be segmented at L3.

How Do Routers Handle L2 Broadcasts? Routers Break Up Broadcast Domains
(Diagram: PC 1 sends a broadcast with a Layer 2 MAC DA of all f's and a Layer 3 protocol DA of 255.255.255.255 to everyone on this subnet; the router, marked X, does not forward it towards PC 2.)
PC 1 sends a broadcast to see if PC 2 is locally connected.
But a router will not pass the layer 2 broadcast on to the other devices connected to it! It will pass a layer 3 broadcast if the network manager permits it, under certain conditions.

Separating (Layer 2) Broadcast Domains: Hub to Switch to Router
(Diagram: three floors, Floor #1 to Floor #3, with hosts A1 to A4 on Bridge A, B1 to B4 on Bridge B and C1 to C4 on Bridge C, the bridges joined by a router: 9 collision domains, 3 broadcast domains.)

Network Device Domains
Device:              Hub   Switch   Router
Collision Domains:   1     4        4
Broadcast Domains:   1     1        4
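An added example (not from the original slides) that derives the table above, and the multi-floor cases on the preceding slides, by modelling each cable as a segment: hubs merge their segments into one collision domain, hubs and switches merge theirs into one broadcast domain, and routers merge nothing. Device and host names are constructed.

```python
# Added example (not from the original slides): count collision and broadcast
# domains for a topology the way the slide's table does. Rule modelled: each
# cable is one segment; a hub (repeater) joins all its segments into one
# collision domain; hubs and switches join their segments into one broadcast
# domain; a router joins nothing. Device and host names are constructed.
from collections import defaultdict


class Topology:
    def __init__(self):
        self.kind = {}                       # device name -> "hub" | "switch" | "router"
        self.links = []                      # (a, b) pairs; list index = segment id
        self.attached = defaultdict(list)    # endpoint name -> segment ids

    def add_device(self, name: str, kind: str) -> None:
        if kind not in ("hub", "switch", "router"):
            raise ValueError(f"unknown device kind {kind!r}")
        self.kind[name] = kind

    def connect(self, a: str, b: str) -> None:
        """Run a cable between two endpoints (devices or end hosts)."""
        seg = len(self.links)
        self.links.append((a, b))
        self.attached[a].append(seg)
        self.attached[b].append(seg)

    def _count_domains(self, joining_kinds) -> int:
        """Union-find over segments; devices of the given kinds merge their ports."""
        parent = list(range(len(self.links)))

        def find(x):
            while parent[x] != x:
                parent[x] = parent[parent[x]]
                x = parent[x]
            return x

        for dev, kind in self.kind.items():
            if kind in joining_kinds:
                segs = self.attached[dev]
                for s in segs[1:]:
                    parent[find(s)] = find(segs[0])
        return len({find(s) for s in range(len(self.links))})

    def collision_domains(self) -> int:
        return self._count_domains({"hub"})

    def broadcast_domains(self) -> int:
        return self._count_domains({"hub", "switch"})


def single_device(kind: str, hosts: int = 4):
    """The slide's table: one hub, switch or router with four end stations."""
    t = Topology()
    t.add_device("dev", kind)
    for i in range(hosts):
        t.connect("dev", f"pc{i}")
    return t.collision_domains(), t.broadcast_domains()
```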

Traffic Engineering: Another Type of Network Communication Needed
(Diagram: Assessment, Connectivity, Access, Input, Output; analog cameras into encoders (A-to-D) on an Ethernet access network, across the WAN, to decoders (D-to-A) and monitors, on a high-availability IP LAN. Legend: 1st unicast stream, redundant unicast stream.)
Unicast is wasteful for multiple simultaneous viewers / streams.
A 3rd type of network communication is needed.

A 3rd Type of Network Communication: Multicast, Subscription-Based Broadcast. Multicast is B/W Efficient!
(Diagram: the same chain of encoders (A-to-D), Ethernet access, WAN and decoders (D-to-A), now on a high-availability IP multicast LAN. Legend: 1st unicast stream, efficient multicast stream.)

Network Address Translation: Creates More Address Segments, Secures, Easier to Manage
(Diagram: 212.14.198.103 as seen from the Internet; 192.168.0.1 and 192.168.0.2 inside the home network.)

A Look at a Network Address Table
Source Computer | Source Computer's IP Address | Source Computer's Port | NAT Router's IP Address | NAT Router's Assigned Port Number
A | 192.168.32.10 | 400 | 215.37.32.203 | 1
B | 192.168.32.13 | 50 | 215.37.32.203 | 2
C | 192.168.32.15 | 3750 | 215.37.32.203 | 3
D | 192.168.32.18 | 206 | 215.37.32.203 | 4
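An added example (not from the original slides) that reproduces the table above as a port address translation router: outbound packets from the four inside hosts receive the assigned port numbers shown, replies are mapped back to the inside host, and an inbound packet with no table entry is dropped, which is the "secures" point on the previous slide. The outside destination 212.14.198.103 is taken from the NAT slide; the packet model is constructed.

```python
# Added example (not from the original slides): a NAT/PAT router that builds
# the slide's address table. Inside hosts and the router's outside address are
# from the slide; the destination server and packet model are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, outside_ip: str, first_port: int = 1):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}      # (inside ip, inside port) -> assigned outside port
        self.reverse = {}    # assigned outside port -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside source to the router's address and an assigned port."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:             # first packet from this socket: add a row
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.outside_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Map a reply back to the inside host, or return None to drop it.

        Unsolicited packets from outside never match a row, so inside hosts are
        not reachable unless they initiated the exchange (the slide's 'secures').
        """
        if pkt.dst_ip != self.outside_ip or pkt.dst_port not in self.reverse:
            return None
        inside_ip, inside_port = self.reverse[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

    def rows(self):
        """The slide's table: inside address, inside port, router address, assigned port."""
        return [(ip, port, self.outside_ip, out) for (ip, port), out in self.table.items()]
```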

What About IPv6?
The IETF IPv6 working group began in the early 90s to solve addressing growth issues, but CIDR and NAT were developed.
IPv4 32-bit address = 4 billion hosts; ~40% of the IPv4 address space is still unallocated.
BUT:
IP is everywhere: data, voice, audio and video integration is a reality.
Regional Registries apply a strict allocation control.
The addressing scheme is not optimum. Looking ahead.

Explosion of New Internet Appliances: Transforming Business Processes
(Chart, 2003 Harbor Research, Inc., all rights reserved, of device populations by category: Mobile Phones, PDAs, ... 1.5 Billion; PCs, Servers, ... 500 Million; Vehicles, Cargo Containers, ... 350 Million; Medical Devices, HVAC, ... 375 Million; Controllers, ... 500 Million; Smart Sensors, ... 750 Million; Microprocessors, ... 35 Billion.)
Harbor projects 44 million devices in 2003 and 1.5 billion in 2010 will be networked.

IPv6 versus IPv4: A Few of the Key Differences
- Address length quadrupled to 16 bytes
- Header simplification: fixed length (optional headers daisy-chained); no checksumming (done by the link layer); no hop-by-hop segmentation
- Integrated QoS support (Class of Service / multimedia support: flow label / class)
- Authentication and privacy capabilities
IPv4 Header: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 Header: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

Routers Also Provide WAN Access
(Diagram: Main Office, Branch Office, a Telecommuter via modem or ISDN terminal adapter, and a Mobile User, all connected across the Internet.)

WAN Selection Considerations
Determine the applications that you want to run.
(Chart: required bandwidth in kbps, from 9.6, 19.2, 28, 56 and 128 / 64 up to 1544+ and 54000, against applications (Telnet, web browsing, e-mail and file transfer, voice, video and multimedia) and WAN technologies (really old modem, modem, ISDN, Frame Relay, leased line, xDSL, cable, T3, OC-3).)

Checkpoint: Why Physical Security Operations Should Care
- Routers provide scalability at L3, control broadcast domains, enable connection to other networks (WANs, etc.) and more
- NAT provides a layer of security by shielding addresses of hosts from the outside world, and allows for better address utilization
- DHCP eases administration of adding / moving devices in a network, and also improves address utilization
Can your network-connected devices work with these key features / devices?

Transport Layer Functions
- Distinguishes between upper-layer applications
- Establishes end-to-end connectivity between applications
- Defines flow control
- Provides reliable or unreliable services for data transfer
(Diagram: Transport layer: TCP, UDP, SPX; Network layer: IP, IPX.)

Reliable Transport Layer Functions
(Diagram: Sender and Receiver exchange Synchronize; Acknowledge, Synchronize; Acknowledge; then Connection Established and Data Transfer (Send Segments).)
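An added example (not from the original slides) of the exchange above as two small TCP state machines: Synchronize, Acknowledge + Synchronize, Acknowledge, then Connection Established on both sides. Initial sequence numbers are constructed, and the check that a SYN-ACK acknowledges the right sequence number is an assumption beyond what the slide shows.

```python
# Added example (not from the original slides): the three-way handshake as two
# endpoint state machines exchanging segments. Initial sequence numbers are
# constructed; states and flag names follow TCP.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    syn: bool
    ack: bool
    seq: int
    ack_num: int = 0


class Endpoint:
    def __init__(self, name: str, isn: int):
        self.name, self.isn, self.state = name, isn, "CLOSED"
        self.snd_nxt = isn        # next sequence number this side will send
        self.rcv_nxt = None       # next sequence number expected from the peer

    def listen(self) -> None:
        self.state = "LISTEN"

    def connect(self) -> Segment:
        """1. Synchronize: send SYN with our initial sequence number."""
        self.state = "SYN_SENT"
        self.snd_nxt = self.isn + 1            # the SYN consumes one sequence number
        return Segment(syn=True, ack=False, seq=self.isn)

    def receive(self, seg: Segment):
        """Advance the state machine; return the reply segment, or None if none is due."""
        if self.state == "LISTEN" and seg.syn and not seg.ack:
            # 2. Acknowledge the peer's SYN and Synchronize our own sequence space
            self.rcv_nxt = seg.seq + 1
            self.snd_nxt = self.isn + 1
            self.state = "SYN_RCVD"
            return Segment(syn=True, ack=True, seq=self.isn, ack_num=self.rcv_nxt)
        if self.state == "SYN_SENT" and seg.syn and seg.ack:
            if seg.ack_num != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ACK {seg.ack_num}, expected {self.snd_nxt}")
            # 3. Acknowledge the peer's SYN; connection established on this side
            self.rcv_nxt = seg.seq + 1
            self.state = "ESTABLISHED"
            return Segment(syn=False, ack=True, seq=self.snd_nxt, ack_num=self.rcv_nxt)
        if self.state == "SYN_RCVD" and seg.ack and not seg.syn:
            if seg.ack_num != self.snd_nxt:
                raise ValueError(f"{self.name}: bad ACK {seg.ack_num}, expected {self.snd_nxt}")
            self.state = "ESTABLISHED"        # connection established on this side too
            return None
        raise ValueError(f"{self.name}: unexpected segment in state {self.state}")


def handshake(sender_isn: int = 1000, receiver_isn: int = 5000):
    """Run the slide's exchange; return the trace and both endpoints' final states."""
    a, b = Endpoint("Sender", sender_isn), Endpoint("Receiver", receiver_isn)
    b.listen()
    trace = []
    seg = a.connect()                         # Synchronize
    trace.append(("Sender->Receiver", seg))
    seg = b.receive(seg)                      # Acknowledge, Synchronize
    trace.append(("Receiver->Sender", seg))
    seg = a.receive(seg)                      # Acknowledge
    trace.append(("Sender->Receiver", seg))
    b.receive(seg)                            # Connection Established
    return trace, a.state, b.state
```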

Summary and a Few More Networking Icons
(Icon legend: WAN Cloud; Access Server; Data Service Unit / Channel Service Unit (DSU/CSU); Web Server; Bridge; Switch; Router; Ethernet; Fast Ethernet; Serial Line; File Server; Personal Computer; Modem; VLAN (color may vary); Hub; Network Cloud or Broadcast Domain; Circuit-Switched Line; Multilayer Switch; Silicon-Based Multilayer Switch.)

Scalability & Availability: Typical Network for SMB / Enterprise
(Diagram: dedicated 100 Mbps to EACH end point (camera, badge reader, PC, etc.); 1-20 Gbps links switch to switch; 768 kbps - 54 Mbps WAN links.)

Network-Connected Device Bandwidth Profile: Modest Needs for a Dedicated 100 Mb/s Connection
Badge Swipe:

Common Network Platforms: Ample Bandwidth for Physical Security Needs
Switching Platform | Ports | Max System Capacity | Recommended Streams**
Catalyst 3750G-48PS | 48 10/100/1000 ports, 4 GbE (uplink) | 32 Gbps | 4,760 streams
Catalyst 6513 Sup720 | 576 10/100/1000 ports, 4-21 10GbE ports (uplink) | 720 Gbps | 57,460 streams
** Assumes 3.5 Mbps / stream, 64 byte packets (typically video payloads would be larger)

Checkpoint: Why Physical Security Operations Should Care
- The OSI Transport Layer enables application connectivity with reliable and unreliable mechanisms
- Routers and switches (L2 and L3) offer a number of options, tailored for specific deployment requirements
- Network design provides scalability and high availability using a 2 or 3 tier hierarchy (access and backbone, or access, distribution layer and core)
Are you alone or on the bleeding edge? No

IP Convergence Experience & Expertise
- Multiple waves of system convergence
- Numerous physical security operations run over converged IP today
- Success with large scale video surveillance operations
- Resiliency / availability
- Application and device security
- Increased functionality and mobility

Criteria for World-Class Converged Systems: Physical Security Can Thrive on an IP Network!
Security; Scalability & Availability; Bandwidth Control; Manageability / Control; Accessibility; Interoperability; Storage; Information Utility

Co-existence through Segmentation: Network Security Toolset #1
(Diagram, before: a Security Officer, J Doe from Marketing, a Security Camera and a Collateral Database all on one LAN.)
Out of the box, switches usually place all ports in the same LAN.
Consequence: everyone can reach everything; no policy enforcement.
(Diagram, after: the same users and resources separated into groups.)
Segmenting user groups is the foundation for policy enforcement.
Multiple techniques: VLANs, IP subnets, mGRE, IPSec, MPLS, VRF, physically separate equipment.

Security Protection Against Hacks & Viruses: Network Security Toolset #2
Threats: Device DoS; Network DoS; Address Spoofing; Port Hijack; DHCP DoS; MAC Flood; SysAdmin Spoofing; Command Spoofing; Worm Propagation
Countermeasures: Port Security, 802.1X, disable unused ports; QoS toolset; AAA, strong passwords, separate management network; DHCP spoofing prevention, 802.1X; device command authorization; Dynamic ARP Inspection, IP Source Guard, 802.1X; 802.1X; Port Security; HIPS / AV / PFW, Network Admission Control
NOTE: Segmentation and firewalling techniques are not considered here, as this design assumes complete physical separation.
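An added example (not from the original slides) showing, in Python, the decisions behind four of the countermeasures listed above: DHCP snooping bindings learned only from a trusted port, Dynamic ARP Inspection, IP Source Guard and Port Security. Port names, MAC and IP addresses are constructed, and the checks are simplified models of the switch features, not Cisco code.

```python
# Added example (not from the original slides): simplified model of an access
# switch applying DHCP snooping, Dynamic ARP Inspection (DAI), IP Source Guard
# and Port Security. Port names and addresses are constructed; the logic is a
# teaching model of the features named on the slide, not vendor code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str


class AccessSwitch:
    def __init__(self, trusted_ports, max_macs_per_port: int = 1):
        self.trusted = set(trusted_ports)   # ports facing the DHCP server / uplink
        self.bindings = {}                  # access port -> Binding (DHCP snooping table)
        self.learned = {}                   # access port -> set of source MACs seen
        self.max_macs = max_macs_per_port
        self.shutdown = set()               # ports err-disabled by Port Security

    def dhcp_ack(self, arrived_on, client_mac, client_ip, client_port) -> str:
        """DHCP snooping: server replies are accepted only from trusted ports."""
        if arrived_on not in self.trusted:
            return "drop: DHCP server reply on untrusted port"
        self.bindings[client_port] = Binding(client_mac, client_ip, client_port)
        return "bind"

    def learn_mac(self, port, mac) -> str:
        """Port Security: cap the number of source MACs on an access port (MAC flood)."""
        if port in self.trusted:
            return "learn"
        seen = self.learned.setdefault(port, set())
        seen.add(mac)
        if len(seen) > self.max_macs:
            self.shutdown.add(port)
            return "violation: port err-disabled"
        return "learn"

    def arp_reply(self, arrived_on, sender_mac, sender_ip) -> str:
        """DAI: on access ports the ARP sender MAC/IP must match the snooping binding."""
        if arrived_on in self.shutdown:
            return "drop: port is err-disabled"
        if arrived_on in self.trusted:
            return "forward"
        b = self.bindings.get(arrived_on)
        if b is None or b.mac != sender_mac or b.ip != sender_ip:
            return "drop: ARP reply does not match DHCP snooping binding"
        return "forward"

    def ip_packet(self, arrived_on, src_mac, src_ip) -> str:
        """IP Source Guard: the source MAC/IP must be the pair bound to this port."""
        if arrived_on in self.shutdown:
            return "drop: port is err-disabled"
        if arrived_on in self.trusted:
            return "forward"
        b = self.bindings.get(arrived_on)
        if b is None or b.ip != src_ip or b.mac != src_mac:
            return "drop: source address not bound to this port"
        return "forward"
```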

Firewalls: Segmentation and Security
(Diagram: trusted sources and un-trusted sources on either side of the firewall.)
Firewalls: Software or hardware services that enforce access control policies (rules) or employ filtering to control access to network resources.

Video Surveillance on the WAN: Multiple Techniques and Consideration Points
- Use compression
- Monitoring: pull on demand; push upon a pre-defined event; use multicast technology (send 1 copy of video, not 2 or more); transcode (reduce frame rate, conserves bandwidth)
- Recording: consider local facility recording; retrieval does not have to be real-time; 15 FPS or less is usually acceptable; record on motion only, or snapshot for 24 x 7 requirements

Video Surveillance Recording: Storage Considerations
(Diagram: the assessment / connectivity / access chain of encoders (A-to-D), Ethernet access, WAN and decoders (D-to-A) on a high-availability IP multicast LAN, with local / distributed DVR/NVR disks and centralized DVR/NVR storage on a SAN under management. Legend: 1st unicast stream, transcoded multicast stream.)

Migrating to IP-Based Video Surveillance: Leverage Existing Investments & Enable New Capabilities

(Diagram of the migration path: analog fixed & PTZ cameras, dedicated CCTV keyboards & displays and an analog CCTV VCR, via analog video fiber multiplexers & distribution amplifiers and a video matrix switch, into a Cisco Integrated Services Platform with Stream Manager software (DVR) and Cisco IP gateways with Stream Manager software, onto the Cisco IP network; a Cisco Services Platform with Stream Manager software (NVR), datacenter servers, Cisco IP phones and web-based monitoring. Add IP cameras incrementally; no retraining; access live or recorded video; snap stills. Cisco Stream Manager monitoring software for local & remote operations.)
Cisco on Cisco: Lower TCO and Maximized ROI

Converged Physical Security, HR, Finance, Etc.
Cisco Physical Security Ops Results:
- Centralized S&S operations to 4 global locations
- Hybrid network of analog and IP devices
- Reduced false alarms by 90%
- Reduced storage requirements by 50% and number of servers by 40%
- Reduced maintenance costs by 20%
- Decreased MTTR (NVR)
- Policy-based access and segmentation, QoS prioritization
- IT monitors system health, remediates problems, maintains servers

Convergence Today and Tomorrow: From Proprietary to Open, an IP Systems Approach
(Diagram: multiple control networks & systems (interactive communication systems, alarm / access control, video surveillance, fire, power, lifts, lighting, HVAC) brought together under IP Communications with central monitoring & control.)
Today's Buildings: disparate building networks; proprietary and redundant; sub-optimal information usage.
A Shared Vision: interoperable; efficient and scalable; multi-use systems information; maximized ROI and lower TCO.

Conclusions: Building Your Own Intelligent Converged Environment
- Increase information utility and accessibility to maximize ROI
- Eliminate infrastructure redundancy to increase productivity and lower TCO
Organizations that leverage investments in an IP network-centric Physical Security Operation will maximize the inherent value of video, capital and personnel, enhancing the safety and security of people, and an organization's assets.

Questions and Where to Go Next
For all general networking information, see the Cisco Web site: http://www.cisco.com
For Networking Training: http://www.cisco.com/web/learning/index.html
For more on Cisco Video Surveillance: http://www/cisco.com/go/videosurveillance
Partnering is the key to successful deployments. Engage and chat / work with your IT counterpart!