Ask the Expert: Is it really an IP-at-the-door future?

IP edge is the generic term for placing devices at the outer boundaries of the corporate network infrastructure, often using power over Ethernet (PoE). There is little doubt that this methodology serves some applications extremely well, such as IP cameras for CCTV surveillance. Advocates of the concept for access control hold out the promise of labour and material savings. However, the adoption of IP edge and PoE devices for security and access control applications remains a questionable idea at best.

July 3, 2008
By Steve Dentinger


Consider the following: many IP edge/PoE access control systems
essentially require intelligent readers to be installed at each and
every door, and the relay used to energize the door strike or magnetic
lock is located right at the door. This is the equivalent of placing
your spare house key under your front mat. Anyone with minimal
technical savvy could defeat this type of access system, gaining access
to “secured” areas. Some manufacturers of IP readers provide
anti-tamper switches in an attempt to mitigate this risk. However,
despite the added tamper switch, many in the industry recognize this as
a significant security risk and avoid these products for this reason
alone. More prudent integrators prefer to have the door strike,
magnetic lock activation device or relay secured some distance away
from the door on the secured side of the installation — as is the case
with traditional panel-based access control products, which continue to
dominate the market.

IP edge/PoE access control equipment, by its very nature, is 100 per
cent dependent on the corporate network. Many will argue that network
availability for today’s network equipment runs at 99.99 per cent
uptime. Impressive. However, it should be noted that network maintenance
in most organizations takes place at night or on weekends — the very
periods when facilities are at their most vulnerable, and security is
most needed!

PoE also imposes strict limits on the power delivered to the access
controller, and these are further complicated by cable voltage drops,
due in part to cable lengths, and by other power-related issues with
PoE. As a direct result, driving a quality strike or
magnetic lock can be problematic since both strikes and magnetic locks,
when activated, can severely drop the line voltage, causing
intermittent door activations and malfunctioning access control
hardware. Manufacturers of this equipment will advise that a costly
line power injector is recommended to ensure line voltage and wattage
ratings are maintained at the PoE load.
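The power budget described above can be checked before installation. The following is an added example, not part of the original article: it solves for the operating point of a constant-power load at the end of a resistive cable using the IEEE 802.3af limits, and the reader wattage, lock wattages and converter efficiency are constructed assumptions.

```python
import math

# IEEE 802.3af (Type 1) limits: the PSE supplies at most 15.4 W at no less
# than 44 V; the worst-case 100 m channel has 20 ohms of loop resistance;
# the powered device (PD) must keep at least 37 V at its input.
PSE_MIN_VOLTS = 44.0
PSE_MAX_WATTS = 15.4
PD_MIN_VOLTS = 37.0
LOOP_OHMS_PER_100M = 20.0


def pd_operating_point(load_watts, cable_m, v_pse=PSE_MIN_VOLTS):
    """Solve for a constant-power load at the end of a resistive cable.

    Returns (amps, volts_at_pd, watts_from_pse), or None when the cable
    cannot deliver the requested power at any current.
    """
    r = LOOP_OHMS_PER_100M * cable_m / 100.0
    if r == 0:
        return load_watts / v_pse, v_pse, load_watts
    # load = (v_pse - i*r) * i  ->  r*i^2 - v_pse*i + load = 0
    disc = v_pse ** 2 - 4 * r * load_watts
    if disc < 0:
        return None
    amps = (v_pse - math.sqrt(disc)) / (2 * r)  # lower-current root
    return amps, v_pse - amps * r, v_pse * amps


def door_fits(reader_watts, lock_watts, cable_m, efficiency=0.85):
    """True if reader plus lock stay inside the 802.3af envelope.

    efficiency is an assumed DC-DC converter efficiency inside the door unit.
    """
    point = pd_operating_point((reader_watts + lock_watts) / efficiency, cable_m)
    if point is None:
        return False
    _, volts_at_pd, watts_from_pse = point
    return volts_at_pd >= PD_MIN_VOLTS and watts_from_pse <= PSE_MAX_WATTS


if __name__ == "__main__":
    # Constructed loads: 4 W reader/controller, 12 V lock at 0.5 A or 0.75 A.
    for lock_w in (6.0, 9.0):
        for metres in (10, 100):
            print(lock_w, metres, door_fits(4.0, lock_w, metres))
```

With these assumed loads, the 6 W lock fits at both cable lengths, while the 9 W lock exceeds the PSE limit even on a 10 m run, which is the situation where a separate power injector or local lock supply is needed.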

Another critical flaw with PoE in relation to its use with security and
access control applications: PoE has a power-up protocol or routine
that leaves nodes (in this case readers) unpowered until a power-up
sequence and load impedance check has been satisfied. Manufacturers
frequently recommend the addition of a PoE UPS to mitigate power
fluctuations and interruptions. Considerable unforeseen costs are
incurred when an IP edge/PoE based access control system is moved from
theoretical to actual implementation. One should not underestimate the
hidden costs of such systems.

Some advocates reference the convenience of piggybacking IP edge/PoE
access control solutions on the existing corporate network. Although
tempting, just as with Internet-based access control products, IP
edge/PoE access control solutions open the enterprise’s access control
equipment and software to nefarious activity, such as hacking and
hardware tampering. The age of the cybercrime gang is here, and no
longer are these groups satisfied with just obtaining sensitive
information. They now aim to take control over PCs and their connected
infrastructure. While it is not desirable to have someone hack into and
view or disable a CCTV surveillance system, imagine how much more
damaging it would be if a hacker were to unlock a door, or enable or
disable access control cards at will.

Security directors or managers who truly understand the security
vulnerabilities that IP edge/PoE present to their enterprises will
adopt a hybrid access control panel solution. That is to say, a strong
preference will be given to multi-door access control panels that are
TCP/IP equipped and strategically positioned throughout the facility to
reduce cable runs. This results in reduced cabling costs, leveraging of
current network infrastructure, reduced points of failure and lower
total cost of ownership over the life of the system. As well, some
access control panel manufacturers support secure web tools for remote
system management.

Simply put, the emerging technology of IP edge/PoE for security and
access control applications presents significant security risks, and
hidden “not as advertised” costs. In the end, a hybrid approach with
multi-reader TCP/IP equipped access control panels provides the most
cost-effective and security-robust solution in the access
control/security marketplace.

Steve Dentinger, CET, is the marketing manager for Keyscan Access
Control Systems and has been in the electronics industry for 14 years.