IP-based Physical Access Control

Five reasons to adopt this technology now

Organizations of all sizes are migrating from analog to IP-based physical access control solutions, drawn by increased security, increased operational efficiency and better availability. The shift to IP reflects what’s already happened in voice communications and, more recently, in video surveillance.

Shifting physical access control from analog proprietary serial communications to IP provides five main benefits:

  • Protecting access control data;
  • Accelerating response to alarms;
  • Helping to ensure business continuance;
  • Streamlining operations; and
  • Lowering door cable costs.

Protecting access control data. Analog physical access control systems make it relatively easy for someone with a little knowledge and widely available tools to create a working card to impersonate an employee. Most card data is not encrypted, either over the air or from the reader to door-control panels. Someone who taps the link can read badge data.

A related issue is that most analog door controllers use the Wiegand protocol, which is one-way only from reader to door-control panel. That means the card reader can’t tell whether it’s connecting to a legitimate door-control panel or a snooping device.

IP physical access control systems use digital encryption technologies to help protect identity information, making physical access control systems less vulnerable to attacks.

For example, new IP-based controllers support a challenge-response function, a secure way to protect card data sent over the link. When you present your card for access, the card does not immediately turn over its data. Instead, it first authenticates to the system by sending a public key and listening for a signed response from the system. The system signs the credential and sends it back to the card. Only after receiving verification that the system at the other end of the connection is legitimate, not an imposter, does the card transmit its encrypted data to the reader.
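The ordering described above (prove the system first, release card data second) is sketched below as an added example; it is not code from the article or from any vendor. It substitutes an HMAC-SHA256 proof over a shared key for the public-key signature the article describes so that it runs on the Python standard library alone, and the names `Card`, `Controller`, `present`, `proof` and `SHARED_KEY` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption); real systems provision keys securely.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def proof(key, nonce):
    """Keyed proof over the card's nonce (HMAC stands in for a signature)."""
    return hmac.new(key, b"reader-auth" + nonce, hashlib.sha256).digest()


class Controller:
    """System side: answers the card's challenge to prove it holds the key."""

    def __init__(self, key):
        self.key = key

    def respond(self, nonce):
        return proof(self.key, nonce)


class Card:
    """Card side: withholds badge data until the system has proven itself."""

    def __init__(self, key, badge_id):
        self.key, self.badge_id, self.nonce = key, badge_id, None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)  # fresh for every presentation
        return self.nonce

    def release(self, response):
        nonce, self.nonce = self.nonce, None  # single use, so replays fail
        if nonce is None:
            return None
        if not hmac.compare_digest(proof(self.key, nonce), response):
            return None  # unauthenticated device: nothing leaves the card
        return self.badge_id  # payload encryption is outside this sketch


def present(card, device):
    """One badge presentation; returns the released data, or None if withheld."""
    return card.release(device.respond(card.challenge()))
```

A device without the key, or one replaying a response recorded from an earlier presentation, gets `None` back, which is the property a one-way Wiegand link cannot provide.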

New standards in access control interoperability will increase security and interoperability while driving down system costs. One is the Federal Information Processing Standards (FIPS) 201 for personal identity verification (PIV). FIPS 201 defines a back-end public key infrastructure (PKI) system to manage public keys and user identities through a certificate authority. Other standards include Physical Security Interoperability Alliance (PSIA) and the Open Network Video Interface Forum (ONVIF). Card-reader vendors, in turn, are moving toward adopting an encryption standard to protect data traveling over the wireless and wired interface.

Accelerating response to alarms by integrating with video surveillance and incident response systems. Traditionally, a security officer who received a forced-door alarm on door 47 would have had to turn to another console to view the video feed, look up which camera monitored that door, and then spend valuable time finding the relevant alarm video. Meanwhile, an intruder could cause harm or flee the property.

The process is more efficient when the physical access control and video surveillance systems are tied together. Integrating physical security systems with IP video is far simpler than it is with analog systems because all servers and endpoints connect to the same network.

For example, suppose someone kicks in an exterior door. An IP-based access control system can transmit the forced-door alarm to the IP-based incident response system. Receipt of the alarm invokes predefined policies, such as sending an alert to a security officer’s preferred device—say, an iPhone—along with real-time video or video associated with the alarm. This saves valuable minutes compared with the old situation, where the guard had to weed through alarm screens and search for the right video cameras. In addition, instead of being tethered to the desk, security officers can receive alerts on mobile devices while patrolling the property, helping prevent crime or fear of crime.

The benefits multiply if you add an IP dispatch system. Multiple agencies or teams—physical safety, local police, human resources and others—can join a virtual talk group on any device, including desk phone, mobile phone or any type of radio.

Helping business keep going if the network goes down. If physical access control is essential to business continuity, the traditional physical access control system might be the weak link: If the proprietary network goes down, so does the ability to let authorized people in and keep others out. Business continuity is especially urgent for governments and critical infrastructure organizations such as energy plants.

IP physical access controls give you options to increase availability. For example, instead of placing the intelligence in a central server that connects to all of your doors over the WAN, you can place intelligence at the network edge. This helps the business keep going even if the WAN goes down because of a hurricane, tsunami, power outage or another disaster.

This approach is used today by a gasoline distribution company in the Midwest. Truckers present their Transportation Worker Identification Credential (TWIC) to the badge reader, which sends a message to a local system that Chris Johnson is at Gate 2, for example. Then the local gateway sends a URL action to the local system, which sends a work order to the card reader display, such as “Chris Johnson—Fill up on Pump 47.” The benefit to the company is faster truck dispatching, plus increased worker productivity because workers don’t need to wait around for orders.

In general, URL actions are a simple, effective way to integrate disparate systems because they do not require complex programming.

For even higher availability, implement redundant physical access control management servers, either one of which can take over if the other fails. The servers share a common IP address and are continuously synchronized. This practice is much cleaner than implementing tiered databases—for example, at the local, regional and national levels.

Streamlining operations by integrating with the IT or HR database. Many organizations separately maintain databases for network access, HR records and physical access control. The drawbacks are data duplication and redundant processes. Separately maintaining the database used for employee access control also can create an unsafe situation if terminated employees or vendors with limited-time access are not promptly removed from the system.

With an IP-based physical access control system, changes made to your central Microsoft Active Directory or SQL databases can be automatically propagated to the access control system.

Here, too, IP gives you choices. One option is to implement one-way communication between the central database and door gateways. The other is using a Web Services API. A public university in the South uses a Web Services API to allow building administrators to set their own lock schedules on a webpage. The API also is useful for organizations that give out large numbers of one-day visitor badges.
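Whichever integration path is used, the stale-access risk described above can be checked by reconciling enabled badges against the central directory. The following is an added example, not code from the article or any product; the record layout, field names and sample data are constructed for illustration.

```python
from datetime import date

# Constructed sample records; field names are hypothetical.
DIRECTORY = {
    "e100": {"status": "active", "access_end": None},
    "e101": {"status": "terminated", "access_end": None},
    "v200": {"status": "active", "access_end": date(2011, 9, 30)},  # vendor
}
BADGES = [
    {"badge": "B-1", "owner": "e100", "enabled": True},
    {"badge": "B-2", "owner": "e101", "enabled": True},
    {"badge": "B-3", "owner": "v200", "enabled": True},
    {"badge": "B-4", "owner": "e999", "enabled": True},   # no directory record
    {"badge": "B-5", "owner": "e101", "enabled": False},  # already revoked
]


def badges_to_revoke(directory, badges, today):
    """Return (badge, reason) for enabled badges the directory no longer backs."""
    findings = []
    for b in badges:
        if not b["enabled"]:
            continue
        person = directory.get(b["owner"])
        if person is None:
            reason = "no directory record"
        elif person["status"] != "active":
            reason = "owner " + person["status"]
        elif person["access_end"] is not None and person["access_end"] < today:
            reason = "access expired " + person["access_end"].isoformat()
        else:
            continue  # badge is still backed by an active, unexpired record
        findings.append((b["badge"], reason))
    return findings


if __name__ == "__main__":
    for badge, reason in badges_to_revoke(DIRECTORY, BADGES, date(2011, 10, 1)):
        print(badge, reason)
```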

Lowering door cable costs. Traditional physical access control systems require bringing power to each door reader and lock. Some IP gateway readers, door locks and readers can receive Power over Ethernet (PoE) from network switches over standard Cat-5 or Cat-6 cabling. This can reduce installation costs by up to several hundred dollars per door.

A single unified physical infrastructure and managed cabling system can also increase availability, because you can use commercially available uninterruptible power supplies for backup power. The central UPS eliminates the need to install batteries by each door.

The right IP-based physical access control system can reduce risk and help the business continue to operate in the event of a disaster. Look for a solution that:

  • Encrypts credentials and identity in the server, over the air and over the wire;
  • Unifies your security system with IP video surveillance and IP incident response systems;
  • Provides high availability, both at the edge and on the network;
  • Integrates the network edge with local systems, using URL actions;
  • Takes advantage of your existing IP network with networked controllers and a common database;
  • Reduces door cabling costs by connecting to Cat-5/Cat-6 cabling; and
  • Supports network power such as PoE.

This article originally appeared in the October 2011 issue of Security Today.

