News Archive

IP Angle

by msecadm4921

Roger Hockaday, Director of Marketing, Aruba Networks EMEA, discusses wireless LANs.

From schools to hospitals, from the factory floor to the retail floor, video surveillance has become big business. Commercial organisations and educational institutions are using video surveillance to secure premises, protect employees, and ensure compliance – and increasingly it is implemented over Wireless LANs to take advantage of lower costs, greater security, and new applications not previously available.

Video surveillance running over wired or wireless LANs, more correctly known as ‘IP Surveillance’, has proved its value in:

• Providing real time monitoring of premises (public and private)
• Remote asset security and monitoring (both fixed and mobile)
• Ability to record movement in the environment for later compliance reporting and evidence gathering

But the most intriguing aspect of IP surveillance is not even shown in the latest James Bond movie – that of live video streaming to a handheld device.

Following the previous shootings on educational campuses, it has become clear that the ability to see live video streams of what is happening inside a room can greatly assist the emergency services responding to an incident. The ability to stream live video taken from a specific camera over a wireless network to a security officer’s laptop or PDA is of great benefit. It allows them to assess the situation remotely before entering a building and has become an essential application combining wireless LAN solutions with IP surveillance. It is a use of IP surveillance technology that is only possible over a wireless LAN.

Why IP and why now?

Implementing an IP surveillance solution over wireless rather than wired LANs significantly lowers the cost of the solution, bringing it within the reach of many organisations that would not have previously considered video surveillance to be cost effective.

The combination of lower cost together with the ability to stream live video feeds to any part of the site – whether it is a railway platform on a station, or a corridor outside a room – makes IP surveillance over WLANs a ‘must have’ application for many organisations.

Third and Fourth generation video surveillance solutions (typically known as IP surveillance) differ from earlier solutions in that they use existing wired and wireless data networks to transport the video stream, rather than a separate co-axial cable infrastructure. Digital IP video cameras (and analog if fitted with a codec) may be either wired or wireless. If wireless they will invariably support 802.11b/g (in the 2.4GHz spectrum) or more unusually 802.11a (at 5GHz), and a wireless access point can easily support the traffic bandwidth requirements from multiple cameras.

IP Surveillance typically uses digital cameras rather than analog cameras, offering better zoom (hence fewer cameras are required to cover a given area), finer resolution, and sophisticated image capture and processing enabling it to be used for a wide variety of applications from evidence gathering to remote sensing solutions – including the monitoring of motion, sound and temperature.

Cutting costs in half?

Although it is perhaps obvious how a wireless camera benefits from a wireless infrastructure, it is perhaps surprising to many that wired camera implementations also benefit greatly from the installation of a wireless infrastructure and consequent reduction in installation costs.

In existing wired networks, each camera uses an Ethernet switch port, usually in a wiring closet, and each camera is installed as an individual component on the network. However, with some wireless networks, wireless access points support multiple wired Ethernet ports, allowing additional devices (in this case a wired IP surveillance camera) to be attached to the access point. Given that it is likely that IP surveillance cameras will be located close to (or next to) a WLAN access point, it is quite feasible to utilise the spare Ethernet port on the access point, saving on a switch port and the required cable.

In an IP surveillance implementation, 20 to 25 per cent of the costs of the solution are typically associated with the surveillance infrastructure (cameras, management software etc), but the majority of costs come from the professional services of installation and set-up. Installing an IP surveillance solution at the same time as a WLAN, co-locating camera and access point, and using a single run of cable back to the supporting Ethernet switch, can cut installation costs in half, bringing IP surveillance within reach of many that otherwise could not have afforded it.

Quality of Service (QoS)

As previously outlined, unlike other real time applications such as voice and video, IP surveillance actually comprises two applications:

• Recording – consisting of upstream traffic from the cameras to the storage servers, which is loss sensitive. High traffic loss would result in missing data, corrupting the legitimacy of the recording, rendering it worthless for legal or compliance monitoring purposes.

• Monitoring – consisting of downstream traffic from the cameras / servers to the PDA or laptop located elsewhere in the facility or campus. Monitoring traffic cannot tolerate a latency of more than a few seconds.

For all real time traffic (video or voice), QoS needs to be enforced to indicate the relative priority of the traffic to all the network components to prevent data loss and reduce delay and latency.

Encryption and security

Wired IP surveillance cameras typically do not encrypt traffic from the camera to the server. Best practice, particularly when dealing with video images of members of the public or from people who may not have given their consent, is to encrypt all images. In practice, however, the nature of a switched network means that point-to-point video flows are unlikely to be compromised while on the network, and many consider encryption of video traffic on wired networks unnecessary.

Unlike a wired camera implementation, in a wireless network the connection from the camera to the network is over a shared medium, and video traffic from the camera to the access point should always be encrypted to prevent unauthorised viewing of the stream. If video traffic is not effectively secured:

• Video may be intercepted by unauthorised people, compromising privacy, and even worse, the very security it was supposed to provide.

• Unsecured traffic entering the network may provide an open port for hackers to ‘hijack’ the data stream compromising the security of the network.

Unfortunately, many cameras only support WEP encryption, which is inherently insecure and can be compromised relatively easily. Some cameras support WPA-PSK encryption, which although harder to compromise than WEP, is still significantly less secure than WPA-2. For many users, basic encryption of upstream video (from camera to server) may be adequate to prevent unauthorised viewing. However, a hacker determined to enter the network can use a non-encrypted or lightly encrypted stream to hijack the camera’s identity or credentials and enter the network. For this reason it is essential to terminate any data stream (video or otherwise) on a per-user (or per-device) policy-based firewall. Such a firewall identifies the device from which data is received and ensures that only the expected type of traffic enters the network from that device. In the case of a camera, the firewall would prevent any traffic other than H.323 from entering the network – blocking all HTTP, FTP, TFTP and other unexpected traffic types.

A significant benefit of implementing the firewall within the wireless infrastructure particularly relates to the use of mobile cameras – a mobile camera can enter the network from any point (any wireless access point or even a wired Ethernet socket) and the exact same security policy would apply to the camera irrespective of location. This is significantly more difficult to achieve with an external firewall.
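The per-device policy described in the two paragraphs above, sketched as an added example (not code from the article or from any vendor product): each flow is checked against the role bound to the sending device, with default deny, wherever the device attaches. The MAC addresses, ingress names and the mapping of H.323 to TCP 1720 and UDP 1719 are assumptions made for illustration.

```python
from collections import defaultdict

# Role policy: (protocol, destination port) pairs a role may send into the network.
# Assumption: H.323 is represented by H.225 call signalling (TCP 1720) and RAS
# (UDP 1719); dynamically negotiated media ports are not modelled here.
ROLE_POLICY = {
    "camera": {("tcp", 1720), ("udp", 1719)},
}

# Device identity -> role (constructed MAC addresses). The role follows the
# device, not the access point or switch port it happens to connect through.
DEVICE_ROLE = {
    "00:11:22:aa:bb:01": "camera",
    "00:11:22:aa:bb:02": "camera",
}

# Constructed flow records: device MAC, ingress point, protocol, destination port.
SAMPLE_FLOWS = """\
00:11:22:aa:bb:01 ap-lobby tcp 1720
00:11:22:aa:bb:01 ap-carpark tcp 1720
00:11:22:aa:bb:02 ap-lobby tcp 80
00:11:22:aa:bb:02 wired-sw3 udp 69
00:11:22:aa:bb:02 ap-lobby tcp 21
de:ad:be:ef:00:09 ap-lobby tcp 1720
"""

def evaluate(flow_text):
    """Return (permitted, denied); denied maps device MAC -> list of reasons."""
    permitted, denied = [], defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        mac, ingress, proto, port = line.split()
        role = DEVICE_ROLE.get(mac.lower())
        if role is None:
            # Default deny: a device with no bound role gets nothing through.
            denied[mac].append(f"unknown device at {ingress}")
        elif (proto.lower(), int(port)) not in ROLE_POLICY[role]:
            denied[mac].append(f"{proto}/{port} not allowed for role {role} at {ingress}")
        else:
            permitted.append((mac, ingress, proto, int(port)))
    return permitted, dict(denied)

if __name__ == "__main__":
    ok, bad = evaluate(SAMPLE_FLOWS)
    for mac, reasons in bad.items():
        print(mac, "->", "; ".join(reasons))
```

A camera identity that starts producing HTTP, FTP or TFTP flows, as the second constructed device does, is the signal that its credentials may be in use by something other than the camera.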

The case of downstream traffic – traffic streamed to a laptop or PDA – has significantly different security requirements. In this case, it is very important to ensure that only authorised users can view the stream, and to encrypt the data so that unauthorised viewing of the video stream cannot occur, particularly over the last part of the connection from the access point to the client (laptop or PDA).

With any networked device, but particularly wireless devices, best practice dictates that the clients are authenticated onto the network using 802.1X / RADIUS (which can be an integral part of the wireless infrastructure, or part of a more widely deployed security infrastructure). WPA-2 encryption of data (rather than the less secure WEP or WPA) should be implemented for all wireless devices, whether or not they are used to receive video traffic. In any case, such a combination is relatively easy to implement and provides the greatest level of security.

The importance of simplicity

Most vendors of IP surveillance solutions recommend the use of VLANs to isolate the video surveillance traffic from campus traffic in an attempt to contain broadcast domains. Using VLANs for broadcast traffic containment is good practice, but depending on the number of cameras and location of the cameras on the network, it can result in a ‘VLAN explosion’ and a major reconfiguration of the edge of the network to extend the selected video VLANs across the entire network. As with many other applications, it is better to extend a single wireless SSID across the network for the video application, (securely) tunnel all the video traffic back to the core of the network (where the firewall resides) and only associate the video traffic to a VLAN in the core. This approach combines simplicity of deployment and management with the highest security.

How much bandwidth is enough?

The advent of 802.11n offering 5-10 times as much bandwidth as conventional WLANs seems to offer the perfect solution for IP surveillance. While it is true that the additional bandwidth doesn’t hurt, it is rarely necessary to support a small number of cameras per access point.

Compression of video traffic is a trade-off between the bandwidth and storage space required, the quality of the digital video images, and the cost of the compression. Higher compression rates result in lower throughput and storage needs, but also adversely affect picture quality.

For most IP surveillance applications, MPEG-4 is suitable. However, where image resolution is essential – for example in evidence gathering – MJPEG is preferred, and also has the advantage of being cheaper in terms of the video camera. A video stream will typically take between 8kB per frame (MPEG-4, VGA quality) and 450kB per frame (MJPEG10 at 2084×1536). Video frame rates of between 10-15 frames per second are considered an acceptable minimum, resulting in typical bandwidth use of between 64kbps and 34Mbps. Clearly a very high resolution video stream would effectively utilise the entire bandwidth available from a wireless access point, but it is much more common to use bandwidths of the order of 1Mbps or less (typically resulting in a day to day storage capacity requirement of 1GB per camera).

Wireless LAN technology is an infrastructure perfectly suited to the deployment of IP surveillance. It dramatically reduces the cost of implementation, it makes the solution more secure, and allows new applications to be deployed that otherwise could not be delivered. For the majority of implementations, bandwidth is more than sufficient even on a network shared with other data and voice applications, and deployment at the same time as the wireless network can bring significant cost savings.


© 2024 Professional Security Magazine. All rights reserved.
