Routers to market

Internet Protocol (IP)-based networks are an amazing communications medium, and one of the fastest growing technologies in the world today. They allow us to surf the Internet, conduct banking transactions, communicate via e-mail and purchase goods online.

As such, commerce is now almost entirely dependent on IP. Even our military defence systems run on it. However, within the UK security sector we are in danger of scaring ourselves that this is an unsound technology not suitable for our industry.

In last December's edition of Security Management Today (SMT), BT redcare Fire and Security's chief executive Steven Alton raised doubts about the use of IP for alarm systems (‘Alarms-over-IP: an alternative vision for users', Opinion, pp13-14). While conceding that IP delivers "wonderful flexibility and versatility", Alton adds that "in doing so it also presents an enormous security headache".

Does this mean that the billions of daily credit card transactions are unsafe and insecure, and that the multi-million pound investment banks have ploughed into these commercial systems has been wasted as it is too risky for them to even run alarm systems across these networks?

I suspect that anyone in the security industry reading the BT redcare view on life might well consider Steven's opinion on the future as yet another piece of shroud waving. Moreover, this shroud happens to be a little frayed at the edges, and - it can be argued - has some rather large holes in it.

IP is already far too important to our private and business lives for such a misleading viewpoint to be propagated. The security industry - and the discerning readers of SMT - deserve a balanced appraisal such that they might reach a sound conclusion on their own.

Cost-effectiveness is key

The security market is ready to adopt IP as a medium for alarm signalling, but if we as communications providers are to meet this opportunity then it must be achieved cost effectively. In my view, an extension of expensive, centrally-controlled and monitored systems will not be acceptable to end users in trying to attain this goal. I would be the first to admit that, as a provider of IP security products, I'm just as biased as Steven Alton in promoting security systems, but at least let us have a reasonable discussion about IP.

It's true that there are areas of concern with this communications medium we all need to be aware of, but a reasoned view of the technology will quickly identify that other industries have already solved these problems. We need to be conscious of these aspects, not scared off by half-truths and apocryphal stories of network hacking. After all, are our high security banking and defence industries really so wrong to be using IP?

In his original article, Steven Alton appears to have overlooked the fact that there are many companies offering managed network services. Ironically, one of the largest is BT, which designs and manages networks that many of our major organisations use in the UK. BT sells this technology on the basis of its security, speed, reliability and cost-effectiveness.

Let us look at some of the points raised in last December's edition, but with a reasoned perspective of what is really happening in the IP business world (and for the security industry outside of the UK).

IP aspects in detail

The Opinion article suggests that IP networks require "minute and ongoing network management (and change control) to keep them secure and up-to-date against the latest risks and thefts." However, most large and medium-sized companies have already installed such management systems, or have employed network management companies like BT to provide such assurances.

Banks, retail organisations and many others have invested heavily in IP, including the required management systems, and now rely on them for their commercial and financial transactions. Millions of these transactions are passed across IP networks every day, with a high degree of reliability and security. If the network infrastructure was not secure and reliable, then business would not use it.

Does BT redcare really believe that our major institutions did not evaluate IP risks before committing all of their business on it? And does BT redcare seriously believe that those of us that have spent many years developing IP security products have not considered the risks involved, and built appropriate measures into our systems?

The December Opinion article cites the risk of denial-of-service attacks. Has nobody mentioned that there are procedures in place within most networks to prevent such actions, and that these are being constantly refined and improved? IP networks can also deal with this threat by using alternate routing of alarm signals (for example, via traditional ISDN/analogue paths or optional GSM/GPRS). It is actually far easier to launch a denial-of-service attack on a PSTN line to an alarm panel or an ARC (monitoring station) receiver than it is on an IP equivalent!

Business sectors such as banking and retail are not just happy with the reliability of their IP networks and their day-to-day management. They are actively looking towards IP for other applications (including security). With the important issues of security and reliability having been adequately addressed, businesses are interested in recouping their investment in IP infrastructures by adding value to the networks they already use.

The myth about routers

Comparing the UK with the rest of Europe (where IP is an already established communications method), we seem to be frightening ourselves away from this technology. For example, there is an apparent preoccupation among those looking at the requirements for use of IP in British security applications that is not a concern in the rest of Europe. This centres on the dubious concept of where the ‘router' should be.

In analogue alarm systems using PSTN phone lines, the power that comes from the BT line provides a route into the alarm panel (enabling the subscriber STU to operate, using battery back-up in case of mains power failure). IP is different in this respect, yet some of those examining IP have concluded that the ‘router' should be housed within the panel.

This conclusion is based on a number of misleading points. For example, what is a ‘router'? Is it the ADSL modem, the DHCP server or a simple IP switch? This may seem trivial, but questions like this have important implications. If the wrong definition is selected, insurers will be accepting a less-than-ideal situation in the future.

To clarify this point, if the end user has an ADSL line then an ADSL modem and a DHCP server would be required within the system. If the user has a digital IP network via cable or fibre, then an ADSL modem would certainly not be required and probably not a DHCP server either. Finally, if an IP network such as GPRS is used then neither an ADSL modem nor a DHCP server is needed.

Rather than a preoccupation with site power, and misleading concepts of what constitutes a router, is it not better to look at the IP network in its totality?

Many companies have very secure networks with resilience, power back-up and managed network security (even managed by BT). These are perfectly adequate for IP alarm systems. In other cases, it is far more efficient to use alternate routing via a path such as GPRS rather than employ complex and expensive special ‘routers' for IP alarm systems which will probably need extra telecom lines ( defeating the objective of using existing networks).

We must stop setting up more committees as talking shops to prevent progress, and most certainly cease putting up what appear to be specious barriers to adopting new technologies

According to Steven Alton, central to the whole security debate is the fact that most IP signalling solutions do not control the complete signalling path, end-to-end, from customer STU to Alarm Receiving Centre front end. He adds that the IP ‘bit in the middle' is actually operated by a whole variety of different, independent service providers.

Finally, Steven also states that IP signalling solutions providers tend to like to position themselves as alarm transmission system (ATS) providers when, in truth, they are little more than alarm transmission equipment (ATE) providers. Once again, there are some rather large holes in this shroud that BT redcare appears to be waving in an attempt to make clients use only its service.

There are three aspects where its basic premise is questionable. The deregulation of telecomms started many years ago in the UK, of course, and our networks are not all operated to BT exchanges. A ‘BT redcare only' solution will not only be unacceptable but unavailable to many organisations in the future.

If BT redcare expects its own IP service to be based only on BT lines, then it will have minimal commercial value as the market today needs (and must have) a more generic solution independent of BT. If, however, BT redcare's IP offering is an open IP solution then Steven's arguments on control fail for the future.

Control of signalling paths

BT redcare claims it has a special benefit as it ‘controls' the network rather than ‘monitors' it. How true is this statement? While BT redcare has a special benefit on BT lines, not all of us have these today.

What about the GSM links that Steven Alton claims as a benefit? Does BT redcare really have ‘control' over all the radio paths of a network that BT does not now own, or does it really just monitor (as do other systems)? Although BT redcare claims to control lines, as an ATS provider, in effect it will only report failures - just like other systems which Steven appears all-too-quick to criticise.

Surely, in reality BT redcare can only claim to be the same as other systems being offered by independents like Chiron in that it provides similar end-to-end monitoring, with some benefits only for those who use BT lines. The high ground of trying to differentiate between ATS and ATE for alarm monitoring is in the past.

End-to-end monitoring

BT redcare claims it is the only system to provide end-to-end signalling. This is disingenuous to the alarm industry and companies such as ours, the developers of monitoring systems which meet the EN Standards for true end-to-end monitoring. Again, this would seem to be BT redcare waving a lace shroud, claiming it is the only one to provide full services.

While I agree with Steven Alton's reservations about those who say they meet the relevant EN Standards but are not independently evaluated, there are noted absences in his claims of approvals. In his separate Letter to the Editor (‘There is much cause for alarm with IP', December 2005, pp16-19), it's interesting that Steven only mentions BT redcare's approvals to EN 50131/PD 6662 and not the more detailed EN 50136. Within this latter specification there are other elements in terms of defining encryption systems and response times. He also notes that BT redcare is rated only to ATS 5 on the primary (landline) path and ATS 4 on the secondary (radio) path. This is not the highest standard.

EN 50131 and EN 50136 lay out parameters for all security monitoring systems. By this means, IP network providers can offer systems - such as IP over corporate LANs, private ADSL, GPRS and Virtual Private Networks - that both conform to these standards and work across PSTN and ISDN routes.

Steven's Letter To The Editor also comments on the lack of an obvious way in which to establish the EN Grade of the Internet part of the signalling process. He states that it has become common practice to assume - for the purposes of the Grading process - that the IP network element of the signalling path will always be performing at 100%.

To answer this significant point, that is why IP systems provide a high level of built-in and cost-effective security using alternate routes. No network is 100% safe or reliable. Even BT redcare is prone to the odd JCB digger or a burglar with wire cutters! The only way to ensure security is to build in alternate routeing and, in doing so, that is why IP system providers are Graded as ATS and not just ATE.

However, such tit-for-tat point scoring of who has what is not doing our industry any good. If the security sector is to move ahead we need a level playing field on approvals and what they mean to our industry. Surely we should be looking for a clear and fair lead on this matter from BT redcare, our largest monitoring company?

In Europe there is a clear system of insurance approvals, and the EN Standards are there as a benchmark. Should BT redcare not be calling for adoption of the current standards and a clear approvals regime by recognised bodies that clarifies rather than muddies the concepts of security monitoring?

Only by having a level playing field can we keep up with the trends in Europe. Manufacturers across Europe are developing a variety of products. In the UK we have a stark choice. Do we keep denying that IP exists and label it as a risk, or embrace this new technology and work positively to exploit its operational advantages?

IP has well and truly arrived

We should recognise that IP has arrived and that industry is run on it. We must stop setting up more committees as talking shops to prevent progress, and most certainly cease putting up what appear to be specious barriers to adopting new technologies. Europe is ahead of us, so surely BT redcare should offer a positive lead in obtaining a level playing field in the UK, alongside our insurance businesses, to introduce new technologies that meet accepted EU Standards?

While all standards can be improved, the current versions of EN 50131 (in conjunction with the latest issue of EN 50136) offer a good starting point for the adoption of IP security systems. We do, however, need to work actively on developing these ‘blueprints'.

Let us now recognise the benefits of IP networks for alarm transmission, and forge an agreement within the security industry that uses IP as its base point - as has already happened in the rest of Europe.

Ian Tredinnick is managing director of Chiron Technology