Security Problems and Solutions of TCP/IP Access Control System
Access control systems that communicate over TCP/IP offer fast communication, no distance limit beyond the reach of the network, easy access to network resources, and a large number of controllers per system. They have become the mainstream product choice for large-scale access control projects and for remotely managed access control projects.
The performance and convenience of a network access control system built on TCP/IP communication services are unmatched by bus-based access control systems such as RS485 and CANBUS.
When customers adopt a network access control system, the supplier tells them only about the convenience of network-based management and the good user experience, not about the security risks that arise in use, and so hidden safety hazards are planted from the start.
TCP/IP is the most widely used family of network communication protocols and has strong communication capabilities, but TCP/IP packets are very easy to monitor and intercept with readily available software while in transit, and a TCP/IP conversation on the network is easy for a third party to eavesdrop on or modify. When an access control product sends its messages in plaintext with no authentication, the main consequence is that the access rights held in the system and the administrator's user information and password are very easy to intercept. The most serious danger is that legitimate communication may be modified: modified messages can be used for illegal entry and exit, and real-time alarm events can be intercepted and blocked, causing immeasurable losses to the customer's safety.
TCP/IP packets can be intercepted and acted upon in many ways. One example is redirecting traffic, for instance by spoofing address resolution on the local segment, so that hosts on the network change the address to which they send packets in the middle of a conversation.
A saboteur who wants to take over the conversation may use such a method to set up a relay. The relay can sit anywhere in the network, even far away from the client system. It can adjust traffic in real time or record packets for later analysis, and it can change the content of the communication as it passes through.
Obtaining the content of the communication requires only a passive packet monitor (often called a packet sniffer). Combined with a relay, the sniffer hands the saboteur a recording of the network information.
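To make the threat concrete, here is an added example in Python (not code from the page or from any product it names) that models the two relays described above: one that rewrites a door-open command in transit and one that silently drops an alarm event. It contrasts a controller that obeys plaintext commands with one that requires a per-controller HMAC and a rising sequence number on every message. The message format, the shared key, the door and card numbers and the class names are all constructed for the demo. A MAC only proves who sent a message and that it was not altered; it does not hide its content, which is what the encrypted transports in the solutions below provide.

```python
"""Plaintext vs. authenticated controller messages (added example; message
format, key and card numbers are constructed for the demo, not taken from any
product). Two relays sit between the management host and a door controller:
one rewrites commands in flight, the other drops alarm events."""
import hashlib
import hmac
import itertools
import re

SHARED_KEY = b"per-controller key provisioned out of band"  # constructed demo key
ATTACKER_CARD = "99999"


# --- plaintext protocol: whatever parses is obeyed -------------------------
def plaintext_controller(wire: str) -> str:
    """Controller that trusts any line of the form 'OPEN door=<n> card=<id>'."""
    fields = dict(part.split("=", 1) for part in wire.split()[1:])
    return f"door {fields['door']} opened for card {fields['card']}"

def rewriting_relay(wire: str) -> str:
    """Man-in-the-middle that swaps the card number for the attacker's card."""
    return re.sub(r"card=\d+", f"card={ATTACKER_CARD}", wire)

def dropping_relay(wires: list) -> list:
    """Man-in-the-middle that suppresses every alarm event on its way upstream."""
    return [w for w in wires if "ALARM" not in w]


# --- authenticated protocol: <seq>|<body>|<hmac-sha256 hex> ----------------
def tag(seq: int, body: str) -> str:
    """HMAC over sequence number and body, keyed with the controller's key."""
    return hmac.new(SHARED_KEY, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()

class Sender:
    """Either end stamps each message with a rising sequence number and a MAC."""
    def __init__(self):
        self._seq = itertools.count(1)
    def send(self, body: str) -> str:
        seq = next(self._seq)
        return f"{seq}|{body}|{tag(seq, body)}"

def verify(wire: str):
    """Return (seq, body) when the MAC is genuine, None if forged or malformed."""
    try:
        seq_s, body, mac = wire.split("|", 2)
        seq = int(seq_s)
    except ValueError:
        return None
    if not hmac.compare_digest(mac.encode(), tag(seq, body).encode()):
        return None
    return seq, body

class AuthenticatedController:
    """Controller that obeys only authentic commands it has not seen before."""
    def __init__(self):
        self.last_seq = 0
    def receive(self, wire: str) -> str:
        checked = verify(wire)
        if checked is None:
            return "rejected: bad MAC"
        seq, body = checked
        if seq <= self.last_seq:          # a captured command sent again
            return "rejected: replay"
        self.last_seq = seq
        return plaintext_controller(body)

class EventMonitor:
    """Management side: verifies controller events and reports sequence gaps,
    which is how a silently dropped alarm becomes visible."""
    def __init__(self):
        self.expected = 1
    def receive(self, wire: str) -> str:
        checked = verify(wire)
        if checked is None:
            return "rejected: bad MAC"
        seq, body = checked
        gap = seq - self.expected
        self.expected = seq + 1
        return f"{body} (gap: {gap} event(s) never arrived)" if gap else body


def demo() -> dict:
    """Run both protocols through both relays and collect the outcomes."""
    cmd = "OPEN door=3 card=10042"
    results = {"plaintext": plaintext_controller(rewriting_relay(cmd))}
    mgmt, ctrl = Sender(), AuthenticatedController()
    genuine = mgmt.send(cmd)
    results["auth_tampered"] = ctrl.receive(rewriting_relay(genuine))
    results["auth_genuine"] = ctrl.receive(genuine)
    results["auth_replay"] = ctrl.receive(genuine)
    ctrl_events, monitor = Sender(), EventMonitor()
    events = [ctrl_events.send(b) for b in
              ("DOOR_OPEN door=3", "ALARM door=7 forced", "DOOR_CLOSE door=3")]
    results["events"] = [monitor.receive(w) for w in dropping_relay(events)]
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

Run it directly to print the outcomes. The sequence counter is what makes the dropped alarm detectable: a relay that cannot forge MACs cannot renumber the remaining events, so removing one leaves a hole in the numbering. In a real deployment the key is provisioned per controller, and the last accepted sequence number must survive a controller reboot, or the replay check starts over.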
At present, 99% of the TCP/IP access control products deployed in high-security sites such as subways, airports, banks, unattended computer rooms, enterprises, telecommunications and electricity utilities, the military and government agencies have no network-layer anti-intrusion security mechanism. Because the customer does not understand that illegal intrusion is possible at any time, an attack, once it happens, directly threatens the customer's normal operation and may even cause significant loss of life and property. Solving the security problem of the TCP/IP access control system has therefore become an urgent matter.
The following summarizes the company's more than ten years of experience in large-scale network access control projects and product development as 2 types of solution, with 3 specific cases analyzed with diagrams.
Solution 1: Solve by network design method
Case 1: Transmit the access control system's communication through a VPN tunnel, as shown in Figure 1. This method removes the threat from illegal computers outside the VPN tunnel. Its disadvantage is that attacks from illegal computers inside the VPN tunnel, that is, from any host on the networks the tunnel joins, remain possible.
Figure 1. Method of using a VPN network channel
Case 2: Equip each controller with its own VPN device. The advantage is that every device in the system has an independent secure channel, which effectively removes the threat of both internal and external computer attacks. The disadvantage is that both the investment cost and the maintenance cost are very high.
Figure 2. Method of configuring an independent VPN for each device
Solution 2: Use high-security network access control products
Case 3: Use an access control system with SSL-encrypted communication, such as the Siemens SIPASS access control system, or the Digitalor 2006e access control system and DCU32X series controllers of Digiman's company, which are the most secure large-scale network access control security systems in the world. The communication service of these products uses SSL encryption: all traffic between the communication service software, the management clients and the controllers passes through strict security mechanisms of SSL encryption, decryption and identity verification, the same SSL technology that secures Internet banking. The protection depends on the identity-verification step: each side must check the certificate the other presents, otherwise a relay can terminate the SSL session itself and the encryption gains nothing. A comprehensive system security mechanism of this kind protects the customer in a complex network environment. The feature of this solution is that it meets the customer's requirement for high security across the whole system while costing relatively little, and it also saves considerable use and maintenance cost, which makes it a very worthwhile solution. The Digitalor 2006e system has been successfully deployed for remote operation between the Beijing headquarters of the China International Electronic Commerce Center of the Ministry of Commerce and more than 50 of its branches, and at the Urumqi branch of the Industrial and Commercial Bank of China, the Shenzhen branch of the Agricultural Bank of China and the Shenzhen branch of China Unicom; these applications have been recognized by customers.
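As an added example (not the page's own material or any vendor's code), the following Python shows what "SSL encryption with identity verification" has to mean in the configuration of both ends of such a link, using the standard library ssl module. The legacy context is built first to show the weak setting, then the hardened contexts for the management host and for the controller; audit_tls_context() returns the findings a reviewer would raise against a context. The role names, the function names and the certificate file parameters are assumptions for illustration; the certificates themselves must be provisioned from the site's own CA.

```python
"""TLS posture for access-control links: the weak setting beside the corrected
one (added example; role and function names are assumptions, certificate file
names are placeholders for material provisioned from the site's own CA)."""
import socket
import ssl
from typing import List, Optional


def legacy_client_context() -> ssl.SSLContext:
    """'SSL encryption' as often shipped: ciphertext on the wire, identity unchecked.
    A relay can terminate this session with any certificate and re-originate it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                              # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                         # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # old protocol versions allowed
    return ctx


def hardened_context(role: str, ca_file: Optional[str] = None,
                     cert_file: Optional[str] = None,
                     key_file: Optional[str] = None) -> ssl.SSLContext:
    """Context for the management host ('client') or the controller ('server').

    Both roles verify the peer against the site CA and present their own
    certificate, so a relay without a CA-issued certificate cannot sit in the
    middle. With no ca_file loaded every handshake fails, which is the safe default.
    """
    proto = ssl.PROTOCOL_TLS_CLIENT if role == "client" else ssl.PROTOCOL_TLS_SERVER
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED     # on the server this demands a client certificate
    if role == "client":
        ctx.check_hostname = True           # the controller's certificate must name the controller
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def audit_tls_context(ctx: ssl.SSLContext, role: str) -> List[str]:
    """Findings a reviewer would raise against a context; an empty list is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required: a relay can impersonate the other end")
    if role == "client" and not ctx.check_hostname:
        findings.append("hostname check disabled: any CA-issued certificate passes for any controller")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


def open_controller_session(host: str, port: int, ctx: ssl.SSLContext,
                            timeout: float = 5.0) -> ssl.SSLSocket:
    """Connect to a controller with the given context; raises if verification fails."""
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)   # server_hostname feeds check_hostname


if __name__ == "__main__":
    print("legacy  :", audit_tls_context(legacy_client_context(), "client"))
    print("hardened:", audit_tls_context(hardened_context("client"), "client"))
```

The audit is the check to run against any product that advertises SSL: a context that encrypts without CERT_REQUIRED, or a client that skips the hostname check, protects against the passive sniffer but not against the relay described earlier.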
Figure 3. Schematic diagram of a Digitalor 2006e access control system with SSL encryption