Network Segmentation For Video Surveillance Systems

Designing a robust video surveillance system is often full of traps and pitfalls that can leave an integrator frustrated with both performance and overall functionality of the surveillance system. While engineers typically design the VMS platform in a simplified network infrastructure, real-life deployments are anything but simple.

Based on the scale, expected growth, and required level of availability, systems integrators face decisions about network segmentation. Creating Virtual Local Area Networks, or VLANs, is not a new concept to the industry. For years integrators have been trying to decide when to segment surveillance networks, walking a fine line between increased complexity and improved system performance.

What is Network Segmentation?

As the name suggests, network segmentation is the practice of dividing a computer network into smaller segments, thereby separating systems and applications from each other. If systems have no interaction with each other, there is no need for them to be on the same network. If they are, it just makes it easier for a hacker to gain access to everything once the perimeter defenses are breached. Network segmentation can also help to boost performance: with fewer hosts on each subnet, local traffic is minimized. It can also improve monitoring capabilities and help IT teams identify suspicious behavior.

Network Segmentation Benefits

  • Reduced congestion: Improved performance is achieved, because on a segmented network there are fewer hosts per subnetwork, thus minimizing local traffic
  • Improved security:
    • Broadcasts will be contained to the local network. Internal network structure will not be visible from outside.
    • There is a reduced attack surface available to pivot in if one of the hosts on the network segment is compromised. Common attack vectors such as LLMNR and NetBIOS poisoning can be partially alleviated by proper network segmentation, as they only work on the local network. For this reason it is recommended to segment the various areas of a network by usage. A basic example would be to split up web servers, database servers and standard user machines, each into their own segment.
    • By creating network segments containing only the resources specific to the consumers that you authorise access to, you are creating an environment of least privilege
  • Containing network problems: Limiting the effect of local failures on other parts of network
  • Controlling visitor access: Visitor access to the network can be controlled by implementing VLANs to segregate the network

The effects of network segmentation on IP Camera Performance

In the early days of networking, IP packets flooded throughout the network, and individual network nodes were responsible for determining whether the traffic matched their own physical address and should be gathered in and processed.

Aside from the obvious security concerns, there were performance issues to consider as well. As the number of devices on a network increased, there was an exponential increase in the amount of network traffic processed by those devices, leading to a decline in functionality and performance.

Remember, even if the traffic was not intended for your own physical address, it would still be handled.

Localized broadcast, unknown-unicast, and multicast (BUM) traffic generated by the devices is sent to all network switch ports in the VLAN and, in turn, handled by every device within that VLAN, making communication quite inefficient.

The increase in traffic can raise the processing load on the CPU of the IP camera. As CPU utilization increases, the camera can become less responsive, leading to delayed PTZ control, degraded video, or complete loss of communication with the camera.

Often integrators complain about the performance or stability of the VMS platform they are using. They complain about cameras becoming unresponsive, dropping offline, and experiencing degraded video quality. In almost every case, the blame falls toward the VMS vendor or the IP-camera manufacturer, when nothing could be further from the truth.

After months of frustration and open technical support tickets, there is little to no resolution of the issue. The fact is, there are too many cameras on the same network to conduct efficient communications.

A quick segmentation of the network reduces the traffic within the broadcast domain and lowers the stress on the network sub-system. In turn, the CPU elevation at the IP-cameras will dissipate, and performance will stabilize.

In the end, it had nothing to do with either the VMS platform, or the IP-camera, but the underlying logical network infrastructure.
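The two rules discussed above (segment by usage, and keep the number of hosts per broadcast domain small) can be checked against a device inventory. The following Python audit is an added example, not part of the original article; the VLAN IDs, subnets, host roles and the 50-host ceiling are constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: VLAN IDs, subnets, hosts and roles are illustrative only.
SEGMENTS = {
    10: ipaddress.ip_network("10.20.10.0/24"),  # cameras, building A
    20: ipaddress.ip_network("10.20.20.0/24"),  # VMS / recording servers
    30: ipaddress.ip_network("10.20.30.0/23"),  # legacy flat segment
}
MAX_HOSTS = 50  # assumed per-broadcast-domain ceiling; tune to your cameras and switches


def sample_inventory():
    """Return a constructed (ip, role) inventory for the demonstration."""
    hosts = [(f"10.20.10.{i}", "camera") for i in range(11, 41)]   # 30 cameras
    hosts += [("10.20.20.5", "vms-server"), ("10.20.20.6", "vms-server")]
    hosts += [(f"10.20.30.{i}", "camera") for i in range(10, 70)]  # 60 cameras
    hosts += [("10.20.31.15", "workstation"), ("10.20.31.16", "guest")]
    hosts += [("192.168.1.50", "camera")]  # outside every defined segment
    return hosts


def audit(segments, inventory, max_hosts=MAX_HOSTS):
    """Group hosts by the segment that contains them and return a list of findings."""
    members = defaultdict(list)
    findings = []
    for ip_text, role in inventory:
        ip = ipaddress.ip_address(ip_text)
        vlan = next((v for v, net in segments.items() if ip in net), None)
        if vlan is None:
            # Device is not in any planned segment: unmanaged or misaddressed.
            findings.append(("unassigned", ip_text, role))
        else:
            members[vlan].append(role)
    for vlan, roles in sorted(members.items()):
        if len(roles) > max_hosts:
            # Too many hosts share one broadcast domain (BUM traffic hits all of them).
            findings.append(("oversized", vlan, len(roles)))
        if len(set(roles)) > 1:
            # Different usage classes share a segment: wider pivot surface.
            findings.append(("mixed-roles", vlan, tuple(sorted(set(roles)))))
    return findings


if __name__ == "__main__":
    for finding in audit(SEGMENTS, sample_inventory()):
        print(finding)
```

Segments 10 and 20 pass; the legacy /23 is reported both as oversized and as mixing cameras with workstation and guest hosts, which makes it the first candidate to split.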

With the introduction of Layer 3 switching capabilities within the switch chipset (ASIC), routing decisions can be made in hardware without performance loss while maintaining line-rate speed. The benefits of defining or administratively scoping the broadcast domain far outweigh the overhead of ASIC-based routing.

Network Management Is Key

During periods of network congestion, Quality of Service (QoS) capabilities in network switches prioritize and reserve network capacity for mission-critical video. Assigning a high priority to video traffic guarantees its timely delivery. Logically separating different types of traffic on a network is another way to optimize video delivery and increase network security. Virtual LANs (VLANs) divide an IP network into different logical segments. You can use a VLAN to separate video traffic from other data such as IP phones and business applications. Video traffic that is on its own VLAN is easy to manage and prioritize.

Well-Defined Scopes of the Broadcast Domains Define Failure Boundaries in the Network

Any broadcast storm (flooding of traffic or loop in the network) would result in a complete loss of functionality. Every VLAN you define on a network can be viewed as a containment point for broadcast, unknown-unicast, and multicast (BUM) traffic.

In simplest terms, a VLAN can be viewed as a bulkhead on a ship. If there is a breach to the hull of a ship, the bulkheads are put in place to compartmentalize or limit the area that can intake water.

By compartmentalizing the areas of the ship with bulkheads, breaches to the hull are far less fatal, and the ship stays afloat. Imagine a ship with no bulkheads: a small breach to the hull near the bow would lead to a perpetual intake of water throughout the entire ship until it can no longer stay afloat.

When you implement a single VLAN on your network, you are building a ship with no bulkheads, no safety, and no traffic containment. When things go wrong on the network (a loop is induced, excessive broadcast traffic is generated, or network flooding occurs), the result can be catastrophic.

Too often in the physical security world, simplicity is achieved at the cost of functionality. It is tempting to take the switch and cameras out of the box and just plug them in.

But are you really saving money? If you have to roll trucks to the site over the next year trying to resolve video issues that are network related, you might just end up losing money.

While deciding how to segment the network might require some thought and planning, the benefits in both performance and traffic containment are well worth the efforts. As the size and complexity of the surveillance network increase, it is imperative to build an underlying network infrastructure that can support both the growth and anticipated performance.
