Tech Brief | Thenu Kittappa Enterprise Video Surveillance Solution Over the Aruba Infrastructure


Introduction

Video surveillance is the term used to describe the use of cameras and video equipment for surveillance and security. This design guide offers recommendations for deploying third- and fourth-generation video surveillance solutions, which are alternatively known as IP surveillance. Video surveillance as an application has proved its value in:

• Providing real-time monitoring of a facility's premises
• Remote asset security and monitoring
• Ability to record movements in the environment for delayed viewing

With increases in security threats, the need to visually monitor and secure valuable assets and campus premises has become ever more important. In addition, the current generation of cameras is capable of detecting changes in motion, sound and temperature, servers are capable of sophisticated video processing, and advanced camera control allows administrators to tilt, zoom and control resolution remotely. With advancements in such features, video surveillance is gaining popularity in non-traditional areas like measuring traffic flow, detecting accidents on highways, monitoring pedestrian congestion in public spaces, compiling consumer demographics in shopping malls and amusement parks, logging routine maintenance tasks at nuclear facilities, and counting and monitoring endangered species. There are also numerous military applications, including patrolling borders, measuring the flow of refugees in troubled areas, monitoring peace treaties and providing secure perimeters around bases.

Video surveillance has also become easier to deploy. The current generation of video surveillance equipment supports IP. These devices can communicate over any standards-based IP network without requiring a dedicated infrastructure. In contrast, analog systems use dedicated point-to-point cabling from the camera to the viewing/recording station.

Aruba Networks’ converged, secure networks meet the IP deployment requirements of the video surveillance application. Aruba’s application continuity also applies to video applications. With the system’s ability to support data, voice and video on the same network, infrastructure convergence provides management simplification and cost savings. Aruba network architecture for video surveillance has the following advantages:

• High reliability
• High system availability
• Multi-vendor best-of-breed solution support
• Guaranteed QoS
• Secured transmissions
• Secure mobility
• Ease of management
• Reduced operation costs


Components of the IP Surveillance Solution

Figure 1: Components of the IP Surveillance solution. (Diagram labels: Network Storage; Data Recording; Video Management Software; IP Network, Wired / Wireless; Input devices; Monitoring devices.)

An IP surveillance solution basically comprises:

Input devices (i.e., cameras): The cameras can be IP or analog cameras with the appropriate servers to enable management and communication to the cameras.

Output devices (i.e., laptops / handhelds / desktops): These devices have the appropriate management clients installed on them. The clients communicate with the management server to facilitate remote monitoring and management.

Video Management Software: The video management software offers the following functionality – remote camera management, video monitoring, recording and event management. The management software also facilitates recording functions, remote viewing, etc.

Data Recording and Storage: The surveillance data may need to be recorded and stored for future reference based on usage. With network video recorders and digital data storage devices, the recording and storage functions can be decoupled for more efficient deployment. The storage devices can exist in a different location than the recording and video surveillance equipment, providing greater flexibility and redundancy in the deployment model. Alternatively, DVRs can also be used to record and store the video feed collected.

IP Infrastructure: The success of an IP surveillance deployment depends on the IP infrastructure as much as it does on the components of the surveillance solution itself. Being a real-time application, video is sensitive to delay and jitter. The infrastructure has to guarantee the level of QoS requested by the application.


IP Surveillance – Open Ecosystem vs. Closed Systems

Once the decision to enable video surveillance on the network is made, the first question that most IT and security managers face is, “Should the solution be open standards-based or a single-vendor solution?” The open ecosystem standards-based solution has the following advantages:

• Best-of-breed products
• Latest technology updates
• Standards-based and hence guaranteed and predictable behavior. This extends not only to the various components of the IP surveillance solution, but also to interoperability between the infrastructure and the equipment.
• Flexibility to choose solutions that best meet the needs of the deployment on a location-by-location basis rather than modify the requirements to work around the limitations of the closed system products.

IP surveillance is also an attempt to move towards a converged infrastructure capable of supporting the various networked applications running effectively. To accomplish this, the infrastructure should:

• Be capable of not only supporting video surveillance, but also other applications like voice, RFID, etc.
• Be capable of offering the capacity and connectivity models that the video surveillance applications demand
• Be standards-based
• Offer the right security levels to ensure that the network and the devices are not vulnerable to security attacks.

Understanding the Infrastructure Needs to Support Video Surveillance

QoS and Traffic Patterns

Unlike other real-time applications like voice and video, video surveillance comprises two applications:

Monitoring: Monitoring is normally downstream traffic and is delay- and latency-sensitive. Monitoring normally cannot tolerate a latency of more than a couple of seconds.

Video recording: Video recording is upstream traffic from the cameras to the servers and is loss-sensitive. High traffic loss would result in missing data, rendering the recording useless.


For all traffic, QoS needs to be enforced to indicate the relative priority of the traffic to the network components to prevent loss and to reduce delay and latency. On the Aruba system, QoS is enforced based on the traffic type or the device type.

Figure 2: Traffic Patterns. (Diagram labels: Video Management; Aruba Controller; Video Recorders / Storage. Traffic from the cameras to the server is primarily upstream. Application traffic to the management devices from the servers is primarily downstream.)

Wired QoS is enforced by setting the ToS and CoS bits on the video traffic to indicate the priority levels required for the video traffic. Wireless QoS is enforced using strict queuing mechanisms for wireless cameras that do not support WMM, and WMM/802.11e for WMM-compliant devices.

Bandwidth Requirements

The number of cameras that can be deployed per connection or per AP depends on the following factors:

• The connection of the link (wired port or wireless AP)
• The bandwidth allocated for the non-video surveillance applications
• Per camera bandwidth requirement


Figure 3: Bandwidth Requirements. (Diagram labels: Bandwidth available, per port or per AP; Bandwidth required for the video application; Bandwidth allocated for other applications like voice or data; Type of application; Number of devices; Number of cameras; Bandwidth required per camera; Resolution; Frames per second; Compression; Frame size.)

VLANs and Networking

Most vendors recommend the use of VLANs to isolate the video surveillance traffic from campus traffic in an attempt to contain the broadcast domains. Using VLANs for broadcast traffic containment is a good practice, but depending on the number of cameras and the location of the cameras in the network, this could result in VLAN explosion and a major reconfiguration of the edge network to extend the selected few video VLANs across the entire network. A more graceful approach is the use of Aruba’s APs and access concentrators. When using these devices, the video surveillance VLANs need not be configured on the edge. These VLANs reside on the Aruba Mobility Controller sitting in the core along with the NVRs and the storage devices. The APs and the concentrators tunnel all the video traffic back to the Controller where it is switched or routed out as required.

Security – Securing the Camera and the Client

Security is of prime concern in the case of video surveillance due to the sensitive nature of the traffic being transmitted. Often, dedicated VLANs are used in an attempt to secure traffic. Using dedicated VLANs is advantageous from a broadcast domain containment perspective.


Some common methods to secure traffic:

Connection Type: Wired LAN
Security Enforcement: Limit access by device type.
Aruba Solution: Treating the cameras as un-trusted users and limiting access based on MAC auth. Role enforcement.

Connection Type: Wireless LAN
Security Enforcement: Enabling the highest level of encryption and authentication supported by the cameras. Limiting access based on device.
Aruba Solution: Wi-Fi encryption and authentication. Limiting access rights based on the authentication state based on roles.

Connection Type: Wired WAN
Security Enforcement: Securing traffic from the AP that the camera is connected to all the way to the head office core network where the traffic is destined.
Aruba Solution: Mobile APs are capable of encrypting the traffic across the WAN from the AP to the controller.

Connection Type: Wireless WAN
Security Enforcement: Enabling the highest level of encryption and authentication supported by the cameras. Limiting access based on device type.
Aruba Solution: The traffic encrypted at the client is decrypted at the controller. So if the AP communicates with the controller over the WAN, traffic from the camera connecting to the AP is decrypted at the controller residing at the operations center.

Voice

Voice-over-IP (VoIP) and Voice-over-Wi-Fi (VoWiFi) also form a crucial part of the surveillance solution. With the right equipment, voice expands the horizon on the usage of the IP surveillance solution. With voice, emergency broadcasts can be issued. Based on the images captured, users may choose to make announcements at particular locations. The Aruba infrastructure is capable of providing different levels of QoS based on the application demands. The application-centric design allows infrastructure convergence, resulting in voice, video and data using the same network for transport, but being handled differently based on the QoS requirements of the specific application.

Connectivity Models

The infrastructure needs to be versatile enough to meet the connectivity requirements of the video surveillance application. With Aruba Networks’ focus on application continuity and user-centric networks, extending the network to meet the diverse connectivity needs of the application while still maintaining the QoS, security and bandwidth requirements of the application makes Aruba the ideal IP infrastructure vendor of choice for such applications.

Figure 4: Sample Network Topology. (Diagram labels: Data Center / HQ; Small Sites / Remote Locations; Surveillance Clients; Warehouses / Large Branch Office Sites; WAN; Video Servers; Aruba Controller; Video Recorders / Storage; GRE Tunnel; IPSec Tunnel.)

In the case of the Aruba solution, the traffic is tunneled from the AP to the Controller and across the WAN or LAN connection. The APs can communicate with the Controller over an L2/L3 network and can use the existing addressing scheme without there being a need to extend new VLANs. The user presence is on the Controller, hence any user VLANs that need to be created can exist only on the Controller with the appropriate routing details added to the core router. This is also a very secure solution since all the client traffic is encrypted and decrypted on the Controller.


LAN Connectivity Models

Figure 5: LAN Connectivity Models. (Panels: Wired Camera Connectivity over LAN; Wired Camera Connectivity over LAN using the Aruba Access Concentrators; Wireless Camera Connectivity over LAN / WAN. Labels: LAN; LAN / WAN; WAN; GRE Tunnel; IPSec Tunnel.)

Wired camera connectivity can be established using certain AP models (like the Aruba AP70 with dual Ethernet ports) and Aruba 2E and 800E access concentrators in the LAN environment. All AP models can be used to provide Wi-Fi connectivity to the cameras.

WAN Connectivity Models

Figure 6: WAN Connectivity Models. (Panels: Wired Camera Connectivity over WAN Network; Wireless Camera Connectivity over LAN / WAN Network. Labels: WAN; LAN / WAN; IPSec Tunnel; IPSec Tunnel to the master controller.)

In the case of the WAN solutions, the traffic has to be secured over the WAN/Internet leg of the network. One option is to use Aruba’s mobile AP which creates an IPsec tunnel back to the Aruba Mobility Controller over the WAN/Internet connection. The other is to locally terminate the traffic on the local Controller and then create an IPsec tunnel between the local and the master Controllers to tunnel the traffic securely over the WAN/Internet.


The former solution is used in smaller offices with 10 or fewer devices connecting to the network and the latter solution is appropriate for deployment in a medium to large branch office.

Outdoor Connectivity Models / Warehouse / Wireless Office

Figure 7: Outdoor Connectivity Models. (Panels: Wired / Wireless Camera Connectivity over an EVDO backhaul; Wired / Wireless Camera Connectivity over Indoor / Outdoor Mesh Network. Labels: EVDO; LAN / WAN.)

Outdoor deployments are different from indoor enterprise deployments in that:

• The environment is more dynamic
• There is a limited wired network
• Coverage is required for larger areas

Aruba supports mesh solutions for point-to-point backhaul, point-to-multipoint backhaul and multi-hop connection in locations with little or no wired network. An additional connectivity mechanism unique to the Aruba solution is the use of EVDO as the backhaul. An Aruba Mobile AP can communicate with the Aruba Controller over the EVDO network while providing wired or wireless connectivity to the cameras.

Monitoring Client Support

Monitoring clients are mobile devices that run the video management clients and receive downstream traffic from either the server or the camera itself, depending on the configuration. The main purpose of these clients is to help the user visually and audibly evaluate the data transmitted by the IP surveillance cameras and microphones at a particular location. The monitoring applications are jitter- and delay-sensitive, and the devices running the applications need to be secure due to the sensitive nature of the data transmitted in most deployment scenarios. The user-centric design from Aruba allows the devices to be secured effectively using the latest authentication and encryption methods. Most of these devices are converged devices capable of voice, video and data. The Aruba Controller is capable of identifying the traffic based on the application type and prioritizing it such that voice receives the highest prioritization, followed by video, followed by data.

Redundancy

Network redundancy is very important in cases where loss of data due to network failure is not acceptable. Aruba supports redundancy at multiple levels:

Controller Redundancy: Controller redundancy can be achieved using an active-standby configuration wherein a Controller is dedicated as the backup for the active system, ready to take over in case of system failure. Alternatively, an active-active configuration can be used wherein two active controllers can serve as backup to each other in the case one of them fails.

AP Redundancy: Aruba’s Adaptive Radio Management (ARM) takes care of coverage holes that result from AP failures. In an Aruba-recommended design, when an AP fails, neighboring APs will increase their signal strength to compensate for the failed AP and prevent coverage holes.

Mesh Redundancy: In mesh deployments, backup wireless paths and parallel mesh cluster deployments help ensure that all mesh points have alternative routes back to the controller.

Conclusion

The Aruba infrastructure is versatile enough to meet the stringent and demanding needs of a video surveillance application deployment without compromising the QoS, bandwidth and security that this application demands. With a healthy partnership ecosystem, the Aruba infrastructure supports the use of multi-vendor camera and server deployment with easy manageability and troubleshooting abilities.


Appendix A – Video Surveillance Basics and Terminologies

Compression

Compressed video can effectively reduce the bandwidth required to transmit the digital video over an IP connection. Video compression is a tradeoff between the bandwidth and storage space required and the quality of digital video and cost of compression.

Higher compression rates result in lower throughput and storage needs but also adversely affect picture quality. Picture quality improves when no compression or low compression rates are used. The throughput and storage needs are higher for lower compression rates.

Some of the common compression formats used in the industry are MJPEG and MPEG-4.

Depending on the application and throughput available, the compression rate should be selected so that it delivers the right picture quality while not exceeding the available bandwidth.

For most video surveillance applications MPEG-4 compression is optimal. MPEG-4 has low storage and bandwidth requirements.

MJPEG is used for applications where image resolution is a priority or that require frame-by-frame replay, like court evidence, where MPEG-4 can be challenged. MJPEG cameras are also cheaper.

Frame Size

The size of the frame depends on the resolution required. Some of the common frame sizes based on resolution are:

Resolution          MPEG-4   MJPG(40)   MJPG(20)   MJPG(10)   No compression
320*240 (QVGA)      2kB      9kB        12kB       15kB       226kB
640*480 VGA         8kB      34kB       46kB       58kB       770kB
704*576 4CIF PAL    11kB     45kB       61kB       77kB       1189kB
2048*1536 3MP       42kB     170kB      290kB      450kB      9217kB

Frames per second (fps)

Frames per second is the number of frames transmitted per second. This has a direct bearing on how smooth the video appears. Higher frames per second result in TV-like video quality. Higher fps also means higher bandwidth.


Calculating Application Throughput and Storage Requirements

Total Throughput = (Frame size (kB) * fps * No. of cameras) * 8

For most IP/video surveillance applications the frame per second (fps) can be a value anywhere from 10 – 15 depending on the required continuity in motion. If the cameras are motion-sensitive, then the cameras can be configured to transmit 1 – 2 frames per second under normal operations and increase the fps to a higher value if motion is detected or an alarm is generated. The resolution can be set to the lowest compression required that meets the needs of the application. For viewing applications, the fps can be set based on the motion continuity required, but on average, the QVGA resolution (320*240) suffices as most video applications are viewed on computer monitors with a similar resolution.

Net Bandwidth = (Frame size (kB) * fps * No. of cameras) * Max time the data needs to be archived

Note: The time period needs to be converted to seconds before applying to the formula above.
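
The two formulas above, combined with the frame-size table and the per-AP bandwidth factors from the Bandwidth Requirements section, as an added example that is not part of the original brief. The link capacity, reserved bandwidth and the alarm_fraction parameter are constructed assumptions, units are decimal (1 GB = 1,000,000 kB), and the motion-weighted archive estimate goes beyond the brief's constant-fps formula.

```python
# Added example: camera capacity planner built on the brief's two formulas.

# Frame sizes in kB, copied from the brief's frame-size table.
FRAME_KB = {
    "QVGA": {"MPEG-4": 2, "MJPG(40)": 9, "MJPG(20)": 12, "MJPG(10)": 15, "none": 226},
    "VGA": {"MPEG-4": 8, "MJPG(40)": 34, "MJPG(20)": 46, "MJPG(10)": 58, "none": 770},
    "4CIF": {"MPEG-4": 11, "MJPG(40)": 45, "MJPG(20)": 61, "MJPG(10)": 77, "none": 1189},
    "3MP": {"MPEG-4": 42, "MJPG(40)": 170, "MJPG(20)": 290, "MJPG(10)": 450, "none": 9217},
}


def throughput_kbps(frame_kb, fps, cameras=1):
    """Brief's formula: (frame size kB * fps * cameras) * 8, in kilobits/s."""
    return frame_kb * fps * cameras * 8


def storage_kb(frame_kb, fps, cameras, seconds):
    """Brief's archive formula: (frame size kB * fps * cameras) * seconds."""
    return frame_kb * fps * cameras * seconds


def max_cameras(link_kbps, reserved_kbps, frame_kb, peak_fps):
    """Cameras that fit in what is left after other applications' share.

    Sized at peak fps so that every camera alarming at once still fits,
    which matters because recording traffic is loss-sensitive.
    """
    available = link_kbps - reserved_kbps
    if available <= 0:
        return 0
    return int(available // throughput_kbps(frame_kb, peak_fps))


def motion_storage_kb(frame_kb, idle_fps, alarm_fps, alarm_fraction, cameras, seconds):
    """Archive size for motion-sensitive cameras (idle fps, higher fps on alarm).

    alarm_fraction is a hypothetical input: the assumed share of time a
    camera spends in the alarm state. It is not a figure from the brief.
    """
    if not 0 <= alarm_fraction <= 1:
        raise ValueError("alarm_fraction must be between 0 and 1")
    avg_fps = idle_fps * (1 - alarm_fraction) + alarm_fps * alarm_fraction
    return storage_kb(frame_kb, avg_fps, cameras, seconds)


def plan(resolution, compression, link_kbps, reserved_kbps,
         idle_fps, alarm_fps, alarm_fraction, days):
    """Per-link plan: camera count plus worst-case and expected archive size."""
    frame = FRAME_KB[resolution][compression]
    cams = max_cameras(link_kbps, reserved_kbps, frame, alarm_fps)
    seconds = days * 86400  # the brief's note: convert the period to seconds
    return {
        "per_camera_kbps": throughput_kbps(frame, alarm_fps),
        "cameras": cams,
        "worst_case_gb": storage_kb(frame, alarm_fps, cams, seconds) / 1e6,
        "expected_gb": motion_storage_kb(
            frame, idle_fps, alarm_fps, alarm_fraction, cams, seconds) / 1e6,
    }


if __name__ == "__main__":
    # Constructed inputs: 20 Mbps usable link, 8 Mbps kept for voice and data,
    # VGA MPEG-4 cameras idling at 2 fps, 15 fps on alarm 10% of the time, 7 days.
    print(plan("VGA", "MPEG-4", 20000, 8000, 2, 15, 0.1, 7))
```
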


About Aruba Networks, Inc.

Aruba securely delivers the enterprise network to users, wherever they work or roam, with user-centric networks that significantly expand the reach of traditional port-centric networks. User-centric networks integrate adaptive WLANs, identity-based security, and application continuity services into a cohesive, high-performance system that can be easily deployed as an overlay on top of existing network infrastructure. Adaptive WLANs deliver high-performance, follow-me connectivity so users are always within reach of mission-critical information. Identity-based security associates access policies with users, not ports, to enable follow-me security that is enforced regardless of access method or location. Application continuity services enable follow-me applications that can be seamlessly accessed across WLAN and cellular networks. The cost, convenience, and security benefits of user-centric networks are fundamentally changing how and where we work. Listed on the NASDAQ and Russell 2000® Index, Aruba is based in Sunnyvale, California, and has operations throughout the Americas, Europe, Middle East, and Asia Pacific regions. To learn more, visit Aruba at http://www.arubanetworks.com.

© 2007 Aruba Networks, Inc. All rights reserved. Specifications are subject to change without notice. Aruba Networks, BlueScanner and RFprotect are trademarks of Aruba Networks, Inc. All other trademarks or registered trademarks are the property of their respective holders.

TB_VIDSUR_US_071217


1322 Crossman Ave. Sunnyvale, CA 94089-1113 | Tel. +1.408.227.4500 | Fax. +1.408.227.4550

http://www.arubanetworks.com
