Our facilities folks are conducting a selection process to migrate away from our current (highly proprietary, they say) HSM/Nexwatch system and toward a system that uses more open/standard readers, strikes, wiring, etc. The current leader in the process is Brivo. We've had a couple meetings and technical calls where our network security folks (including me) have interrogated them and they seem to be pretty clueful about network security issues.
The summation I recently sent back to the facilities folks on behalf of the network security folks amounted to:

While it's not feasible to completely close every possible attack vector and still have a usable system, Brivo seems to have covered all the bases we can think of and is following currently known best practices.

Our only concern is with their "web hosted" model (where the system is managed via servers in Brivo's data centers) in that it requires only username/password authentication to access the management UI. We've stated that we would be concerned about using that model without the addition of two-factor authentication, or at least a way to allow access to our admin account only from our known IP addresses. That concern disappears if we're using their "web based" model (where the system is managed via one or more appliances that live within our corporate network).

One cautionary note... Brivo provides a way to reduce wiring costs by hanging a controller off the end of an Ethernet cable right at a door you wish to control (as opposed to running the card access system's own wiring all the way from a central panel out to that door). Brivo does say that it has some stability issues when it comes to recovering from loss of PoE and/or Ethernet - it sometimes requires someone to physically go out to the box and press a reset button. For that reason, we've recommended against deploying that piece of equipment in our campus because momentary interruptions (planned or unplanned) are simply part of life.

From: [email protected] [mailto:[email protected]] On Behalf Of Steven Tylock
Sent: Monday, December 22, 2008 1:59 PM
To: Lopsa Discuss
Subject: [lopsa-discuss] The door security system you'd choose to install ;-)

Many on the list have probably spent time supporting the door security system "the other guy" (or gal) installed. There's not much you can do at that point because it's the one you've got to support...

But if you had a new office space to move into, and management decided to install a new fob based system, what would you choose to put in?

Yes, that's the position I'm in, and I'd love to hear about systems you like, dislike, and would take a flamethrower to if you could.

If it matters, I'm looking at securing 3 exterior doors and 3 interior doors (including a couple double doors), and have a population of about 20-30 to consider. Fobs appear to have preference over a swipe or proximity card, and fob plus code or fingerprint does not appear to be a requirement. It should not be an issue to run network or power to each of the doors. (less than 30 meters from a central location for each)

I'll be happy to anonymize responses if asked and will post a summary,

steve

--
Steven Tylock
http://www.linkedin.com/in/stevetylock
_______________________________________________
Discuss mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
