Cards, hands, fingers, eyes
Aug 1, 2001 12:00 PM, By Michael Fickes
A company called Fiderus has installed a physical security system that illustrates the emerging capabilities of biometric access control.
Fiderus Strategic Security and Privacy Services provides Internet and network security consulting services to Fortune 500 companies and advanced technology companies.
Based in Cary, N.C., the company maintains a state-of-the-art “white-hat” hacker lab whose goal is to break into its customers' networks and to develop systems capable of warding off unauthorized computer attacks.
When demonstrating its capabilities to prospective customers, the company shows off its own advanced physical and logical security systems.
The physical security system combines a variety of access control techniques, from a proximity card system to fingerprint, hand-scan and retina-scan systems.
These devices not only demonstrate advanced techniques in physical security, they also provide the physical security necessary to a facility that houses sensitive computer systems and data.
“We must secure both our physical and logical infrastructure,” says Dave Morrow, senior vice president of consulting with Fiderus. “While we test our clients' systems by attacking them, we want to make sure we don't admit others inadvertently.”
That's a bigger job than it might seem. The sensitive network connections within the Fiderus facility make it necessary to block unauthorized access to Fiderus's computers by physical intruders, by devices that intruders might install, as well as by remote hackers who might try to get into a customer's system through the Fiderus infrastructure.
Instead of attempting to break into the Fiderus offices, an intruder might attempt to get into the company's systems through the Internet, says Morrow. To prevent this, Fiderus secures its Internet portals and Web pages with firewalls, security architecture and various encryption schemes. “With these techniques, if hackers put a sniffer in our building, for example, they still couldn't read the data they acquired,” Morrow says.
A sniffer is a computer that can connect physically to a network or logically over the Internet. Because sniffers function passively and simply gather data, it is difficult to detect them on a network. Hence, it is necessary to guard against their physical installation.
Sniffers can also help defend against logical system intrusions. “You can put a sniffer on your network and tune it with software to watch for events such as a hacker's keystrokes. The system records that information, which becomes evidence in court. This is one of many logical security techniques that we help our clients develop for their systems.”
The physical line of defense
While Fiderus handles its own logical security, the company has assigned the Raleigh, N.C., office of Sonitrol to provide physical security. In designing the system, Sonitrol focused on security fundamentals. “There are three types of physical security,” says Chuck Harrelson, a partner and co-owner of Sonitrol of Raleigh. “First, there is what you know — an access control code. Second, there is what you have, which might be an access control card. The third type of security is who you are, which involves biometric devices. By making these types of security into levels, you can make it more difficult to subvert the security system.”
Sonitrol has tapped this concept to implement increasingly “hard” levels of security for Fiderus. Level one uses proximity access control. “Harder” levels employ combinations of card and biometric access control. The security design increasingly “hardens” as people move from the entrance of the building, through the Fiderus reception area and into the company's more sensitive interior offices and labs.
Fiderus occupies approximately 15,000 square feet on the first floor of a four-story suburban office building housing multiple tenants.
The landlord had installed a 26-bit Wiegand format proximity access control system in the building, according to Harrelson. The landlord also provides tenants with proximity access cards.
Because the building system was manufactured by HID Corp., Irvine, Calif., Sonitrol recommended an HID prox system as the first level of physical security for Fiderus. “We knew that we could match the new HID system with the existing building card system,” Harrelson says. “We also asked HID to recommend biometric systems for the interior offices” with the goal of ensuring the overall integration of the biometric and conventional devices, as well as with the proximity cards supplied by the landlord.
Within the Fiderus suite of offices, Sonitrol designed a system to control seven doors of varying sensitivity.
A front door leading into the company's lobby and reception area uses a standard HID proximity reader. Another conventional HID reader protects a door leading into a training room — an area Fiderus does not rank as needing higher levels of security.
The remainder of the doors, however, feature “hardened” levels of security.
The door leading from the reception area into an interior suite of offices employs a HandKey II reader manufactured by Recognition Systems Inc., Campbell, Calif. This device compares the geometry of a person's hand to data stored in the system during enrollment. The unit also contains a proximity card reader. When approaching this door, a hand-match activates the prox reader, which reads the employee's card. An authorized card-read then opens the door.
Next, Sonitrol installed readers requiring both fingerprint and proximity card authentication on two doors located in the rear of the facility. One admits employees from the outside, and another leads from a rear hallway into the main office suite. Biometric Identification Inc., Sherman Oaks, Calif., supplied these VeriProx readers. In this case, a biometric fingerprint reading activates the proximity reader, which then releases the locks when the proper card is presented.
Two more VeriProx readers protect the doors to the facility's server room and hack lab. The doors to these sensitive rooms are adjacent, separated by a two-foot section of wall. Sonitrol has hardened security here by using a retina scanner, manufactured by EyeDentify Inc., Baton Rouge, La., on top of the VeriProx readers.
The retina scanner resides on the wall between the doors. To enter either room, employees first gaze into the retina scanner. An authorized scan releases magnetic locks on both doors — the server room as well as the hack lab. Securitron Magnalock Corp., Sparks, Nev., supplied the mag locks.
The retina scan by itself, however, does not permit access to either room. Additional electronic strike locks provided by HES Inc., Phoenix, Ariz., must be accessed first. The VeriProx readers on each door control these locks and require a matching fingerprint and authorized prox card reading to release the electronic strike on one or another of the doors.
Enrolling an employee in the system requires a retina scan, fingerprint scan and hand scan. Data from those scans is then attached to the number on the employee's proximity card.
According to John Hoffman, co-owner of Sonitrol of Raleigh, the enrollment procedure for the biometric devices is relatively simple. “To program the HandKey, we used the keypad on the device,” he says. “The employee presents his or her hand three times. As the scanner captures the image, the employee presents the proximity card, and the system matches the hand image with the card.
“The enrolling procedure for the retina scanner uses an LCD-driven hand-held device with a keypad.
“To enroll employees in the VeriProx system, we used the reader outside the server room. A step-by-step menu makes it easy. Basically, the employee places his or her finger on the reader and the system grades the image. If it's not good enough, it recommends another scan. Once you get a good read, you type in the employee's corresponding card number.”
Installation of the system proved fairly routine, although there were two wrinkles. The first involved the installation of a Cat-5 data line and interface for the VeriProx system. “The Cat-5 allows the VeriProx system to talk to the system software,” Hoffman says. “We needed that to activate the VeriProx readers and to enroll employees.”
All of the devices use the Wiegand protocol to interface with the field panels, supplied by the Advantor Corp., Orlando, Fla. Advantor also supplies the Advantage access control software that manages the system.
The second wrinkle involved the access control system's interface with the fire alarm system. When a fire alarm goes off, security locks must not prevent employees from exiting the building. With a magnetic lock security system, a fire-alarm system can be set to cut power to the locks and permit the doors to open. “This is a fail-safe system,” says Harrelson. “The problem is, when the fire alarm releases the locks, people inside can not only get out, but people outside can get in. An intruder that understands this system would know that pulling the fire alarm would permit access to the building.
“To prevent this, we used electronic door-strikes on all of the doors, making them fail-secure. You can get out from the inside, but you cannot go back in.”
While the biometric access control devices make it very hard to get into Fiderus, the locks make it easy to get back out.
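The two-lock arrangement on the server room and hack lab doors, and the fire-alarm behaviour Harrelson describes, modelled as an added example (not code from Fiderus, Sonitrol or the Advantor software). The enrollment table, template strings and class names are constructed for illustration, and tying the fingerprint match to the card's enrollment record is an assumption.

```python
from dataclasses import dataclass

# Constructed enrollment table: templates keyed by prox card number.
ENROLLED = {4021: {"retina": "ret-A", "finger": "fp-A"}}

@dataclass
class Door:
    has_strike: bool = True        # False models a mag-lock-only door
    maglock_powered: bool = True   # fail-safe: releases when power is cut
    strike_released: bool = False  # fail-secure: stays latched without power

    def opens_from_outside(self) -> bool:
        strike_clear = self.strike_released or not self.has_strike
        return (not self.maglock_powered) and strike_clear

class SecureRooms:
    def __init__(self, has_strike: bool = True):
        self.doors = {n: Door(has_strike) for n in ("server_room", "hack_lab")}

    def _drop_maglocks(self) -> None:
        for door in self.doors.values():
            door.maglock_powered = False

    def retina_scan(self, template: str) -> bool:
        """Shared wall scanner: a match releases the mag locks on both doors."""
        ok = any(rec["retina"] == template for rec in ENROLLED.values())
        if ok:
            self._drop_maglocks()
        return ok

    def veriprox(self, door: str, finger: str, card: int) -> bool:
        """Per-door reader: fingerprint, then card, releases that door's strike."""
        rec = ENROLLED.get(card)
        ok = rec is not None and rec["finger"] == finger
        if ok:
            self.doors[door].strike_released = True
        return ok

    def fire_alarm(self) -> None:
        """Alarm cuts mag-lock power only; strikes are not touched."""
        self._drop_maglocks()

    def can_enter(self, door: str) -> bool:
        return self.doors[door].opens_from_outside()

def entry_after_alarm(has_strike: bool) -> bool:
    """True if pulling the alarm alone admits someone from outside."""
    rooms = SecureRooms(has_strike)
    rooms.fire_alarm()
    return rooms.can_enter("server_room")
```

`entry_after_alarm(False)` is the mag-lock-only design Harrelson warns about; `entry_after_alarm(True)` is the installed design with fail-secure strikes.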
For the record
About the author
Michael Fickes is a Cockeysville, Md.-based writer and regular contributor to iSecurity.
About the companies
Visit infoLink at www.securitysolutions.com for more information on companies featured in this article.
Advantor — 185
Biometric Identification Inc. — 186
EyeDentify Inc. — 187
HES Inc. — 188
HID Corp. — 189
Recognition Systems — 190
Securitron Magnalock Corp. — 191
Sonitrol — 192
© 2008 Penton Media Inc.