Sep 1, 1999 12:00 PM
As its sales skyrocketed in the 1990s, from $69 million annually at the start of the decade to $3.2 billion by the third quarter of 1999, Cisco Systems had a formidable security challenge to face. The San Jose, Calif.-based company, one of the world's largest providers of networking products and services for the Internet, needed to secure more than 210 offices worldwide.
Bill Jacobs, manager of corporate security systems for the approximately 18,000-employee company, addressed the challenge by coordinating a team effort among security system integrators and providers. Since the project's inception approximately 19 months ago, the effort has resulted in a highly sophisticated security network that is linked through a master server and regional servers for the United States, Europe, the Middle East, Africa, Asia and Australia.
The system uses enterprise-based technology, in which data is shared across multiple servers and managed by a higher level server, called the enterprise master server. The information is transmitted across local-area networks (LANs) and wide-area networks (WANs).
Cisco serves customers in three major markets. One of them, the enterprise market, targets large organizations with complex networking needs, usually spanning multiple locations and types of computer systems. The type of networking software that Cisco provides includes high-speed routers with multi-protocol support, desktop switchers, and multi-service platforms that can support requirements for data, voice, video and dial access applications, along with high-speed connectivity.
The company's security installation project began with 19 new buildings at the 44-building campus at the San Jose, Calif., world headquarters, according to David Robertson, global program manager for Pinkerton Systems Integration, Atlanta. It has now extended to 48 projects with 33 sites and 523 card readers on the East Coast; 126 projects at 58 sites with 1,211 card readers on the West Coast; 47 projects at 23 sites with 248 card readers in Europe, the Middle East and Africa; and 14 projects at 9 sites with 147 card readers in Asia.
In addition to the San Jose headquarters, the new security installations have been completed at Cisco sites in Research Triangle Park, Raleigh, N.C.; Austin, Texas; and Chelmsford, Mass., as well as at many smaller sales offices. There are installations in all major cities in the U.S., says Robertson, who adds that Cisco is also retrofitting an older access control system at its San Jose campus with the new system.
Pinkerton was the integrator and installer for all of the U.S. and several European projects, along with one in Beijing. HID Corp., Irvine, Calif., provided the DuoProx II and ISOProx II proximity cards and the MiniProx and Thinline II card readers used in the installations. Lenel Systems International Inc., Pittsford, N.Y., provided the access control software and the enterprise database server system with its OnGuard Enterprise Advanced Multi-Site Security Management System.
For security systems manager Jacobs, the good news is that the new system is enabling his department to better manage the security challenges posed by Cisco's rapid growth. Now, when new hires come on board, when personnel are transferred, promoted or relocated, when employees are terminated or their access levels changed, the information is communicated rapidly throughout the security network.
The San Jose system includes a master enterprise server using OnGuard access control software. The enterprise server is connected to Cisco's corporate Oracle human resources database through a Universal Interface Server (UIS). The Lenel program installed in the enterprise server allows the two databases to be linked together, according to Bill Pethick, product marketing manager for Lenel. The system is set up so that critical cardholder information from the human resources database, such as the hiring or termination of employees, will regularly flow into the enterprise server.
From the enterprise server, the information is downloaded automatically to the regional servers, into which the OnGuard software has also been installed.
The flow of information occurs on a real-time basis, at regularly programmed intervals. The enterprise server, acting as a central information repository, receives and distributes pertinent corporate-wide access control information to all the regional servers. This information is received both from the corporate-wide human resources database and from the regional servers.
Thus, if an employee has been terminated in a particular location, all locations will receive this information and that employee will be denied access to any Cisco facility.
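The distribution flow described above can be modeled in a few lines. This is an added example, not Lenel or Cisco code: it shows that a termination entered at one regional server leaves the badge valid at the other regions until that region's next sync call, and that a replayed hire record cannot re-enable the badge afterwards. The class names, the `seq` ordering stamp, the badge IDs and the choice of which record types are shared with every region are assumptions.

```python
from dataclasses import dataclass, field

GLOBAL_KINDS = {"hire", "terminate"}  # assumption: record types shared with every region

@dataclass(frozen=True)
class Change:
    seq: int      # constructed ordering stamp, higher is newer
    kind: str     # "hire", "terminate" or "local_access"
    badge: str    # constructed badge ID

@dataclass
class RegionalServer:
    active: set = field(default_factory=set)
    last_seq: dict = field(default_factory=dict)
    outbox: list = field(default_factory=list)

    def apply(self, ch):
        if ch.seq <= self.last_seq.get(ch.badge, 0):
            return  # stale or replayed record must not undo a newer termination
        self.last_seq[ch.badge] = ch.seq
        if ch.kind == "hire":
            self.active.add(ch.badge)
        elif ch.kind == "terminate":
            self.active.discard(ch.badge)

    def record(self, ch):
        # Change entered locally: enforced here at once, queued for the next upload.
        self.apply(ch)
        self.outbox.append(ch)

@dataclass
class EnterpriseServer:
    regions: dict
    archive: list = field(default_factory=list)

    def receive(self, ch, source=None):
        # source=None models the HR database feed; otherwise the uploading region.
        self.archive.append(ch)  # everything is archived centrally
        if ch.kind in GLOBAL_KINDS:
            for name, region in self.regions.items():
                if name != source:
                    region.apply(ch)

    def sync(self, name):
        # Upload a region's pending changes, then redistribute them to the others.
        region = self.regions[name]
        pending, region.outbox = region.outbox, []
        for ch in pending:
            self.receive(ch, source=name)
        return len(pending)

def granted_at(enterprise, badge):
    # Regions whose local database would still admit this badge.
    return sorted(n for n, r in enterprise.regions.items() if badge in r.active)
```

The gap between `record()` and the next `sync()` is the revocation window, so the programmed sync interval bounds how long a terminated badge keeps working at other sites.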
"The regional servers will initiate the call to the master (enterprise) server to upload access control information that has changed, such as new cardholders, terminations and new access permissions allowed," says Pethick. "The enterprise server will then download this information to all the other regional servers so they are all working on a common database."
"Everything is archived at the enterprise level, but certain information flows to all the servers and certain information does not," says David Robertson of Pinkerton. "Hiring and firing information goes everywhere. Human resources automatically shares certain information with the enterprise server, the parameters of which are set up by Lenel and database administrators at Cisco."
All of the servers are installed in Dell computers, according to Robertson. Pinkerton has built control panels to house the Lenel components in the field, such as the LNL-1000 Intelligent System Controller, which manages the card readers; and the LNL-1100 input modules and LNL-1200 output modules, which manage alarms, lights, locks and other security devices. Data distribution panels are also part of the system. There are two differently sized control panels. A large, three-by-four-foot panel houses the controls for 28 doors, 32 inputs and 16 outputs. A smaller panel houses controls for 14 doors, 16 inputs and 16 outputs.
"Alarm devices may be wired to the LNL-1100 input boards. On-and-off relays for devices such as lights, audible units, and door controls may be wired to the LNL-1200 output control module," Robertson adds.
Card readers and other security devices are wired with low-voltage copper wiring to LNL-1300 reader controllers, small boards typically placed above door locations. The reader controllers are then connected to the control panels by multi-conductor, shielded copper cable with plastic insulation. The shielding prevents interference. In a few cases, reader controllers to which two readers can be connected are used but, "we tended to standardize on single reader controllers, which are about three by five inches and built into Security Junction Boxes (SJB)," says Robertson.
A typical access control door with a card reader will have Sentrol Inc. door contacts and Schlage locks, says Robertson. "The whole concept that led us to this type of installation was to utilize Cisco's worldwide WAN," he said. "If there is a sales office in Denver, for instance, we can install a control panel and plug into Cisco's WAN."
The control panels communicate with the regional servers over a combination of LANs and WANs. A Lantronix Terminal Server modem located within the control panels provides the connectivity between the control panels and the Cisco networks.
The servers, operating on a Windows NT Server operating system, come with network cards which allow them to be plugged into the network. Multiple workstations, operating on a Windows NT Workstation operating system, are connected to the servers.
At Cisco's Security Operations Center in San Jose, for instance, there are three dedicated security workstations, says Robertson. Other workstations throughout the campus can access the Lenel access control software but are not dedicated security workstations. At these workstations, functions related to security would include badging, administration and lobby control, which is accomplished with Lenel visitor logging and control software.
The Security Operations Center also has nine to ten CCTV monitors, along with multiplexers and an American Dynamics switching system. The camera system is integrated with the Lenel server through the matrix switcher and programmed so that an alarm command will automatically call up a specific camera to a specific monitor. The company's West Coast regional server is located at the San Jose headquarters, as is its master Enterprise Server.
Digital recorders which record images on hard drives, manufactured by Loronix Information Systems, Durango, Colorado, are used in place of traditional VCRs.
"A good 95 percent of the cameras can be accessed remotely over the WAN," says Robertson of the cameras which are installed at Cisco's sales offices and other sites. At the San Jose campus, the camera images are transmitted over a combination of copper and fiber-optic cable to the matrix switcher at the Security Operations Center.
Nisca and Fargo badging printers in Lenel badging workstations use Lenel's Identification Management System software to store pictures of employees and contractors to whom proximity cards have been issued. Having a streamlined, worldwide access control system in which data is both regionally controlled and centrally administered would not be nearly so effective without the one-card format designed by HID. Were it not for this format, Cisco would have to juggle different cards with different formats. Notes Jacobs, "The responsibility for programming and distributing cards of various formats, along with all the maintenance problems that go with it, can be overwhelming."
According to Douglas Wood, HID North American sales manager, and John Otters, HID technical support manager, a proprietary format was created for Cisco.
The proprietary format is part of HID's Corporate 1000 format program, a unique data pattern developed with major access control system manufacturers for end-users. The Corporate 1000 format enables end-users to control and use one card format with almost any access control system.
"The common element is the Wiegand data format, with which virtually all access control systems are compatible," says Otters. "This enables the cards to be used around the world." With the Corporate 1000 format, HID can manage the numbers for the cards so there is no duplication. "As Cisco orders new cards we use a program that manages the last card number that went out to avoid duplication," says Wood.
More than a million possible cards can be issued with Cisco's proprietary format, a pattern of data with identifying numbers for individual cardholders. HID delivers the formatted cards to Cisco, which then inputs information and pictures onto them through its badging system.
Most of the cards issued to Cisco are HID's DuoProx II, which have a combination of proximity card and magnetic stripe technology. Card readers are used both on internal and external doors and at parking areas. The MiniProx uses a mullion mount on aluminum door frames; the Thinline II is wall-mounted. Cisco uses the readers internally at a variety of areas where confidentiality is an issue, such as in its research and development areas, say Otters and Wood.
Jacobs points to the administrative advantages and cost savings of the one-card system. With more than 1,150 HID readers installed and 1,000 more slated to be installed by the end of the year, he says there has been a considerable reduction in maintenance and administrative costs. "If I had 50 different card formats and systems out there, and had to be knowledgeable about and service all 50, the management of the system and spare parts would be virtually impossible."
To keep up with Cisco's growth, installation of the new security system has had to be "fast and furious," says Robertson, a sentiment echoed by Jacobs, who noted, "Our attitude was that we were going to get this job done, and we were going to get it done tomorrow."
Noting the satisfaction of being part of a team that has worked on a project that might well be unrivaled in complexity and size, Robertson says, "We're all happy to be a part of it."