Subscriber Discussion

Shopping For Access Control. Am I Being Too Picky?

UE
Undisclosed End User #1
Nov 20, 2017

Hi. I'm an end user who is trying to install a 7-8 door access control system in a facility that houses sensitive information. No existing systems in place. There could also be a need down the line for 2 doors at a second facility (connected by VPN). My background is Engineering and IT just to give you an idea of my mindset. I started by calling in a large vendor for help and a quote. At the same time I started to do some research. And while I feel I'm pretty quick on the uptake I'm still learning.

The initial system proposed was Kantech. ioProx, KT controllers, and hosted Entrapass. Quickly I discovered this was a 125kHz solution using Kantech's XSF protocol. Research pointed out that 125kHz proximity isn't the "latest stuff" around and many have been cracked. I eventually found myself at the proxmark community reading how they appear to have cracked XSF back in 2014 (or earlier).

This led me to investigate reader/card tech and that I should be looking at 13.56MHz tech. Specifically iClass SE readers (with SIO Seos cards) or MIFARE DESFire EV1/2. I communicated that to the vendor and now the system includes iClass SE readers, KT controllers, and hosted Entrapass.

I had more questions. Specifically around Wiegand vulnerabilities. The iClass SE readers support OSDP. I'm not sure but I don't believe the Kantech controllers support OSDP, meaning it would probably be installed via Wiegand. That seems unattractive to me considering the security implications of Wiegand and the cost of the controllers. I've not gotten a definitive answer but I suspect I'm right. Meaning if I want OSDP I'm looking for a different controller now as well.

The Entrapass Web software, from what limited info I've watched and demoed, does seem nice. However it looks like the only way to use it is with Kantech equipment. So once I swap the controllers that has to be changed as well. Effectively changing the entire system that was proposed.

I feel like perhaps the problem is that I'm working with a vendor that wants to sell Kantech and/or might not be as aware of the current landscape. Kantech from what I can tell is basically proprietary. I've expressed my desire for open platforms. Perhaps the vendor just doesn't have solutions to meet those needs. But I'm really not sure how to find a company that does. I need a vendor to install and support this and a burglar system. I need to nail down something quickly and since I don't have a lot of experience in this area I don't really know who to reach out to in the area.

This is my list of wants that I've compiled after a week or 2 of research. Probably more but these seem to be the difficult ones:

1) Card/Reader Security (HID Seos or DESFire EV1/2)

2) Reader/Controller Security (OSDP or whatever)

3) Alarm integration (putting in burglar alarm as well)

4) Good video integration options (not doing video right now)

5) Open platform, don't like vendor lock

6) Mobile credentials (user can unlock with iOS and Android phones)

7) Active Directory integration would be big plus (user/group sync)

8) Multi-site support

9) SaaS (hosted) is also nice although not AS critical

This is what I've come up with:

Readers: HID iClass SE

Cards: HID Seos

Controller: Mercury, HID Edge/VertX, Axis A1001 (THIS article was very helpful)

Software: ??? (Genetec, Brivo...)

From what I've gathered Mercury controllers are very popular. OEM panels for various systems and work with a bunch of software. I'm not really sure what software makes the most sense though. If I'm reading correctly it sounds like Brivo has opened up to non-proprietary panels like Mercury. And that they support Active Directory integration. Genetec sounds like it works with all the open controllers, which is cool, and is releasing a hosted solution.

Am I being an annoying customer by picking apart the solution proposed by the vendor?

Does it sound like I'm on the right track for getting a solution that conforms to current industry standard?

Let's say I want a solution with Mercury and Genetec (or Axis and Genetec), how do you go about it? Do I look for Genetec "installers" or "Axis" installers? This seems more difficult compared to calling in a vendor that proposes a "proprietary package".

Sorry for the long-winded post and thank you for any help you can impart.

(1)
Brian Rhodes
Nov 20, 2017
IPVMU Certified

> Genetec sounds like it works with all the open controllers, which is cool, and is releasing a hosted solution.

True. See: Genetec Launches Cloud Access Control (Synergis SaaS)

> Am I being an annoying customer by picking apart the solution proposed by the vendor?

No.  If your dealer acts like you're a pain for asking questions and specifically voicing your preferences, tell them to take a hike.  You're paying them, not the other way around.

> Does it sound like I'm on the right track for getting a solution that conforms to current industry standard?

Yes, but what you've specified is not typically on low-cost systems.  Even though you have just a few doors, specifying OSDP, 13.56 MHz, mobile credentials, and Mercury or HID controllers is going to rule out a whole class of entry-level systems.

Here are some others, who may be valuable to speak with:

> Let's say I want a solution with Mercury and Genetec (or Axis and Genetec), how do you go about it? Do I look for Genetec "installers" or "Axis" installers? This seems more difficult compared to calling in a vendor that proposes a "proprietary package".

In general, call the management software installers (ie: Genetec, Lenel, Feenics, Brivo) first, not the hardware or controller (ie: Axis, HID) installers.

The software installers will generally have broader system experience and product knowledge than the hardware experts alone.

Please follow up with any questions!

(1)
(5)
UE
Undisclosed End User #1
Nov 20, 2017

Thanks. The way I look at it is PACS tend to be something that sticks for many years. If I'm spending a decent chunk anyway I'd much rather go with something that is modern and secure than something that is already outdated and cracked. I don't know if it is out of line here to present ballpark cost, but the HID + Kantech + Entrapass proposal wasn't what I'd call cheap (both upfront equipment cost and MRC of the service). And looking at it the Kantech controllers seem to be just as expensive, if not more, than the alternatives (without some of the benefits).

My one concern (again as an end user with limited knowledge) is that I'm too concerned about OSDP and the Wiegand vulnerability. Is OSDP the only real solution that exists to guarding against these attacks? And how easy and common are these sort of attacks?

UE
Undisclosed End User #1
Nov 20, 2017

Interesting thing I just found while looking at Feenics. First, it looks like since the review on the site here they released a native Windows client, moved to HTML5, and removed the mobile apps on Android. The software does seem really feature rich. However the RELEASE NOTES state the product is in maintenance mode while they plan to release a new product.

(1)
Brian Rhodes
Nov 20, 2017
IPVMU Certified

Interesting find. I'll follow up with Feenics and ask about that and post their feedback/response.

Frank Farmilette
Nov 20, 2017
A2 Systems

We have customers active on V3, to the best of my knowledge they are up and running. 

 

Edit: +1 Feenics recommendation. 

(1)
UE
Undisclosed End User #1
Feb 19, 2018

Correction: the release notes page moved here

Last release notes were a year ago and still say Keep is in maintenance mode (slower updates) while they work on a new platform.

Brian, if you see this, did you ever hear anything about that? Interested in what they are cooking up over there at Feenics. Hopefully it will be something existing users can migrate to if ultimately a better product at minimal to no cost. :)

 

Brian Rhodes
Feb 19, 2018
IPVMU Certified

> Brian, if you see this, did you ever hear anything about that?

Yes, when I first asked, (like you mentioned) Feenics was in the process of moving to an HTML5 client and they were also migrating to AWS for the hosted/datacenter back end.

We've got an update queued on these changes, but I'll ask Feenics for the 'customer upgrade costs', if any, and report back here.

(1)
UE
Undisclosed End User #1
Feb 19, 2018

Ah, ok. I was already aware of the upgrades to HTML5, AWS, MongoDB, and now even a revised mobile app. The way I read it was that "Keep" as a platform was having its development slowed while they worked on a whole new platform to perhaps even replace Keep.

(1)
Brian Rhodes
Feb 19, 2018
IPVMU Certified

I talked with Feenics on the phone just a few minutes ago, and they confirmed the release note about 'maintenance mode' refers to V2 of Keep, not V3 or the most current version.

For existing V2 customers, the change involves re-configuring field controllers to point to the new remote domain.  This may be a cost to end users for a dealer to roll a truck. 

However, that degree of change is atypical for Feenics updates, and there are 'no cost' software version updates.

 

(1)
UE
Undisclosed End User #1
Feb 17, 2018

Just a reply to myself so others don't get confused. Feenics put their App back on the Android Play Store on December 20th 2017. And it looks like it is now "1 app" not 3 (or at least only 1 app needs to be downloaded). I think they updated it.

I see the release notes page was pulled down. Not sure what that is about. Am still a bit curious if they do indeed plan to continue advancing Keep or focusing attention on a new product. And if so what that transition might look like when the time comes (cost and complexity).

I talked with Paul DiPeso from Feenics shortly after posting here. Was very helpful and helped me make a decision, which I will post in a minute as a new comment.

Michael Silva
Nov 20, 2017
Silva Consultants

Undisclosed End User #1,

First, I think you have done an exceptional job of learning about all of the available access control system (ACS) options and carefully defining your requirements. There are many who have been in the industry for years that probably don't have the understanding of the subject that you seem to have.

The class of system that you are requesting will almost certainly have to be purchased through a systems integrator - unlikely that any of the manufacturers will sell to you direct. To identify some potential integrators, I would start by contacting the software manufacturers (Genetec, etc.) that appear to meet your needs. They in turn can refer you to authorized integrators in your area. 

As Brian stated, your requirements probably cannot be met by most of the smaller/more economical ACS systems. This means you are probably looking at an "enterprise class" system, even though you only have a small number of doors to control.

If you are going to spend the additional money to get an ACS that provides a higher level of security, be sure that the other aspects of your physical security are also being looked at. I regularly see doors that have $10,000 of security electronics on them that can easily be defeated by slipping the latch or using an under-door tool to grab the inside lever handle from the outside.

(4)
(4)
UM
Undisclosed Manufacturer #2
Nov 27, 2017

I concur with others on this thread that because you want enterprise-class features on a small door system, your best economical bet is going to be Feenics or another Mercury OEM partner.  I'd also recommend Genetec, though that might be slightly overkill for a small system.

I do not work for either of those companies, nor do I sell or resell their products.

FN
Frank Nelles
Nov 21, 2017

Check ISONAS pure IP access control to meet all of your requirements.

www.isonas.com

Brian Rhodes
Nov 21, 2017
IPVMU Certified

Be specific in describing how/which requirements are met by your recommendation, or it will be deleted as promotional.

VV
Vinod Vyas
Nov 21, 2017

One of the requirements mentioned says "Open platform, don't like vendor lock".

Is it more to do with "like" or are there particular reasons? If the requirement is small in quantity but broad in features, solutions such as Gallagher may give better results in terms of manageability and one stop shop.

Impressive documentation, congrats.

UE
Undisclosed End User #1
Nov 21, 2017

Sigh, see this is the problem I have.

I call another large company that sells Brivo. They sent out someone who honestly doesn't seem to know much of anything about the products they sell. They just want to look at the doors and submit a quote.

I try to talk to them about the readers. They tell me, "we use HID". I ask what model/line..."Uh, HID". Try to tell him I don't want the HID Prox style readers, I want 13.56MHz contactless smart card readers like the HID SE product line. I then try to talk to him about using open Mercury controllers and not the proprietary Brivo ones. Has no clue what I'm talking about and starts talking about a completely unrelated topic.

Get the quote and it's got HID ProxPoint Plus readers, the Brivo ACS IPDC 2E, and burglar equipment I wouldn't even bother installing at my house. He didn't even have the right quantities to cover the number of doors.

I need to find a better installer in the area. It's in Towson, MD (bit north of Baltimore). I'm not from this area and the people I've dealt with in the past don't service this far south.

(1)
PD
Paul DiPeso
Nov 21, 2017

Undisclosed End User #1,

I don't think your expectations are out of line.  After reading your list of requests, I believe Feenics can help you.  We use Mercury field panels, iclass, multi-tech and OSDP reader technologies.  I don't want to use this forum as a commercial, but I happen to live in the greater Baltimore area, and if I can answer any of your questions or you would like to meet with me, I can be reached at paul.dipeso@feenics.com.

(2)
Will Doherty
Nov 27, 2017
Liberty Consulting, Inc • IPVMU Certified

Good morning,

Your stated needs 1 through 3 are easily done by almost all ACS platforms on the market. How you weight the need and what your budget allows for items 4-9 is what will differentiate the manufacturers and solutions. For a system that has less than 16 doors and less than 1000 credential holders I would recommend to keep it contained to items 1-3 only. It will save you time and money. Since you put SaaS as the 9th need I would say you already know the pros and cons there as an IT professional. My opinion of the benefits of SaaS solutions specific for the security industry is keeping the firmware in the controller at the latest and greatest level, database backups, and management through HTTPS without heavy IT infrastructure are the three best benefits. All of these are easy to implement without SaaS; however, over time the SaaS solutions save the end user time to implement. I know it was 9th but SaaS is higher on my list when designing and discussing systems of this size.

Do your research....sounds like you have

Interview local security integrator companies.... doesn't matter how good a solution is if there is not a local trained and certified company to support it

Decide how much you want to do and how much you want to contract out

Do not take low bid and do not buy online.  Negotiate with the best company.  This is security and critical to business operations.  You will have service issues.  You will want to add to the system over time.  This takes security professionals to design and implement.  I will show you my gray hairs and explain how each one formed...hehehehehe 

Good luck.  You should get a great solution that enhances your business security and operation.  

 

(2)
UI
Undisclosed Integrator #3
Dec 06, 2017

I agree with Will's comment.

Prioritize your concerns. Do not take low bid. Do not buy on-line. Ensure your vendor understands & services the physical hardware (not just the electronics). IF there is a key cylinder, you should make sure that you have a restricted key system in place (if you don't then all the card technology doesn't matter).

While I recognize that technologies and portals exist to hack cards and overcome specific card technologies, I have yet to encounter a single incident of this actually happening in our major SoCal market. Nonetheless, if this is critical to you, and you want the latest technologies (adopted by the fewest end users) then you can expect higher costs, a limited pool of integrators, potential challenges with implementation, proprietary software (likely), and some degree of inconvenience (better security typically is less convenient).

You might want to consider implementing dual-credential (Card + PIN) as a solution that can significantly increase your perimeter security. This can be implemented on SaaS platforms like Kantech's.

(1)
UE
Undisclosed End User #1
Feb 17, 2018

I wanted to post a follow up to this to let people know how things went.

I spoke with Paul DiPeso from Feenics and he was very helpful. He helped me find a partner right within my area that was competent about what I was asking. They provided quotes very quickly and in very good detail. They even worked with me to visit the site and gather necessary information while I was on vacation and unable to be onsite. After much reading to make sure Feenics could provide all the little things I wanted and discussion with the reseller I felt really confident this is the solution I want. We are now just trying to get the financial people to do their part and hopefully we will have it in place soon.

One thing that did recently catch my eye which I plan to ask about is the new V3 Mercury equipment. The solution I've been presented with uses 1x EP1502 and 3x MR52. Sounds like the MR52 v3 models have the same cost so going to be interested in knowing if they will work in Feenics and the EP1502 so I can possibly benefit from Secure Channel.

One thing I'd say I'd also like to see is vendors/resellers/etc embrace more of a "you lease the equipment and we keep it updated when new stuff comes along" approach. I think BluB0X might do that?

Some more information that led me to finally pick Feenics and the reseller I did. During the same time I was working with Paul and the reseller I also found another local installer that was competent. They primarily sell Lenel but also some of the other Mercury based solutions. They recommended Lenel + Bosch intrusion. Literally the same hardware as the Feenics solution had. The biggest issue I had with their quote was that they didn't listen when I said I'd prefer a "cloud solution". They wanted to either install a server onsite or I'd run it as a Virtual Machine in my existing infrastructure. Running it onsite, to me, means managing greater risk of power outages, hardware failure, and so on. Running it on a single server bothers me when I've made a concerted effort to move everything to VMs in a highly available cluster.

When I started reading about how Lenel handles licensing is when I really started to get more annoyed. It's not shocking really, I've dealt with this for a lot of software. Essentially being a VM means you can't really use a USB dongle license key (unless you use USB passthrough). You have to run a USB key emulator software. They also use hardware information to "track" where the license is installed. From what I could tell they use the primary network adapter's MAC address. So for anyone that might not know, you want to set the VM where you install Lenel software to a static MAC address (all hypervisors support this). Or else if you try to "migrate" the VM to a different physical host server (and typically on next reboot) the MAC address will change dynamically and your licensing will get messed up.

Then there is the MS SQL Server. It seems you can use the free Express edition with obvious limitations. But that leads to another real realization. If you wanted to run a really highly available setup with multiple instances (if even possible with the Lenel software) you are looking at MS SQL Server licensing and no doubt more Lenel licensing. Starts to get a bit complex. Not to mention if you want to leverage "multiple sites" you are going to need to make sure your onsite Lenel server is accessible over the WAN from those sites (VPN most likely).

I made multiple comments during the quoting process and then again after the quoting process that I'd prefer to see pricing for Lenel OnGuard hosted solution. Instead I got the above and comments that "their clients have experienced issues in the past with the hosted OnGuard" (delays, slow, disconnections). I don't really care what the reasoning is, the Lenel partner didn't want to sell me the hosted solution or OnGuard hosted solution really isn't good, at the end of the day it was becoming a problem. And Feenics was built for the cloud, appeared to work extremely well, and addresses my real issues.

I have a feeling I'll be telling people how much I like Feenics in the future. And I'm a pretty vocal person online and to other companies that constantly ask for my help.

Thanks everyone!

 

(1)
Brian Rhodes
Feb 19, 2018
IPVMU Certified

> One thing I'd say I'd also like to see is vendors/resellers/etc embrace more of a "you lease the equipment and we keep it updated when new stuff comes along" approach. I think BluB0X might do that?

Brivo recently structured a sales program like this: Brivo Launches 'Hardware as a Service'

(1)
U
Undisclosed #5
Feb 19, 2018

Shout out to the perspectives on Lenel licensing architecture. Go with the Feenics installation and send an update.

UI
Undisclosed Integrator #4
Feb 17, 2018

It's not as easy as calling a Genetec installer. You are making it sound like this is an industry the same as Landscaping, it's not (not that Landscapers are bad people) it just doesn't work that way. Whatever you do (looks like you are maybe on the right track) by doing your due diligence, I would suggest that you look into Open Options.

(1)
Christopher Freeman
Feb 19, 2018

What level of security are you trying to achieve?

Always get 3-5 bids, options, alternatives so as not to just get Sold

The Individual Companies all have their likes, dislikes, standards

Weigh it out

Look at the reviews, product sell sheets, options, longevity of the company and who and where did they come from.

In the world we live in, there are so many Good, or Bad product lines being sold, rebranded, and changed to look like another's, just for sales

Be Careful of the proprietary market place where you're the client for life picture

Where are you going to go for repair, service, technicians 

I work both as consultant and Technician for many companies who pay out a fortune for service Just because systems are locked up.

If I want to charge a fortune, I can.

Typical (where it would cost min. 135.00 used for local service, they would pay 1800.00)

I would charge 1200-2500.00 per service call and That was at a discounted rate compared to the outrageous fees the others charged.

Then there is software support, licensing, fees (5k just to be there for support)

I worked on a few systems where the service techs had to be flown in from only one place in the world and this was the norm.

Spent many hours figuring out how to troubleshoot so I could accomplish the task at hand.

So as I was on the remote site, I performed service Remotely via Telephone, I did all the work, but the Company I worked for was Charged for phone rates at 300.00 per hour

I know they were saving a fortune, but Proprietary Systems Do Cost More in the long run.

Research 

Background 

Review, read reviews 

Don't just Trust another Salesman

 
