I feel sometimes there may be a little tendency to lean towards security through obscurity when it comes to access control, meaning access devices are seen as "less sophisticated" or technically robust as surveillance cameras, so therefore not as strong a threat. But a network device is a network device. I believe the newer Mercury boards are Linux-based, as many older devices probably are. Care and caution still need to be taken with these devices.
Dedicated Vs Converged Access Control Networks (Statistics)
Running one's access control system on a converged network, with one's computers and phones, can save money. On the other hand, doing so can present a security risk as well as increase troubleshooting challenges.
On the video side, more than 2/3 of systems use dedicated networks, but how about for access control?
In this report, we examine the responses of 150+ Integrators to:
In the past year, what percentage of your access control installs are on a converged vs a dedicated network? Why?
Yeah, while network vulnerabilities certainly haven't had as high of a profile as the camera systems compromised, they still exist (MicroTrend: HID vuln., Software House vuln, gSOAP vuln affects Axis controllers). You mention Mercury and other Linux-based platforms as a concern, but there is also the Genetec Synergis Cloud Link, which is Windows-based, which potentially opens another set of concerns.
Let us not forget the security v. convenience debate. Everyone wants security, but not at a loss of convenience. I think converged networks are a prime example of that with access control. The need to be able to access it easily whenever they desire far outweighs the security desire they thought they had.
Cameras getting a dedicated network has much more to do with bandwidth than security with many customers. They want the camera access, but don't slow down productivity. If productivity will be jeopardized, we better dedicate a network to that.
I don't think I've ever done card access on a standalone network. Always been attached to the client's IT network. Just always been easier and cheaper I suppose. IT is already there, they set up the server on one of the VMs, and VLAN their network for the access panel.
I never really ran into a lot of finger pointing. A few simple checks and it's easy to tell whose problem it is. The biggest problem was getting the proper ports open on their firewall. When I first started doing card access for one of my previous employer's larger clients, their IT had a tendency to blame our hardware when things wouldn't connect. Once I learned about telnet, that started to change. Turn off the communications manager on the server, telnet on the port. If it works, then IT was right; if it doesn't, then IT was wrong. 9 times out of 10, it was a problem on their end.
I always found if I could prove them to be wrong, IT generally stopped the blame game. They of course would never admit they did something wrong, but the problem always magically got fixed.
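The telnet check in the comment above only shows whether a connection succeeds. As an added example (not part of the thread or any vendor's tooling), this Python sketch separates a refused connection from a silently dropped one, which usually points at either the service or the firewall; the function names and the loopback demo listener are constructed for illustration.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connection attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: path and listener both work
    except ConnectionRefusedError:
        return "refused"         # host sent a reset: path works, nothing is listening
    except socket.timeout:
        return "filtered"        # no reply at all: typical of a firewall dropping packets
    except OSError as exc:       # no route, DNS failure, and similar
        return "error: " + errno.errorcode.get(exc.errno, str(exc))


# Where to look next for each outcome (wording is this example's own).
HINTS = {
    "open": "port reachable; look at the application or panel configuration",
    "refused": "network path is fine; the service is not listening on that port",
    "filtered": "no response; check firewall rules and VLAN ACLs on the path",
}


def diagnose(host, port, timeout=3.0):
    """Return (result, hint) for a single probe."""
    result = probe_tcp(host, port, timeout)
    return result, HINTS.get(result, "unexpected failure; check routing and name resolution")


if __name__ == "__main__":
    # Constructed demo: a local listener stands in for the panel's port.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    print(diagnose("127.0.0.1", port))   # listener up
    listener.close()
    print(diagnose("127.0.0.1", port))   # listener gone
```

A firewall configured to reject rather than drop also produces "refused", so confirm on the host itself that the service is listening before drawing a conclusion.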