
Perimeter Intrusion Detection Systems (PIDS)

Introduction
PIDS is a fast-emerging application often deployed to prevent intrusion of unauthorized personnel into secure areas such as airports, maximum-security detention centers, nuclear facilities and more. This white paper discusses overall PIDS architectures, including requirements for the data communications system and a networking architecture that leverages the unique characteristics of carrier Ethernet to fulfill those requirements. The overall plan objective is to deter, delay, detect, assess, and track potential or actual breaches of the perimeter in a proactive manner, enhance the efficiency of security personnel in responding to security breaches, and provide a high level of protection for persons and property within the secured areas of an airport.

PIDS Architecture
PIDS is a complex commingling of multiple systems that provides advanced warning and threat assessment within a secure perimeter. Through a correlation of multiple alarms and detected threat contacts, the Command and Control Center operator can quickly identify targets of interest and dispatch the appropriate response to neutralize the threat.

PIDS architectures include four basic elements:
Sensors
Video Detection Equipment
Threat Assessment and Alarm Correlation/Management Systems
Data Communications Systems

The following sensors are typically used within the PIDS infrastructure:

Barrier Sensors
Barrier sensors are a two-in-one security option. They provide both a physical barrier to intrusion and a sensor for detection. Taut-wire systems are an example of barrier sensors.

Volumetric Sensors
Volumetric sensors generate an invisible detection field that locates and tracks intruders moving through the secure zone. These sensors include microwave systems, RADAR, and electrostatic detection devices.

Fence-Mounted Sensors
Fence and wall-associated sensors are above-ground detection sensors that are attached to an existing fence or wall. If vibration due to cutting or climbing on a metal fabric fence is detected, the detection field is considered compromised and an alarm is triggered.

FUJITSU NETWORK COMMUNICATIONS INC.


2801 Telecom Parkway, Richardson, Texas 75082-3515 Telephone: (972) 690-6000 (800) 777-FAST (U.S.) us.fujitsu.com/telecom

For your convenience, a list of acronyms can be found at the end of this document.

Video Camera Detection
Video motion detection systems transform the viewing-only ability of CCTV cameras into a tracking and alarm system. Using advanced software to analyze the video output signal, a detection field is created that can locate and track possible threats within the camera's perimeter zone. The speed and direction of moving targets, such as intruders and vehicles, can be tracked and logged, while anomalous static targets, such as a briefcase or package left by an intruder, can be flagged as a threat and the appropriate alarm sent to the operator. Video monitoring also provides PIDS with traditional long-term storage of video for use in reactive threat analysis.

Alarm Management Systems
The Command and Control Systems software continually monitors perimeter detection instrumentation and notifies console operators if any unauthorized change of system state occurs. Intrusion typically triggers multiple sensors such as fence sensors, barrier grid sensors, radar perimeter zones, and video motion detection fields. These alarms are correlated and displayed in a simple manner so that rapid threat assessment can be made and the appropriate action taken.

Data Communications Systems
The Data Communication infrastructure for PIDS provides connectivity between field-installed instrumentation such as sensors and video cameras, Command and Control file servers, and operator consoles. This infrastructure is critical to PIDS operation and reliability and is typically designed with a 99.999% reliability goal. The entire PIDS system must meet or exceed 99.9% reliability. The networks are usually designed with complete 1+1 redundancy for all Command and Control Center hub elements, including operator consoles, file and video servers, core data transport elements, and local LAN switching elements. A fully operational redundant Command and Control Center hub is deployed in an alternate location, providing complete Command and Control Center element redundancy.

The network infrastructure must be able to react to link and node failure events in sub-50 ms time, and to any failure scenario that forces the alternate Command and Control Center hub to activate within three seconds. The PIDS Data Communication networks require application awareness and strict quality of service. It is essential that all sensor data has guaranteed delivery and minimal network transit delay so that information from multiple sensors can be correlated properly.
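
The alarm correlation described under Alarm Management Systems, and its dependence on transit delay, can be sketched as follows. This is an added example, not code from Fujitsu or from any PIDS product; the zone labels, the 5-second window, the 0.5-second delay budget and the two-sensor escalation rule are assumptions, and the sample alarms are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOW_S = 5.0        # assumed correlation window, seconds
MAX_TRANSIT_S = 0.5   # assumed transit-delay budget, seconds
MIN_SENSOR_TYPES = 2  # assumed: distinct sensor types needed to escalate

@dataclass(frozen=True)
class Alarm:
    zone: str        # perimeter zone label (constructed)
    sensor: str      # sensor type: fence, radar, video, ...
    event_ts: float  # when the sensor fired
    recv_ts: float   # when the alarm reached the server

# Constructed sample alarms, not taken from any real system.
SAMPLE = [
    Alarm("Z1", "fence", 100.0, 100.02),
    Alarm("Z1", "radar", 101.2, 101.25),
    Alarm("Z1", "video", 102.0, 102.10),
    Alarm("Z2", "fence", 200.0, 200.03),   # single sensor only
    Alarm("Z3", "fence", 300.0, 300.05),
    Alarm("Z3", "video", 301.0, 309.00),   # delayed 8 s in transit
]

def _incident(zone, group):
    sensors = sorted({a.sensor for a in group})
    priority = "high" if len(sensors) >= MIN_SENSOR_TYPES else "low"
    return {"zone": zone, "sensors": sensors, "priority": priority}

def correlate(alarms, clock="event_ts"):
    """Group alarms per zone into WINDOW_S windows on the chosen clock."""
    per_zone = defaultdict(list)
    for a in alarms:
        per_zone[a.zone].append(a)
    incidents = []
    for zone in sorted(per_zone):
        group = []
        for a in sorted(per_zone[zone], key=lambda x: getattr(x, clock)):
            if group and getattr(a, clock) - getattr(group[0], clock) > WINDOW_S:
                incidents.append(_incident(zone, group))
                group = []
            group.append(a)
        incidents.append(_incident(zone, group))
    return incidents

def late_alarms(alarms):
    """Alarms whose transit delay exceeded the budget."""
    return [a for a in alarms if a.recv_ts - a.event_ts > MAX_TRANSIT_S]

if __name__ == "__main__":
    for clock in ("event_ts", "recv_ts"):
        print(clock, correlate(SAMPLE, clock))
    print("late:", late_alarms(SAMPLE))
```

Correlating on arrival time (recv_ts) splits the Z3 intrusion into two low-priority single-sensor events, which is the failure that bounded transit delay is meant to prevent.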

Network Connectivity
PIDS Data Communication Networks are designed with the utmost attention to high availability. The PIDS software mechanisms reside on a collection of servers that are interconnected via redundant L2/L3 switching devices. This server farm hosts the PIDS Alarm Management System, application-specific servers for sensor data, controlling mechanisms for radar and PTZ cameras, video hosting and recording systems, and network NMS systems. This entire infrastructure is replicated in an alternate location, providing 99.9% reliability at a minimum.

The carrier Ethernet Solution developed by Fujitsu is comprised of Ethernet Core/Aggregation and edge platforms from Atrica. These platforms provide a unique connection-oriented approach to Ethernet networking that provides all the security and guaranteed connection performance of technologies like ATM, only with the simplicity, multipoint flexibility, and price points of Ethernet. The Core/Aggregation switches, the A-8100/A-4100, are deployed in a redundant configuration at each of the hub locations. These core and aggregation switches leverage fully redundant Switch/Management cards, 1+1 protected interface cards, and dual power supplies to build a resilient architecture.

The field-located sensors and cameras are terminated on Ethernet edge devices using 100 Mb interface ports. These edge devices may be deployed in a point-to-point, ring, or dual-homed ring topology to achieve the resiliency requirements. Some installation locations may require the network element to survive exterior environmental conditions. For these locations the outdoor hardened edge switch, the A-2160, may be deployed. This design provides sub-50 ms protection for all link, node, common card, and interface card failures, ensuring that the highest degree of network availability is provided for the PIDS client/server connectivity.

Service Flexibility
The connection-oriented Ethernet architecture delivers unsurpassed service flexibility, ensuring that the network requirements for each PIDS application can be provisioned in the most efficient manner. In network architectures that support only PTP logical topologies (such as EoSONET, MPLS, ATM, etc.), it is possible to provide sub-50 ms protection switching between two points in the network but not between multiple points. The PIDS network, deployed with carrier Ethernet technology, delivers 50 ms protection switching between any point on the access ring and the primary and alternate Command and Control Center hub locations.

From an implementation perspective, VPLS is employed to support multiple termination points per application. This unique implementation of VPLS with traffic engineering extensions (VPLS-TE) allows each sensor or video device to be classified, segregated and connected to both Command Center hubs while supporting sub-50 ms protection switching for all transport network failures. Each termination in the VPLS service can be assigned an SLA congruent with the application's requirements, including CIR, EIR, bounded delay and jitter, and protection level. This provides the network operator with the utmost flexibility in provisioning sensor connectivity to the server farm, ensuring efficient use of network resources and protection against any network failure, including failure of the primary Command and Control Center.

The video motion detection system consists of CCTV cameras, video encoders, replication and storage servers, and video input analysis software. Video encoders have either unicast or multicast capability. When deploying unicast-only encoders, the VPLS service, coupled with advanced IP mapping classification, is used to ensure that each stream is directed to its proper destination within each Command and Control Center hub and that segregation from other traffic flows is maintained.

Multicast video encoders provide a much more efficient mechanism than unicast video, since the network itself can replicate the video streams instead of depending upon the video encoder. The carrier Ethernet solution supports multicast utilizing MPLS point-to-multipoint technologies, providing the replication required for each video stream to the four required destinations. Both multicast and VPLS services provide the video system application with the desired bandwidth guarantees, bounded delay and jitter, and sub-50 ms protection. Hard SLA attributes, coupled with the flexibility of VPLS/Multicast services, ensure that the carrier Ethernet network architecture can provide high quality and high availability to both unicast and multicast based video technologies.

Network Management System
The PIDS network infrastructure consists of many devices, including carrier Ethernet elements and third-party elements, that must be monitored at various levels. The carrier Ethernet NMS, referred to as ASPEN, provides key functionality in this area, negating the need for a Manager-of-Manager NMS, including:

Southbound Operations
ASPEN has the ability to manage through MIB-II and collect proprietary traps on any third-party device supporting SNMP.

Northbound Operations
ASPEN, using CORBA/XML NB interfaces or SYSLOG, can aggregate and present carrier Ethernet and third-party element faults and alarms to any NMS, including the PIDS Alarm Management System.

Another key feature that ASPEN provides to PIDS is NMS fault tolerance. The fault tolerance implementation for ASPEN allows two operational NMSs to exist online simultaneously, with real-time synchronization occurring between the primary and secondary NMS databases. ASPEN's simplicity in connection management, its flexible open architecture, and its fault-tolerant capabilities provide the features and reliability to effectively manage a data communications infrastructure that meets the needs of the PIDS architectural requirements.

Conclusion
PIDS applications are becoming more widespread and are covering a wider range of applications than ever before. PIDS applications require the reliable communication of sensor information from a variety of locations, possibly involving diverse types of time-sensitive inputs. The high reliability of a Fujitsu carrier Ethernet solution offers a unique connection-oriented approach for gathering remote sensor data and transporting it reliably and with the appropriate time-sensitivity back to the centralized command and control location.

Copyright 2006 Fujitsu Network Communications Inc. FUJITSU (and design) and THE POSSIBILITIES ARE INFINITE are trademarks of Fujitsu Limited. All Rights Reserved. All other trademarks are the property of their respective owners.

Acronym    Descriptor
ASPEN      Atrica Service Platform for Ethernet Networks
ATM        Asynchronous Transfer Mode
CCTV       Closed Circuit Television
CIR        Committed Information Rate
CORBA      Common Object Request Broker Architecture
EIR        Excess Information Rate
EoSONET    Ethernet over SONET
LAN        Local Area Network
MPLS       Multiprotocol Label Switching
ms         millisecond
NMS        Network Management System
PIDS       Perimeter Intrusion Detection System
PTP        Point-to-Point
SLA        Service Level Agreement
SNMP       Simple Network Management Protocol
SONET      Synchronous Optical Network
VPLS       Virtual Private LAN Service
XML        Extensible Markup Language
