PACE -- Physical + Network Access Control
The Hirsch PACE Gateway - Standards Based Event Sharing
The Hirsch Physical Access Control Event (PACE) Gateway ™enables organizations to securely share physical access control system (PACS) information with other trusted systems and applications. Organizations can now create and enforce policy-based network or other system responses to virtually any physical event within a facility or campus environment monitored by the Hirsch Velocity physical access control system, including an individual’s physical presence.
The PACE Gateway is a software-based Velocity enhancement that provides a secure mechanism for importing and exporting events (information) to other trusted systems and devices. The benefit to customers is that any event captured by Velocity can be communicated to other systems and devices. Thus, these events can be used as triggers for policy-based responses by these other systems. Additionally, the PACE Gateway can take events from network security and other networked systems and devices (such as but not limited to SCADA, SIEM, wireless LAN) and use these events to trigger physical access control system responses or enhance situational awareness.
PACE-Enabled Network Access Control (NAC)
The first solution employing the PACE gateway provides converged physical and network access control in a simple, easy to deploy solution. Employee transactions at designated building or area entry points are published by Velocity, and acted upon by the network access controller and policy decision points (PDP). Your network PDP's already validate the User Name, Password, Virus protection, etc before allowing a user to logon to your network. Hirsch PACE adds presence in the building or secure area as one more factor. If the person is not in the building, they cannot logon to the network.
Such an approach provides a host of security and control benefits, to both the physical and network security environments:
- Network Security is Enhanced
- if you are not in the building, internal and external hackers cannot log on using your user name and password, even if they guess it correctly.
- Remote access is enhanced - if you are in the building, remote access can be automatically disabled.
- Log-Off policy is enhanced - presenting a card at an "Exit" reader automatically logs a user off the network.
- Physical Security is Enhanced
- Minimizes Entry "Tailgating" - each user will have to actually use his credential at some entry point, or network access will be denied
- Promotes Use of "exit" Readers - for the first time, employees have a reason to use an "exit" reader, as doing so will enable their remote access and disable their local access privileges.
- Auditing is Correlated and Enhanced - Events from both the physical and network access systems can be published to a common database, making it incident tracking and reporting more accurate and useful.
PACE and the Trusted Computing Group
The PACE Gateway supports the open standard / specification from the Trusted Computing Group: the interface for Metadata Access Points (IF-MAP). The IF-MAP protocol essentially creates / supports event-based communications between various authorized and authenticated (e.g. Trusted) devices. Put in layman’s terms, IF-MAP is twitter for networked devices! Some devices “tweet” or publish information to clearinghouse for events (aka metadata) referred to as the MAP server. Other devices subscribe or “listen” to the tweets (published event metadata) of other devices and take action based upon those event messages.
IF-MAP has several components, all of which are widely embraced by the IT industry. Specifically, this protocol suite includes:
- Mutual Certificate-Based Authentication - establishes trust between devices / systems that share information
- Encrypted Communications (protects data while in transit)
- Simple Object Access Protocol Bindings - SOAP is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. In other words, it provides a basic messaging framework upon which web services can be built. It relies on eXtensible Markup Language (XML) as its message format.
- XML Metadata Exchange - (widely used and endorsed format / schema for communicating data between devices and applications in a common manner). XML based protocol consists of three parts: an envelope - which defines what is in the message and how to process it - a set of encoding rules for expressing instances of application-defined data types, and a convention for representing procedure calls and responses.