
Sunday, March 8, 2020

Security Mantraps on the way

Security mantraps came into use during the 16th century and were mechanical devices used for catching poachers and trespassers. Today, a security mantrap is commonly described as a small room, area or compartment that is designed to temporarily hold (trap) an individual between two doors (barriers) so that their credentials can be verified before granting access. Verification may be manual, performed by security personnel, or automatic, performed by technology. Most systems installed today are automatic, with various integrated technologies to enhance security and safety and to prevent unauthorized entry.

In the 17th century, sally ports were built to control the entryway to a fortification or prison. They often included two sets of doors (or gates) to delay enemy penetration. Today, a sally port used for security applications may include doors, gates or other physical barriers to control access of people (or vehicles) to a secure area. Both security mantraps and sally ports are widely used for security applications. However, despite some similarities, the terms are not used interchangeably, and only sally ports are referenced in the building codes.

A mantrap is an access control tool designed for and restricted to a physical space, which is separated from the adjoining spaces (rooms) by two doors, usually an exit and an entry door that cannot be unlocked at the same time. Mantraps are like a double-door checking system that uses either airlock technology or interlocking doors.


Today's simplified automatic mantrap rooms enable access with access cards, key fobs and mobile phones. Since mantraps prevent two persons (unless authorized) from being in the same room, they can be used for shared spaces in hospitals, dormitories and boarding rooms or anywhere else where people have some need for privacy.

Both the International Building Code (IBC) and the Life Safety Code (NFPA 101) describe a sally port as a compartmented area with two or more doors (or gates) where the intended purpose is to prevent continuous and unobstructed passage by allowing the release of only one door at a time. Both codes restrict their use to institutional type occupancies (e.g., prisons, jails, detention and correctional centers) and require provisions for continuous and unobstructed travel through the sally port during an emergency egress condition.

During 2017, the greatest digital damage from cyber-attacks included continuous targeting of critical infrastructure, ransomware, government emails being hacked, exfiltration of Central Intelligence Agency documents, and the multinational WannaCry ransomware attack on over 200,000 systems. Gartner's global information security spending forecast estimates that by the end of 2017, purchases of security products and services could reach $84.5 billion, a seven percent increase since 2016. Defenses have progressively improved and measures continue to be implemented. However, one area lags far behind: the physical security of data centers and, specifically, the adoption and employment of mantraps.

According to BICSI, a mantrap is created using two interlocking doors which open only one at a time after the correct credentials have been validated. To physically secure a facility or data center, periodic risk assessment and policy reviews should be conducted. Ideally, drills should be included to ingrain the training scenarios and validate policies and procedures. An example of layered security can be found in TIA-942, where tiers I through IV are used to differentiate each level, including Kevlar or bullet-resistant walls, windows, doors, closed circuit television (CCTV) monitoring, access control and more.

Despite their widespread use, security mantraps are not referenced by either IBC or NFPA, which has given rise to a plethora of terms and definitions, including, for example: security portals, security vestibules, security airlocks, security booths, security cabins, control vestibules and personnel interlocks. For the supplier, designer or code official, this lack of regulation can result in different interpretations of building code and life safety requirements. Generally, the most appropriate sections of the code are applied and enforced, which may include sections on doors, gates, turnstiles, revolving doors and accessibility requirements. Because security mantraps are unique in their design and operation, the enforcement of code sections intended for other technologies may result in installed systems that are over- or under-designed with added costs and project delays, if accepted at all.

A security mantrap may be manual or automatic, manned or unmanned, pre-engineered or built from the ground up, located indoors or outdoors, and include a variety of technologies to enhance security, safety, aesthetics, throughput, service and overall performance. The systems come in various sizes, shapes, styles and configurations with a multitude of finishes, glazing and door options, including ballistic and vandal resistant. Other options and features include: metal/weapons detection, left object detection, tailgating/piggybacking detection, monoblock construction, wall mount versions, network interface capabilities, video cameras, intercoms, anti-passback integration, biometrics, manual releases, and inputs/outputs for control and alarm monitoring. While most common mantraps work with a system of two interlocked doors, there are solutions that can be implemented on three or more doors, including varied authentication systems. “Real” mantraps typically have two locked doors. Some interlocked mantraps, such as those used at bank entrances, are unlocked to begin with, and only lock when one of the doors is open.

Security mantraps are commonly found in high-security, mission-critical facilities (e.g., government, military, critical infrastructure), but can also be found in many commercial and industrial facilities (e.g., banking, data centers, pharmaceutical, health care, airports, casinos, executive suites, high-end retail, R&D labs). Some of the key drivers for using security mantraps include the ability to detect and prevent tailgating and piggybacking incidents in unmanned locations, satisfying various regulatory compliance standards (e.g., GDPR, GLBA, PCI DSS, HIPAA, FISMA, SOX) by restricting access to critical information systems, and protecting against other security threats that have become more prevalent in the world today (e.g., espionage, terrorism, theft, vandalism, protests, etc.).

When security mantraps are being considered as a countermeasure to mitigate unauthorized entry, it is important to establish clear goals and objectives for the equipment, application and environment. Then, carefully review and evaluate the proposed system based on form, fit and function. When these systems become part of the building infrastructure, provisions for security and safety must be met. This often starts with a security risk assessment for the facility or site.

Two Major Types of Mantraps:
  • Air Lock Control – low-security systems used only for environmental control, also referred to as normally unlocked.
  • Restricted Entry and Exit – considered the highest-security type, used with normally locked doors. Opening any door keeps all other doors secure. The mantrap buffers simultaneous requests for access, which prevents any two doors from being unlocked at the same time.
Additionally, some mantraps may incorporate a request-to-exit (REX) device, typically located on the inside secured door; most are identified as a ‘quick release’ latch.
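
The interlock rule described for restricted entry and exit mantraps, sketched as an added Python example (not taken from any vendor's controller): the class name, door names and event methods are assumptions, and the demo sequence is constructed.

```python
from collections import deque

# Added example: class, method and door names are assumptions, not a product API.
class MantrapInterlock:
    """Normally locked interlock: at most one door is released at any time."""

    def __init__(self, doors):
        self.state = {d: "locked" for d in doors}  # locked | unlocked | open
        self.pending = deque()                     # buffered access requests
        self.audit = []                            # (door, decision) audit trail

    def _others_secure(self, door):
        return all(s == "locked" for d, s in self.state.items() if d != door)

    def request(self, door, credential_ok):
        """Credential presented at `door`; release only if every other door is secure."""
        if not credential_ok:
            result = "denied"
        elif self.state[door] == "locked" and self._others_secure(door):
            self.state[door] = "unlocked"
            result = "released"
        else:
            self.pending.append(door)              # never unlock a second door
            result = "buffered"
        self.audit.append((door, result))
        return result

    def door_opened(self, door):
        if self.state[door] != "unlocked":
            self.audit.append((door, "alarm: opened while locked"))
        self.state[door] = "open"

    def door_closed(self, door):
        """Relock on close, then serve the oldest buffered request."""
        self.state[door] = "locked"
        if self.pending:
            nxt = self.pending.popleft()
            return nxt if self.request(nxt, True) == "released" else None
        return None

def demo():
    trap = MantrapInterlock(["outer", "inner"])    # constructed two-door layout
    steps = [trap.request("outer", True),          # outer released
             trap.request("inner", True)]          # buffered: outer is not secure
    trap.door_opened("outer")
    steps.append(trap.door_closed("outer"))        # outer relocks, inner is released
    released = [d for d, s in trap.state.items() if s != "locked"]
    return steps, released
```

The same class accepts three or more doors; a door opened while locked is recorded as an alarm and blocks every other release until it closes.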

Mantrap Pros:
  • Allows only one person to enter or exit at a given time
  • Requires proper identification and authentication
  • Restricts movement into and out of the data center
  • Can be used to hold unwanted visitors until authorities are called
  • Provides an audit trail for personnel and visitors
Mantrap Cons:
  • Highly secure doors are more expensive
  • May not permit movement of large boxes, dollies, deliveries, etc.
  • May fail during electrical power outage unless backup exists
  • If not properly implemented according to policy and design, may present a safety risk
The goal of any security risk assessment is to develop a protection strategy that mitigates risk to people, property and information systems, and, for security mantraps, the primary goal is to prevent unauthorized entry. The security risk assessment process begins with asset identification and valuation, followed by evaluation and analysis of associated threats, vulnerabilities and potential loss impact. Finally, security measures are recommended and form the basis of an integrated protection strategy.

Sunday, November 1, 2015

Anti-Passback in Access Control Systems

The anti-passback (APB) feature is designed to prevent misuse of the access control system. The anti-passback feature establishes a specific sequence in which access cards must be used in order for the system to grant access.

The anti-passback (APB) feature is most commonly used at parking gates, where there is both an “in” reader at the entry gate and an “out” reader at the exit gate. The anti-passback feature requires that for every use of a card at the “in” reader, there be a corresponding use at the “out” reader before the card can be used at the “in” reader again. For the typical user of the parking lot, this works fine, because the user would normally swipe their card at the “in” reader to get into the lot in the morning, and swipe it at the “out” reader to get out of the lot in the evening. So long as the sequence is “in – out – in – out – in – out”, everything works fine. However, if a user swipes his card at the “in” reader to get in, and then passes his card back to a friend, the card would not work the second time when it was swiped by the friend. The attempt to use the card a second time would create an “in – in” sequence that is a violation of the anti-passback rules, and this is why access would be denied.

Picture Left: (1.) First the cardholder enters the area, and then the system will allow them to (2.) exit.

Picture Right: If a cardholder has already (1.) entered and then, before exiting, tries (or someone else with their card tries) to enter again, they will be (3.) denied because of an anti-passback violation: it is impossible to enter an area when the system thinks you are already inside.


Anti-passback can also be used at employee entrance doors. This requires that a card reader be installed on both the inside and the outside of the door. Employees are required to both "card-in" when they enter the building and "card-out" when they leave the building. The anti-passback feature is also commonly used with turnstiles.

There is an expanded version of the anti-passback feature called “regional anti-passback”. This establishes an additional set of rules for card readers inside of the building itself. Basically, this rule says that unless a card is first used at an “in” reader at the building exterior, it cannot be used at any reader within the interior of the building. The theory is that, if a person did not enter through an approved building entrance, he or she should not be permitted to use any of the readers within the building.

Depending on the access control system manufacturer, there may be additional anti-passback features in the system. Some of these features could include "timed anti-passback", which requires that a designated amount of time pass before an access card can be used at the same reader again, and "nested anti-passback", which requires that readers be used only in a designated sequence to enter or leave a highly-secured area.

Denying access when a user attempts to use a card out of sequence is sometimes called "hard" anti-passback. Hard anti-passback means that when a violation of the anti-passback rules occurs, the user will be denied access. Some access control systems also offer a feature known as "soft" anti-passback. When a system is using this option, users who violate anti-passback rules are permitted access, but the incident is reported to the person managing the access control system so that corrective action can be taken - most often notifying the offending employee that the access card should be used in the proper sequence in the future.

The anti-passback feature can also be integrated with the corporate computer system, preventing users from logging on to the network at their desktop computer unless they have properly entered the building using their access card. This feature can also temporarily disable the user's remote log-on privileges while the user is in the building, the theory being that if the user is at work, there is no reason for someone from off-site to be logging on to the network using his or her user name and password. When the user leaves the building at the end of the day, his or her remote log-on privileges are turned back on.
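
The in/out sequence, regional, hard/soft and log-on rules described above, as an added Python example that is not code from any access control product: the reader names, card names and swipe log are constructed, and the class and method names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed reader layout (names are assumptions): perimeter in/out plus one interior reader.
READERS = {"gate-in": "in", "gate-out": "out", "lab-door": "interior"}

@dataclass
class AntiPassback:
    mode: str = "hard"                              # "hard" denies; "soft" grants and reports
    inside: set = field(default_factory=set)        # cards the system believes are inside
    violations: list = field(default_factory=list)  # report for the system administrator

    def swipe(self, card, reader):
        kind = READERS[reader]
        if kind == "in":
            violation = card in self.inside         # "in - in" sequence
        else:
            # "out" and interior readers require a prior "in" (regional anti-passback).
            violation = card not in self.inside
        if violation:
            self.violations.append((card, reader))
            if self.mode == "hard":
                return "denied"                     # presumed location is left unchanged
        if kind == "in":
            self.inside.add(card)
        elif kind == "out":
            self.inside.discard(card)
        return "granted"

    def logon_allowed(self, card, source):
        """Desktop logon needs a prior card-in; remote logon is off while inside."""
        if source == "desktop":
            return card in self.inside
        return card not in self.inside

EVENTS = [  # constructed swipe log: (card, reader)
    ("alice", "gate-in"),   # normal entry
    ("alice", "gate-in"),   # card passed back to a second person: "in - in"
    ("alice", "lab-door"),  # interior reader after a valid entry
    ("bob", "lab-door"),    # bob followed someone in and never carded in
    ("alice", "gate-out"),  # normal exit
    ("alice", "gate-out"),  # "out - out"
]

def replay(mode):
    apb = AntiPassback(mode=mode)
    decisions = [apb.swipe(card, reader) for card, reader in EVENTS]
    return decisions, apb.violations
```

Replaying the same log with `replay("hard")` and `replay("soft")` yields the same violation report; only the door decisions differ.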

Some Typical Situations

A. When someone enters through the entry gate following others without his or her own authentication, he or she cannot get through the exit gate with his or her own authentication, even if that authentication is valid. The same applies when someone gets through the entry gate following others without his or her own authentication: he or she cannot get through the entry gate with his or her own authentication.

B. When someone gets through the gate and then “passes back” the card, say through a window or another door, to an unauthorized user, who then uses the same card to access the building, that user cannot get through. The same applies to password authentication.

C. When someone passes the fingerprint/card/password authentication but does not go through the gate, he or she cannot get through the gate afterwards, even if the authentication is valid.

Set up an Anti-passback SYRiS Controller Exp:-


Set up an Anti-passback Suprema BioStar V1.62 Software Exp:-


Anti-passback is a security mechanism that prevents a person from passing back her access card to the next person. It is designed to prevent the next person from verifying herself with another person's access card. When using BioStar, you can set up an Anti-passback zone, which requires users who've already entered an area to leave the zone first before entering the area again. For instance, if the zone consists of two devices (let's call them Device A and Device B here), the user who's been already verified on Device A must verify herself on Device B before verifying herself on Device A again.
You can set up an anti-passback zone by performing the following steps:
1. On the Doors page, click Add New Zone.

2. Enter a name for the Anti-passback zone and choose Anti-passback Zone from the Type drop-down list.
3. Configure the settings of the Anti-passback zone and add devices to the zone by clicking Add Device.
  • APB Type
      • Soft – A user who has broken the Anti-passback rule can enter the area without the administrator explicitly releasing the alarm.
      • Hard – A user who has broken the Anti-passback rule can't enter the area without the administrator explicitly releasing the alarm.
  • In case of Disconnected
      • Door Open – Doors in the zone will get opened when the communication between the master and member devices is disconnected.
      • Door Close – Doors in the zone will get closed when the communication between the master and member devices is disconnected.
4. Choose the devices you want to add to the zone as In Device and click the right arrow button. Perform the same for Out Device.
5. Click Apply to transfer the settings to the devices.