How to respond to tender-specific RFP questions for MOBOTIX HUB

Some tenders require an RFP checklist to be filled out at the beginning of the tender process, covering general system and/or company related questions. The following questions and answers are examples of how to answer them in a MOBOTIX HUB related scenario.

ADMIN AND SECURITY related Topics

How does an administrator add or remove a user?
VMS: The administrator adds, removes and changes users and user rights in the Management Client of the VMS (see the manual). Active Directory users can also be deleted directly in Active Directory. Integrating the VMS with Active Directory improves security and simplifies daily operation: an AD administrator adds or removes the user from an AD group that is linked to a role in the VMS, so day-to-day access to the VMS application is handled by the regular IT administrative staff without any change to the VMS configuration.
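As an added example (not part of the original page or of the MOBOTIX documentation), the following PowerShell keeps the membership of an AD security group that is linked to a VMS role in sync with a desired user list, so that onboarding and offboarding operators never touches the Management Client. The group name VMS-Operators, the account names and the function name Sync-VmsRoleGroup are assumptions; the script requires the RSAT ActiveDirectory module and rights to modify the group.

```powershell
# Added example (not from the MOBOTIX documentation): keep the membership of an
# AD security group that is mapped to a MOBOTIX HUB role in sync with a desired
# list of users. The group name and the account names used below are assumptions.
#Requires -Modules ActiveDirectory

function Sync-VmsRoleGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $GroupName,       # AD group linked to a VMS role
        [Parameter(Mandatory)] [string[]] $DesiredMembers   # sAMAccountNames that should hold the role
    )

    # Current direct user members. Nested groups are deliberately ignored: a nested
    # group would grant the VMS role to people this reconciliation never sees.
    $current = @(Get-ADGroupMember -Identity $GroupName |
        Where-Object objectClass -eq 'user' |
        Select-Object -ExpandProperty SamAccountName)

    $toAdd    = @($DesiredMembers | Where-Object { $_ -notin $current })
    $toRemove = @($current        | Where-Object { $_ -notin $DesiredMembers })

    foreach ($user in $toAdd) {
        if ($PSCmdlet.ShouldProcess($GroupName, "add $user")) {
            Add-ADGroupMember -Identity $GroupName -Members $user
        }
    }
    foreach ($user in $toRemove) {
        if ($PSCmdlet.ShouldProcess($GroupName, "remove $user")) {
            Remove-ADGroupMember -Identity $GroupName -Members $user -Confirm:$false
        }
    }

    # Change record for the ticket / audit trail.
    [pscustomobject]@{
        Group   = $GroupName
        Added   = $toAdd
        Removed = $toRemove
        Members = @(Get-ADGroupMember -Identity $GroupName |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName)
    }
}

# Preview first, then apply (group and account names are assumptions).
Sync-VmsRoleGroup -GroupName 'VMS-Operators' -DesiredMembers 'alice', 'bob' -WhatIf
Sync-VmsRoleGroup -GroupName 'VMS-Operators' -DesiredMembers 'alice', 'bob'
```

AD group membership is evaluated when the user authenticates, so a user removed from the group keeps a session that is already established; for an immediate cut-off, disable the account in AD as well. Keep the returned change record, since it is exactly the evidence the audit questions below ask for.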

How is password maintenance performed? (new, reset etc.)
VMS: Basic users are maintained by the administrator in the Management Client of the VMS. Active Directory users are maintained directly in Active Directory, and the password policies of the AD are inherited.

What are your predefined security roles and what actions do they allow the user to perform?
VMS:

  • Administrator: full access.
  • Operators: access only to the clients (Desk Client, Web Client, Mobile Client), with standard read-only permissions for video.
  • The full list of possible role settings can be found in the manual.

Can the security roles be customized to create custom user profiles?
VMS: Yes

Does your system support single sign-on (SAML) or federation?
VMS: Yes. MOBOTIX HUB provides the following authentication methods:

  • Basic users, authenticated by a user name/password combination; they are specific to one system/site.
  • Windows users, authenticated based on their Windows login (Active Directory); they can span several sites.
  • The built-in Identity Provider (IDP), which runs as an application pool on the management server.
  • An external IDP.
  • Single sign-on (SSO) through an external IDP has been supported since MOBOTIX HUB version 2022 R1, and Azure was supported from that release. The integration is based on OAuth 2.0 / OpenID Connect, so any identity provider that offers an OIDC endpoint is supported.

Does your system include the ability to re-brand the Web pages? (i.e., use your own logo)
VMS: Yes.

Does your system allow you to view user login activity?
VMS: Yes. The MOBOTIX HUB Management Server provides the following logs:

  • System logs: system-related information.
  • Audit logs: user activity (including logins).
  • Rule-triggered logs: rules in which users have specified the "Make new <log entry>" action. For more information about the action, see the "Actions and stop actions" section of the manual.

Do you require strong passwords? (case sensitive, numbers etc.)
VMS: Yes.

  • Windows users: by Active Directory settings.
  • IDP login: defined by the IDP service.
  • Basic users: defined by the administrator; an individual complex password rule can be configured.

Do you require that passwords expire based upon a number of days or other criteria?
VMS: Yes for Windows and IDP users; basic users can only be forced to change their password at first login.

  • Windows users: by Active Directory settings.
  • IDP login: defined by the IDP service.
  • Basic users: can only be forced to change their password at first login; a day-based expiry is not available for basic users.

Do you store and display password hints to help remind users of their passwords?
VMS: Yes. If the solution is set up with integration to Active Directory, this feature is supported at OS level.

Do you provide the ability to audit who has viewed/changed items in the system?
VMS: Yes. The MOBOTIX HUB Management Server provides the following logs:

  • System logs: system-related information.
  • Audit logs: user activity.
  • Rule-triggered logs: rules in which users have specified the "Make new <log entry>" action. For more information about the action, see the "Actions and stop actions" section of the manual.

If any part of the application resides outside the customer's premises, describe your security architecture.
It depends on the deployment. By default, no part of the application resides outside the customer's premises; the VMS is installed on the customer's own Windows servers.
If the solution is instead installed at Azure, AWS, Google Cloud or a similar provider, the hosting partner describes the security controls of their facilities.

Secure communication between all servers (Management Server, Recording Server, Event Server etc.)
In MOBOTIX HUB VMS, secure communication between servers and clients is obtained with TLS (still commonly referred to as SSL): the servers are issued certificates with RSA key pairs, which are used to authenticate the endpoints and set up the session keys; the traffic itself is then encrypted with a symmetric cipher.
Recordings can also be encrypted at rest.
The MOBOTIX HUB Hardening Guide explains all basic and advanced options.
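As an added example (not from the original page or the Hardening Guide), the following PowerShell probes a server's TLS endpoint the way a client would and reports the negotiated protocol, cipher, certificate and chain status, so you can verify that the servers really negotiate TLS 1.2 or later with a certificate that is trusted and matches the host name clients use. The host name vms-mgmt.example.local, the port 443 and the function name Test-VmsTlsEndpoint are assumptions; which ports the individual MOBOTIX HUB services listen on is documented in the Hardening Guide. It runs in Windows PowerShell 5.1 on .NET Framework.

```powershell
# Added example (not from the MOBOTIX documentation): probe a VMS server's TLS
# endpoint and report what a client actually negotiates. Host name and port are
# assumptions; always probe the FQDN that the clients use, because that is the
# name the certificate has to match.

function Test-VmsTlsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443,
        [System.Security.Authentication.SslProtocols] $MinimumProtocol = 'Tls12'
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($ComputerName, $Port)

    # Accept any certificate in the callback so the handshake completes and the
    # result can be inspected; validation is done explicitly further down.
    # Never use an accept-all callback in production client code.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        # Explicit chain validation against this machine's trust store.
        $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        # The host name must appear among the certificate's DNS names
        # (DnsNameList is PowerShell's view of the subject/SAN DNS entries).
        # Wildcard names are not matched by this simple check.
        $nameOk = @($cert.DnsNameList.Unicode) -contains $ComputerName

        [pscustomobject]@{
            Host        = $ComputerName
            Port        = $Port
            Protocol    = $ssl.SslProtocol
            ProtocolOk  = ([int]$ssl.SslProtocol -ge [int]$MinimumProtocol)
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            ChainOk     = $chainOk
            ChainStatus = $chainStatus
            NameOk      = $nameOk
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# Example: management server over HTTPS (host name and port are assumptions).
Test-VmsTlsEndpoint -ComputerName 'vms-mgmt.example.local' -Port 443
```

A result with ProtocolOk, ChainOk and NameOk all true is what the tender answer above claims; a self-signed certificate shows up as ChainOk false with UntrustedRoot in ChainStatus, and a certificate issued to the short host name instead of the FQDN shows up as NameOk false. Run the probe against every server role (management, recording, event server) from a client network, not only from the server itself.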

Include any significant failures, breaches or issues encountered in the last five years.

  • MOBOTIX HUB Management Server: possible remote code execution by an authenticated user.
  • MOBOTIX HUB Event Server: possible remote code execution by an authenticated user.

Security patches were provided for both cases.

If data centers are physically secured, explain the method/technology used.

MOBOTIX does not offer hosting services for MOBOTIX HUB. Physical data center security is the responsibility of the system integrator or hosting partner.

Describe the proposed system's application level security.
See the answer to "Secure communication between all servers" above: communication between the servers (Management Server, Recording Server, Event Server etc.) and the clients is secured with TLS using certificates with RSA key pairs, recordings can also be encrypted at rest, and the MOBOTIX HUB Hardening Guide explains all basic and advanced options. Authentication and authorization are described in the next question.

What is the application authentication process? What methods are used to authorize users?

  A. Log-in options: log-in authentication via:
    a. Microsoft Active Directory.
    b. Local Windows user accounts.
    c. Basic user system accounts (username and password credentials), with:
      1. Ability for a basic user to change the password during login.
      2. Ability for the system administrator to enforce a password change at login.
      3. Ability to enforce password complexity.
    d. Dual authorization, a.k.a. the two-person rule, requiring two verified persons to gain access.
    e. OpenID Connect access using the Web Client.
    f. Auto-log-in: use of the last used credentials for authentication, with auto-log-in and auto-restore of camera views.
    g. Kerberos authentication: strong authentication via Kerberos support.
  B. User rights management: common and central, detailed management of user rights across all user and programmatic (SDK) interfaces, using roles, users and user groups:
    1. Tiered user rights: assign partial management of permissions to system administrators using the MOBOTIX HUB Management Client.
    2. User rights: define roles, add and delete users, manage permissions for roles, user groups and users, generate user rights management reports. Tiered user management rights enable differentiated administrator rights per administrator role.
    3. User rights inheritance: create sub-management domains where management of a specific set of devices can be assigned to a specific system administrator.
    4. Roles: defining roles establishes permissions (also called "rights") that determine which system features may be accessed by users and groups. The following security settings are provided for roles:
      a. Role info:
        1. General: Management Client profiles, Desk Client profiles, evidence lock profiles, dual authorization rights, system log-in time profile.
        2. Applications: login to MOBOTIX HUB Desk Client, MOBOTIX HUB Web Client and MOBOTIX HUB Mobile client.
        3. Anonymous PTZ sessions: enabling anonymous user information for PTZ sessions.
      b. Users and groups: users and groups can be assigned to multiple roles.
      c. Overall system permissions: globally allow or deny permissions for servers, devices and functions (such as manage, read, edit and delete).
      d. Specific system permissions: allow permissions for specific individual devices and functions:
        1. Cameras: visibility, live view (within time profile), playback (within time profile), search sequences, video search, export, manual recording, bookmark functions, AUX commands, evidence lock functions.
        2. Microphones and speakers: visibility, listen to live audio (within time profile), playback audio (within time profile), search sequences, export, manual recording, bookmark functions, evidence lock functions.
        3. Inputs and outputs: visibility, activation.
        4. PTZ control: manual control, activate PTZ presets, PTZ priority, manage PTZ presets and patrolling, reserve and release PTZ session.
        5. Speech: speak to speakers, speak priority.
        6. Remote recordings: retrieve remote recordings.
        7. Monitor wall: visibility, edit, delete, operate, playback.
        8. External events: visibility, edit, delete, trigger.
        9. View groups: visibility, edit, delete, operate.
        10. Servers: professional server access and authentication details, MOBOTIX HUB Federated Architecture site permissions.
        11. Matrix: visibility.
        12. Alarms: manage, view, disable alarms, receive notifications.
        13. MIP: MOBOTIX HUB Integration Platform plug-in permissions.
  C. Client authentication: the Management Server authenticates and authorizes connecting clients (MOBOTIX HUB Desk Client, MOBOTIX HUB Management Client and MIP SDK clients) and uses a session-limited access token to control access to the Recording Server.

Does your application allow for global security policies (e.g., number of invalid attempts before reset, time outs)?
VMS: Yes.

  • Windows users: by Active Directory settings (account lockout threshold, lockout duration etc.).
  • IDP login: defined by the IDP service.
  • Basic users: defined by the administrator in the Management Client.
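The password questions above (complexity, expiry) and this one all defer Windows users to Active Directory settings. As an added example (not from the original page), the following PowerShell reads the password and lockout policy that VMS Windows users actually inherit and flags values below a baseline, which is the evidence a tender reviewer will ask for. The baseline values, the function name Test-VmsAdPasswordPolicy and the account name alice are assumptions; the script requires the RSAT ActiveDirectory module.

```powershell
# Added example (not from the MOBOTIX documentation): report the AD password and
# lockout policy that Windows users of the VMS inherit, and flag settings below an
# assumed baseline. Baseline numbers and the account name are assumptions; replace
# them with the values required by the tender.
#Requires -Modules ActiveDirectory

function Test-VmsAdPasswordPolicy {
    param(
        # Optional user: a fine-grained password policy may override the domain default.
        [string] $Identity,
        [int] $MinLength        = 12,
        [int] $MaxAgeDays       = 90,
        [int] $HistoryCount     = 10,
        [int] $LockoutThreshold = 10
    )

    $policy = $null
    $source = 'default domain policy'
    if ($Identity) {
        # Resultant policy = the fine-grained policy that applies to this user, if any.
        $policy = Get-ADUserResultantPasswordPolicy -Identity $Identity
        if ($policy) { $source = "fine-grained policy for $Identity" }
    }
    if (-not $policy) {
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $policy.ComplexityEnabled) {
        $findings.Add('complexity requirement is disabled')
    }
    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings.Add("minimum length $($policy.MinPasswordLength) < $MinLength")
    }
    # A zero (or absurdly large) MaxPasswordAge means passwords never expire.
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
        $findings.Add("maximum password age $($policy.MaxPasswordAge.TotalDays) days (baseline: 1-$MaxAgeDays)")
    }
    if ($policy.PasswordHistoryCount -lt $HistoryCount) {
        $findings.Add("password history $($policy.PasswordHistoryCount) < $HistoryCount")
    }
    # LockoutThreshold 0 means accounts are never locked after failed attempts.
    if ($policy.LockoutThreshold -eq 0 -or $policy.LockoutThreshold -gt $LockoutThreshold) {
        $findings.Add("lockout threshold $($policy.LockoutThreshold) (baseline: 1-$LockoutThreshold)")
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings.Add('reversible encryption is enabled')
    }

    [pscustomobject]@{
        Source            = $source
        ComplexityEnabled = $policy.ComplexityEnabled
        MinPasswordLength = $policy.MinPasswordLength
        MaxPasswordAge    = $policy.MaxPasswordAge
        PasswordHistory   = $policy.PasswordHistoryCount
        LockoutThreshold  = $policy.LockoutThreshold
        LockoutDuration   = $policy.LockoutDuration
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Domain default, then the policy that applies to one VMS operator (account name is an assumption).
Test-VmsAdPasswordPolicy
Test-VmsAdPasswordPolicy -Identity 'alice'
```

The resultant policy is the one that counts: a fine-grained password policy assigned to a group of VMS operators silently overrides the domain default, so run the check for a member of each AD group that is linked to a VMS role, not only for the domain. Basic users and external IDP logins are not covered by this check; for those the rule configured in the Management Client or at the IDP has to be shown separately.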

TECHNOLOGY

What separates your product from your competition from a technology perspective?
MOBOTIX HUB is a truly open platform video management system. It has a published application programming interface (API) that allows developers to extend its functionality. The combination of decentralized MOBOTIX IoT cameras and a flexible VMS such as MOBOTIX HUB is unique in the market. The camera itself processes all images, reacts independently to the events configured on the camera and collects all the necessary information. If necessary, alarms and events are transmitted to the VMS, which acts as a control center for operators and processes all data visually or makes it available via forensic search.

MOBOTIX HUB VMS in general:
MOBOTIX offers its customers a flexible, scalable, future-proof video management solution!
Flexible

  • MOBOTIX HUB is a platform that can be adapted to the requirements of the deployment.
  • The MIP SDK has more features and APIs than any competitor.
  • Framework for access control vendors, so multiple ACS are presented the same way.
  • Framework for cameras, so any camera vendor can write a driver for MOBOTIX HUB.
  • Compliant with ONVIF Profiles G, S, T and M; no one else is able to list that. This is about metadata and integration with other VMS/NVRs.
  • Choose between 13,000 device drivers, which makes it easy to salvage the money already invested in cameras.
  • Install in the cloud, install with minimal network connection between sites, install in a hybrid setup, install with multitenancy. Install it the way that fits your company and users.

Scalable

  • A single management server can handle more than 10,000 cameras.
  • More management servers can be added to scale beyond that.
  • A single management server can have more than 500 recording servers connected to it.
  • No built-in limit on the number of users.
  • Recording servers can have more cameras connected than with any other VMS vendor. The ability to decode and write more than 4.1 Gb/s to disk is unmatched!
  • Installations with more than 300,000 cameras are anticipated in the design of the architecture.

Secure

  • It is possible to install the solution in accordance with GDPR; this applies to the entire suite of MOBOTIX HUB software, not just a redaction plug-in.
  • End-to-end encryption using the latest cryptographic technologies from Microsoft, and AES 256-bit encryption.

The software is used at

  • Leading Internet service providers = able to live up to strict cyber security demands
  • National railroad companies = can handle multiple network challenges and legacy equipment
  • International airports = high-availability solution that can be scaled; deployed for 24 airports in a single nation
  • Educational institutions = privacy and security can go hand in hand

Integrations

  • Many MOBOTIX HUB plug-ins, from MOBOTIX and from partners, are available.
  • Any newly invented feature can be added. The open platform philosophy enables any developer to add more functionality to the solution.

Future Proof

  • With the best-performing software you get the lowest CO2 emissions = that is also part of being future proof.
  • With an open approach to our technology partners, we invite new technology. We do not close our software around a unified ecosystem.

Describe your system's ability to have customers "configure" the system vs. having you "customize" the system to meet their needs
MOBOTIX HUB already offers all the necessary functions for operators. Whether it is a classic security application, an industry solution or a central contact point for metadata (created by MOBOTIX IoT cameras), the system can be configured by the installer to meet all requirements. Functions that are not already included in HUB can be added via the API or by using existing integrations of third-party solutions.

What is the data center and network infrastructure?
Classic on-premises (Windows) server/client architecture.

Where is the data center located?
Based on the on-premises Windows server/client architecture, no external data center is involved.

Where is the backup data center location?
Generally, the failover server can be located anywhere or hosted in the cloud, or the system can be backed up via a third-party integration using cloud services.

What control would we have with making application modifications – screens, tables and fields?
Views and layouts can be adjusted by an administrator or by a user with the appropriate rights. With MOBOTIX HUB plug-ins it is possible to add specific visualizations of external data sources, such as a thermal temperature graph or a statistical overview of number plate/vehicle information. Standard HTML content can also be added to layouts and view groups.

Outline forthcoming releases over the next three years, highlighting important enhancements scheduled for these releases.

  • A new version of MOBOTIX HUB is released every 3-4 months. Security patches are excluded from this schedule; they are delivered as quickly as possible when required.

  • The device driver packs are updated constantly, every 2-3 months. Currently about 15,000 devices are supported.

  • Security patches are delivered as soon as possible when required, evaluated by a dedicated Product Security Incident Response Team (PSIRT).

  • MOBOTIX plug-in releases are delivered typically every 3-4 months, based on new cameras/applications.

  • MOBOTIX driver development for deeper integration of MOBOTIX IoT cameras and their metadata, and of the MOBOTIX MOVE cameras.