Tools of the Trade

Using UniFi for High-Security Facilities—design patterns, runbooks, and guardrails

Build a defensible, highly available physical security stack with UniFi Access, Protect, Identity, and Network—layered controls, strong MFA, anti-tailgating mantraps, remote operations, and cloud archival.

Goal

Show how to build a defensible, highly available physical security stack on the UniFi ecosystem for high-security sites (data halls, NOCs, cages, loading docks, gates). The design emphasizes layered controls (video + access + intercom + identity), strong MFA, anti-tailgating mantraps, remote operations, and cloud archival—without naming specific SKUs beyond UniFi families (Access, Protect, Identity, Network).

1) Threat model & success criteria

Threats we care about

  • Badge cloning and social engineering at exterior doors.
  • Tailgating into sensitive areas (data floor, NOC).
  • Perimeter breach via gates/roll-ups.
  • Insider misuse (over-entitled access, after-hours).
  • Evidence loss (tampering with local NVRs).
  • Single points of failure in WAN, controllers, or switching.

What “good” looks like

  • MFA at the edge: biometric + mobile credential at exterior and key rooms.
  • Anti-tailgate mantraps guarding high-value spaces with hard interlocks.
  • Gate/intercom with distance-friendly cabling and live operator takeover.
  • AI video analytics with alerts and clips for people/vehicle events.
  • Carded roll-ups and dock interlocks with full audit.
  • HA network core: dual WAN, dual gateways, dual cores, diverse power.
  • Cloud assist: remote monitoring and cloud archival for key cameras.
  • Least-privilege identity: groups, time/zone policies, requests with approval.

2) Reference architecture (site level)

  • UniFi Access (readers, hubs, interlocks)
  • UniFi Protect (cameras, NVR, Cloud Archive)
  • UniFi Identity (directory, mobile creds, Requests)
  • UniFi Network (dual WAN, gateways, cores, LTE OOB)
  • Intercom/gate (operator takeover)
  • Cloud assist (archival, monitoring)

ASCII overview

[Carrier A]      [Carrier B]
    |                |
  [WAN Switch A]   [WAN Switch B]      (diverse entries)
     | \          /  | 
     |  \        /   | 
   [Gateway A]  [Gateway B]   (active/standby, config-synced)
        | \      / |
        |  \    /  |
      [Core A]=== [Core B]      (10G trunks, dual PDUs)
         ||         ||
    Access/Rdr   Access/Rdr     (exterior doors: biometric + mobile)
    Mantrap A    Mantrap B      (interlocked hubs + anti-tailgate sensor)
    Dock Ctrl    Gate + Intercom (long-run ethernet/fiber)
    Cameras (Protect) -> NVR (on-prem) + Cloud Archive (critical)

3) Doors & credentials (policy and hardware roles)

Credential strategy

  • Mobile credentials only (NFC/BLE secure formats). No legacy prox cards.
  • Biometric factors enabled on exterior doors and key rooms (data hall, NOC, MMR).
  • PIN fallback only for break-glass; must alarm and require supervisor approval.

Door classes

  • Exterior doors: biometric + mobile, 2-factor, anti-passback, schedule-aware. Door-facing and overview cameras; after-hours AI alerts.
  • High-security doors (data hall, NOC, MMR): Mantrap with interlock; inner stays locked until occupancy verified; anti-tailgate sensor. Cameras on both angles; cloud archival.
  • Office/general: mobile-only where suitable; schedules; camera optional with corridor coverage.
  • Roll-up/dock doors: badge to arm open; interlocked with pedestrian door; vehicle loop feedback to Access hub; cameras outside/inside.
  • Exceptions via Identity “Requests”: temporary access with approval chain; auto-expire and audit logged.

4) Perimeter, gates, and intercoms

  • Gate station: video intercom calls to operators; relay wired through an Access hub for unified logging and policy.
  • Long runs: long-range Ethernet adapters or fiber from the core for remote gates/turnstiles.
  • Visitor workflow: intercom → operator verification → issue time-boxed mobile/QR credential → open gate.
  • After hours: intercom routes to 24×7 security; no standalone code boxes.

5) Video & AI analytics

  • Exterior detections: person/vehicle (animal where supported or via external analytics + webhooks). Tune rules for fence line, loitering, and no-parking alerts.
  • Retention: standard on-prem for general cameras; Cloud Archive for critical viewpoints (entries, mantraps, gates) to protect evidence.
  • Privacy: mask neighbor properties and public roads where required; publish retention/access policy.

6) High availability & network hardening

  • Dual WAN via diverse demarcs; fan-out switches deliver each provider to both gateways.
  • Two gateways (A/B): warm standby with prewired WAN/LAN and a promote-standby runbook.
  • Two core switches (A/B), separate rooms and PDUs; spread devices evenly for PoE resiliency.
  • VRFs/VLANs: ACCESS, CCTV, NET-MGMT, GUEST, OT; pinholes only via explicit firewall rules.
  • OOB/LTE path for break-glass to controllers and hubs; dual NTP; time drift < 1 s.
  • Logging: syslog/telemetry exported to dual collectors; mirror door events to SIEM.
  • Firewall posture summary: WAN-in deny-all except admin VPN/cloud endpoints; ACCESS/CCTV egress deny by default (allow time/updates); GUEST fully isolated.

7) Mantrap & anti-tailgate logic (implementation notes)

Signals/inputs: outer/inner door contacts, REX sensors, anti-tailgate sensor (overhead or stereo camera), occupancy counter.

  • If outer opens → inner forced locked (hardware interlock), timer starts.
  • If anti-tailgate triggers or multiple bodies counted → Alarm state: inner stays locked; alert operator; manual reset after visual verification.
  • If buffer clear and exactly one person verified → inner may unlock on valid credential. Any door-forced or propped beyond threshold → Alarm and operator review.
  • Commission with staged scenarios (single entry, tailgate attempt, badge-and-prop, REX misuse).
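
The interlock rules above, written out as an added example (not UniFi's own firmware logic) so the transitions can be traced and the commissioning scenarios replayed; signal names, the propped-door threshold and the state names are assumptions for illustration:

```python
# Added example, not UniFi's own firmware logic: a mantrap interlock state machine
# for the section 7 rules. Signal names and PROP_THRESHOLD_S are assumptions.
from dataclasses import dataclass
IDLE, OUTER_OPEN, BUFFER, ALARM = "IDLE", "OUTER_OPEN", "BUFFER", "ALARM"
PROP_THRESHOLD_S = 30.0  # assumed: outer door held open longer than this -> Alarm

@dataclass
class Mantrap:
    state: str = IDLE
    inner_locked: bool = True       # inner door is hard-locked by default
    outer_opened_at: float = 0.0    # prop timer start (valid while OUTER_OPEN)
    alarm_reason: str = ""

    def _alarm(self, reason: str) -> None:  # inner stays locked until operator reset
        self.state, self.inner_locked, self.alarm_reason = ALARM, True, reason

    def outer_contact(self, is_open: bool, t: float) -> None:
        if self.state == ALARM:
            return
        if is_open:  # outer opens -> inner forced locked, prop timer starts
            self.state, self.inner_locked, self.outer_opened_at = OUTER_OPEN, True, t
        elif self.state == OUTER_OPEN:  # outer closed -> buffer is occupied
            self.state = BUFFER

    def inner_contact(self, is_open: bool) -> None:
        if is_open and self.inner_locked:  # opened while locked = door forced
            self._alarm("inner forced")
        elif not is_open and self.state == BUFFER and not self.inner_locked:
            self.state, self.inner_locked = IDLE, True  # person passed through; re-arm

    def tick(self, t: float) -> None:  # periodic check for a propped outer door
        if self.state == OUTER_OPEN and t - self.outer_opened_at > PROP_THRESHOLD_S:
            self._alarm("outer propped")

    def body_count(self, n: int) -> None:  # anti-tailgate sensor / occupancy counter
        if self.state != ALARM and n > 1:
            self._alarm("tailgate: %d bodies" % n)

    def inner_request(self, credential_ok: bool, n: int) -> bool:
        # inner may unlock only from BUFFER with exactly one body and a valid credential
        if self.state == BUFFER and n == 1 and credential_ok:
            self.inner_locked = False
            return True
        return False

    def operator_reset(self, verified_by_video: bool) -> bool:
        # manual reset only after visual verification; True when re-armed
        if self.state == ALARM and verified_by_video:
            self.state, self.inner_locked, self.alarm_reason = IDLE, True, ""
            return True
        return False
```

Feed it the staged commissioning scenarios (single entry, tailgate attempt, badge-and-prop, forced inner door) and check that only the single-entry path ever reaches an unlocked inner door.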

8) Identity, Requests & lifecycle

  • Directory sync from HRIS/IdP; groups map to areas (Exterior, Office, Data-Hall, NOC, Dock).
  • Mobile credential provisioning at onboarding; rotate crypto keys on a schedule.
  • Use Identity “Requests” for temporary access; approvers see purpose/time; auto-expire and auto-log.
  • Visitors/contractors: pre-register; time-boxed mobile or QR; escort policy for sensitive areas.
  • Quarterly automated recertification of entitlements by area owner.

9) Monitoring, alerting, and playbooks

Dashboards

  • Door status (forced/propped/offline), mantrap state, intercom calls, failed biometrics, after-hours activity.
  • Camera health (frame rate, storage), Cloud Archive state.
  • Gate telemetry (open/close counts, obstruction faults).

Alerts

  • P0: mantrap Alarm (inner inhibited) → operator must verify video and reset.
  • P1: exterior forced/propped beyond threshold; repeated biometric failures.
  • P2: critical door camera offline; NVR storage degraded; WAN A down.
  • P3: cloud archival backlog; time drift > 1 s.

Runbooks

  • Mantrap Alarm: verify video angles, clear occupancy, reset interlock, document reason.
  • Lost device: revoke mobile credential, flag account, check last entries.
  • Camera/NVR loss: fail over to Cloud Archive clips for critical views; dispatch if tamper suspected.
  • Gateway promote: follow promote-standby steps; confirm door/video unaffected.

10) Commissioning & acceptance (don’t skip)

  • Doors: direction, strike/mag function, REX, contact polarity verified.
  • Readers: biometric enrollment quality; mobile credential latency; offline behavior.
  • Intercom: audio/video clarity; relay actuation; logging of open events.
  • Cameras: face capture FoV, IR at night, privacy masks, tuned AI rules (day/night).
  • Network: dual-WAN cutover; gateway promote test; core A/B failure impact (no total loss).
  • Evidence: export as-built, door schedules, entitlement matrix, golden test clips.

11) Privacy, safety, and compliance considerations

  • Publish policy on video access/reasons/retention; notify on biometrics and mobile credential use.
  • Retention: separate general vs critical cameras; enable Cloud Archive for the latter.
  • Accessibility: ADA-compliant entry modes; avoid “dead-man” conditions in mantraps; emergency egress wins.
  • Life safety: fire panel integration must override interlocks as required and be logged.

12) Common pitfalls (and fixes)

  • Keeping legacy prox cards → retire; mobile + biometric only at sensitive doors.
  • Single reader on mantrap → both sides require MFA with interlock.
  • No operator reset for tailgate → enforce human verification before re-arming.
  • Intercom on separate island → integrate via Access hub for unified audit.
  • No cloud archival for critical angles → enable at entries/mantraps/gates.
  • One core switch, one PDU → always dual-home across A/B cores and PDUs.

13) Example policy snippets (copy/paste)

Exterior door policy

Factors: Biometric + Mobile (both)
Schedule: Employees 24x7; Contractors business hours only
Anti-passback: Enabled
Alerts: 3 failed biometrics in 5 min -> P1 to security + clip

Mantrap policy

Outer open -> inner hard-lock
Alarm on >1 detected body (anti-tailgate)
Manual operator reset required
Attach entry clip to every mantrap access log

Dock / roll-up

Require badge to arm open
Interlock: interior pedestrian door locked while roll-up open
Alarm on forced open; log vehicle loop and door contact state
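
The P1 rule from section 9 and the exterior door snippet above ("3 failed biometrics in 5 min -> P1 + clip") as a sliding-window detector, added here as an example and not UniFi's own code; the door-event line format and the sample events are constructed for illustration, not the real Access/Protect log format:

```python
# Added example, not UniFi code: sliding-window detector for the rule
# "3 failed biometrics in 5 min -> P1 + clip". Log line format is assumed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample door events (assumed syslog-like format, not UniFi's real one).
SAMPLE_LOG = """\
2024-05-01T22:01:10Z door=EXT-NORTH user=u123 result=BIO_FAIL
2024-05-01T22:02:40Z door=EXT-NORTH user=u123 result=BIO_FAIL
2024-05-01T22:03:05Z door=EXT-SOUTH user=u456 result=BIO_OK
2024-05-01T22:05:30Z door=EXT-NORTH user=u789 result=BIO_FAIL
2024-05-01T22:20:00Z door=EXT-NORTH user=u123 result=BIO_FAIL
2024-05-01T22:21:00Z door=EXT-NORTH user=u123 result=BIO_FAIL
2024-05-01T22:24:00Z door=EXT-NORTH user=u123 result=BIO_FAIL
"""
LINE = re.compile(r"^(\S+) door=(\S+) user=(\S+) result=(\S+)$")

def parse(line):
    """Return (ts, door, user, result) or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)

def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Raise one P1 per door when `threshold` BIO_FAILs fall inside `window`.
    Keyed by door, not user, so a burst spread across credentials still fires.
    The window is cleared after firing so one burst yields one alert."""
    fails = defaultdict(deque)
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != "BIO_FAIL":
            continue
        ts, door, user, _ = rec
        q = fails[door]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"sev": "P1", "at": ts, "door": door,
                           "users": sorted({u for _, u in q}), "attach_clip": True})
            q.clear()
    return alerts
```

On the constructed sample the detector fires twice for EXT-NORTH (at 22:05:30 and 22:24:00) and stays quiet for the single BIO_OK on EXT-SOUTH; the "attach_clip" flag is where the Protect clip lookup would be wired in.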

14) GridSite tie-in

Deploy with your team—or use the GridSite ecosystem to accelerate and de-risk selection, commissioning, and day-2 ops: reader mix, mantrap hardware/logic, intercom/gate wiring over distance, dual-WAN/gateway failover, AI rule tuning, cloud archival, quarterly access recertifications, and evidence packs for audits.

For help, contact us to discuss templates, commissioning drills, and co-managed ops.