Physical Security Software Guide — Frigate NVR & Suprema BioStar 2
This guide covers the software stack JP Technical uses for managed physical security deployments: Frigate NVR for camera surveillance and Suprema BioStar 2 for physical access control.
Frigate NVR
What It Is
Frigate is an open-source Network Video Recorder (NVR) with real-time AI object detection. It runs as a Docker container on your on-site server and processes all video locally — no cloud account, no subscription fees, no footage leaving your network.
Key capabilities:
- Continuous recording + motion-triggered clips
- AI detection: person, vehicle, animal, package
- Optional facial recognition (Frigate+ or community model, v0.14+)
- Real-time event notifications (push notification, email, webhook)
- Web UI and mobile app (via Home Assistant integration)
- Supports virtually all IP cameras with RTSP streams
Architecture
[IP Cameras] → PoE Switch (camera VLAN) → [Frigate Server]
↓
[Network Storage / NAS]
↓
[Home Assistant integration]
↓
[BioStar 2 event correlation]
AI Detection Hardware
Frigate’s object detection requires a supported AI accelerator for real-time performance on 4+ cameras:
| Accelerator | Performance | Notes |
|---|---|---|
| Google Coral USB TPU | ✅ Recommended | ~$60, 100+ inferences/sec, USB 3 required |
| Google Coral PCIe | ✅ Best | ~$80, faster for many cameras |
| NVIDIA GPU (via CUDA) | ✅ High-end | Use for face recognition at scale |
| CPU-only (Intel N100, etc.) | ⚠️ Limited | Suitable for ≤4 cameras at reduced FPS |
Camera Stream Configuration
Each camera is configured with two streams in Frigate:
- Detect stream: Low resolution (640×480 or 1280×720), lower FPS (5–10) — used for AI detection only
- Record stream: Full resolution (1080p or 4K), higher FPS (15–30) — used for recording storage
This two-stream approach dramatically reduces CPU/GPU load while maintaining full-quality recordings.
Storage and Retention
| Recording Mode | Storage Per Camera/Day (1080p H.264 unless noted) |
|---|---|
| Motion-only clips | 5–15 GB |
| Continuous recording | 50–100 GB |
| 4K H.265 continuous | 30–60 GB |
For HIPAA clients, JP Technical configures:
- 90-day continuous recording retention minimum
- Event clips archived separately for 1 year
- Secure offsite backup of event logs
HIPAA Relevance
Frigate itself is surveillance software, not a Physical Access Control System (PACS). Its HIPAA relevance is:
- Provides video evidence for physical access investigations
- Event timestamps correlate with BioStar 2 access logs
- All data stored on-premises — no BAA required with a vendor
- Audit trail of who was seen, when, and where
Suprema BioStar 2
What It Is
BioStar 2 is an enterprise Physical Access Control System (PACS) developed by Suprema, a South Korean security hardware company. It is used in hospitals, government facilities, and enterprise campuses globally.
Key capabilities:
- Centralized user and credential management
- Per-door, per-user, per-schedule access rules
- Real-time access event logging (tamper-evident, immutable)
- Multi-credential support: RFID, fingerprint, face, mobile, PIN
- Visitor management
- REST API for integrations
- Runs entirely on-premises — no cloud account required
Architecture
[BioStar 2 Server (Windows VM)] ←TCP/IP→ [CoreStation Door Controllers]
               ↓                                      ↓
        [Admin Web UI]                     [Readers at each door]
               ↓
  [REST API → Home Assistant]
Licensing
BioStar 2 uses a tiered licensing model based on number of doors:
| License Tier | Doors | Approximate Cost |
|---|---|---|
| Free (Standard) | Up to 5 doors | $0 |
| BioStar 2 Advanced | Up to 20 doors | ~$300 |
| BioStar 2 Advanced | Up to 50 doors | ~$800 |
| BioStar 2 Advanced | Up to 100 doors | ~$1,500 |
For most small healthcare practices (1–5 controlled doors), the free tier is sufficient.
Access Level Configuration
BioStar 2 uses a hierarchy to control access:
- Users — individual employees with enrolled credentials
- Access Groups — collections of users (e.g., “Clinical Staff”, “Admin”, “IT”)
- Access Levels — define which doors an access group can use, and during what hours
- Schedules — time ranges when access is permitted
Example policy for a behavioral health clinic:
- All Staff → Reception, Break Room, Main Entrance → Mon–Fri 7am–8pm
- Clinical Staff → All above + Patient Record Room → Mon–Fri 7am–8pm
- Administrators → All above + Server Room, Medication Storage → 24/7
- After-hours Override → Administrator only, all doors, requires dual-approval
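The example policy above can be checked as code before it is entered in the admin console. The following Python model is an added example, not BioStar 2 code or its API: the user names and the `is_allowed` / `audit_matrix` helpers are hypothetical, the 8pm end of the schedule is treated as exclusive, and the dual-approval override is not modelled.

```python
from datetime import datetime, time

# Schedules: (allowed weekdays, start, end); None means 24/7.
BUSINESS = ({0, 1, 2, 3, 4}, time(7, 0), time(20, 0))  # Mon-Fri 7am-8pm
ALWAYS = None

COMMON = {"Reception", "Break Room", "Main Entrance"}
# Access levels from the example policy: access group -> (doors, schedule).
ACCESS_LEVELS = {
    "All Staff": (COMMON, BUSINESS),
    "Clinical Staff": (COMMON | {"Patient Record Room"}, BUSINESS),
    "Administrators": (COMMON | {"Patient Record Room", "Server Room",
                                 "Medication Storage"}, ALWAYS),
}

# Users -> access groups (constructed sample users, not real accounts).
USERS = {
    "r.front": ["All Staff"],
    "n.clinic": ["Clinical Staff"],
    "a.admin": ["Administrators"],
}

def in_schedule(schedule, when):
    """True if `when` falls inside the schedule (end time exclusive)."""
    if schedule is None:
        return True
    days, start, end = schedule
    return when.weekday() in days and start <= when.time() < end

def is_allowed(user, door, when):
    """Default deny: grant only if one of the user's groups covers door and time."""
    for group in USERS.get(user, []):
        doors, schedule = ACCESS_LEVELS[group]
        if door in doors and in_schedule(schedule, when):
            return True
    return False

def audit_matrix(when):
    """Return {door: sorted users allowed at `when`} for least-privilege review."""
    doors = set().union(*(d for d, _ in ACCESS_LEVELS.values()))
    return {door: sorted(u for u in USERS if is_allowed(u, door, when))
            for door in sorted(doors)}

if __name__ == "__main__":
    # Saturday 3am: only administrators should appear on any door.
    for door, users in audit_matrix(datetime(2024, 3, 9, 3, 0)).items():
        print(f"{door}: {users}")
```

Reviewing the matrix for an off-hours timestamp is a quick way to catch a group that was given a sensitive door or a 24/7 schedule by mistake.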
Audit Logs
Every access event is logged with:
- User name and ID
- Credential used (card, fingerprint, mobile, PIN)
- Door name and location
- Timestamp (millisecond precision)
- Result (Access Granted / Access Denied / Door Forced / Tamper)
Logs are stored in BioStar 2’s local database. JP Technical configures:
- Automated log export to encrypted backup weekly
- 6-year log retention (HIPAA requirement for access records)
- Log exports in CSV and PDF format for auditor requests
OSDP v2 Communication
All JP Technical installations use OSDP v2 (Open Supervised Device Protocol version 2) for reader-to-controller communication. OSDP v2 provides:
- Encrypted communication between reader and controller
- Tamper detection — the system alerts if a reader is physically removed or the cable is cut
- Bidirectional communication — controller can send commands to reader (display messages, control LEDs)
Legacy Wiegand is not used in new JP Technical installations. Wiegand sends credential data unencrypted and unauthenticated, so it can be copied in seconds with inexpensive hardware available online.
Mobile Credentials
BioStar 2 supports mobile credentials via the Suprema Mobile Access app (iOS/Android):
- NFC tap (phone held to reader, same distance as card)
- Bluetooth Low Energy (BLE) — phone can be in pocket for hands-free access
- Credentials provisioned and revoked instantly from admin console
Mobile credentials are enrolled alongside physical cards — employees can use either.
Home Assistant Integration
JP Technical uses Home Assistant as the integration layer between Frigate and BioStar 2:
| Event | Trigger | Action |
|---|---|---|
| Unknown person detected at door | Frigate AI detection | Alert sent to on-call staff |
| After-hours access denied (repeated) | BioStar 2 event → HA | Alert + camera clip attached |
| Door propped open > 30 seconds | Door sensor → HA | Alert to responsible staff |
| Emergency lockdown | HA dashboard button | All doors lock via BioStar 2 API |
| Business hours start | Time schedule in HA | Unlock lobby door, start recording schedule |
Home Assistant runs as a VM on the same Proxmox cluster (or dedicated hardware) and communicates with BioStar 2 via its REST API.