Agree with the OP that placing your video security on the Internet is really a bad idea. If people step back for just a moment and consider how society is today, it's near impossible to put the genie back into the bottle. Everyone likes easy, and when you add convenience into the mix you get the so-called Cloud First.
Who here can't appreciate the shock and awe of simply taking a phone and scanning a bar code to get up and running?
No network skills and knowledge, no port forwarding, no firewall rules, nothing . . .
The problem lies in the fact that since the dawn of man people just like to fuck with other people and take advantage of that ease of use and access.
So, let's ignore the cloud power and everything that's wrong with that whole idea. Now you have people with enough knowledge to open ports and mimic the same WAN access.
Other, more crafty people who learn just enough about security and best practices avoid the whole QR code and port forwarding business and move straight to VPN?!?!
Yes, lots of folks reading this reply are going to get really upset as to what I say next!
It doesn't matter what you use to access your network from the outside. This is simply another hole in the network that can be breached, and has been, millions of times. If that wasn't the case, nobody who has to do with VPN / encryption would have changed and updated the same!
Every day I see and walk into a room full of so-called network professionals.
These poor bastards fall into several categories, from outright stupid to full-on hands tied behind their backs. The stupid ones literally ignore every best practice known to man or simply know enough to be dangerous. It's the poor bastard that knows better and must comply with the wishes of the owners and senior management.
This is where everything is a compromise . . .
All you're doing is buying time and trying to limit your attack surface and potential threats.
For those who have never worked on or been involved in a high-security video installation, the following are the advanced-to-basic measures employed to secure the installation.
- Internet: There is zero access from the outside into the video security room.
- Isolate: The video security system operates on its own dedicated network, so no matter what happens, any breach is contained & limited within that isolated network.
- Network: As a measure of failover and backup, systems are deployed with separate switches, power supplies, VLANs, subnets, server racks, etc. Because the system operates on its own network there is zero impact on bandwidth to the main LAN / WAN. All the systems are connected with fiber to ensure the highest bandwidth and throughput while limiting the impact of RFI, EMI, and EMF on the hardware.
All hardware uses 802.1X authentication to allow a device on the network. Even when this is present, video hardware is locked to the MAC address and restricted to a subnet.
- Firewall: As above, all network hardware and video security have multiple systems running in parallel. Separate firewall appliances and rules manage and limit how, where, and when internal traffic is routed.
- Monitoring: Every known agent & SNMP network monitor is employed to track the state, health, uptime, and telemetry of this isolated network. Verbose syslogging captures everything else not possible with traditional monitoring.
- Security: All hardware uses complex passwords based on the limitations of the hardware. Passwords are changed every 90 days. Self-signed certificates, where possible, are revoked & regenerated at the 90-day interval. Terminal access is limited to a single internal point within the site. All terminals use the latest biometrics to authenticate, log in, and track all activities of the operator.
Access is limited to only a handful of people on site . . .
- Maintenance: Hardware is reviewed daily, monthly, and yearly based on the environment. This spans basic cleaning of the lens, dome, and base. Fluke-based testing is carried out once a year to validate that all cable infrastructure is sound and operating within defined thresholds. As with this article, vulnerabilities are scanned for by each maker and patched where appropriate. Any hardware that can't be patched and is considered a major threat is simply removed and replaced with a more secure model.
All firmware updates are pretested on like-kind hardware. Once installed, they are monitored for no less than 30 days to ensure no unforeseen bugs / issues are seen. All feature sets and video quality are compared to a known target image so all is apples to apples.
- Blue / Red Team: The highest-security sites have dedicated blue / red teams that pen test every facet of the network and organization, whether it be software, hardware, or social engineering to obtain information / data.
- Compliance: Internal & external audits are conducted to validate that all of the above is in place and fully operational. When appropriate, outside personnel are tasked to review (limited) and restricted areas to affirm everything is indeed compliant.
All of the above in a large and secure environment is very time consuming. But once in place it's no different than any other office a person would be in. Almost everything listed up above Joe Public can do and replicate to their scale and needs.
Now, start with the most important one and the easiest thing to do: No Internet - The rest is just gravy . . .
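As an added example (not from the post above), here is a small audit script that checks a camera inventory against the rules the reply lists: no Internet exposure, devices confined to the isolated camera subnet, 802.1X enforced, MAC locking intact, and passwords and self-signed certs no older than 90 days. The inventory records and the `10.50.0.0/24` camera VLAN are constructed sample data.

```python
"""Audit a camera inventory against the isolation / rotation rules in the post.

Added example, not part of the original reply. The inventory records and the
camera subnet below are constructed sample data, not a real site."""
from datetime import date
import ipaddress

CAMERA_SUBNET = ipaddress.ip_network("10.50.0.0/24")  # assumed isolated camera VLAN
ROTATION_DAYS = 90                                    # password / cert interval from the post

# Constructed inventory: one record per device, as a site export script might produce.
INVENTORY = [
    {"name": "cam-lobby", "ip": "10.50.0.11", "mac": "AA:BB:CC:00:00:11",
     "allowed_mac": "AA:BB:CC:00:00:11", "wan_port_forward": False,
     "pw_changed": "2024-03-01", "cert_issued": "2024-03-01", "dot1x": True},
    {"name": "cam-dock", "ip": "192.168.1.40", "mac": "AA:BB:CC:00:00:40",
     "allowed_mac": "AA:BB:CC:00:00:41", "wan_port_forward": True,
     "pw_changed": "2023-10-01", "cert_issued": "2024-03-01", "dot1x": False},
]


def audit_device(dev, today):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []
    if dev["wan_port_forward"]:                       # rule: zero access from the outside
        findings.append("exposed to Internet via port forward")
    if ipaddress.ip_address(dev["ip"]) not in CAMERA_SUBNET:  # rule: isolated network
        findings.append("not on isolated camera subnet")
    if not dev["dot1x"]:                              # rule: 802.1X before admission
        findings.append("802.1X not enforced")
    if dev["mac"].lower() != dev["allowed_mac"].lower():      # rule: MAC locking
        findings.append("MAC does not match locked MAC")
    for field, label in (("pw_changed", "password"), ("cert_issued", "certificate")):
        age = (today - date.fromisoformat(dev[field])).days   # rule: 90-day rotation
        if age > ROTATION_DAYS:
            findings.append(f"{label} is {age} days old (limit {ROTATION_DAYS})")
    return findings


def audit(inventory, today_iso):
    """Audit every device as of the given ISO date; returns {name: [findings]}."""
    today = date.fromisoformat(today_iso)
    return {d["name"]: audit_device(d, today) for d in inventory}


if __name__ == "__main__":
    for name, found in audit(INVENTORY, "2024-04-01").items():
        print(name, "OK" if not found else "; ".join(found))
```

A device that is already on the Internet (`wan_port_forward`) fails the first and most important rule regardless of what else is configured, which matches the post's "No Internet" priority.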