P2P on isolated VLAN

H. Swanson

Getting the hang of it
Joined
Nov 3, 2023
Messages
122
Reaction score
94
Location
Tennessee
I know the gold standard is VPNing into NVR. But if the cameras and NVR are on a separate VLAN and only the NVR has trusted LAN and Internet access (not the cameras), what’s the real risk of only allowing P2P so DMSS mobile app can be used more conveniently from the Internet?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,115
Reaction score
48,934
Location
USA
The NVRs are notorious for having backdoor vulnerabilities that are easily exploited even with a strong password.

Once in, your ISP can be used as a BOT attack.

We usually get a post a month or so where someone got hacked by using P2P - either lots of logins, they can't log in themselves because too many bots are hitting the NVR, they have been locked out of their own NVR, etc.

And then of course there are people that use it and have never had an issue (or at least to their knowledge).

Remember by default that the NVR acts as a router/firewall of sorts and any cameras connected to the NVR ports are assigned a different IP subnet (usually 10.x.x.x) than the home LAN.
 

H. Swanson

Thanks. Even though the NVR puts the cameras on their own network, do I still need to put the NVR itself on its own VLAN?

I just think about all of the other IoT that we all have that needs Internet access. How is that any different from a risk standpoint? I’m not trying to be a smart ass…I’m just genuinely thinking about the real risk. The example you gave is a good one.
 

wittaj

Most of us here don't use or minimize the use of other IoTs and if we use them, they are isolated.

Remember IoTs typically don't have virus protection on them and that is what makes them the threat.
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,413
Reaction score
2,813
Location
USA
> Thanks. Even though the NVR puts the cameras on their own network, do I still need to put the NVR itself on its own VLAN?
>
> I just think about all of the other IoT that we all have that needs Internet access. How is that any different from a risk standpoint? I’m not trying to be a smart ass…I’m just genuinely thinking about the real risk. The example you gave is a good one.

The difference between letting IOT devices have internet access and using P2P to allow remote access is the fact that I can block outside communications from hitting my IOT VLAN while with P2P I have to rely on some cloud server that I have no control over and therefore cannot assume it is not doing questionable things behind the scenes. Neither is super secure which is why you definitely want to put IOT devices on their own VLAN (and I take it a step further and put IOT devices without internet access on one VLAN and IOT devices that need internet access on another).

As you noted in the OP, the more secure option is to use a VPN connection to allow remote connections to the local network instead of relying on the P2P connection. Not only is it more secure, it is more reliable - at least in the sense that if your P2P server has an issue, you have no control over the time frame to fix it. A self hosted VPN connection is 100% under your control and therefore you can fix it if something goes wrong.
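
The segmentation described in the reply above, sketched as an nftables forward policy; this is an added example and not a configuration posted by anyone in the thread. The interface names, VLAN IDs and the WireGuard interface `wg0` are assumptions, and only inter-VLAN forwarding on the router is shown (the router's own input rules, including the VPN listener, are out of scope).

```nftables
#!/usr/sbin/nft -f
# Constructed example: every interface name below is an assumption.
define WAN     = "eth0"      # uplink to the ISP
define LAN     = "eth1.10"   # trusted LAN
define NVR     = "eth1.20"   # NVR VLAN (cameras sit behind the NVR's own ports)
define IOT_NET = "eth1.30"   # IoT devices that need internet access
define IOT_ISO = "eth1.40"   # IoT devices that get no internet access
define VPN     = "wg0"       # self-hosted VPN for remote viewing

table inet segmentation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that a rule below allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN and VPN clients may open connections to the NVR
        # and to both IoT VLANs; nothing in those VLANs may open one back.
        iifname { $LAN, $VPN } oifname { $NVR, $IOT_NET, $IOT_ISO } accept

        # Trusted LAN to the internet.
        iifname $LAN oifname $WAN accept

        # Internet-dependent IoT: outbound only. New connections arriving
        # from the WAN match no rule and fall through to the drop policy.
        iifname $IOT_NET oifname $WAN accept

        # VPN-only remote access: the NVR VLAN has no rule toward the WAN.
        # P2P would need the line below. Once the NVR opens its session to
        # the vendor cloud, whatever arrives over that session is accepted
        # by the established rule above, so the firewall no longer decides
        # who reaches the NVR; the cloud service does.
        # iifname $NVR oifname $WAN accept

        # Log a sample of what the policy is about to drop.
        limit rate 10/minute log prefix "fwd-drop "
    }
}
```

Watching the `fwd-drop` log lines with `iifname` equal to the NVR or isolated IoT VLAN shows which devices are attempting outbound connections that the policy refuses.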
 