IP Camera Security

I've recently bought my own place and I've been looking to install security cameras. I've looked into a variety of companies and considered cloud-based solutions (e.g. Nest), off-the-shelf on-premises solutions (e.g. Swann), and I've also looked into running my own open source NVR (e.g. Shinobi or ZoneMinder), although this doesn't alleviate flaws in the cameras themselves. I want the added physical security of the cameras; however, I'm paranoid of being watched by other people.

I've seen many vulnerabilities for both consumer and business grade IP cameras, so I'm not sure what the best approach would be to avoid adding flawed devices to my network.

To reduce the attack surface, is my only option to segment my network so that the cameras are completely isolated and perhaps VPN into it if I want remote access? Is there a way to securely get push notifications to work in such a system? I'd love to hear everyone's thoughts and experiences with this.

Cheers!
catcamstar

To reduce the attack surface, is my only option to segment my network so that the cameras are completely isolated and perhaps VPN into it if I want remote access? Is there a way to securely get push notifications to work in such a system? I'd love to hear everyone's thoughts and experiences with this.
There are different types of threats, which require different handling.
Case 1: you want to avoid unwanted people accessing your cameras. Still, many people do port forwarding (e.g. port 37777) to their IPC/NVR, because then "it is so easy to view my cams from work". True fact, but remember that the whole internet can see that open door (I mean, open port). So especially when having a "standard" known password, you're next in line for a hacked cam, or even worse, identity theft, ransom for pics of the daughter, etc. The easy remedy is to not open port forwards (to ANY service in your network, that is, unless well secured like SSH), and only allow a "secured" entry (e.g. SSH local/remote port, (Open)VPN, ...).
Case 2: you want to avoid having an (internal) rogue device. This is a newborn threat in flat networks, especially at homes. Since all devices, like NAS, LAN & WiFi printers, Smart TVs, Raspberry Pis, IoT devices (Google Homes, Alexas, fridges, microwaves, wages, doorbells) and, since you are here, also IPCs and NVRs, are residing in the same IP subnet range, they all can freely talk with each other. Meaning that IF one of these devices gets hacked (any CVE flaw, weak password, ...) and starts doing nasty stuff on your network (e.g. encrypting all accessible NAS shares with ransomware), all your devices are at risk. There are "easy" solutions for it (e.g. multiple subnets where one router filters out the access from "IoT-LAN" to "HOME-LAN", but it is not foolproof), or you go to more advanced setups (e.g. multiple VLANs, where each network's traffic is "virtually" separated from the others, eliminating the threat of having someone manually switching subnets to gain access to the other subnet range).

Although you can do neat tricks with "home" routers like ASUS, I recently switched all my core network capabilities to Ubiquiti (EdgeRouter to be specific), which allows me to handle my network in both cases, and on top of that, it also serves as OpenVPN gateway, and based on the role of the connecting VPN client, it gains access to the different VLANs (to access cams, that is).

There are tons of possibilities, you can invest tons of money to create a Fort Knox, but in the end, if you lose your sleep on security, then it's better to be safe and sorry.

And btw, there is a nice VPN Primer for Noobs on top of this forum :)

Bye!
CC

alastairstevenson

Since all devices, like NAS, LAN & WiFi printers, Smart TVs, Raspberry Pis, IoT devices (Google Homes, Alexas, fridges, microwaves, wages, doorbells) and, since you are here, also IPCs and NVRs
Yes, indeed, and to increase the paranoia level, don't forget the router. Loads of them have been compromised, big brands not immune.
Keep your router patched (if your router manufacturer doesn't provide frequent patches, get a new one from someone different), run the BI server with dual NICs to isolate all cameras to a private physical network with no access in or out of your WAN, configure the BI machine firewall to allow minimal incoming services (RDP, HTTP/HTTPS), DO NOT PORT FORWARD (PERIOD), configure the router to provide OpenVPN connectivity and push notifications (do you mean alerts etc.?) of motion or alarms set up in BI. Configure any emailing service from BI to use application passwords (if available) or at least extremely long random passwords.

Bear in mind, if you make yourself a low-profile target, hackers (really script kiddies) will probably look for easier targets! However, port forwarding your cameras or NVR out to the WWW is like putting up a flashing neon sign to come check you out. I believe OpenVPN also gives you added safety if you need to browse via public wifi, so win-win.

pinecone
Keep your router patched (if your router manufacturer doesn't provide frequent patches, get a new one from someone different), run the BI server with dual NICs to isolate all cameras to a private physical network with no access in or out of your WAN, configure the BI machine firewall to allow minimal incoming services (RDP, HTTP/HTTPS),
crw030:
Would you kindly give a small tutorial on setting up the dual NICs for us non-network types? I know this must be simple, but I just can't get the concept of why this is important and how it is physically done. Thanks.

catcamstar
crw030:
Would you kindly give a small tutorial on setting up the dual NICs for us non-network types? I know this must be simple, but I just can't get the concept of why this is important and how it is physically done. Thanks.
It is as simple as having two physical network adapters in your PC/server (there are actually cards that have 2 or more RJ45 jacks, like http://thehomeserverblog.com/wp-content/uploads/2013/03/intel-pro-1000-mt-dual-gigabit-nic-esxi.jpg). In Windows, you assign on the first the TCP/IP stack of your home LAN; on the second, you put a whole other IP range (e.g. 10.10.10.0/24). If you do want to have DHCP on the second card, you need to configure that, but if you put all your cameras on static IPs on the physical network connected to that second Ethernet jack, they can only see and talk to the BI PC. Graphically, your network will be a two-legged tree, with the BI PC as your root. It can talk to both networks, yet the two branches cannot talk to each other.
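How the two posts above (minimal inbound services on the BI machine, and the second NIC on its own range with no gateway) look as commands on the BI PC. This is an added example, not something posted in the thread; the adapter alias, the address ranges and the BI web port are assumptions to replace with your own.

```powershell
# Added example, not from this thread: the "two legged tree" on a Windows Blue Iris
# PC, typed at an elevated PowerShell prompt. Assumed values: second NIC has the
# adapter alias 'Cameras', camera range 10.10.10.0/24 with the BI PC at 10.10.10.1,
# home LAN 192.168.1.0/24, BI web server on TCP 81 (check your own settings).
$CamNic    = 'Cameras'
$CamSubnet = '10.10.10.0/24'
$BiCamIp   = '10.10.10.1'
$HomeLan   = '192.168.1.0/24'
$BiWebPort = 81

# 1. Static address on the camera leg. Deliberately no -DefaultGateway and no DNS:
#    a gateway here would give Windows a second default route and the cameras a
#    path towards the rest of the network.
Get-NetIPAddress -InterfaceAlias $CamNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $CamNic -IPAddress $BiCamIp -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $CamNic -ResetServerAddresses

# 2. The PC must not route between its legs. Windows does not forward by default,
#    but check rather than assume (VPN clients and Hyper-V can switch it on).
Get-NetIPInterface -AddressFamily IPv4 | Where-Object Forwarding -eq 'Enabled' |
    Set-NetIPInterface -Forwarding Disabled

# 3. Cameras never need to open connections to the PC: BI pulls their streams and
#    the stateful firewall lets those replies in. Windows evaluates Block rules
#    before Allow rules, so the block lists every port except the BI web port,
#    which stays reachable only for cameras that push motion triggers to BI.
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'Cams: block TCP' -Direction Inbound -Action Block `
    -InterfaceAlias $CamNic -Protocol TCP `
    -LocalPort @("1-$($BiWebPort - 1)", "$($BiWebPort + 1)-65535") | Out-Null
New-NetFirewallRule -DisplayName 'Cams: block UDP' -Direction Inbound -Action Block `
    -InterfaceAlias $CamNic -Protocol UDP -LocalPort Any | Out-Null
New-NetFirewallRule -DisplayName 'Cams: BI web' -Direction Inbound -Action Allow `
    -InterfaceAlias $CamNic -RemoteAddress $CamSubnet -Protocol TCP -LocalPort $BiWebPort | Out-Null

# 4. Home-LAN leg: only the management services, and only from the LAN itself
#    (RDP, HTTPS, BI web), never from 'Any'. Remote viewing comes in via the VPN.
New-NetFirewallRule -DisplayName 'BI: mgmt from LAN' -Direction Inbound -Action Allow `
    -RemoteAddress $HomeLan -Protocol TCP -LocalPort @('3389', '443', "$BiWebPort") | Out-Null

# 5. Checks: exactly one default route, and not on the camera leg; a camera
#    answers on RTSP from the BI PC (10.10.10.50 is a made-up camera address).
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Format-Table InterfaceAlias, NextHop
Test-NetConnection -ComputerName '10.10.10.50' -Port 554
```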

randytsuch
With dual NICs, you put all the cams on one NIC with their own IP address range, which is different from the other NIC which is connected to your main router.
So cams have no access to the internet. I do the same thing with a managed PoE switch: all cams are on VLANs and can only talk to my BI PC.
I'm sure there are tutorials around here to show how to do it.

BTW, one thing I've done that works well for notifications is I made a different, dedicated Gmail account just for sending notifications from Blue Iris and my home automation stuff.
So I don't care about securing this email account; it's only used to let me know if motion is detected or the garage door is left open too long.
My normal email has 2-factor authentication, so it's secure. But 2-factor authentication is not necessary for this other email account.

EddyP
I'd love to do that for my cameras, but as there's one that's on a powerline adapter that's also used for getting the TV onto the internet for streaming, and another camera that needs to sit on the LAN due to a single Ethernet cable to an outbuilding where there's a WiFi access point, it's not too easy.
What might be another option? Can you have two NICs connected to the same physical Ethernet network but on different subnets, and just have the cameras on one subnet and the rest of the home network on another?

catcamstar
I'd love to do that for my cameras, but as there's one that's on a powerline adapter that's also used for getting the TV onto the internet for streaming, and another camera that needs to sit on the LAN due to a single Ethernet cable to an outbuilding where there's a WiFi access point, it's not too easy.
What might be another option? Can you have two NICs connected to the same physical Ethernet network but on different subnets, and just have the cameras on one subnet and the rest of the home network on another?
There is nothing that forbids connecting 2 NICs (in 1 PC/server) to 1 same physical network on different subnets, as long as there is "somewhere" in your network a proper gateway for these subnets to either talk to each other and/or to the internet. With a "subnet-separated" network, this is not as secure as thought: if someone rolls in another PC and puts in whatever IP & subnet, they gain access to that subnet. You can do MAC filtering and other tricks, but MACs can be cloned. The "somewhere" in your network can be any router that is able to work with different subnets, so you can define rules like: IPC can only talk to the BI IP (and nothing else, like the NAS), but everything in your LAN might be able to talk to the IPC/BI. However, there are more secure solutions (even with 1 NIC, if it allows VLAN tagging, 802.1Q as it is called in the literature), where you "split" your 1 physical Ethernet network into VIRTUAL networks, called VLANs. It adds some magic tags to network packets; only devices that can "speak" VLAN know what to do with them: either "unpack" them and route to another subnet, or "collect & go" forward them to the appropriate endpoint. There are "cheap" network components (e.g. EdgeRouter X) that can do the "subnet routing" trick, but also support VLANned networks. If your powerline adapters are able to keep their hands off the TCP/IP stack and only forward the packets as they come, it will work. Otherwise you can still work with the subnet routing.

Good luck!
CC