A topic that concerns me - and should concern you?

#&%)@%_@%

n3wb
Joined
May 17, 2017
Messages
13
Reaction score
4
First of all, I'm new to the forum, but not new to DVRs, IP cams and networking.
That said, if this is inappropriate please feel free to move or delete.
With that out of the way........

Has there been any discussion on the security risks of having Chinese-made DVRs and networking equipment in general? They certainly have the know-how to put back doors into their firmware and could add one at any time with an update. The Communist Chinese are well known for their propensity to spy and have installed over 500,000 surveillance cameras in China already with face recognition and a host of other means of collecting video information on its population. They definitely see it as a valuable tool of control and data collection.

How do you know for sure your Chinese-made IP cam or DVR does not have a hard-coded back door that would allow the Chinese to tap into your video streams any time they wanted to? Imagine you're a contractor or engineer for Lockheed or a defense contractor. There's a lot of intel they could gather from your home or office installed camera system. Maybe even just knowing when you come or go.

Here's an eye-opening article I read on the subject.

Is the World's Biggest Surveillance Camera Maker Sending Footage to China?

My home DVRs are behind a relatively expensive professional hardware firewall appliance so I can see every connection coming and going and I restrict access to my DVRs a number of ways. Still, most people don't. This topic intrigues me. What say you?
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,399
Reaction score
321
How does a professional hardware firewall work compared to using something like OpenVPN that is recommended around here a lot?
 

#&%)@%_@%

When we finally go to war with China all of our IoT toasters are going to blow up and kill our families. When we come home to a smoking pile of rubble we shall rue the day we let the Chinese make us toast.
lol.
I notice you said "finally".....I think they're smarter than we are in many ways.
If you read the article it demonstrates how slow guardians of US sensitive and strategic information have been to give it a second thought.
Probably been using Chinese hardware to hold classified information for decades....and still doing it.

"Phone home ET. (We need those tech specs on the F35)"
 

#&%)@%_@%

How does a professional hardware firewall work compared to using something like OpenVPN that is recommended around here a lot?
They do different things. I'm not the "last word" so other answers may correct what I say here. To the best of my knowledge.....

A hardware firewall appliance is dedicated to preventing unwanted intrusions. All serious IT departments use hardware firewalls from Cisco, WatchGuard, etc.
I do not know of a professional IT department that relies solely on VPNs for security.
You never load software or other programs onto them. And, they sit before any devices and just after the data entry point so packets are intercepted before they even reach a server or other network device.
It's essentially a computer in itself, dedicated to preventing malicious or unwanted traffic...that can't be altered or compromised.

Finally, they are specifically dedicated to one job.....inspecting packets and making tens of thousands of security related decisions per second. Dropping bad packets, allowing good packets.

OpenVPN is dedicated primarily to encryption and not stateful packet inspection. So, OpenVPN won't stop a Chinese or Russian hacker for example from reaching your computer, but it will encrypt the data you send or receive so they shouldn't be able to decipher it. It is nearly unheard of to hear of a good quality, up to date professional hardware firewall getting hacked.
(That would be a disaster for their business actually).
But with a VPN, if you should accidentally open the wrong email or go to the wrong site, you can still get compromised.
With a hardware firewall, properly configured and updated, it will prevent you from connecting to that site, prevent your system from communicating back to the origin offending machine or neutralize harmful packets before they can reach your machine and network.
They are not affected themselves by malware or viruses because the CPU cannot process those instructions.

I run a server and I see hundreds to thousands of hack attempts daily from nearly every corner of the globe.

A complete security package might utilize both VPNs and a good hardware firewall. Most professional hardware firewalls have VPN capability built in.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
There are probably 50+ threads discussing this in detail.
 

fenderman

You are conflating two distinct categories.
A good VPN is all you need to properly secure a network device like an NVR. When all traffic from that device is blocked off from the internet to the outside world it's as if it is not on your network. This puts you in the EXACT same position as not having the device on your network.

Now the separate and distinct question is do home users need advanced enterprise firewalls? The answer is no. A good AV on the PC is all you need. Place all IoT devices that need internet access (thermostats etc) on the guest network or VLAN if supported.

The upper range ASUS routers with OpenVPN that folks here recommend also come with ASUS AiProtection that does more than many business class routers and is free for life. Most users would not only not benefit from an enterprise firewall but will likely reconfigure to the point where it is not secure at all.
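
The isolation described in this post (NVR and cameras blocked from the internet) and the first post's point about watching every connection can both be checked from firewall logs. The following is an added example, not part of any post in this thread; the camera subnet 192.168.50.0/24, the `key=value` log format and the sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions: cameras/NVR sit on their own subnet, and the firewall exports
# one "timestamp key=value ..." connection record per line.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log using documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
2019-01-05T02:14:07 src=192.168.50.20 dst=192.168.50.1 dport=123 action=allow
2019-01-05T02:14:09 src=192.168.50.20 dst=203.0.113.45 dport=8000 action=allow
2019-01-05T02:15:30 src=192.168.50.21 dst=198.51.100.7 dport=443 action=drop
2019-01-05T02:16:02 src=192.168.1.10 dst=203.0.113.80 dport=443 action=allow
2019-01-05T02:17:41 src=192.168.50.21 dst=192.168.1.10 dport=554 action=allow
truncated record without fields
"""

def parse_record(line):
    """Return (src, dst, dport, action), or None for a malformed line."""
    try:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        return (ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]),
                int(fields["dport"]), fields["action"])
    except (KeyError, ValueError):
        return None

def camera_egress(log_text):
    """Every attempt by a camera-subnet host to reach a non-local address."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, dport, action = rec
        if src in CAMERA_NET and not any(dst in net for net in LOCAL_NETS):
            findings.append((str(src), str(dst), dport, action))
    return findings

def leaks(log_text):
    """Egress the firewall allowed: the device is not actually isolated."""
    return [f for f in camera_egress(log_text) if f[3] == "allow"]

if __name__ == "__main__":
    for src, dst, dport, action in camera_egress(SAMPLE_LOG):
        status = "LEAK" if action == "allow" else "blocked"
        print(f"{status}: {src} -> {dst}:{dport}")
```

Dropped attempts are still worth reviewing: they show which device is trying to reach the outside and where, even while the block holds.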
 

#&%)@%_@%

Just my opinion, but I think people latch onto certain things because everyone else is doing it. Not necessarily because they actually know why or the down sides.
OpenVPN is software. That's all. It's "good" software for sure. There are still 1000 ways someone with mal intent can compromise a VPN-only protected machine.

As far as a firewall being "open". That's not exactly true. While you might accidentally open a hole that allows bad traffic through, that compromises the machines behind it. Not the firewall itself.
But if you're prone to make mistakes configuring a firewall, you're also likely to make configuration errors with a VPN as well.
Unlike OpenVPN, a professional-grade firewall is not software, like OpenVPN, which is software and can become corrupted.

OpenVPN cannot block millions of IP addresses for example. If there are countries that are hot spots for hacking, do you really need to be open to them at all?

A VPN is indeed a good thing. But, it somewhat reminds me of the US military depending so heavily on high tech alone. Should an opponent figure out how to circumvent or disable all that high tech, it could be disastrous.
On a more humorous note...it reminds me of an episode of Star Trek where I believe the Borg were attacking the crew of the Enterprise and their phasers were ineffective because the Borg were attenuating their defensive frequencies faster than the Federation crew could adapt. So, someone pulled out a 1911 handgun and took out the Borg easily :)

Security is best achieved by "layering" imo.
A VPN alone is not enough. You need a VPN, a professional firewall and good AV. They are complementary. Just an opinion.

Can you still be tracked when using a VPN?

Why a VPN isn't enough to protect your privacy

VPN vs. Firewall vs. Antivirus - What’s the Difference? | CactusVPN
 

fenderman

This last post confirmed for me that you are clueless when it comes to network security.
First, OpenVPN runs on ASUS router firmware just the same way your enterprise router's VPN runs. There is a Windows version as well.
Second, and more importantly, the links you provide reference paid VPN servers that mask your location, not something like OpenVPN that creates a tunnel between your PC and the client on your phone. As I explained to you, the ASUS router has built-in professional-grade features that are normally paid for with a yearly subscription. Yes, you can get more protection like SSL inspection, which is generally not available unless you're paying silly money for a hardware appliance, or spin your own using something like Untangle. Recommending that for the average user is insane. I suggest you go nowhere near an enterprise firewall because it's evident you don't understand the basics.
 

cuz

Getting the hang of it
Joined
Nov 4, 2018
Messages
124
Reaction score
40
Location
New England
I wonder how many components of your enterprise firewall were made in China?
 

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
701
Reaction score
454
Second, and more importantly, the links you provide reference paid VPN servers that mask your location, not something like OpenVPN that creates a tunnel between your PC and the client on your phone.
^^^this^^^

Conflating two very different "VPNs".
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,451
Reaction score
38,164
Location
Alabama

Nevvyn

n3wb
Joined
Nov 20, 2018
Messages
23
Reaction score
10
Location
London
Had an interesting chat along similar lines at a recent installers' course for Dahua. The UK staff line on it was that Dahua are not state-owned; they are (according to them) the only independent company that "just happens" to be based in China.

I have not fact-checked any of this, but when I asked a similar question that was the response I got, fyi.

Edit: Having read your article, this was the phrase that stood out to me: "Hangzhou Hikvision Digital Technology, a company controlled by the Chinese government, is now the world's largest supplier of video surveillance equipment, with internet-enabled cameras installed in more than 100 countries." which fits with what they explained.
 