Best network security practices for new Dahua setup

highground

Young grasshopper
Joined
Apr 22, 2015
Messages
32
Reaction score
6
Hi all,

I've just purchased a new Dahua-based system and am waiting for the arrival of my final cameras, but I'm after some clarity on the best setup in regards to internet security.

I have purchased a TL-SG1016PE managed switch with 8-port PoE to run the 8 cameras. I would like to use the remaining ports for the household LAN distribution.

I'm using a DHI-NVR5216-4SK2 NVR for recording. I decided to use an external PoE switch due to excellent advice on this forum.

I also have a Synology 916+, that reports to a DDNS, and if needed could run a VPN.

Ultimately, I'd like the following:

- Ability to monitor remotely via phone (including alarm notifications), in a manner that the wife is approving of.

- No security compromise of a few of the Chinese model cameras in my collection.

- Ability to monitor the NVR on the LAN from a PC.

VLANs and VPNs are all new to me, but I'm sure I can work it out - just need a push in the right direction from some of the experts if I may!

Thank you!!!

Sent from my ONEPLUS A5000 using Tapatalk
 

giel

n3wb
Joined
Nov 25, 2017
Messages
28
Reaction score
13
If you want to make sure there's no funny stuff going on with cameras you don't necessarily trust (which for me personally is all of them), you ideally would like them to not be able to access the internet or be accessed from the internet at all. In my setup, the cameras are physically on a different network, separate from my home network, with different networking equipment, but you can do the same with a VLAN.

One solution is to put the NVR and all cameras in their own VLAN, so they are not able to reach and are not reachable from any other computer or piece of equipment in your home network, including your internet router. To then access your NVR from a PC, and potentially from a phone outside of your network, you'd set a PC up to be part of this VLAN. You could do this by assigning a second IP and making the PC part of the VLAN _and_ part of the "household VLAN", and having the PC act as a router/firewall that only routes traffic TO the NVR, not to the cameras, and no traffic originating from your camera VLAN to anywhere. Using a second network card in your PC would make this a little easier. Using all separate network hardware also makes it easier (and you won't be wasting ports, because face it, you'll get more cameras :) ), but it works with VLANs too.

Once you have this set up, you can start playing with port forwarding from your router to this PC to the NVR, and maybe using a VPN, depending on what the exact functionality of your NVR is.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,622
Reaction score
22,861
Location
Evansville, In. USA
First order of business: do not forward any ports, ever. Use a VPN; it is easy to set up with a router that supports OpenVPN, such as an Asus.

Randy: OpenVPN on an Asus router
VPN Primer for Noobs
 

highground

Young grasshopper
Joined
Apr 22, 2015
Messages
32
Reaction score
6
Thank you Giel,

Really appreciate the detailed response.
I think that realistically I'm not worried about someone viewing my cameras - if they want to watch my gardens grow, that's fine.

I will look at doing as suggested, and either use a VPN on that VLAN (provided I can make it accessible quickly to both my Android phone and the wife's iPhone), or alternatively do as suggested but segregate that LAN from my home network using my router's VLAN to allow internet access.

If I go with option B, is there a safer option in regards to setting up access to the Dahua app?
 

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
I have a VLAN just for the cameras. The cameras have static IP addresses with no DNS server address. My firewall is configured so that devices on the camera VLAN cannot initiate connections, but they can respond to connections from my main LAN. So I can point my browser to the camera's IP, and Blue Iris, etc. can see the cameras as if they were on the same LAN. But should a camera decide to contact the People's Army, they won't be able to. The only exception I made was to a single NTP server so they can keep accurate time.
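The policy in the post above ("cannot initiate, but can respond, with one NTP exception") is exactly what a stateful firewall's connection tracking gives you. The following is an added example, not the poster's configuration: it models that policy in Python against constructed sample traffic, and prints the same policy as an nftables forward chain. The address ranges (192.168.1.0/24 for the main LAN, 192.168.20.0/24 for the camera VLAN), the router as the NTP server, and every sample flow are assumptions chosen for illustration.

```python
"""Model of the camera-VLAN policy described above: hosts on the camera VLAN
may not initiate connections, except to one NTP server, but may answer
connections opened from the main LAN.  Added example, not the poster's
configuration; address ranges, NTP server and sample flows are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption): main LAN, camera VLAN, router as NTP source.
LAN = ip_network("192.168.1.0/24")
CAM_VLAN = ip_network("192.168.20.0/24")
NTP_SERVER = ip_address("192.168.1.1")
NTP_PORT = 123

# One packet, described by its 5-tuple.
Flow = namedtuple("Flow", "src sport dst dport proto")


def allow_new(f):
    """Policy for the first packet of a connection (NEW state)."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if src in LAN and dst in CAM_VLAN:
        return True  # browser or Blue Iris reaching a camera/NVR
    if src in CAM_VLAN and dst == NTP_SERVER and f.proto == "udp" and f.dport == NTP_PORT:
        return True  # the single outbound exception: time sync
    return False     # anything else the camera VLAN tries to start, incl. internet


class StatefulFirewall:
    """Minimal connection tracker: a packet is accepted if it belongs to a
    connection already accepted in either direction (ESTABLISHED); otherwise it
    is judged as a NEW connection by allow_new()."""

    def __init__(self):
        self.established = set()

    def evaluate(self, f):
        forward = (f.src, f.sport, f.dst, f.dport, f.proto)
        reverse = (f.dst, f.dport, f.src, f.sport, f.proto)
        if forward in self.established or reverse in self.established:
            return "ACCEPT established"
        if allow_new(f):
            self.established.add(forward)
            return "ACCEPT new"
        return "DROP"


def nftables_ruleset():
    """The same policy as an nftables forward chain, generated from the constants
    above (assumes the router/firewall is what routes between the two VLANs)."""
    return f"""table inet camvlan {{
  chain forward {{
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ip saddr {LAN} ip daddr {CAM_VLAN} ct state new accept
    ip saddr {CAM_VLAN} ip daddr {NTP_SERVER} udp dport {NTP_PORT} ct state new accept
    ip saddr {CAM_VLAN} counter log prefix "camvlan-drop " drop
  }}
}}"""


def run_scenario():
    """Constructed sample traffic; returns the verdict for each packet in order."""
    fw = StatefulFirewall()
    flows = [
        Flow("192.168.1.50", 54321, "192.168.20.11", 80, "tcp"),   # PC opens camera web UI
        Flow("192.168.20.11", 80, "192.168.1.50", 54321, "tcp"),   # camera's reply packets
        Flow("192.168.20.11", 123, "192.168.1.1", 123, "udp"),     # camera syncs time
        Flow("192.168.20.11", 40000, "203.0.113.5", 443, "tcp"),   # camera tries to phone home
        Flow("192.168.20.11", 40001, "192.168.1.50", 445, "tcp"),  # camera probes the main LAN
        Flow("192.168.20.11", 40002, "8.8.8.8", 53, "udp"),        # camera DNS lookup
    ]
    return [fw.evaluate(f) for f in flows]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
    print(nftables_ruleset())
```

The ordering in the nftables chain matters: the `established,related` rule must come first so that camera reply packets are accepted without ever being matched as new connections, and the final logging `drop` gives you a record of every outbound attempt the cameras make.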
 

highground

Young grasshopper
Joined
Apr 22, 2015
Messages
32
Reaction score
6
Thanks everyone.

I think based on your advice I will initially try setting up the VLAN on the switch to contain just the cameras and NVR, and then limit it again at the router at the port level. I should be able to block all external requests to the cameras, and only allow out the NVR (can cameras get time sync from the NVR?).

I guess I could also pop a raspberry pi on the same VLAN and use a VPN?
 

Mjminino

n3wb
Joined
Feb 21, 2018
Messages
25
Reaction score
12
From what I have read, it isn't so much that they want to watch your garden grow, but they want to use the weak security in the cameras and get into your network using the backdoor in them.

I will use Blue Iris. I am also using OpenVPN on my router and I have OpenVPN set up with Tasker (automation application) on my phone to view my cameras through my home network and not an unsecured network when I am not at home. With Tasker, when I leave my home network it turns on OpenVPN (which then connects back to my home network) and when I come home and my phone physically connects to my home network it shuts off my OpenVPN since I would be viewing my cameras while personally being on my network/computer.

From my understanding doing it this way you are practically always on your home network and not someone else's. If you don't want to be connected to the VPN all the time, you could set up Tasker to open your VPN then open BI then shut off your VPN when you close BI.

I suppose you could do this same route and instead of opening BI, you would open the Dahua app.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I personally already use the same OpenVPN setup as you, which "protects" your LAN from any inbound and outbound crazy stuff (you can do this router-wise and block MAC addresses, or you simply put a non-functioning network gateway in your cameras).
However I am not sure that this setup would actually work with the Dahua i/gDMSS application, as push messages to your cell phone would need to get outside your LAN towards Dahua servers. So you cannot simply block them from the internetz and use the android/iOS notifications through Dahua services. I am not sure whether or not these push notifications would work in a 'p2p' mode within an openVPN secured LAN.
Thanks!
 

CaliCam

Young grasshopper
Joined
Sep 10, 2015
Messages
31
Reaction score
13
Location
Southern California

jesd03

Getting the hang of it
Joined
Apr 14, 2015
Messages
158
Reaction score
22
I am a bit worried, as I had allowed my NVR access to the internet through my firewall to get P2P to work, which in turn allowed the push to phone to work. I was surprised at the number of outbound connections using various ports and to various destinations, so I changed it back to no access to the internet.
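The observation above (an NVR allowed out to the internet opens connections to many destinations on many ports) is easy to quantify if the router logs what leaves the camera VLAN. The following is an added example, not the poster's setup: it parses iptables/nftables-style LOG lines, drops the one destination the VLAN is allowed to reach (NTP on the router), and summarises everything else per source device. The log lines are constructed, the addresses are documentation-range placeholders, and the `camvlan-out` log prefix and the 192.168.20.0/24 VLAN are assumptions.

```python
"""Audit of outbound connections from a camera/NVR VLAN, in the spirit of the
observation above that an NVR with internet access reached many destinations.
Added example, not the poster's setup; log lines are constructed in
iptables/nftables LOG key=value form with documentation-range addresses."""
import re
from collections import Counter, defaultdict

# Constructed sample: what a "camvlan-out" logging rule on the router might record.
SAMPLE_LOG = """\
Mar  1 10:00:01 router kernel: camvlan-out IN=br20 OUT=eth0 SRC=192.168.20.10 DST=192.168.1.1 PROTO=UDP SPT=123 DPT=123
Mar  1 10:00:03 router kernel: camvlan-out IN=br20 OUT=eth0 SRC=192.168.20.10 DST=203.0.113.17 PROTO=TCP SPT=50001 DPT=443
Mar  1 10:00:04 router kernel: camvlan-out IN=br20 OUT=eth0 SRC=192.168.20.10 DST=203.0.113.17 PROTO=TCP SPT=50002 DPT=443
Mar  1 10:00:09 router kernel: camvlan-out IN=br20 OUT=eth0 SRC=192.168.20.10 DST=198.51.100.9 PROTO=UDP SPT=37000 DPT=8800
Mar  1 10:00:15 router kernel: camvlan-out IN=br20 OUT=eth0 SRC=192.168.20.10 DST=203.0.113.23 PROTO=UDP SPT=37001 DPT=9000
Mar  1 10:01:02 router kernel: camvlan-out IN=br20 OUT=eth0 SRC=192.168.20.11 DST=198.51.100.44 PROTO=TCP SPT=40000 DPT=80
Mar  1 10:01:05 router kernel: camvlan-out IN=br20 OUT=eth0 SRC=192.168.20.11 DST=192.168.1.1 PROTO=UDP SPT=123 DPT=123
"""

# Destinations the camera VLAN may reach on its own: here only NTP on the router (assumption).
ALLOWED = {("192.168.1.1", "UDP", 123)}

FIELD = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)")


def parse(lines):
    """Yield (src, dst, proto, dport) for each log line that carries a 5-tuple."""
    for line in lines:
        m = FIELD.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dport"])


def audit(lines, allowed=ALLOWED):
    """Return {source: {(dst, proto, dport): hits}} for connections outside the allow-list."""
    unexpected = defaultdict(Counter)
    for src, dst, proto, dport in parse(lines):
        if (dst, proto, dport) not in allowed:
            unexpected[src][(dst, proto, dport)] += 1
    return unexpected


def report(lines, allowed=ALLOWED):
    """Human-readable summary: one header per source, one line per distinct destination."""
    out = []
    for src, dests in sorted(audit(lines, allowed).items()):
        out.append(f"{src}: {len(dests)} unexpected destination(s)")
        for (dst, proto, dport), hits in sorted(dests.items()):
            out.append(f"  -> {dst} {proto}/{dport}  ({hits} connection(s))")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Run against a real log, the report is the list of destinations you would have to explicitly trust to keep P2P and push notifications working; everything on it disappears once the VLAN is put back behind a default-deny rule with only the NTP exception.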
 

highground

Young grasshopper
Joined
Apr 22, 2015
Messages
32
Reaction score
6
Thank you for providing Randy's OpenVPN info. I was able to set it up within 10 minutes and everything works flawlessly. Wow, no need for me to forward ANY ports with this setup.

CaliChris
When you say everything works perfectly... Are you getting mobile push notifications? If so, are you using an NVR or something else, and what app?

Sent from my ONEPLUS A5000 using Tapatalk
 

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
146
Reaction score
28
Location
Ohio
Does everyone recommend blocking internet access for the NVR as well? I already have all my cameras blocked from the router itself. Is that enough?
 