Best practice IT-security design

Pernod

n3wb
Joined
Feb 22, 2018
Messages
21
Reaction score
0
Just a quick question to see if anyone has any 'best practice' guidance for the IT-security setup of new cameras.

My current thinking on how best to set up my new system is:
  • Cameras locked down at a firewall level for no external internet access.
  • Blue Iris running on a machine with limited outbound access (for sending alerts).
  • VPN into the local network for remote viewing etc.
How has everyone else got theirs set up? Any opinions on the above principles as a starting point?
 

Pernod

Fair enough then...
Mods, please feel free to delete this thread - I'll back myself to design a security flow and will come back with detailed questions if/when I have them.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
> Any opinions on the above principles as a starting point?

I've seen a couple of good threads about your bullet points. Using a VPN is a popular topic around here. User @nayr wrote a VPN Primer thread that's floating around (I think in the Dahua forums?) that's used as a reference for folks who aren't familiar with the technology. It's helped a lot of folks get one set up that probably wouldn't have otherwise tried.

I've seen other threads where folks have created a separate VLAN for their cameras, and blocked that VLAN from being able to get to the Internet (per your first bullet), but they also configured it so that VLAN can't initiate connections back to the main VLAN. This lets them connect to the cameras from their PC without any issues, just wouldn't let a camera try to connect on its own to anything back on the main VLAN.

I'm kind of interested in that last approach, but my switch doesn't support VLANs, so ... that's a future upgrade!
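
The one-way camera VLAN isolation described in the post above, written as an nftables forward-chain ruleset for the router between the networks. This is an added example, not from any poster in the thread; the interface names and the VLAN ID are assumptions to be replaced with your own.

```nftables
#!/usr/sbin/nft -f
# Added example. All interface names below are assumptions.
define WAN = "eth0"      # assumed uplink to the Internet
define LAN = "eth1"      # assumed main network
define CAM = "eth1.20"   # assumed camera VLAN (ID 20 is made up)

table inet camera_isolation {
    chain forward {
        # Default deny: anything not matched below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections that were permitted below.
        # This is what lets a camera answer a PC without being
        # allowed to open a connection of its own.
        ct state established,related accept
        ct state invalid drop

        # The main network may initiate connections to the cameras
        # and to the Internet.
        iifname $LAN oifname $CAM accept
        iifname $LAN oifname $WAN accept

        # Cameras may not initiate anything, towards the Internet or
        # the main network. Log a rate-limited sample so unexpected
        # call-home attempts are visible, then drop.
        iifname $CAM limit rate 10/minute log prefix "cam-blocked: "
        iifname $CAM drop
    }
}
```

Because the only accept rule that matches camera-originated packets is the `established,related` one, a camera can reply to a viewer on the main network but every new connection it attempts ends at the final drop.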
 

Pernod

I probably should have said I already run a VPN and firewall. As a security nut I was mainly interested in any initial advice on how people have theirs set up, and also any specifics like ports to unblock on Blue Iris etc.

I might actually just go the route of setting up a dedicated DD-WRT router for the security system on a separate subnet with a dedicated Raspberry Pi VPN/firewall...

But it doesn't matter, I'm confident I'll get it all sorted and locked down; I'll ask on one of the security forums if anything really fishy comes up.
 

Pernod

> Stating the obvious - watch out for UPnP doing stuff you'd rather it didn't while you are not looking.
> Best squish it.

Good call. I use UPnP on my main network so this adds weight to the approach of having a secondary network that's locked down tight...
 