Cameras on LAN

Discussion in 'Cyber Security' started by dryfly, May 14, 2019.

  1. dryfly

    dryfly Getting the hang of it

    Joined:
    May 25, 2015
    Messages:
    162
    Likes Received:
    8
    I have 2 systems running, both with Hikvision cameras. One is a BI computer, and the other is a Hikvision NVR. On both systems I have the cameras on POE switches connected to the LAN.

    I have seen various posts recommending subnets using 2 NIC cards on a BI computer, using one NIC to feed the cameras directly to the computer, not the LAN. Also, I've seen recommendations on NVRs to run the cameras directly into the NVR and not on the LAN.

    At this time I do not use any remote access devices, and certainly don't have any ports forwarded. My question: is my system safe with the cameras connected to the LAN? If not, how do cameras on a LAN access the internet causing issues?

    Also, once a VPN (Asus router/OpenVPN) is established, is any of this a concern?
     
  2. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    1,727
    Likes Received:
    960
    Location:
    Houston Tx
    Security is always a concern.

    Your setup will work for now. But I would block the cameras' IP / MAC addresses at your router, to prevent the cameras from calling home. Some routers support this feature.

    All cameras have questionable security.

    On the router, disable UPnP.

    Set up a time service on your network so the cameras can get the correct time locally.
     
  3. Walter Ahlgrim

    Walter Ahlgrim n3wb

    Joined:
    Apr 20, 2019
    Messages:
    2
    Likes Received:
    0
    Location:
    63357
    If you do not need/want to remotely view the cameras and have a monitor connected to the HDMI of the DVR for viewing, then the safest system is “air gapped” from the internet, in that all cameras connect directly to the DVR and the DVR has no connections to anything connected in any way to the internet.

    Walta
     
  4. RoCam

    RoCam n3wb

    Joined:
    May 17, 2019
    Messages:
    12
    Likes Received:
    2
    Location:
    Netherlands
    If your router / switch supports it, you might consider using VLANs. That way you won’t have to use multiple network cards and all traffic can be routed through a firewall.
     
  5. thomaswde

    thomaswde Getting the hang of it

    Joined:
    Feb 18, 2017
    Messages:
    44
    Likes Received:
    62
    Location:
    NW, GA
    1st, ALWAYS be sure UPnP is disabled at your router. Pretty much every router out there will let you toggle this off; if it won't, get one that will.
    Doing that and only connecting to your home network via a VPN would cover a lot of your bases and put you in decent shape.
    2nd, your best option to secure yourself further (which is IMO whatever is the safest & most maintainable for you) depends very much on the network equipment you're running and your personal networking skill level. There are just so many ways to secure your cameras: firewall rules, VLAN, air gap, etc.
     
  6. dryfly

    dryfly Getting the hang of it

    Joined:
    May 25, 2015
    Messages:
    162
    Likes Received:
    8
    Well, my networking skills are pretty basic so I'm relying on info from this forum. UPnP is disabled on my router. The only way I see to block cameras from internet is through "parental controls" where instead of blocking a computer, I enter the MAC address for each camera.

    Again, my basic question is: am I better off connecting my cameras directly to the NVR (using its subnet) instead of having the cameras connected through a switch to the router, thereby having them on my LAN?

    Air gap would be fine for now, but is more trouble if I want to access the camera directly through my network to make adjustments. I'm still assuming when I get an Asus router with OpenVPN up and running none of this will be an issue. I'm not familiar with how to get a VLAN implemented.
     
    TL1096r likes this.
  7. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    1,727
    Likes Received:
    960
    Location:
    Houston Tx
    The parental controls are what I use to block the MAC address of the cameras.
    The cameras are connected directly to the NVR so that they have a different IP address range; the cameras are isolated from the home network.

    An Asus router is great for OpenVPN. You can use OpenVPN to access your NVR.
     
  8. dryfly

    dryfly Getting the hang of it

    Joined:
    May 25, 2015
    Messages:
    162
    Likes Received:
    8
    My LAN is 192.168.0.xxx and if cameras are connected to the NVR the camera addresses become 192.168.254.xxx. In this case should each camera be set up to be blocked by "parental controls", or just block the NVR MAC address only, since the cameras are behind the NVR?
     
  9. TL1096r

    TL1096r Pulling my weight

    Joined:
    Jan 28, 2017
    Messages:
    563
    Likes Received:
    115
    Great info. Looking to try to make a more secure setup, and there is so much information I am trying to get all in one place.

    I was reading that you can remove the network gateway from the camera
    --allows any device on the same subnet to access the device, but it doesn't know how to get back to the internet
    --will not affect remote viewing from Blue Iris
     
  10. Valiant

    Valiant Getting the hang of it

    Joined:
    Oct 30, 2017
    Messages:
    153
    Likes Received:
    50
    Location:
    Australia
    The MAC addresses behind the NVR are not seen or broadcast on your LAN subnet. Implementing parental controls is pointless. Only the NVR MAC address will be seen by your router.

    If you block your NVR MAC then you'll likely lose any remote access to the NVR.
     
  11. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    1,727
    Likes Received:
    960
    Location:
    Houston Tx
    Most NVRs have two IP addresses, one for the home network and one for the camera network. This is the case if the cameras are connected directly to the NVR. This is normally done by plugging the cameras into the PoE connectors on the back of the NVR. Some NVRs do not have PoE connectors or support more cameras than the number of PoE RJ45 connectors. In this case the cameras are on the home network.

    For security, ALL camera MAC addresses need to be blocked at the router if at all possible. All it takes is to plug a camera into the home network one time for debugging or testing and you may get hacked. It is better to be very safe than very sorry.
     
    Last edited: Jun 6, 2019
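
The addressing logic behind the gateway-removal and NVR-subnet posts above, as an added example that is not part of the original thread: for each camera it works out where the camera's own IP stack would send traffic for the recorder and for an outside host, and whether a MAC block at the router can apply at all. The two subnets are the ones quoted in the thread; the camera names, host addresses and the 203.0.113.10 stand-in for "the internet" are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.0.0/24")        # home LAN range from the thread
NVR_NET = ipaddress.ip_network("192.168.254.0/24")  # NVR camera-port range from the thread
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")  # documentation address, stands in for any outside host

@dataclass
class Camera:
    name: str
    iface: str               # address/prefix configured on the camera
    gateway: Optional[str]   # None = gateway field cleared on the camera

def next_hop(cam, dst):
    """How the camera's own IP stack would send a packet to dst."""
    net = ipaddress.ip_interface(cam.iface).network
    if dst in net:
        return "direct"      # same subnet: no router involved
    if cam.gateway and ipaddress.ip_address(cam.gateway) in net:
        return "gateway"     # off-subnet: handed to the configured gateway
    return "no-route"        # off-subnet and nowhere to send it

def audit(cam, recorder_ip):
    net = ipaddress.ip_interface(cam.iface).network
    on_lan = net.subnet_of(LAN)
    return {
        "segment": "LAN" if on_lan else "NVR" if net.subnet_of(NVR_NET) else "other",
        "recorder": next_hop(cam, ipaddress.ip_address(recorder_ip)),
        "internet": next_hop(cam, INTERNET_HOST),
        # The router only sees MACs on its own segment, so a MAC block
        # only does anything for cameras plugged into the LAN.
        "router_mac_block_applies": on_lan,
    }

# Constructed inventory: hypothetical camera names and host addresses.
CAMERAS = [
    Camera("lan-cam-default", "192.168.0.64/24", "192.168.0.1"),
    Camera("lan-cam-no-gw", "192.168.0.65/24", None),
    Camera("nvr-port-cam", "192.168.254.2/24", "192.168.254.1"),
]
RECORDERS = {"LAN": "192.168.0.10", "NVR": "192.168.254.1"}  # constructed

if __name__ == "__main__":
    for cam in CAMERAS:
        seg = "LAN" if ipaddress.ip_interface(cam.iface).network.subnet_of(LAN) else "NVR"
        print(cam.name, audit(cam, RECORDERS[seg]))
```

For the NVR-port camera, "gateway" only means the packet is handed to the NVR's camera-side address; whether it goes any further depends on the NVR. A cleared gateway is a setting on the camera itself, while the router block is enforced outside the camera.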