Do you utilize the VLAN settings on your network in conjunction with your Surveillance System?


  • Yes: 7 votes (53.8%)
  • No: 4 votes (30.8%)
  • What's a VLAN?: 2 votes (15.4%)
  • Total voters: 13

Arjun

Do you utilize the VLAN settings on your network in conjunction with your Surveillance System?
 

DWW0311

Yes. The cameras and the server are sandboxed within their own VLAN.
 

DavidDavid

As @nayr once said, VLANs are more of use when you don't trust your local network.

Think about if you're running a business and don't want one of your employees messing around trying to gain access to the camera or whatever since they have access to your local network.
 

DavidDavid

I was serious when I said they all do it, that's why I have mine on a walled off VLAN; I don't even trust them to talk to my main network, let alone the internet..

If you're going to get a bunch of IoT devices, cameras, or things you don't trust to have access to your LAN then buy a router like the Ubiquiti EdgeRouter Lite with 3 separate interfaces, one is for your internet and set up the other two as separate subnets.. one for trusted devices and one for untrusted, you don't need to do VLANs just use separate switches and simply put anything you don't trust into the Walled Garden switch, then anything you do trust put on your normal LAN and so all your apps/games/sites work without giving you grief.

Trusted: 192.168.1.0/32
Untrusted: 192.168.254.0/32

Anything not on the same network (subnet) will have to connect to the router and will encounter the firewall rules.. you can put your NAS on your trusted network then open up only the ports your cameras need to connect to your NAS.. or put your NVR on the untrusted network and open up just the ports so your LAN can access streams off the NVR.. the Ubiquiti EdgeRouter will transmit Gigabit wire speeds across subnets without an issue while filtering the traffic.. it'll never be a bottleneck and they'll perform like one big happy network with a guard in the middle.. really can't find a better performing router for the price.

Then you run VPN to connect you to your trusted network, it's not really all that difficult to do.. just most people simply don't know.. so here you go, that's how you do it..

I use the Ubiquiti EdgeRouter PoE, it's worth the extra money for 3 Gigabit PoE ports and plugging in 3 of their dual band AC access points into it.. that's how I get 100Mbit Internet on WiFi anywhere in the house, I can push 300Mbps+ through easy on any device from anywhere.. the access points are on their own subnets/VLANs so you have secure guest WiFi you can put firewall filters on, different firewall filters for wireless devices, etc.. I run an openwireless.org network with a ton of rules and no crypto, I figure nobody really wants to hack your secure WiFi if you give em an open one and I don't have to give guests a password.
If you want to isolate your cameras with external PoE you need a VLAN capable switch and router, or a 2nd router and some static routes defined.

Isolating the cameras from the rest of your LAN doesn't necessarily provide security, if they are isolated from the internet the threat they pose on your network is dramatically reduced and the attack surface is minimal..

The main reason for isolating your cameras from your LAN is because you don't trust your LAN; not the other way around.. ie, you have employees that should not be able to access the recorder or cameras.
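
The two-subnet layout described in the post above, modelled as a small rule checker. This is an added example, not code from anyone in the thread or from Ubiquiti; it assumes /24 masks on the two ranges, and the NAS address, the port and the sample flows are constructed.

```python
import ipaddress

# Assumption: /24 masks on the two ranges named in the thread.
TRUSTED = ipaddress.ip_network("192.168.1.0/24")
UNTRUSTED = ipaddress.ip_network("192.168.254.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed values: the NAS address and the one port cameras may reach.
NAS = ipaddress.ip_network("192.168.1.10/32")
NAS_PORT = 445

# Router rules for NEW connections, first match wins.
# (source net, destination net, destination port or None for any, action)
# Replies to accepted connections are assumed to pass via state tracking.
RULES = [
    (UNTRUSTED, NAS, NAS_PORT, "accept"),  # cameras -> NAS, one port only
    (UNTRUSTED, ANY, None, "drop"),        # no LAN, no internet for cameras
    (TRUSTED, ANY, None, "accept"),        # LAN may open streams, browse
]

def decide(src, dst, dport):
    """Return 'switched', 'accept' or 'drop' for one new connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Same subnet: traffic stays on the switch and never meets the firewall.
    for net in (TRUSTED, UNTRUSTED):
        if s in net and d in net:
            return "switched"
    for rsrc, rdst, rport, action in RULES:
        if s in rsrc and d in rdst and rport in (None, dport):
            return action
    return "drop"  # default for anything unmatched

def audit(flows):
    """Map each (src, dst, dport) flow to the router's decision."""
    return {flow: decide(*flow) for flow in flows}

# Constructed flows: camera .20, second camera .30, LAN PC .50, outside host.
SAMPLE_FLOWS = [
    ("192.168.254.20", "192.168.1.10", 445),
    ("192.168.254.20", "192.168.1.50", 445),
    ("192.168.254.20", "203.0.113.5", 443),
    ("192.168.1.50", "192.168.254.30", 554),
    ("192.168.254.20", "192.168.254.30", 80),
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS).items():
        print(flow, "->", verdict)
```

The last sample flow comes back as `switched`: devices inside the untrusted subnet can still reach each other, because the router only filters traffic that crosses subnets.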
 