Dual NIC setup on your Blue Iris Machine

While I agree that the Dual NIC method is effective at isolating the cameras from being able to access the internet (and thus preventing them from "phoning home"), has anyone ever given serious consideration to the possibility that the camera firmware itself might contain code that could compromise the B.I. computer (and ultimately your whole network)?
I have seen this brought up occasionally (at least once in this thread), but have never seen a serious discussion about this attack vector. Anyone care to alleviate my perhaps paranoid fears here?

Yes, which is why I have strict firewall rules (In Windows Firewall) between the cameras and BI
 
Yes, which is why I have strict firewall rules (In Windows Firewall) between the cameras and BI
Interesting, but I'm not clear on what that would achieve: in effect, we are already isolating them from direct internet access by setting up the dual NIC configuration with no default gateway on the camera side, and of course a handful of ports do need to be open to the B.I. machine for the camera streams to function. I suppose it would help to ensure that only those known ports can communicate to the B.I. computer, and I suppose that machine itself could be locked down tight so that only the ports needed for viewing streams could get "out".

As others have pointed out, in reality this is really no different from plenty of other devices we have decided to trust on our networks (whether they all deserve that trust is another matter entirely). At some point, if we want certain functionality from those devices, we accept the potential security risks.
 

Along those same lines, if they wanted to be devious, they would probably write code that would compromise a VLAN as that is how most are probably going about it. Any devious code is going to be written to attack the masses and the most popular option. And they would probably go after the most popular managed switch as it would be difficult to write it around every switch.

At the end of the day, a VLAN switch simply keeps stuff on each VLAN from talking by code. It is a switch with all the ports connected and able to talk to each other just like an unmanaged switch, except the managed switch allows you to isolate ports by software. The stuff is all physically connected to the same switch. At least with a dual NIC, there is some physical distance between the two IP address systems. Not quite an air gap, but it is isolation.

If you are really that paranoid, then you should completely isolate the cameras on a completely closed system and thus true CCTV as it was originally intended, where nobody outside of the building can see it because it is physically impossible to see anything unless directly connected to the VMS platform that has zero internet access.
 
Thanks to all for your input, and no, I am not all that paranoid (I mentioned that in jest in my original post), I was simply looking for some additional viewpoints on this subject as I hadn't seen much discussion on this point. So many sources (both vendors and "other" IP camera sites) make such a big deal of how "their cameras" aren't on the banned lists, unlike Dahua and Hikvision. I know these are arbitrary separations, as most are still made in the same countries.
 
That ban is crazy government thinking they are eliminating the potential of hacking by the Chinese government without addressing the real issue.

Hacking vulnerabilities are the same regardless of who makes the cameras...or any IoT for that matter...and that is why most of us here isolate our cameras from the internet...it's just irony that they are surveillance cameras...it flows better saying security cameras are not very secure but many here do not consider them security cameras as they are for surveillance!

And our wonderful government decided to ban Hikvision and Dahua from government installations due to being partly owned by the Chinese government and the potential to be hacked...yet fail to recognize that the real problem is the cameras can be breached, and then they get exploited with other manufacturers' cameras because they failed to isolate them from the internet. End result is people/governments that shouldn't see the camera feeds are now seeing them...

Yep, instead of our government forbidding public agencies from using Chinese brand cameras like Dahua and Hikvision because they could be used to be spied on by the Chinese government, they should have been looking at what the real issue is, and it is this issue that will be same regardless of who makes a camera. You need to get the cameras off the internet period.

We have already seen countless examples where government facilities that installed expensive AXIS cameras that are NDAA compliant were hacked into...

And of course other camera companies are now going to try to use this ban to their advantage, but as a consumer, you need to decide what marketing nonsense to believe and which one to pass on.

Regardless of who makes the camera, it should be limited in its ability to reach the internet. So at that point, go with the camera that is going to give you the best chance of a good capture.
 
What FIREWALL rules do you have set? Can you please share, and I can quote you and the info in the main thread.

Thanks
 
This is certainly possible. There could be a Windows vulnerability we won't know about. If this vulnerability is known by a Govt sponsored cyber organization, they could potentially share that vulnerability with a camera manufacturer (that is heavily controlled or influenced by said Govt).

An example exploit was EternalBlue, which took advantage of an unknown Windows SMB vulnerability. EternalBlue was an exploit that was hidden and used on Windows systems for 5 years before it was leaked. Once leaked, it caused billions of dollars of damage (WannaCry, NotPetya).

So perhaps there is an unknown Windows vulnerability (or one in the future). There are so many processes running within Windows. Coders are humans and they make mistakes (Microsoft coders did not intentionally create the SMB vulnerability). And perhaps a hacker knows about this vulnerability (or learns about it in the future) and publishes a "new improved" firmware to take advantage of it.

Having a firewall to monitor/inspect traffic to/from cameras and BlueIris can further lock down your network. It's part of a Zero Trust architecture.
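For readers asking what firewall rules to put between the cameras and Blue Iris (and for the SMB point above), here is an added example of how such rules can be built with Windows Defender Firewall; it is not any poster's configuration. It assumes the camera-side NIC is aliased "Cameras", sits at 192.168.55.10/24 with the cameras in 192.168.55.0/24, and is the only interface on the Public profile (the LAN NIC stays Private); run it from an elevated PowerShell prompt.

```powershell
# Added example: lock down the camera-side NIC of a dual-NIC Blue Iris box.
# Assumptions: NIC alias "Cameras", cameras in 192.168.55.0/24, and ONLY this
# NIC is on the Public profile (the LAN NIC stays Private), otherwise step 3
# would also restrict the LAN side.
$CamNic    = 'Cameras'
$CamSubnet = '192.168.55.0/24'

# 1. Put the camera NIC on the Public profile so the profile-level settings
#    below apply to it alone.
Set-NetConnectionProfile -InterfaceAlias $CamNic -NetworkCategory Public

# 2. Unbind SMB client/server from that NIC: nothing on the camera segment
#    should ever reach port 445 (the service EternalBlue abused) on this box.
Disable-NetAdapterBinding -Name $CamNic -ComponentID ms_server, ms_msclient

# 3. Public profile: deny by default in both directions. BI pulls RTSP, so the
#    cameras never need to open a connection to this machine, and the firewall
#    is stateful, so replies to BI's own connections still flow.
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Block

# 4. Explicit block for anything a camera tries to initiate toward this box.
#    Windows evaluates Block rules before Allow rules, so this also overrides
#    any built-in Allow rule that happens to be enabled on the Public profile.
New-NetFirewallRule -DisplayName 'Cams: block camera-initiated inbound' `
    -Direction Inbound -Action Block -Profile Public `
    -InterfaceAlias $CamNic -RemoteAddress $CamSubnet

# 5. The only holes: BI reaching the cameras' RTSP (554) and web UI (80).
#    Do NOT pair this with a "block all outbound to $CamSubnet" rule; because
#    Block wins over Allow, it would swallow this rule. The profile default
#    from step 3 is what provides deny-by-default for outbound.
New-NetFirewallRule -DisplayName 'Cams: allow RTSP/HTTP to cameras' `
    -Direction Outbound -Action Allow -Profile Public -Protocol TCP `
    -InterfaceAlias $CamNic -RemoteAddress $CamSubnet -RemotePort 554, 80

# 6. Verify: the two rules exist and RTSP to a camera (here .20) still connects.
Get-NetFirewallRule -DisplayName 'Cams:*' | Format-Table DisplayName, Direction, Action
Test-NetConnection -ComputerName 192.168.55.20 -Port 554 -InformationLevel Quiet
```

If a camera must push to the BI box (FTP or HTTP alerts), step 4 has to go and a narrow inbound Allow for that one port takes its place, since a blanket Block rule would override any Allow beside it.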
 
^And as I mentioned with VLANs, a vulnerability in the managed switch could happen just as well. If it is happening in a Windows platform that is constantly being updated, scrutinized, etc., who is to say that some VLAN switch that probably isn't having its firmware updated often isn't as vulnerable either?
 
Bottom line is to do what you can and feel comfortable with. The only real way is not to have any physical connection to the internet for the cameras. Unfortunately that sort of defeats a big feature of video surveillance, remote viewing.
 
Sure it's possible. This is why many enterprises use multiple vendors and multiple layers of security.

Also, Windows is more complex than a managed switch. There are so many apps that you can run on Windows. Surely Windows has more potential vulnerabilities. Just check the CVE database. There are over 9000.
 
From the first post in this thread, I'm confused by the following:
-enter the IP you want to use for your cams. Choose one that will not conflict with anything else like
"192.168.55.10"
Now you can make the cam IPs 192.168.55.xxx - the only number you cannot use is .10. Example of 4 cams would be:
"192.168.55.20"
"192.168.55.21"
"192.168.55.22"
"192.168.55.23"
It says "enter the IP you want to use for your cams" and gives the example 192.168.55.10 - then it says make the cams [.20 .21 .22 .23].

I understand the individual cams (in this example) will be .20 .21 etc - but what is the .10 for?
 

Please see what it says above.
After double clicking "Internet Protocol Version 4 (TCP/IPv4)":
Click the "Use the following IP address"

-enter the IP you want to use for your cams. Choose one that will not conflict with anything else like
"192.168.55.10"

-------------

The .10 is just a made-up number like the rest. You are using that as the main IP address; you can make it anything you want as long as it is not the same as another camera.

You have to use .55 for all cameras so it matches. But you can use 57 instead of 55: do 192.168.57.11, and then the cameras can be 192.168.57.12, 192.168.57.13, 192.168.57.14, etc.

Please let me know what doesn't make sense?
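An added check (not from the thread) that the BI-side address described above is configured the way the first post describes: a static ".10" on the camera NIC, no default gateway on it, and a subnet that does not overlap the LAN NIC. It assumes the adapters are aliased "Cameras" and "LAN"; adjust them to match Get-NetAdapter on your box.

```powershell
# Added example: audit the camera-side NIC of a dual-NIC Blue Iris box.
# Assumed adapter aliases: "Cameras" (camera side) and "LAN" (internet side).

# Network address of an IPv4/prefix pair, e.g. 192.168.55.10/24 -> 192.168.55.0/24
function Get-Network([string]$Ip, [int]$Prefix) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                       # little-endian for ToUInt32
    $addr = [BitConverter]::ToUInt32($bytes, 0)
    $mask = [uint32]((0xFFFFFFFF -shl (32 - $Prefix)) -band 0xFFFFFFFF)
    return ('{0}/{1}' -f ($addr -band $mask), $Prefix)
}

function Test-CameraNic {
    param([string]$CamNic = 'Cameras', [string]$LanNic = 'LAN')
    $ok = $true
    $camIp = Get-NetIPAddress -InterfaceAlias $CamNic -AddressFamily IPv4 | Select-Object -First 1
    $lanIp = Get-NetIPAddress -InterfaceAlias $LanNic -AddressFamily IPv4 | Select-Object -First 1

    # The BI-side address (the ".10" in the first post) must be static; a DHCP
    # lease means a DHCP server is on that segment, and it usually hands out a
    # gateway as well.
    if ($camIp.PrefixOrigin -ne 'Manual') {
        Write-Warning "$CamNic ($($camIp.IPAddress)) is not statically assigned"; $ok = $false
    }

    # "No default gateway" is the whole point: there must be no 0.0.0.0/0 route
    # leaving through the camera NIC, or the cameras' segment has a way out.
    $gw = Get-NetRoute -InterfaceAlias $CamNic -AddressFamily IPv4 `
          -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if ($gw) { Write-Warning "$CamNic has a default gateway via $($gw.NextHop)"; $ok = $false }

    # The two NICs must not share a subnet ("choose one that will not conflict"),
    # or Windows may route camera traffic out the LAN side instead.
    $camNet = Get-Network $camIp.IPAddress $camIp.PrefixLength
    $lanNet = Get-Network $lanIp.IPAddress $lanIp.PrefixLength
    if ($camNet -eq $lanNet) { Write-Warning "$CamNic and $LanNic both sit on $camNet"; $ok = $false }

    return $ok
}

Test-CameraNic
```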
 
This is the part that was not clear to me:
enter the IP you want to use for your cams

(which I interpreted to mean the cameras themselves, not the BI machine), followed by
Now you can make the cam IPs...

which I also interpreted to mean the cameras.


wittaj's reply answered my question so I could understand that the first reference to "cams" meant the BI machine:
The .10 is the IP address of the computer
 
Thanks to this thread, I didn't have to involve anyone in the nonsense of me putting my cameras on a separate subnet. Funny thing is, somehow I knew I was going to need a dual NIC setup when I built this BI server.
 
In effect, using dual NICs in this manner is putting your cameras on a separate subnet.
 
In effect, using dual NICs in this manner is putting your cameras on a separate, isolated, subnet.
Fixed it for you.
It's not isolated. Isolated would mean there is no path to the camera subnet from another network (standalone BI system with one NIC connected to cameras and no internet).

In this case you can VPN to your network and RDP to Windows, then get to the camera subnet from there (not isolated).