Easiest Way to Secure Camera System

randytsuch

In other words, with VPN setup, you don't have to forward ports to get access to your NVR. A forwarded port is like a hole in your firewall, a bad guy can get in there. So, with VPN, bad guys can't (or at least it's much harder) get inside your home network from outside.

Your NVR and cameras can still access the internet. There are ways to stop that, but it is harder to set up and your gear has to support it.
 

scquestions

> The nvr will have outbound internet access... unless you block it.... updates are performed locally by you..

> In other words, with VPN setup, you don't have to forward ports to get access to your NVR. A forwarded port is like a hole in your firewall, a bad guy can get in there. So, with VPN, bad guys can't (or at least it's much harder) get inside your home network from outside.
>
> Your NVR and cameras can still access the internet. There are ways to stop that, but it is harder to set up and your gear has to support it.

How does that make sure other servers don't get random information from the NVR? I've read about NVR's suspiciously contacting servers around the world without explanation. And I've also heard about them being hacked. Is the VPN, along with the passwords, preventing all of that? If there's a security issue and Lorex doesn't fix it will my NVR still be protected? I read somewhere that someone had their NVR for over a year and didn't even get one update.

It's sad that we need to worry about these kinds of things but it's just the world we live in. We need locks on everything, whether it be physically or virtually.


Thank you both for your help!
 

fenderman

> How does that make sure other servers don't get random information from the NVR? I've read about NVR's suspiciously contacting servers around the world without explanation. And I've also heard about them being hacked. Is the VPN, along with the passwords, preventing all of that? If there's a security issue and Lorex doesn't fix it will my NVR still be protected? I read somewhere that someone had their NVR for over a year and didn't even get one update.
>
> It's sad that we need to worry about these kinds of things but it's just the world we live in. We need locks on everything, whether it be physically or virtually.
>
> Thank you both for your help!

if you have a vpn setup you don't care about any security updates...that is the ENTIRE point.
the vpn will not protect against outbound connections...most routers allow you to block that...nvr's are rarely updated, if you expect security updates forget it..that is why vpn is important...after a year or two they deem them end of life and never get any updates...personally I don't use NVR's at all and prefer pc based vms.
 

scquestions

> if you have a vpn setup you don't care about any security updates...that is the ENTIRE point.
> the vpn will not protect against outbound connections...most routers allow you to block that...nvr's are rarely updated, if you expect security updates forget it..that is why vpn is important...after a year or two they deem them end of life and never get any updates...personally I don't use NVR's at all and prefer pc based vms.

Awesome, that is what I was hoping - not to worry about needing to rely on Lorex for anything other than hardware support. I just don't trust them..

So, basically, all inbound connections to the NVR from any outside source are blocked unless using a VPN client, and all outbound connections from the NVR are allowed..

So, I wouldn't be able to update the time then because it'll send the request but not be able to receive an update back.. That's not a big deal though.

My last concern is that the NVR isn't going to try to send any data out that I don't want released, but I doubt they'd have it set that way by default. Just in case though, you said most routers allow you to restrict outbound traffic. I'm assuming that's an option on Asuswrt. How do I go about doing that? I wouldn't want the NVR to send anything unless it is going through my OpenVPN client (on my phone) or on my internal network.
 

Mike A.

> Awesome, that is what I was hoping - not to worry about needing to rely on Lorex for anything other than hardware support. I just don't trust them..
>
> So, basically, all inbound connections to the NVR from any outside source are blocked unless using a VPN client, and all outbound connections from the NVR are allowed..
>
> So, I wouldn't be able to update the time then because it'll send the request but not be able to receive an update back.. That's not a big deal though.
>
> My last concern is that the NVR isn't going to try to send any data out that I don't want released, but I doubt they'd have it set that way by default. Just in case though, you said most routers allow you to restrict outbound traffic. I'm assuming that's an option on Asuswrt. How do I go about doing that? I wouldn't want the NVR to send anything unless it is going through my OpenVPN client (on my phone) or on my internal network.

You'd be surprised. Lots of things and particularly cams beacon out to their P2P servers or otherwise try to make various outside connections regardless how you may have things selected under settings.

To restrict a device in the Asus routers, on the default main screen that comes up after you log in (or click Network Map) click the circle above where it says Clients: (some number). That will bring up a list of connected devices in the right-hand pane. Find the device that you want (may need to hit refresh to update if it's newly added) and click on the image next to it. That will bring up a box where you can change the name of the device, change the associated image, then down below toggles to block Internet access, set a time schedule for access, and for MAC and IP address binding.

Also under WAN you can turn off UPnP at the router which will keep anything from setting up ports on its own. Under Administration make sure that "Enable Web Access from WAN" (aka remote administration) for the router is turned off, disable SSH and telnet unless you're using them, turn off IPv6 unless you're using it, and set various other things as you want them as far as logging, restricting IP access, etc.

If you want in the cams you also can blank or set to nonsense the values for gateway and DNS. That way they won't have any pathway out regardless what happens with the router/network settings. One catch will be (as will blocking Internet access) that they won't have access to an outside time server so you'd need to either provide an internal time server or sync to something else. Don't know how the NVR you have handles that. May be able to point it there. Also turn off all unwanted services within the cams like P2P, UPnP, etc., if you haven't.

As long as the NVR or VMS is pulling from the cameras and you're accessing them through it then the above shouldn't affect access remotely and you still can access the cams directly by IP when within your network. You will need to permit Internet access to a cam if you need to access it directly over VPN from the Internet for some reason. You can take it down temporarily by accessing the router via VPN and do what you need to do and then switch it back off.
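
One way to check that the blocking described in the post above actually holds, as an added example that is not part of the original thread: it scans flow records for NVR or camera traffic that leaves the LAN and VPN ranges, reaches an outside time server, or shows UPnP discovery still enabled. The addresses, device names and the `src dst proto dport` record format are assumptions made for the example.

```python
import ipaddress

# Assumed addressing for the example; none of these values come from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")      # home subnet
VPN = ipaddress.ip_network("10.8.0.0/24")         # OpenVPN client pool
SSDP = ipaddress.ip_address("239.255.255.250")    # UPnP discovery multicast group
RESTRICTED = {                                     # devices meant to stay local
    ipaddress.ip_address("192.168.1.108"): "nvr",
    ipaddress.ip_address("192.168.1.110"): "cam-front",
}

# Constructed sample flows, one "src dst proto dport" record per line.
SAMPLE_FLOWS = """\
192.168.1.108 192.168.1.50 tcp 50312
192.168.1.108 10.8.0.6 tcp 50444
192.168.1.108 203.0.113.25 udp 32100
192.168.1.110 198.51.100.7 udp 123
192.168.1.110 192.168.1.1 udp 123
192.168.1.50 203.0.113.80 tcp 443
192.168.1.110 239.255.255.250 udp 1900
not a flow record
"""


def classify(src, dst, proto, dport):
    """Return a finding label, or None when the flow is expected."""
    if src not in RESTRICTED:
        return None                      # only the NVR and cameras are audited
    if dst == SSDP and dport == 1900:
        return "upnp-discovery"          # UPnP still enabled on the device
    if dst in LAN or dst in VPN:
        return None                      # same subnet or VPN client: allowed
    if proto == "udp" and dport == 123:
        return "external-ntp"            # device still uses an outside time server
    return "outbound-internet"           # anything else leaving the network


def audit(text):
    """Parse flow records and return (device, destination, label) findings."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            proto, dport = parts[2].lower(), int(parts[3])
        except (IndexError, ValueError):
            continue                     # skip malformed or partial lines
        label = classify(src, dst, proto, dport)
        if label:
            findings.append((RESTRICTED[src], str(dst), label))
    return findings


if __name__ == "__main__":
    for device, dst, label in audit(SAMPLE_FLOWS):
        print(f"{device:<10} -> {dst:<16} {label}")
```

Any `external-ntp` finding marks a device whose time sync will stop once Internet access is blocked, which is the catch the post mentions.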
 

scquestions

> You'd be surprised. Lots of things and particularly cams beacon out to their P2P servers or otherwise try to make various outside connections regardless how you may have things selected under settings.
>
> To restrict a device in the Asus routers, on the default main screen that comes up after you log in (or click Network Map) click the circle above where it says Clients: (some number). That will bring up a list of connected devices in the right-hand pane. Find the device that you want (may need to hit refresh to update if it's newly added) and click on the image next to it. That will bring up a box where you can change the name of the device, change the associated image, then down below toggles to block Internet access, set a time schedule for access, and for MAC and IP address binding.
>
> Also under WAN you can turn off UPnP at the router which will keep anything from setting up ports on its own. Under Administration make sure that "Enable Web Access from WAN" (aka remote administration) for the router is turned off, disable SSH and telnet unless you're using them, turn off IPv6 unless you're using it, and set various other things as you want them as far as logging, restricting IP access, etc.
>
> If you want in the cams you also can blank or set to nonsense the values for gateway and DNS. That way they won't have any pathway out regardless what happens with the router/network settings. One catch will be (as will blocking Internet access) that they won't have access to an outside time server so you'd need to either provide an internal time server or sync to something else. Don't know how the NVR you have handles that. May be able to point it there. Also turn off all unwanted services within the cams like P2P, UPnP, etc., if you haven't.
>
> As long as the NVR or VMS is pulling from the cameras and you're accessing them through it then the above shouldn't affect access remotely and you still can access the cams directly by IP when within your network. You will need to permit Internet access to a cam if you need to access it directly over VPN from the Internet for some reason. You can take it down temporarily by accessing the router via VPN and do what you need to do and then switch it back off.

Thank you!

I've been looking at the router interface and see what you're talking about with the Clients and blocking Internet access. It's nice to know that's there!

I'll be sure to work with those other settings when getting the router. I'll probably get everything set up with it before I plug it in to the Internet, that way the router is all secure ahead of time.

My main concern is being able to access something remotely, whether it be the NVR or the cameras, while remaining secure. I just want the data to come to me and back to the NVR, and not to anyone else, for any reason. It's a simple request, but doesn't seem like it's simple to implement.

I didn't see a uPnP option within the NVR. Maybe I missed it.

So, just to make sure I'm understanding you, if I follow the settings you suggest above, I'll be able to access the NVR directly, and it won't be able to send any data to anyone else?

I'm thinking since I won't be able to access the cameras directly that Tiny Cam Monitor won't work, but I could be wrong. I really wanted to use Tiny Cam Monitor but if not I'll try to find another solution.

This is all really complicated. Thank you for taking the time to respond and assist.
 

scquestions

I'm trying to sign up for a dynamic DNS and it's saying port forwarding is needed. I've heard port forwarding is not safe to do. Is it alright to do it in this case to get the dynamic DNS to work or is there another way?
 

fenderman

> I'm trying to sign up for a dynamic DNS and it's saying port forwarding is needed. I've heard port forwarding is not safe to do. Is it alright to do it in this case to get the dynamic DNS to work or is there another way?

you DO NOT need to set up port forwarding for ddns...ddns has nothing to do with port forwarding.
 

randytsuch

Are you using the ASUS DDNS? I set that up, and then my router just used it for openVPN. Made it easy.
 


scquestions

> Are you using the ASUS DDNS? I set that up, and then my router just used it for openVPN. Made it easy.

Wow, just saw ASUS offers it for free. I think that's what you were referring to. I guess I should go through them then, right?
 

scquestions

uPnP is on by default, so I'm supposed to turn that off from what I've read.. I'll go ahead and do that unless I'm told different now for some reason.

DoS protection is off by default.. Any suggestions there?
 

Mike A.

Yes, turn off UPnP.

DOS protection doesn't do a whole lot either way. It's just a basic filter for some particular common incoming traffic patterns. I generally leave it on. I have gigabit service and it seems to keep up with that just fine so not much if any performance effect. If you're gaming and trying to get every last bit out of your connection then you might turn it off. Not a significant setting that you need to worry much about.

DDNS you can use whichever you want. The built-in Asus DDNS works fine as long as the router is connected directly to the Internet. It won't work double-NATted and with some other more complicated setups where No-IP's DUC will work. No-IP works fine but you have to confirm every month with the free option. It gives you some more options that the Asus service doesn't.
 

scquestions

> Yes, turn off UPnP.
>
> DOS protection doesn't do a whole lot either way. It's just a basic filter for some particular common incoming traffic patterns. I generally leave it on. I have gigabit service and it seems to keep up with that just fine so not much if any performance effect. If you're gaming and trying to get every last bit out of your connection then you might turn it off. Not a significant setting that you need to worry much about.
>
> DDNS you can use whichever you want. The built-in Asus DDNS works fine as long as the router is connected directly to the Internet. It won't work double-NATted and with some other more complicated setups where No-IP's DUC will work. No-IP works fine but you have to confirm every month with the free option. It gives you some more options that the Asus service doesn't.

Thank you!

I'll go ahead and turn on the protection just in case it is helpful.

I'm planning on using the Asus DDNS as of now.
 

scquestions

In regards to streaming securely, is there anything wrong with using an app provided by the manufacturer, in my case, Lorex / FLIR Secure, or is it best to go with another app such as Tiny Cam Monitor?

I'll be using it on the home network and when away using OpenVPN. The NVR isn't connected to the Internet.
 

Mike A.

> In regards to streaming securely, is there anything wrong with using an app provided by the manufacturer, in my case, Lorex / FLIR Secure, or is it best to go with another app such as Tiny Cam Monitor?
>
> I'll be using it on the home network and when away using OpenVPN. The NVR isn't connected to the Internet.

You can use whatever you want. As long as it works anyway. You may end up using various programs/apps since they provide different functionality and/or may be better or worse in different ways. I've not used the FLIR app. Tiny Cam is good but never used it with an NVR so don't know how that works.

I don't think that you'll be able to completely block the NVR from the Internet and still access it given how Asus does the blocking. Even though you have what's effectively an internal IP provided through the VPN, the blocking works at a lower level. It will look at that connection as Internet traffic. Which it is since what's really happening is that you have an external IP which is routed over to an internal IP by the VPN. You should be able to block outgoing access to the Internet by the NVR by not providing a valid gateway address with the same caveats above as far as access to outside time servers and other services.
 

scquestions

> You can use whatever you want. As long as it works anyway. You may end up using various programs/apps since they provide different functionality and/or may be better or worse in different ways. I've not used the FLIR app. Tiny Cam is good but never used it with an NVR so don't know how that works.
>
> I don't think that you'll be able to completely block the NVR from the Internet and still access it given how Asus does the blocking. Even though you have what's effectively an internal IP provided through the VPN, the blocking works at a lower level. It will look at that connection as Internet traffic. Which it is since what's really happening is that you have an external IP which is routed over to an internal IP by the VPN. You should be able to block outgoing access to the Internet by the NVR by not providing a valid gateway address with the same caveats above as far as access to outside time servers and other services.

Thank you.

Right now I'm trying to get Tiny Cam Monitor to work over our current network. I set it so the system can't access the Internet through the router and I'm not able to view the cameras even on our own network (without connecting using a VPN). Tiny Cam Monitor won't pick it up and if I type the camera's IP address in the web browser it's not coming up either. Tiny Cam Monitor did pick up the NVR earlier and was displaying channel 1 but since I deleted that it won't connect to it anymore.
 

Mike A.

> Thank you.
>
> Right now I'm trying to get Tiny Cam Monitor to work over our current network. I set it so the system can't access the Internet through the router and I'm not able to view the cameras even on our own network (without connecting using a VPN). Tiny Cam Monitor won't pick it up and if I type the camera's IP address in the web browser it's not coming up either. Tiny Cam Monitor did pick up the NVR earlier and was displaying channel 1 but since I deleted that it won't connect to it anymore.

If you're trying from a device on your network with an IP on the same subnet, then you should be able to access the cams by IP even with things set to block them from Internet access. That only affects traffic through the inside/outside interface of the router, not within. Try from another computer or other device that you're certain is on your local net using a browser just to make sure. If that doesn't work, then it's probably how the NVR is networking the cams behind it (assuming that they're running from it as the switch). If you can see the cams from that other device, then double check that you don't have the VPN running in the background on your phone or are coming in over cell. You should be trying to access them using a local IP address, not by your DDNS host name.
 

scquestions

> If you're trying from a device on your network with an IP on the same subnet, then you should be able to access the cams by IP even with things set to block them from Internet access. That only affects traffic through the inside/outside interface of the router, not within. Try from another computer or other device that you're certain is on your local net using a browser just to make sure. If that doesn't work, then it's probably how the NVR is networking the cams behind it (assuming that they're running from it as the switch). If you can see the cams from that other device, then double check that you don't have the VPN running in the background on your phone or are coming in over cell. You should be trying to access them using a local IP address, not by your DDNS host name.

I've been on the same WiFi network, and have tried on more than one device and even used the Smart PSS app on a computer. They all find the NVR, but not any cameras.

You mentioned a subnet.. I'm not familiar with that but the NVR and router should both be at default.

Also you mentioned about it running as a switch.. It's also like the NVR is the only thing on the network, and the cameras are all behind the scenes.. I can't connect to any cameras directly even when putting in the IP address..

I'm starting to think a setting might need to be changed within the NVR.
 

Mike A.

Don't know the NVR side but that's the issue if the cams are sitting behind it. Likely need to address them through the NVR by port number or in some other way to pull an individual cam or set up the NVR in another way that exposes them. If you don't get an answer here then post a more specific question re that and I'm sure that somebody can help you figure out that part.
 