EmpireTech Security Settings

HomeWPoe

Aug 17, 2024
Could use some advice on whether to enable/non-enable the following GUI Security items on our EmpireTech cams:

1. Security->System Service->802.1x, HTTPS

HTTPS was not enabled on our cams. I enabled it and started receiving the "Your connection isn't private" browser warning with "https" in red with a red-dash, on some cams, but not others. Bad certificate?

2. Security->Attack Defense->Firewall, Anti-Dos Attack

3. Security->CA Certificate->Device Certificates, Trusted CA Certificates

4. Security->A/V Encryption->Private Protocol, RTSP over TLS

5. Security->Security Warning->Event Monitoring

Thanks!!
 
Just leave that stuff at default.

HTTPS as it relates to these cameras only gives you a false sense of security and isn't secure and doesn't prevent backdoor exploits.

You should have your cameras not connected to the internet. That is the safest security feature.
 
When it comes to networks, I'm a complete newb. Any simple check to make sure I'm not connected to the internet? Been tinkering with the GUI presets quite a bit. There's a chance I coulda switched something I shouldn't have. lol! Thx!
 
Having the cameras connected to a VLAN switch is one way.

If using BI, having the cameras connected to a 2nd NIC in the computer is another way.

If using an NVR and the cameras are plugged into the POE port on the back, the NVR serves as a firewall of sorts to prevent the cameras from reaching the internet (but the NVR still does).

Not having the cameras connected to the router in any fashion is another way.

Giving the cameras static IP addresses that are either a different subnet of the LAN IP address or an IP address outside the range of the router numbers it hands out is another (but probably the least secure).

Probably some other ways as well LOL.
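
Added example (not posted by anyone in the thread): a small audit of a static-IP plan like the one in the last option above, showing what each choice does at the addressing level. The LAN range, router address, DHCP pool and camera entries are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): a typical home LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER = ipaddress.ip_address("192.168.1.1")
DHCP_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.199"))

# (name, static IP, gateway field as set on the camera; "" = left blank)
CAMERAS = [
    ("front", "192.168.1.108", "192.168.1.1"),
    ("drive", "192.168.1.20", "192.168.1.1"),
    ("yard", "192.168.1.21", ""),
    ("shed", "10.10.10.5", ""),
]

def classify(ip, gateway):
    """Say what the address plan alone does for one camera."""
    ip = ipaddress.ip_address(ip)
    if ip not in LAN:
        # No layer-3 path via the router, but the camera still shares the
        # switch: any host given an address in its subnet can talk to it.
        return "off-subnet"
    if gateway and ipaddress.ip_address(gateway) == ROUTER:
        # Default route points at the router, so the DHCP range is irrelevant.
        in_pool = DHCP_POOL[0] <= ip <= DHCP_POOL[1]
        return "routable-in-pool" if in_pool else "routable-outside-pool"
    # On the LAN, reachable by local hosts, but no default route of its own.
    return "lan-only"

def audit(cameras=CAMERAS):
    """Map each camera name to its verdict."""
    return {name: classify(ip, gw) for name, ip, gw in cameras}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:6} {verdict}")
```

A camera that comes back as `routable-*` has a default route through the router whether or not its address sits inside the DHCP range; `off-subnet` and `lan-only` depend entirely on the camera's own settings staying that way.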
 
The cams are connected to a router via a POE switch (using micro SD's for storage). Don't believe the DMSS iOS app will work with the cams without internet access.

@wittaj, appreciate your suggestions earlier. Not sure which option to pursue---or which one offers the most bang for our situation. All I know at this point is that I'd prefer to not leave the cams totally unprotected.

When I switched HTTPS from off to on I noticed a subtle change in the Google Chrome warning on 2 of the 5 cams. Have no idea whether this subtle change means anything or not.

All 5 EmpireTech cams produce the same black, "Not secure" warning (in Google Chrome) when HTTPS is NOT enabled on the cams. To be expected, I suppose.

However, when I enable HTTPS, the Google Chrome warning format changes on 2 of the cams. The "Not secure" warning changes to red; HTTPS pops up in red with red dashes through the lettering, plus a huge warning pops up, recommending against accessing the site---a bit more ominous. The other 3 cams retain the same black "Not secure" warning with no reference to HTTPS and no other additional warnings.

In any case, I assume the SSL (Trusted?) Certificate is invalid on all 5 cams?? Certainly get the impression it's a PIA to update these certificates. Any recommended threads? Links? Options? Thank you!
 
When you use https:// (HTTP over SSL), a valid trusted SSL certificate must be installed on the server for the domain in which you use that service.

In the case of IoT devices, used mainly by local IP addresses, they don't have valid SSL certificates.
Most browsers allow you to accept a connection to that https site without a valid certificate, but display it as untrusted.
 
@steve1225, thanks for the reply. Without the valid SSL certificates to enable HTTPS this leaves the cameras unprotected from security exploits, correct? If so, how would one go about sourcing a valid SSL certificate for the domain that the EmpireTech cam is operating on? Thx.
 
Again, HTTPS for these cameras gives you a false sense of security. It won't address the backdoor vulnerabilities. It won't help much if you give the camera internet access and forward ports.

Do not let the camera touch the internet.
 
SSL certs on these cameras are, I believe, window dressing.
 
I went the dual NIC route, there is a diagram in the archives showing you how to configure and setup if you do a search. Assuming your PC has a slot available to add a PCIe NIC card it is a pretty simple solution.
 
This is the diagram that @Rob2020 is talking about. But this assumes you are using BlueIris. You can access the BlueIris PC from outside your network if you set up a VPN type service or use something like Tailscale or Zerotier. The individual cams are unreachable except through the BI PC.

Network Topology 0.JPG
 
Appreciate the replies/help, @wittaj, @Rob2020, @bigredfish. Thanks for the diagram, @samplenhold! Really helps to visualize future options.

I can certainly see why these EmpireTech cams come highly recommended. Huge potential . . . if you can get them set up properly. Just getting IVS to work in our yard has been a good challenge. The neighbors think I'm crazy walking the yard at all hours of the night--lol! @wittaj, you were right---IVS is a significant improvement over SMD.

We've been tinkering with BI & Pushover using our laptop. Learning a lot. The more we learn the more we realize how far we have to go. Don't think we'll be ready to commit beyond our cams, POE switch, micro SD cards and DMSS iOS app for a few months at best.

In the interim, if we stay with our current setup of 5 cams (soon to be 10), what would be our best approach to somewhat isolate/protect our cams from the internet? I realize nothing is 100% effective; however, looking for a solution that gets us above zero protection as much as possible . . . without taking on a full-blown VMS upgrade right now.

Thanks everybody!
 


 
This is the diagram that @Rob2020 is talking about. But this assumes you are using BlueIris. You can access the BlueIris PC from outside your network if you set up a VPN type service or use something like Tailscale or Zerotier. The individual cams are unreachable except through the BI PC.

View attachment 203325


Would be identical for an NVR, no?
Only difference is if the NVR had its own switch to put the cameras on an unreachable network.
 
@steve1225, thanks for the reply. Without the valid SSL certificates to enable HTTPS this leaves the cameras unprotected from security exploits, correct? If so, how would one go about sourcing a valid SSL certificate for the domain that the EmpireTech cam is operating on? Thx.

An SSL certificate has nothing to do with security exploits...
It's only for encryption between your browser and your camera.

Default security settings on Dahua cams are OK.
Use good long unique password.
Don't put your cams/NVR on public IP or don't open ports to cams/NVR on the router...
 


Thanks for the links, @samplenhold! I read most of these about a month ago, but most of it went over my head. Reading it now, it makes a lot more sense. Much appreciate you taking the time to post these links.

Hoping to get a quick answer before we pull the trigger on a new router. As a reminder, we're complete newbs in terms of networking and VPN's. I see the Asus routers get high marks for their VPN ease-of-setup. We have a chance to get a good deal on a Netgear AX4200 which supposedly supports OpenVPN. How does Netgear compare to Asus in terms of VPN ease-of-setup and actual day-to-day performance?

Thanks!
 
I’ve used both, and like both. The Asus typically have WireGuard as well as OpenVPN options. I prefer WireGuard as it’s much faster.
 