Hi, I'm here because I want to upgrade...

mm83 (n3wb, Germany), Sep 9, 2023
Hello everyone,

I'm here because I have two installations and I want to upgrade both and hope to get a few tips here.

Site A:
My status quo is:
Recorder: Synology Surveillance Station on a DS1621+; I would keep it temporarily for cost reasons, even though I am not completely satisfied with it

# | Camera | Position | Satisfaction: quality | Satisfaction: features | Requirements
A(1) | Dahua IPC-HDBW4431E-AS | Outdoor, 2.4m height, entrance door | acceptable | no: 99% of alarms are false positives (moving trees, leaves, animals), but also persons crossing without detection | vandal-proof, person detection
A(2) | Dahua IPC-HFW4431R-Z | Outdoor, 5m height, driveway | car license plates are often not readable (day and night), picture quality too bad at night | no features used, zoom not required | person and car detection
A(3) | Dahua SD1A404XB-GNR | Outdoor, 2.5m height, entrance gate (only persons, no cars) | good (day) to acceptable (night) | yes | person detection
A(4) | Dahua SD1A404XB-GNR | Outdoor, 5m height, rear side of building (garden) | good (day) to acceptable (night) | yes | person detection, could be replaced by two fixed-focus cameras
A(5) | Dahua IPC-HDW3841TMP-AS | Indoor, garage | good to acceptable (backlighting) | yes | movement detection, difficult lighting conditions due to windows with backlighting
A(6) | Dahua IPC-HDW3841EM-S-S2 | Indoor, cellar entrance | good | yes | movement detection

Site B:
  • Recorder: UniFi UCK
  • Camera: 3x UniFi G3 Flex (outdoor), 1x UniFi G3 instant (Indoor)
What I want to change:
  • Everything :): planning to use Dahua cameras as well
  • Recorder: planning either a Dahua NVR, not sure which will be the right one (if an NVR 4XXX would be working or if I have to go to the NVR 5XXX series), or Blue Iris would also be an option, where I tend to Dahua, because it should work more out of the box on this object
  • In total, it will probably be 8-10 cams

Both sites:
All cameras have to be powered by PoE; I have LAN cable to all locations, but no power plugs outdoors.
On both sites I cannot install any cameras with natural light without getting into discord with other residents or neighbors, also all cameras must have a privacy filter, so th. On the other hand, it is too dark in many places to do without IR. On the sides of the building there is hardly any light from the street and the object borders are planted with high hedges.

After reading here for two days, a version of the IPC-Color4K-X / DH-IPC-HFW5849 without full color (b/w at night would be fine for me) and IR LEDs instead of warm white LEDs would be the thing I'm searching for; I guess these would be usable for various positions.

Do you think I should try out an IPC-Color4K-X / DH-IPC-HFW5849 without using the LED? Are there other models that you can recommend for optimization? Since there are several cameras lined up to be replaced, I can work my way toward a better solution...
 
5442 as above..
They have big 1/1.8" sensor for 4Mpx (most lower / cheaper cameras have something like 1/2.8" or even smaller).

They work very well at night (if there is any light). If there is no light at all they have good IR.
They have SMD 3.0 (human/vehicle detection) and IVS.

They are available with many chassis options (bullet, turret) with many zoom options (fixed 2.8/3.6/6.0mm, zoom 1-4x or 3-12x).
There are variants with white LEDs (usually called 5449 but sometimes also 5442).

You will find tons of discussion about different models of 5442 on this forum (search function).

Don't buy 8Mpx - even the 5884 has 8Mpx on the same 1/1.8" sensor - so each pixel is 2x (usually even more) smaller and sees 2x (typically 3-4x) less light per pixel.

Where to buy:
Cheapest European reseller (with EU invoice and guarantee) from Spain

Or even cheaper from Andy @EMPIRETECANDY, who sends from USA or Taiwan/China (2 weeks no tax delivery):

PS. PTZ check SD4A425DB-HNY
PS2. Don't try 8Mpx - normal models have much worse light performance; the IPC-Color4K-X with an even bigger 1/1.2" sensor and big F/1.0 aperture has big problems with depth of field - it is very hard to have all things in the frame sharp. That big sensor/aperture creates a bokeh effect, which is good for wedding photography but not for security videos...
 
For NVR, Dahua (and most others) they mostly rely on the camera to be intelligent and handle most of the data processing and heavy lifting, so camera selection is key. With Blue Iris, the intelligence can be put back in the PC itself, or it can use what's built into the camera - so you can select something with a good sensor and lens and ignore the other built-in features if you want. It's far more flexible, with the caveats that you must 1) Configure the software correctly, 2) have a powerful enough system to handle any detection or other logic you're bringing back onto it (a Quadro K2200 is invaluable in my setup) and 3) it's a full Windows PC and needs to be managed as such, with patches, hardware selection, etc.

#3 is the biggest caveat of BI from reading threads here. I have expertise in Windows as a managed OS, so for me the choice was clear - for you, it may not be so. The BI guides on here for configuring the underlying Windows PC are pretty abbreviated and still leave a lot of gaps if you expect appliance-like reliability and uptime.
 
#3 is the biggest caveat of BI from reading threads here. I have expertise in Windows as a managed OS, so for me the choice was clear - for you, it may not be so. The BI guides on here for configuring the underlying Windows PC are pretty abbreviated and still leave a lot of gaps if you expect appliance-like reliability and uptime.
This is just false. Simply install Windows clean and you are done. Choose to disable Windows updates if you wish. Your uptime will be just the same as any Dahua NVR.

Moreover the PC does not have to be managed as you claim it does.... By that logic the Dahua would need to be managed as well, but they don't provide any security updates even to known security vulnerabilities in cams and NVRs.
You also don't need any dedicated video cards for almost all applications unless you're running some crazy number of cameras... Every single one of my systems that is utilizing CodeProject does not have a video card and operates just fine..
 
For NVR - actual models are 4xxx-EI and 5xxx-EI..
The biggest difference: decoding capability (8 vs 16 streams of 4Mpx), network bandwidth (256 vs 380 Mbit), plus some more AI modes in the 5xxx (AcuPick for searching for the same-looking people/vehicles as selected on storage from all AcuPick cameras, Video Metadata)

BlueIris is good if you want to hack many things, but requires much more work/knowledge + a 24/7 Windows machine with a good Intel CPU. A Dahua NVR simply works in any closet / rack, integrates very well with Dahua cameras and all their functions.
 
^^+1 above.

A Blue Iris/PC can be a very reliable system and much more robust than an NVR and isn't much bigger than an NVR.

Unless you are a fool and run the cameras and NVR on default settings, by the time you dial cameras in for the ability to freeze frame, the effort to set up an NVR or BI for alerts and stuff can be comparable.

People wrongfully assume NVRs are plug-n-play.

I can actually set BI up faster than an NVR, with a lot more capability than an NVR. But then again the default settings for BI are actually decent and a good starting point for most.

Turn off Windows and BI auto updates and have the computer autostart on a shutdown and run BI as a service and you have a more powerful NVR that is still more secure than an NVR that rarely gets updates.

BI allows for anonymous update of performance data. People have had it running nonstop for over 1900 days, or 5+ years... And I suspect that the last time it rebooted was when they manually did it...I was an NVR user before I made the switch and I never had an NVR last 5 years LOL

This is just false. Simply install Windows clean and you are done. Choose to disable Windows updates if you wish. Your uptime will be just the same as any Dahua NVR.

Moreover the PC does not have to be managed as you claim it does.... By that logic the Dahua would need to be managed as well, but they don't provide any security updates even to known security vulnerabilities in cams and NVRs.
Dahua makes an appliance - their security updates (and lack thereof) are on a much smaller platform and attack surface. There isn't a print spooler you need to secure, a bunch of background services to disable (e.g. Xbox) and so on. A "clean" Windows install comes with a ton of bloat of a general-purpose OS. OS updates and telemetry cannot be disabled with a Home edition of Windows, and it requires an internet connection to work, and the guides here don't cover doing it properly - you're still going to get forced updates. Even LTSC and Server have a whole litany of other things going on. That's before discussing how you're managing it (if you don't want to have a KVM plugged in, that's something that needs to be considered).

And of course, unless the BI system is in its own DMZ (which any NVR really should be but that's another issue) it really needs regular patching that ideally is hands-off. And even if it is in its own DMZ, regular, scheduled patching is still something you should do - it's literally Step #1 for basic cybersecurity, statistically you're much better off having a patched Windows/BI on your local network than a firewalled off no internet unpatched Windows/BI unless you're a specifically targeted organization. There's no mention in the guides here for basic attack surface reduction, how to set up local policy on the OS comprehensively, or anything of the sort.

It's not that it can't be done or done well, it's that it's a non-trivial task compared to a plug and go NVR on Synology or Dahua. It's certainly worth it for many (me included, I'm a huge BI fan), but I'm not going to assume anybody else's competency or comfort level ... too many Apple only users are out there.
 
Having an NVR connected to the internet is a much bigger security risk than the BI computer connected to the internet, as the NVRs are rarely updated for security vulnerabilities and the backdoors that exist as well.

If someone goes to the effort to isolate the NVR from the internet, then likely they are savvy enough to set up BI!?
 
Dahua makes an appliance - their security updates (and lack thereof) are on a much smaller platform and attack surface. There isn't a print spooler you need to secure, a bunch of background services to disable (e.g. Xbox) and so on. A "clean" Windows install comes with a ton of bloat of a general-purpose OS. OS updates and telemetry cannot be disabled with a Home edition of Windows, and it requires an internet connection to work, and the guides here don't cover doing it properly - you're still going to get forced updates. Even LTSC and Server have a whole litany of other things going on. That's before discussing how you're managing it (if you don't want to have a KVM plugged in, that's something that needs to be considered).

And of course, unless the BI system is in its own DMZ (which any NVR really should be but that's another issue) it really needs regular patching that ideally is hands-off. And even if it is in its own DMZ, regular, scheduled patching is still something you should do - it's literally Step #1 for basic cybersecurity, statistically you're much better off having a patched Windows/BI on your local network than a firewalled off no internet unpatched Windows/BI unless you're a specifically targeted organization. There's no mention in the guides here for basic attack surface reduction, how to set up local policy on the OS comprehensively, or anything of the sort.

It's not that it can't be done or done well, it's that it's a non-trivial task compared to a plug and go NVR on Synology or Dahua. It's certainly worth it for many (me included, I'm a huge BI fan), but I'm not going to assume anybody else's competency or comfort level ... too many Apple only users are out there.
How is a Dahua NVR a smaller attack surface? Not to mention this is a company that has in the past failed to address known vulnerabilities that were disclosed to them? Many of their consumers are port forwarding their devices - or up until recently Dahua was doing it for them by way of auto UPnP - god forbid you forgot to disable that in your router. Most of the rest are using Dahua P2P, which has also been attacked, and you then rely on a Chinese enterprise to secure your device.
Why do you need to secure your print spooler in Windows on a BI PC - don't make me laugh. The print spooler vulnerabilities cannot be executed by a random remote attacker scanning the internet; they must have access to your network or you must install a malicious file or driver.
Windows Pro is recommended and free with the purchase of the cheap PCs recommended here.

Why would you need to patch a PC that is not being used to surf the net and the only inbound access is via a VPN/Tailscale/ZeroTier?

There is no mention of attack surface reduction because it is not needed if you don't place the system with direct access from the net.

Again the logic of Dahua not providing security updates so it's plug and play is ridiculous. Their devices cannot be trusted.
Thanks guys, I'm really impressed! I have been reading here almost the whole weekend and have a lot of information in my head right now. I'll try to get and test one or two of the 5442 IR models...

For the decision between BI and NVR, I will take a closer look at both systems, but maybe I'll start with an NVR and play with BI in parallel, if the 5442 perform like I expect after reading here I'll have some 8 MP cams lying around for testing.
I think I can handle the setup and the system; I am a software developer and work in the field of IT security - I am familiar with network segmentation and security. Even if it is the first "server" application that does not run on Unix :lol:
 
PTZ check SD4A425DB-HNY
Will I notice such a big difference from the SD1A404XB here? Both have the same resolution and the same sensor size, clearly the zoom is worlds better, but in the range 1x-5x there are already big differences here?

For NVR - actual models are 4xxx-EI and 5xxx-EI..
I guess for a maximum of 8-10 cameras with 4MP I will need something like the NVR4232-EI to use the features, even if I move the logic to the cameras. The specs are mostly at 30fps, would you run the cameras like that? Currently I work with 10fps, so probably a NVR4216-EI would be enough, but the thing does not always have to be at the limit.
 
I'm going to break this into two specific answers:
How is a dahua NVR a smaller attack surface?
Attack surface is a pretty simple concept: it's running less code and has fewer open ports. We know it's insecure for other reasons, but take a look at just how many services are running out of the box on a Win10.x install, and how many ports are open. RPC, a Fax server, XBox services, a whole slew of services related to NLA, SMB, the list goes on, all opening ports and listening on your private network. A perusal of netstat on a clean Win10.x install shows around 15 ports open and listening for traffic; a Windows system is incredibly chatty, especially a desktop OS but Server operating systems are not immune, and has far more and more severe vulnerabilities than a Chinese NVR, they're just not necessarily public yet.

Besides less code to be compromised, assuming you do properly segment your network, there are many fewer ports to be opened and checked. A free L7 scanning package like pfBlockerNG or Snort can much more easily secure a known vulnerable NVR than it can a Windows system. But more on network segmentation below.
Why do you need to secure your print spooler in Windows on a BI PC - don't make me laugh. The print spooler vulnerabilities cannot be executed by a random remote attacker scanning the internet; they must have access to your network or you must install a malicious file or driver.
Windows Pro is recommended and free with the purchase of the cheap PCs recommended here.

Why would you need to patch a PC that is not being used to surf the net and the only inbound access is via a VPN/Tailscale/ZeroTier?

There is no mention of attack surface reduction because it is not needed if you don't place the system with direct access from the net.

Again the logic of Dahua not providing security updates so it's plug and play is ridiculous. Their devices cannot be trusted.
You're making a large assumption that you can trust every device on the same VLAN as your BI server. If that's the same VLAN you have pretty much anything else on, that's definitely not the case - Android, iOS, and other platforms are routinely compromised, often through the app store, and used for lateral movement into unpatched Windows systems. That's not even discussing the proliferation of IoT devices. While this is also the case for any appliance-type NVR as well, there are many fewer points of attack into it compared to a Windows system, and far fewer vulnerable NVRs are deployed compared to Windows systems. An attacker addressing their payload "To whom it may concern" is much more likely to find an unpatched Windows XP system than they are a Dahua NVR, and almost always targets Windows first.

PS: The specific print spooler vulnerabilities are RCE, an attacker can fully compromise a system with just PrintNightmare if you're running a system not patched since summer of '01 (and it's still not fully patched). There are numerous cases of compromised networks where the vector was a lateral attack into the print spooler. The absolute minimum bar for protecting against this is disabling the spooler on anything you don't intend to print from.
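An added example, not from Blue Iris or from any poster in this thread, of the audit the post above argues for on a Blue Iris host: it lists listening TCP ports with the owning process (the netstat check mentioned above), reports the Print Spooler state, checks that every firewall profile is enabled, and shows the age of the last installed update. It assumes an elevated PowerShell prompt; the -DisableSpooler switch is this script's own hypothetical parameter, not a Windows or Blue Iris setting.

```powershell
<#
  Audit-BiHost.ps1 (added example; not Blue Iris code or any poster's script)
  Checks, on a Windows host running Blue Iris:
    1. which TCP ports are listening and which process owns each
    2. whether the Print Spooler service is running
    3. whether the Windows Firewall is enabled for every profile
    4. when the most recent update was installed
  Run from an elevated PowerShell prompt. -DisableSpooler is this script's own
  (hypothetical) switch: with it, the spooler is stopped and disabled instead of only reported.
#>
[CmdletBinding()]
param(
    [switch]$DisableSpooler
)

# --- 1. listening TCP sockets mapped to the owning process --------------------
# Blue Iris itself normally listens on its web server port (default 81); every
# other listener is attack surface that should be justified or closed.
$listeners = Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Pid          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
        }
    }
"== Listening TCP ports ({0} distinct) ==" -f @($listeners).Count
$listeners | Format-Table -AutoSize

# --- 2. Print Spooler ---------------------------------------------------------
$spooler = Get-Service -Name Spooler
"== Print Spooler: status={0} startup={1} ==" -f $spooler.Status, $spooler.StartType
if ($spooler.Status -eq 'Running' -and -not $DisableSpooler) {
    Write-Warning 'Spooler is running; a BI host that never prints should have it stopped and disabled.'
}
if ($DisableSpooler -and $spooler.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    'Spooler stopped and set to Disabled.'
}

# --- 3. Firewall profiles -----------------------------------------------------
"== Firewall profiles =="
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning ("Firewall profile '{0}' is disabled." -f $_.Name) }

# --- 4. Patch age -------------------------------------------------------------
$lastFix = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($lastFix) {
    $age = (Get-Date) - $lastFix.InstalledOn
    "== Last update {0} installed {1:d} ({2} days ago) ==" -f $lastFix.HotFixID, $lastFix.InstalledOn, [int]$age.TotalDays
    if ($age.TotalDays -gt 60) { Write-Warning 'No update installed in the last 60 days.' }
} else {
    Write-Warning 'Get-HotFix returned no dated entries; check update history manually.'
}
```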
 
Will I notice such a big difference from the SD1A404XB here? Both have the same resolution and the same sensor size, clearly the zoom is worlds better, but in the range 1x-5x there are already big differences here?


I guess for a maximum of 8-10 cameras with 4MP I will need something like the NVR4232-EI to use the features, even if I move the logic to the cameras. The specs are mostly at 30fps, would you run the cameras like that? Currently I work with 10fps, so probably a NVR4216-EI would be enough, but the thing does not always have to be at the limit.

There is a big difference in ZOOM between the SD4A and SD1A. 12mm versus 125mm is a big difference. Unless you don't need the extra zoom, go with the larger zoom.

Most here run the cameras at 15FPS. Anything more in most situations is burning through storage faster.

Sure 30FPS can provide a smoother video but no police officer has said "wow that person really is running smooth". They want the ability to freeze frame and get a clean image. So be it if the video is a little choppy....and at 10-15FPS it won't be appreciable. My neighbor runs his at 60FPS, so the person or car goes by looking smooth, but it is a blur when trying to freeze frame it because the camera can't keep up. Meanwhile my camera at 15FPS with the proper shutter speed gets the clean shots.

Shutter speed is more important than FPS.

Watch these, for most of us, it isn't annoying until below 10FPS




 
I'm going to break this into two specific answers:

Attack surface is a pretty simple concept: it's running less code and has fewer open ports. We know it's insecure for other reasons, but take a look at just how many services are running out of the box on a Win10.x install, and how many ports are open. RPC, a Fax server, XBox services, a whole slew of services related to NLA, SMB, the list goes on, all opening ports and listening on your private network. A perusal of netstat on a clean Win10.x install shows around 15 ports open and listening for traffic; a Windows system is incredibly chatty, especially a desktop OS but Server operating systems are not immune, and has far more and more severe vulnerabilities than a Chinese NVR, they're just not necessarily public yet.

Besides less code to be compromised, assuming you do properly segment your network, there are many fewer ports to be opened and checked. A free L7 scanning package like pfBlockerNG or Snort can much more easily secure a known vulnerable NVR than it can a Windows system. But more on network segmentation below.

You're making a large assumption that you can trust every device on the same VLAN as your BI server. If that's the same VLAN you have pretty much anything else on, that's definitely not the case - Android, iOS, and other platforms are routinely compromised, often through the app store, and used for lateral movement into unpatched Windows systems. That's not even discussing the proliferation of IoT devices. While this is also the case for any appliance-type NVR as well, there are many fewer points of attack into it compared to a Windows system, and far fewer vulnerable NVRs are deployed compared to Windows systems. An attacker addressing their payload "To whom it may concern" is much more likely to find an unpatched Windows XP system than they are a Dahua NVR, and almost always targets Windows first.

PS: The specific print spooler vulnerabilities are RCE, an attacker can fully compromise a system with just PrintNightmare if you're running a system not patched since summer of '01 (and it's still not fully patched). There are numerous cases of compromised networks where the vector was a lateral attack into the print spooler. The absolute minimum bar for protecting against this is disabling the spooler on anything you don't intend to print from.
There are zero open ports to the net on a Windows PC behind a firewall. All these ports listening on your private network are irrelevant.

Your entire post assumes that your network is compromised and someone has access to it; in that case you are completely fucked, so who cares if they also have access to your BI PC. Honestly, in your mind you are thinking, oh shit, if someone has control over my cell phone with all my private data and pics, I must work diligently to prevent them from accessing a Windows PC on my network??
Even if this is a concern, they can more easily gain access to the Dahua NVR than a Windows PC that has been unpatched for years.


PS: the print spooler vulnerability CANNOT be executed on a machine that is not already compromised. You are talking about a machine running Blue Iris, AI and maybe a time server. How is it getting compromised via the print spooler vulnerability?

It's laughable that you think a Dahua NVR is MORE secure. You are talking about a manufacturer that IGNORES known vulnerabilities disclosed to it and possibly builds some of them into its code intentionally. Then at the 2-year mark they intentionally stop providing firmware, marking the unit EOL....

But if you want to be insane, any Windows user can simply allow Windows to install updates and it will do so on its own, or you can do so every few months. You can also easily place the BI PC and cams on their own VLAN.
That's the beauty of it, YOU as the end user can choose what you want to do with a Windows PC. The security updates are available. There is absolutely no need to start shutting down services that are running on the other 5 Windows machines in the house. That is why there is no guide for it.
However one thing is certain, an unpatched Windows XP desktop is 1000 times more secure than any Dahua NVR.
 
Will I notice such a big difference from the SD1A404XB here? Both have the same resolution and the same sensor size, clearly the zoom is worlds better, but in the range 1x-5x there are already big differences here?

Yes, the SD1 is a toy with a zoom range of 1-4x.
The SD4 has much bigger zoom (2-50x), but it starts at 2x (5.0mm, not 2.8mm). It can't catch a wide frame (wider than 51 degrees). Also it has working auto tracking, which works with good results...

Check: Review-SD4A425DB-HNY 1/2.8" CMOS 4MP 25x Starlight Auto-tracking MiniPTZ

If you need PTZ with wide (1x 2.8mm) start, there are only toys in lower ranges (SD1 etc)..

I guess for a maximum of 8-10 cameras with 4MP I will need something like the NVR4232-EI to use the features, even if I move the logic to the cameras. The specs are mostly at 30fps, would you run the cameras like that? Currently I work with 10fps, so probably a NVR4216-EI would be enough, but the thing does not always have to be at the limit.

One more time - 4xxx-EI vs 5xxx - they have different decoding capabilities (8 vs 16 streams of 4Mpx). So if you want to display more than 8 4Mpx cameras at once (or you buy something with 8Mpx, which counts as two 4Mpx cameras) you need the 5xxx-EI...

Nice to have the NVR connected to one of the TVs in the house. You can put it in a closet near the TV or use a longer fiber HDMI cable (check Amazon) or an HDBaseT HDMI<>raw CAT6 cable converter (no switches between, check Amazon) to connect any TV with an NVR hidden somewhere else. The Dahua NVR displays selected channels 24/7 in 4K over HDMI, and also has the best UI to search AI events. You need a mouse (the NVR doesn't support a keyboard) - it can be over radio/Bluetooth, or there are HDBaseT converters called KVM - they provide USB communication with HDMI over CAT6 cable.

For AI functions - they are usually done on modern cameras. The NVR only stores events. For that even a very old 5xxx-4KS2 will work.
But the 4xxx line has limited functions which it supports - there is SMD, IVS, Face*. No Video Metadata, no AcuPick - both supported by the modern 5442 in the WizMind-S S3 series (which has been sold for 6 months now and replaced the older S1/S2 variants). Read the specs on the Dahua website.

In the USA you use 30fps, in Europe 25fps (half the frequency of the power grid - 60/50 Hz). This way, if you use 25Hz in the EU, you don't see blinking of street lamps/LEDs.

People with very limited storage or who are using BlueIris very often use half of that (so 12 or 15 fps). With a Dahua NVR this is not a problem.