IP Camera Network Options (risk to home network security?)

Spadowski

n3wb
Joined
Feb 22, 2016
Messages
4
Reaction score
2
Hi everyone. I’m venturing into the IP camera world as a newbie and I have a few questions. I’m interested in putting a few cameras around my home, not because I need them, but seems like a fun thing to have and I enjoy the hobby of tech stuff. Anyway, I'm considering plans to install up to 4 IP cameras at my home. I'll probably go all Hikvision brand (3 outside, 1 inside). I'm not sure yet what software I'll use. To start, I’ll probably just install the Hikvision NVR on my desktop PC. I do own a Synology NAS, so Surveillance Station could be an option, too.

That all said, right now I'm hesitant to even begin this project because I'm concerned about putting Ethernet lines outside my home. Doesn't this pose a significant network security risk?

I've been learning about networking techniques like VLAN to separate the IP cameras from my home network, but I need some advice. I’m struggling to choose between a few different networking options. Seems like the main tradeoffs deal with security, cost, and network complexity. My biggest concern is the security of my network; I don’t need these cameras, so I don’t want to install these around my home only to leave an “open doorway” into my home network.

Here is my current network.
[Image: Existing.PNG]


OPTION 1: BUDGET FRIENDLY, SECURITY RISK, LEAST COMPLEX.
Install cameras using Ethernet wired directly into a new unmanaged 10/100 POE switch that is connected to my home LAN.
PROS:
1. Least complex; easiest install.
2. Inexpensive POE switch.
3. I can access cameras and NVR from any computer on the network.

CONS:
1. Security risk?? Couldn't anyone unplug a camera, hook up a laptop to the exposed Ethernet cable, and then have wide open access to my network? Is there anything that can be done to mitigate this risk? Is MAC filtering a good idea here?

[Image: OPTION 1.PNG]


OPTION 2: LARGER INVESTMENT, MOST SECURE, MORE COMPLEXITY. Purchase a managed level 2 gigabit POE switch that will allow me to create VLANs. The cameras and NVR would be on, say, VLAN 4 and my home network would be VLAN 5. This way the camera network and my home network are isolated; VLAN 4 and VLAN 5 cannot talk to each other.
PROS:
1. Camera network vulnerabilities will not be putting the security of my home network at risk.

CONS:
1. The managed switch is more expensive.
2. Inability to reach the camera VLAN from the home network VLAN (note that my current ASUS wireless router does not support inter-VLAN communication). I would not be able to use my home PC to access the NVR or cameras. Actually, I’m not even sure my router would see both VLANs, so maybe this isn’t even possible. I also wonder if my wireless devices will be able to reach either VLAN?
3. Would not be able to use my current desktop PC as the NVR; I would need to build a new PC to be on the camera VLAN and serve as the NVR.

[Image: OPTION 2.PNG]

Other thoughts:
In this scenario, why bother with VLANs at all? I could accomplish the same with an inexpensive POE switch and another router. I could just setup a completely separate physical LAN. Although, I’m not sure how I would share my single internet connection between the two to enable me to use VPN to see my cameras.
[Image: OPTION 2B.PNG]

OPTION 3: SIGNIFICANT INVESTMENT. MOST COMPLEX, {UNKNOWN SECURITY LEVEL?} This option involves purchasing a new router that does inter-VLAN routing and use it with OPTION 2 (or maybe I’d just purchase a Level 3 gigabit POE switch that supports VLANs and does routing internally).
PROS:
1. Two separate VLANs.
2. VLANs can communicate with each other via the inter-VLAN communication.
3. I can use my home network PCs to view cameras and access the NVR.

CONS:
1. Potentially much more expensive.
2. Unsure how to configure this network so it works. I’m assuming I can configure my existing wireless router to be an Access Point only, and let the new wired router do all the DHCP assignments when wireless devices connect.
3. I’m unclear how secure it is. This is my big question and I probably should have just asked it upfront. Isn’t this network configuration subject to the same security concern I had for OPTION 1? Couldn’t someone plug into one of the outside Ethernet ports and have full access to my network? I’m not sure what security implementation can be used to address this (MAC address filtering maybe)?

[Image: OPTION 3.PNG]

I’d appreciate any thoughts you have on this. I like Option 3 the best, but it will be significantly more expensive and the setup and configuration will be way more complicated. Option 1 is the easiest and least expensive, but I’m not fond of putting an Ethernet cable outside my house through which one could hop right onto my home network.

How is your network configured?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
Well, the way we handle this in Corporate America is 802.1x Port Authentication. The way it works is your managed switch connects to your corporate authentication system (RADIUS server).. the port can be configured for no network access until authentication is completed, then the user/group they are in determines what VLAN they are put in.. or you can configure a default LAN that everyone is on unless authentication is provided, and then the port is dynamically reconfigured to allow access to other network segments depending on the login.

This is how prisons and other high-security environments prevent people from unplugging a camera and gaining access to the network through the cable... It requires cameras that are capable of authenticating this way; only one of my Dahuas is. Here is a screenshot:


But I don't think most residential people need that level of security, but I absolutely admire your attitude.. I would say go find a nice used managed PoE switch, they are always being taken out of production in perfectly working order to be replaced with a Gigabit PoE+ version, and you don't really need that for IP cameras.

Get a nice router that can do VLAN interfaces to pair up with your switch and put all your cameras into what we call a walled garden; basically the default rules are block all cross-subnet traffic so they're completely isolated.. they can all talk to each other but nobody else, not even the internet.. run a local NTP service on this LAN so everything keeps good time, then poke some INCOMING rules into that network that allow just minimal access to view streams from ONLY your LAN.. If you wanted to obfuscate things a bit, make that network all static IP addresses with no DHCP so nobody gets a network configuration automatically.

Worst case someone uses one camera's port to gain access to all the other cameras' streams.. but that's as far as they can get; cameras can't call home or poke any holes into your network since they are basically forbidden to make any outbound connections.

At least that's how I do it at home. I've got a handful of VLANs, some are entirely isolated, and others are public wifi that still allows most internet access but almost nothing else... I do use 802.1x for access to my WiFi network, but I use X.509 TLS certificates for authenticating both my access points and my client devices.. I run 3 WiFi networks with various levels of security: the hardened X.509 network gives full access to everything, the legacy guest network w/WPA2-PSK is on a restricted VLAN with website filtering and only access to the local media streamers and printers, and then there is an open network with no password that only has filtered internet access.. nothing else.

Heck, I have one VLAN set up specifically for servicing friends'/family's machines; it's got a bunch of OS installers and diagnostic tools available via NetBoot and only has access to a web proxy and an FTP server with 2 shares.. a read-only install media share and a write-only drop for backups.. I always presume they are infected.. Once I think I've got everything cleaned up I configure the web proxy and can start updating software.
 
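The "walled garden" described in the post above, modelled as an added example (not code from the thread or from any poster): the home LAN may open viewing sessions to the cameras, replies flow back statefully, and anything else crossing the camera VLAN boundary is dropped, so a camera (or whatever is plugged into its cable) cannot reach the home LAN or the internet. The subnets (192.168.0.0/24 for the home LAN, 192.168.1.0/24 for the cameras), the VLAN numbers and the viewing ports are assumptions; the same policy is also rendered as an nftables forward chain for a Linux-based router.

```python
"""Walled-garden policy for an isolated camera VLAN (added example, assumed addresses)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_LAN = ip_network("192.168.0.0/24")   # assumed: VLAN 5, the home network
CAM_VLAN = ip_network("192.168.1.0/24")   # assumed: VLAN 4, cameras + local NTP server
VIEW_PORTS = {80, 554}                    # assumed: HTTP and RTSP for viewing streams


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    new: bool = True  # True = first packet of a connection, False = reply/established


def policy(flow: Flow) -> str:
    """Evaluate one flow against the walled-garden rules, first match wins."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    # Traffic between two hosts on the camera VLAN (camera-to-camera, camera-to-NTP)
    # is switched on the same segment and never reaches the router at all.
    if src in CAM_VLAN and dst in CAM_VLAN:
        return "accept"
    # Stateful: replies to a session the router already accepted are allowed back.
    if not flow.new:
        return "accept"
    # The only sessions allowed INTO the camera VLAN: viewing from the home LAN.
    if src in HOME_LAN and dst in CAM_VLAN and flow.proto == "tcp" and flow.dport in VIEW_PORTS:
        return "accept"
    # Everything else that touches the camera VLAN is dropped: no internet,
    # no "phone home", no camera-initiated sessions to the home LAN.
    if src in CAM_VLAN or dst in CAM_VLAN:
        return "drop"
    # Traffic that never touches the camera VLAN (home LAN to internet) is unaffected.
    return "accept"


def nftables_ruleset() -> str:
    """Render the same policy as an nftables forward chain for a Linux router."""
    ports = ", ".join(str(p) for p in sorted(VIEW_PORTS))
    return "\n".join([
        "table inet cams {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ct state established,related accept",
        "    # home LAN may start viewing sessions to the cameras",
        f"    ip saddr {HOME_LAN} ip daddr {CAM_VLAN} tcp dport {{ {ports} }} accept",
        "    # anything else crossing the camera VLAN boundary is dropped",
        f"    ip saddr {CAM_VLAN} drop",
        f"    ip daddr {CAM_VLAN} drop",
        "  }",
        "}",
    ])


def check_isolation() -> dict:
    """Constructed sample flows a practitioner would want to verify after configuring."""
    return {
        "camera_to_internet": policy(Flow("192.168.1.10", "8.8.8.8", "udp", 53)),
        "camera_to_home_lan": policy(Flow("192.168.1.10", "192.168.0.20", "tcp", 445)),
        "home_lan_views_rtsp": policy(Flow("192.168.0.20", "192.168.1.10", "tcp", 554)),
        "home_lan_ssh_to_cam": policy(Flow("192.168.0.20", "192.168.1.10", "tcp", 22)),
        "rtsp_reply": policy(Flow("192.168.1.10", "192.168.0.20", "tcp", 50000, new=False)),
        "home_lan_to_internet": policy(Flow("192.168.0.20", "93.184.216.34", "tcp", 443)),
        "camera_to_local_ntp": policy(Flow("192.168.1.10", "192.168.1.1", "udp", 123)),
    }


if __name__ == "__main__":
    for name, verdict in check_isolation().items():
        print(f"{name:22s} {verdict}")
    print(nftables_ruleset())
```

The rendered chain uses `policy accept` with explicit drops on the camera subnet so that ordinary home-LAN-to-internet forwarding is untouched; if the router also serves the camera VLAN its DHCP and DNS, those are separate input-chain decisions not covered here.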

Spadowski

n3wb
Joined
Feb 22, 2016
Messages
4
Reaction score
2
Thanks for the info, Nayr. I should have known the answer was more complication, not less. Wishful thinking, I guess.

I did read some things about port authentication, but yeah, it seems like overkill for my home and apparently not widely supported on cameras.

I’ll search around for a managed 10/100 switch and router (I did see eBay is full of stuff like that). Good thought about disabling DHCP on this “camera network”.

Would the camera network (using the eBay network equipment) be connected to my home network through its router’s WAN port? I’m not clear on how to physically connect the two.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
If your router supports VLANs you'll be able to send the VLANs in tagged to your router, and your main network can be on either switch really.. i.e., if you want to use some PoE access points or something..

If your router can't do VLANs, it's unlikely to be able to segment the network out per interface.. you'd have to put a router between the networks and that's just a pain.. would be better to get something like the Ubiquiti EdgeRouter with 3 interfaces, WAN, LAN1, and LAN2.. and in that case I'd set up LAN2 as a tagged VLAN interface for both your main LAN and your camera network, so the managed switch it's plugged into could have untagged ports assigned to either network.

Tagged VLAN = Device plugged into the port can talk to this VLAN if configured to send the tags along.
Untagged VLAN = Port is hard configured to this VLAN segment; all ports have to have an untagged VLAN configured as the default network.

So say your BlueIris server only had one network interface.. it could still be on both networks, you'd just create a tagged VLAN interface for the other network and make sure the switch port is set up to match... some pretty cool stuff you can do with the magic of VLAN trunking; I've deployed many Routers on a Stick, basically a router with a single network plug.. :)
 
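To make the tagged/untagged distinction in the post above concrete, here is an added example (not code from the thread or from any poster) that builds raw Ethernet frames, inserts and parses the 802.1Q tag a trunk port adds, and models how a switch port classifies frames on ingress and emits them on egress. A camera on an access port (untagged VLAN 4) sends plain frames; the trunk to the router carries VLAN 4 tagged and the home VLAN 5 untagged; a PC access port on VLAN 5 never receives VLAN 4 frames at all. The MAC addresses, VLAN numbers and payload are constructed for the example.

```python
"""802.1Q tagging and port membership, modelled in Python (added example)."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces a VLAN tag follows


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int]   # None means the frame carries no 802.1Q tag
    pcp: int             # priority bits from the tag (0 when untagged)
    ethertype: int       # EtherType of the payload (0x0800 = IPv4)
    payload: bytes


@dataclass
class Port:
    untagged_vid: int                       # PVID: VLAN an untagged frame belongs to
    tagged_vids: FrozenSet[int] = frozenset()  # VLANs this port carries with a tag


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst MAC, src MAC, EtherType, payload."""
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)


def parse_frame(raw: bytes) -> Frame:
    """Decode a frame, reading the 802.1Q tag if bytes 12-13 hold the TPID."""
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", raw[14:18])  # TCI = PCP(3) DEI(1) VID(12)
        return Frame(_mac(dst), _mac(src), tci & 0x0FFF, tci >> 13, inner_type, raw[18:])
    return Frame(_mac(dst), _mac(src), None, 0, ethertype, raw[14:])


def tag_frame(raw: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC (what a trunk port does on egress)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return raw[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + raw[12:]


def untag_frame(raw: bytes) -> bytes:
    """Remove the 4-byte tag (what an access port does on egress)."""
    if parse_frame(raw).vid is None:
        return raw
    return raw[:12] + raw[16:]


def ingress(port: Port, raw: bytes) -> Tuple[int, bytes]:
    """Classify an arriving frame into a VLAN; returns (vid, untagged_frame)."""
    f = parse_frame(raw)
    if f.vid is None:
        return port.untagged_vid, raw              # untagged: belongs to the PVID
    if f.vid in port.tagged_vids:
        return f.vid, untag_frame(raw)            # tagged and allowed on this port
    raise PermissionError(f"VLAN {f.vid} is not carried on this port")


def egress(port: Port, vid: int, raw_untagged: bytes) -> Optional[bytes]:
    """Emit a frame of VLAN `vid` on a port, or None if the port is not a member."""
    if vid == port.untagged_vid:
        return raw_untagged                       # leaves as a plain frame
    if vid in port.tagged_vids:
        return tag_frame(raw_untagged, vid)       # leaves with the tag, router sorts it out
    return None                                   # isolation: not forwarded at all


# Constructed sample: a camera on VLAN 4 sends an IPv4 frame to the NVR.
CAMERA_FRAME = build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", 0x0800, b"constructed-ipv4-payload")
CAMERA_PORT = Port(untagged_vid=4)                              # access port for the camera
TRUNK_PORT = Port(untagged_vid=5, tagged_vids=frozenset({4}))   # uplink to the VLAN-aware router
PC_PORT = Port(untagged_vid=5)                                  # access port on the home VLAN

if __name__ == "__main__":
    vid, inner = ingress(CAMERA_PORT, CAMERA_FRAME)
    print("camera frame classified into VLAN", vid)
    print("on trunk:", parse_frame(egress(TRUNK_PORT, vid, inner)))
    print("on PC port:", egress(PC_PORT, vid, inner))
```

The `egress` result for the PC port is the whole point of the segmentation: the switch never places a VLAN 4 frame on a VLAN 5 access port, so the only path between the two networks is whatever the router chooses to forward.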

DigitalPackrat

Getting the hang of it
Joined
Dec 12, 2015
Messages
41
Reaction score
27
I hate to break it to you, but the wireless is probably a bigger security threat than anything else. Someone sitting in their car a few houses down with a good antenna and the right utilities will break in in no time. That being said, just making the cables hard to get to is your best line of defense if you're worried. Run all the cables inside metal conduit and keep them up high, or better yet run as much as you can in your attic or walls.

It still doesn't hurt to set up some security on the network. There is a fourth option that may be easier and less expensive for you, similar to your option 2b. Use a cheap POE switch for the cameras and a connection to the NVR. That would give you an isolated network just for the cameras, so anyone connecting to the camera cable won't get anywhere. The NVR computer can have an extra Network Interface Card if you want to access it from within the rest of your network or give it access from the internet through your router. This setup would require manual setup for the network to an extent. NIC1 could be left alone with DHCP from the Asus router configuring the computer for network access. NIC2, which is plugged into the POE switch, would have a static IP in a different range than your router hands out. I.e. the router gives you 192.168.0.x, then set NIC2 to another private range like 192.168.1.x. Don't configure a gateway or DNS for NIC2. Configure each camera with static addresses in the same subnet as NIC2.

VLANs have their place but don't tend to make a lot of sense in a small network that only has 1 or 2 switches in one small building. Think of VLANs as separate switches. They make sense if you have a large network and need to segregate multiple subnets to have your core switch route traffic, or you just have multiple services to segregate like cams, IP phones, guest network, payroll, management and iSCSI from your general traffic, where you need some or all of these available at each switch but you want to use a common trunk line.
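The dual-NIC NVR layout in the post above is easy to get subtly wrong, so here is an added example (not from the thread or any poster) that checks a planned configuration before it is applied: the two NICs must sit in non-overlapping subnets, NIC2 must have no gateway or DNS, every camera must be inside NIC2's subnet, and, the check most often forgotten, the NVR host must not have IP forwarding enabled, because a host that forwards between its NICs is a router and undoes the isolation. The addresses are the ones the post uses (192.168.0.x and 192.168.1.x); the NIC names, camera addresses and the forwarding flag are assumptions.

```python
"""Plan checker for an NVR with one NIC on the home LAN and one on an isolated camera subnet."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, ip_address, ip_interface
from typing import List, Optional


@dataclass
class Nic:
    name: str
    iface: IPv4Interface                 # address with prefix, e.g. 192.168.1.2/24
    gateway: Optional[IPv4Address] = None
    dns: List[IPv4Address] = field(default_factory=list)


@dataclass
class NvrHost:
    nic1: Nic                            # home LAN side, addressed by the router's DHCP
    nic2: Nic                            # camera side, static, no gateway
    ip_forwarding: bool = False          # OS-level forwarding between NICs (must stay off)
    cameras: List[IPv4Interface] = field(default_factory=list)


def check_plan(host: NvrHost) -> List[str]:
    """Return a list of findings; an empty list means the plan matches the intended isolation."""
    findings = []
    net1, net2 = host.nic1.iface.network, host.nic2.iface.network
    if net1.overlaps(net2):
        findings.append(f"{host.nic1.name} ({net1}) and {host.nic2.name} ({net2}) overlap; "
                        "the host cannot tell which NIC to use")
    if host.nic2.gateway is not None or host.nic2.dns:
        findings.append(f"{host.nic2.name} has a gateway or DNS configured; "
                        "the camera side should have neither")
    for cam in host.cameras:
        if cam.network != net2:
            findings.append(f"camera {cam.ip} is not in the {host.nic2.name} subnet {net2}")
    if host.ip_forwarding:
        findings.append("IP forwarding is enabled on the NVR host: it would route packets "
                        "between the camera subnet and the home LAN, removing the isolation")
    return findings


def outbound_nic(host: NvrHost, dst: IPv4Address) -> Optional[str]:
    """Which NIC the NVR itself uses to reach dst: connected subnet first, then a default gateway."""
    for nic in (host.nic1, host.nic2):
        if dst in nic.iface.network:
            return nic.name
    for nic in (host.nic1, host.nic2):
        if nic.gateway is not None:
            return nic.name
    return None


def camera_can_reach(cam: IPv4Interface, dst: IPv4Address) -> bool:
    """A camera configured without a default gateway can only address its own subnet."""
    return dst in cam.network


# Constructed sample plan following the post: NIC1 via DHCP, NIC2 static with no gateway.
GOOD_PLAN = NvrHost(
    nic1=Nic("NIC1", ip_interface("192.168.0.50/24"), gateway=ip_address("192.168.0.1"),
             dns=[ip_address("192.168.0.1")]),
    nic2=Nic("NIC2", ip_interface("192.168.1.2/24")),
    cameras=[ip_interface("192.168.1.10/24"), ip_interface("192.168.1.11/24")],
)

# Same plan with the two mistakes that silently reconnect the networks.
BAD_PLAN = NvrHost(
    nic1=GOOD_PLAN.nic1,
    nic2=Nic("NIC2", ip_interface("192.168.1.2/24"), gateway=ip_address("192.168.1.1")),
    ip_forwarding=True,
    cameras=[ip_interface("192.168.1.10/24"), ip_interface("192.168.2.10/24")],
)

if __name__ == "__main__":
    print("good plan findings:", check_plan(GOOD_PLAN))
    for finding in check_plan(BAD_PLAN):
        print("bad plan:", finding)
    print("NVR reaches camera via", outbound_nic(GOOD_PLAN, ip_address("192.168.1.10")))
    print("NVR reaches internet via", outbound_nic(GOOD_PLAN, ip_address("93.184.216.34")))
```

On Linux the forwarding flag corresponds to `net.ipv4.ip_forward`, on Windows to per-interface forwarding in the TCP/IP stack; whichever OS the NVR runs, confirm it is off after installing a second NIC, since some VPN and virtualization software turns it on.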
 

pal251

Getting comfortable
Joined
Mar 15, 2014
Messages
1,012
Reaction score
133
If someone takes a camera down and plugs their laptop into the cable, I've got other things to worry about. Anyhow, most people are rolling with wireless only nowadays, and if they want in they will get in.
 

Spadowski

n3wb
Joined
Feb 22, 2016
Messages
4
Reaction score
2
The discussion about wireless does lessen my concerns about the external Ethernet cables. I hadn't thought about that. Maybe the best approach in my case is a simple network configuration but a bit more "hardness" on the physical camera installations to make things difficult for anyone wishing to plug in. I should probably look at my internal network security!

I also like the idea about dual LAN ports on the NVR PC. I'm going to think about that one a bit more.
 

JFire

Getting the hang of it
Joined
Aug 26, 2015
Messages
407
Reaction score
40
Location
Pittsburgh, PA
> I hate to break it to you, but the wireless is probably a bigger security threat than anything else. Someone sitting in their car a few houses down with a good antenna and the right utilities will break in in no time. That being said, just making the cables hard to get to is your best line of defense if you're worried. Run all the cables inside metal conduit and keep them up high, or better yet run as much as you can in your attic or walls.
>
> It still doesn't hurt to set up some security on the network. There is a fourth option that may be easier and less expensive for you, similar to your option 2b. Use a cheap POE switch for the cameras and a connection to the NVR. That would give you an isolated network just for the cameras, so anyone connecting to the camera cable won't get anywhere. The NVR computer can have an extra Network Interface Card if you want to access it from within the rest of your network or give it access from the internet through your router. This setup would require manual setup for the network to an extent. NIC1 could be left alone with DHCP from the Asus router configuring the computer for network access. NIC2, which is plugged into the POE switch, would have a static IP in a different range than your router hands out. I.e. the router gives you 192.168.0.x, then set NIC2 to another private range like 192.168.1.x. Don't configure a gateway or DNS for NIC2. Configure each camera with static addresses in the same subnet as NIC2.
>
> VLANs have their place but don't tend to make a lot of sense in a small network that only has 1 or 2 switches in one small building. Think of VLANs as separate switches. They make sense if you have a large network and need to segregate multiple subnets to have your core switch route traffic, or you just have multiple services to segregate like cams, IP phones, guest network, payroll, management and iSCSI from your general traffic, where you need some or all of these available at each switch but you want to use a common trunk line.

I'm kinda hijacking, but I think your reply covers a question I was going to ask. The POE NVR will isolate the cameras from the rest of the wireless network, correct? So if I want to view the cameras over an app on my phone, not via web browser, I can install a wifi dongle on the NVR?

Please respond in dummy speak.

Sent from my SM-N920T using Tapatalk
 

DigitalPackrat

Getting the hang of it
Joined
Dec 12, 2015
Messages
41
Reaction score
27
Yes, you can have isolation between the cameras and the wireless network if you set it up that way. The NVR with two network interfaces would be your only link to the cameras. So to view video you are only talking to the NVR from your phone.
 

JFire

Getting the hang of it
Joined
Aug 26, 2015
Messages
407
Reaction score
40
Location
Pittsburgh, PA
> Yes, you can have isolation between the cameras and the wireless network if you set it up that way. The NVR with two network interfaces would be your only link to the cameras. So to view video you are only talking to the NVR from your phone.

So the cameras will be accessible over wifi without having to do anything special?

Sent from my SM-N920T using Tapatalk
 

pila

n3wb
Joined
Sep 28, 2015
Messages
25
Reaction score
2
Location
Croatia
I love complication, but...

The basic premise is valid if there is something to steal from the networked devices worth more than the camera, which they can easily unscrew and take away.

Unless they want to send threatening e-mails to some people, leaving trails to you. Which will also be logged beyond their reach. And can be accomplished more easily.

If someone connects to my network via LAN cable, they might listen to my music and use my Internet. I think this is the grand total of what they can do. If I was paranoid, it could simply be prevented, too. They can not get to any other stuff on my network without authorisation (router, server, even my Raspberries all ask for passwords). Non-default passwords and not for "admin".

So, is it more likely they would steal your $200 camera from the external wall or steal something more valuable available on your network?

Also, it is much more likely that one may have WPS (Wi-Fi Protected Setup) active (ON) on their AP (router), which can be broken quite simply.

I believe this level of complication should not be used in a home network. Unless you do it for fun or learning.
 

Spadowski

n3wb
Joined
Feb 22, 2016
Messages
4
Reaction score
2
My wife is a professional photographer and works from home. All client photos and business documents are stored here. Her whole business could be destroyed by someone installing ransomware, a virus, or just deleting files. We do have off-site backup and all that, but there is a lot of work involved in doing all that. I have "locked down" everything with tough passwords and proper shares, so that will help mitigate the risk. Key files are encrypted.

Several have pointed out that the wifi is likely a much easier target anyway. That has changed my perspective about the risk since I originally asked the question.

But, yeah, in addition to looking at the risk I am a bit intrigued with the fun and learning of it all. I was watching a YouTube video yesterday about subnet masking and my wife just rolled her eyes at me!

I suspect that phase one of this project will be with one or two cameras on the network with everything else. From there I'll decide if that is okay, or if I want to have a separate physical network or maybe a VLAN.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
Our home network also holds a large number of items that are of value to home and family.
The most sensitive documents (who uses paper these days?) are held in an encrypted volume that is only opened when needed, synced up to cloud storage periodically.
All other items are backed up locally overnight - but are still accessible on the same network.
So yes, an intrusion and especially really bad stuff like ransomware would be most unwelcome, and that's one of the reasons why poking holes in the perimeter firewall isn't something I've done.
If external access is ever thought necessary or beneficial I'll architect the network quite differently such that the risks can be properly controlled and managed.
 

SSNapier

Young grasshopper
Joined
Jan 4, 2016
Messages
42
Reaction score
7
Location
Hagerstown, MD
There was a discussion similar to this on the Security Now podcast recently. The question was how to isolate "internet of things" devices given that a lot of them are sketchy on the security side. The solution was a three router setup in a Y configuration. It would look like this:
[Image: Y-routers-security.png]
 
Joined
Mar 1, 2016
Messages
20
Reaction score
12
#2 can be budget friendly. I snagged a Cisco 24-port PoE managed switch for $50 off eBay.

Sent by my Trunk Monkey™
 