IP Cameras for Non Internet Networks??

PK232

n3wb
Jun 1, 2016
I own several older Microseven IP cameras that I am thinking of upgrading. One thing that has bothered me over the years is that after the initial purchase, I found it was very hard to use them with no Internet connectivity. First of all there was no way to set the real time clock on the camera manually, and the only choices on the GUI were time servers on the Internet. That was finally cured by finding that I could specify a local time server using the command line through PuTTY. The second was that even though I configured everything for local use, the cameras kept trying to contact Microseven. I could not see any reason why the camera would need to talk to Microseven, and each packet included the camera’s user name and password in plain text. That was a real security concern and there was no way of configuring the cameras to prevent it. I initially solved this problem by blocking all camera Internet communication using rules on my firewall, but later on I also used a PiHole DNS server that did not resolve Microseven domains. To this day however, all the cameras needlessly continue to query the DNS server once every 6 seconds trying to get an IP address for pnp.microseven.com.

This brings me to my question. Most of the IP camera manufacturers today seem to tout how easy it is to use their facilities for storing camera video, and that is the last thing I want. I am looking for cameras that not only can be used with local storage, but can also be configured to not communicate with the manufacturer for any reason. Can you recommend any manufacturers that make such cameras?

Most camera descriptions are very good at providing information such as resolution etc., but I feel the only way to know about how they truly treat the Internet is from the personal experience of actual camera users. Thanks.
 
The quick answer is that ALL IP cameras will try to make some type of connection outside of your local network.

Because of this, your question is a moot point honestly. You should never trust a manufacturer to ensure their cameras won't access some unknown server outside of your local network and pass information to it. Even worse, you can't trust that the devices won't have some sort of unknown backdoor that could allow outside connections into your local network. Therefore your local network should be designed to prevent any of the IP cameras from accessing the internet regardless of the brand of camera you use. As you noted, there are several ways to accomplish this. The "best practice" is actually to isolate your cameras from not just the internet, but all other local devices too. Again, there are several ways to accomplish this.

Therefore I would say that everyone is better off spending their time researching ways to isolate their cameras on the local network rather than trying to figure out which cameras won't try to make connections outside of the local network.

PS - by definition, this also means that you shouldn't be able to connect directly to the cameras from outside of your local network either. Best practice is to use a VPN server (or similar solution) to ensure that only "local devices" can access the devices on your local network, including any cameras, DVR, computer, etc.
 
While I agree with most of what @The Automation Guy says above, not all cameras reach out to the Internet if not set up to do so.

Here are two cameras, a Dahua 4K-T and an Amcrest IP4M-1041W, shown on my firewall. They are both assigned LAN IP addresses. They do not reach out at all, zero, nada.

Many wireless consumer brands do contact their mother ship or P2P server if you enable that.

 
Dahua and Amcrest to name 2
 
You can never really trust anything without verifying. Dahua, Hikvision, and companies that rebrand them, could change their firmware's behavior any time between updates. At the very least they may try to connect to their home servers for "p2p" connection purposes unless you turn that off (or even if you turn that off).

Most who are really concerned about it put their cameras on an isolated LAN (or VLAN) with no way to access internet. I personally just assign static IP addresses in a subnet with no real internet gateway, and then hope the camera doesn't cheat and figure out how to reach the internet on its own (either through IPv4 or IPv6). This works for all my Dahua/Hikvision/etc cameras except for one Hikvision (ezviz branded) doorbell cam which in my experience requires an internet connection or else it reboots itself every few minutes. I don't love that, but I tolerate it.

there was no way to set the real time clock on the camera manually, and the only choices on the GUI were time servers on the Internet

When I encountered a camera with this irritating behavior, I put a custom rule in my router's DNS server to have it resolve one of the time server hostnames to the LAN IP of a time server on my LAN, and that worked.
 
This is a key reason why I personally would never trust an IP camera to refrain from connecting to the internet. Plus, unless you are monitoring the IP camera traffic 100% of the time, you really can't be sure it isn't attempting to make connections. Even if a camera isn't actively making connections, that doesn't mean it doesn't try when it is first powered on (and every power cycle after that), or that it doesn't try once a day at some weird hour of the day, etc, etc, etc.
 
True if you have no way to monitor it or stop it. A simple $350 firewall solves this.

Of course I’m still an advocate of VPN or the Dahua P2P

I’m just saying things are different than they used to be and for Dahua IP cameras and the Amcrest I own, they do not and have not attempted to reach out unless I tell them to.
 
No need for expensive hardware. Any router that can run OpenWRT can assign a DHCP IP address while assigning 0.0.0.0 for the DNS address and 0.0.0.0 for the gateway address. Without a gateway or DNS address, the device will not be able to go to the internet but it can still access your Local Area Network (LAN) devices.

 
I thank all of you who have taken the time to reply, and also for all your suggestions. I guess the important thing is to look for a camera that will have the functionality you are looking for in the absence of the Internet, rather than trying to find a camera that won’t try to use the Internet. Those are indeed two different things. Based on that, I will certainly look at the camera manufacturers mentioned in your replies and question any vendor about their camera’s ability to function without the Internet. I will also use a well known vendor like Amazon that accepts returns in case, despite my research, I end up with a camera like the doorbell camera of bp2008. A firewall as suggested is certainly a good part of the solution, and it doesn’t have to be expensive. I have found my $60 EdgeRouter X has done the job quite well for me over the years in many areas, including camera isolation, and the $8 a month I have saved in not renting a router from my ISP has paid for it many times over. Thanks again.
 
Many people consider the best solution putting all cameras on a separate VLAN with no Internet access, but the problem is that you also do not have direct access to them. You have to use a router (or go through the local server), and the cheapest way is routers built into a managed Ethernet switch. The problem with most of them, even entry-level "enterprise" ones (like the MikroTik CRS328), is that they have no hardware acceleration for routed traffic, so you're bandwidth limited. How limiting this is depends on the number of rules, the type of switch and so on.

Before I bought MikroTik managed switches I had only Tenda switches that could route 30Mb (that's megabits). While that is OK for one/two h264 4K feeds, that's about it.

So putting them in the same VLAN, just giving them your VPN server as the default gateway, works much better (assuming you configure the server to only forward VPN traffic), but is definitely less secure.

Unless you have an IDS (which not many people have at home) you'll not detect if there is a backdoor that knows this "trick" and simply tries to discover the default gateway on its own. If I were writing this backdoor I'd make it try these IPs: the DHCP server, the first IP in the subnet, the last one. Then go one by one across the entire subnet.

So as always we're trapped in a triangle with security, inconvenience and price in its corners. You can try pushing security, but you also get inconvenience or high price and so on.
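
Added example, not part of any post in this thread: a way to check after the fact what isolated cameras tried to look up, using the DNS server's own query log instead of watching traffic live. It reads dnsmasq "log-queries" lines (the format Pi-hole logs in), lists every hostname a camera asked for, and flags steady repeats such as the 6-second pnp.microseven.com lookups from the first post. The camera subnet 192.168.50.0/24, the client addresses and the other hostnames are assumptions made up for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample log; only pnp.microseven.com and the 6 s interval come from the thread.
SAMPLE_LOG = "\n".join(
    [f"Jun  1 12:00:{s:02d} dnsmasq[411]: query[A] pnp.microseven.com from 192.168.50.21"
     for s in range(0, 60, 6)]
    + ["Jun  1 03:14:07 dnsmasq[411]: query[A] time.example.net from 192.168.50.22",
       "Jun  1 12:00:09 dnsmasq[411]: query[A] www.example.org from 192.168.1.10"]
)

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")

def camera_lookups(log_text, camera_net, year=2024):
    """Group query times by (client IP, hostname) for clients inside camera_net."""
    net = ip_network(camera_net)
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # replies, forwards and cache hits are not needed here
        stamp, name, client = m.groups()
        if ip_address(client) in net:
            # syslog timestamps carry no year, so one is supplied by the caller
            seen[(client, name)].append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return seen

def report(log_text, camera_net, min_hits=5):
    """One row per (camera, hostname): hit count, median gap in seconds, beacon flag."""
    rows = []
    for (client, name), times in sorted(camera_lookups(log_text, camera_net).items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps) if gaps else None
        # Beacon: enough samples, and every gap within 20% of the median gap.
        steady = len(times) >= min_hits and all(abs(g - period) <= 0.2 * period for g in gaps)
        rows.append({"camera": client, "name": name, "hits": len(times),
                     "period_s": period, "beacon": steady})
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, "192.168.50.0/24"):
        print(row)
```

A single lookup at an odd hour still appears as its own row with `hits` of 1, so rare attempts are listed even though they are not flagged as a beacon.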