Is it safe to keep using old Axis cameras even though support and updates have expired?

ipcdal

Getting the hang of it
Joined
Nov 14, 2021
Messages
93
Reaction score
61
Location
US
Hi guys - I bought some old Axis cameras (don't have model handy, but I believe part of the M30 series) and when I checked the Axis website, I discovered the hardware is discontinued and support expires pretty soon too. So I won't be getting any security updates for the firmware soon. I was wondering if it will still be safe to use these with Blue Iris once the firmware will no longer get patches, etc.? If so, how long can I keep using them without security concerns about vulnerabilities, etc.?

Right now I plan on installing them on their own subnet on my LAN, and I will check the firewall to make sure nothing else can access them except for my Blue Iris machine on the same subnet (obviously), but is that all I need to do to keep using them? Would be a shame to get rid of them so soon when they seem to work just fine right now. I was hoping to get several years of service out of them.

Thanks for any advice you can share on this! I'm still pretty new at this, and definitely not experienced with EOL with Axis products.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,549
Location
USA
If they aren't touching the internet then it isn't a problem.

Many of us are using cameras with firmware from 2019 or older.

A theme around here is don't fix what ain't broke so most of us don't update firmware if the camera is working for our needs as we have blocked them from the internet by either VLAN or dual NIC in the BI computer.
 

ipcdal

Getting the hang of it
Joined
Nov 14, 2021
Messages
93
Reaction score
61
Location
US
Thank you for that feedback! I'm still fairly new to Axis products, and definitely don't want to tempt fate and open up a big security problem.

As for never touching the Internet... the subnet that my cameras are on technically CAN touch the Internet, since I have my Windows/Blue Iris machine on it. I haven't looked to see if any of my Axis cameras have sent outbound traffic to the Internet, but I believe I have the firewall set up correctly to prevent inbound traffic to them. The only device that can access the Internet from that submit is just the Blue Iris machine. That's the theory, anyway.

Do you think that's adequate? Or do I need to lock things down even more?
 

ipcdal

Getting the hang of it
Joined
Nov 14, 2021
Messages
93
Reaction score
61
Location
US
P.S. BTW, very interesting idea about dual NIC approach on the BI computer... I might look into that.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,549
Location
USA
Without knowing exactly what you did it may or may not be enough.

But for $20 or so you can get another NIC card and install in BI computer and have all the cameras go to that and assign it an IP subnet different than your LAN and thus ensure and keep all video traffic off your LAN.

 

ipcdal

Getting the hang of it
Joined
Nov 14, 2021
Messages
93
Reaction score
61
Location
US
Okay, that's very helpful. Thank you.

I have pfSense set up in front of all my computers, and inside pfSense, I've divided up the computers into groups in their own VLANs/subnets (apologies if I'm mixing incorrect terminology). I have one VLAN dedicated to the cameras and BI.

So in theory, if I set that up correctly, which I'll have to go through and double-check, then maybe that will be enough. As long as I set up the firewall to block all incoming and outgoing Internet traffic to the cameras, that should lock them down sufficiently, right?

And I will also look into the dual NIC idea too. Seems like one more level of protection, and might be the ideal way to do it. The downside of that approach in my case, is that I have various VLANs mapped across various managed switches. So I'd probably have to buy two more PoE switches to isolate the separate network just for the cameras, and tweak some wiring. It's doable, but the hardware cost and complexity for me goes up. I like the idea though.
 
Top