Is P2P just as secure as VPN??

blake

Getting comfortable
Joined
Mar 14, 2014
Messages
1,072
Reaction score
161
Location
Texas
I've noticed both options which is why I'm asking..
 

blake

Thanks Looney. I noticed this option when setting up NVRs.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
I've always been curious about P2P. It uses third-party servers, so no doubt it's less secure than someone's personal VPN, but I just couldn't believe that Dahua/Hikvision/etc would offer a free service that relayed everyone's video directly through their servers. The bandwidth costs to do that seemed like they'd be insane. That, plus when I played with Dahua's P2P (back when I ran one of their NVRs), it was quick/responsive. Definitely did not have the lag I'd expect if the video was being relayed through a third-party server.

From what I read today, most P2P (peer-to-peer) services arrange for a direct connection between two devices. Once that connection is made, the two devices exchange data directly between each other, using their own bandwidth... the P2P service is out of the loop at this point. OK... so if P2P services don't have to use their own bandwidth, this is starting to make a little more sense how they can be offered for free...

But how can a P2P service connect a device outside of your home network to a device inside your home network when you don't have port forwarding set up? Most use a technique called UDP hole punching or STUN. You can google those terms for more info. UDP hole punching has more easier-to-understand explanations IMO. Those techniques work with most routers/firewalls. On the off chance that a router doesn't allow it, then some P2P services will act as a relay, while others will say "connection failed", and tell you to try again.

UDP hole punching sounds like a bad thing, but it's how TeamViewer (an app some folks here will use to remotely control another's PC to help them out) and Skype get devices behind firewalls to directly connect without port-forward (or having their servers in the middle of the conversations). I think Skype might actually be on to something else now, but they used this method for a very long time.

My concern with Dahua's P2P service would be around how safe they keep everyone's P2P account info. If that ever gets hacked, then it could be used to connect to other people's cameras/NVRs. But for folks where running their own VPN isn't an option (for whatever reason), I'd think Dahua's P2P service for remote access would still be better than port-forwarding.
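
The hole-punching exchange described in the post above, as an added example that is not part of the original post: a toy Python model of two NAT routers and a rendezvous server, with constructed addresses and hypothetical names (`Nat`, `punch`, `stranger_admitted`). It goes slightly beyond the post by also modelling a symmetric NAT, the case where a service has to relay or report a failed connection.

```python
from dataclasses import dataclass, field
from itertools import count

SERVER = ("203.0.113.10", 3478)  # rendezvous server; every address here is constructed

@dataclass
class Nat:
    """Toy NAT: outbound packets create mappings, inbound is filtered per mapping."""
    public_ip: str
    symmetric: bool = False  # True: a new public port for every destination
    ports: count = field(default_factory=lambda: count(40000))
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    allowed: dict = field(default_factory=dict)   # public port -> remotes sent to

    def outbound(self, src, dst):
        """Translate an outgoing packet; return the (ip, port) the remote sees."""
        key = (src, dst) if self.symmetric else src
        if key not in self.mappings:
            self.mappings[key] = next(self.ports)
        port = self.mappings[key]
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src, public_port):
        """Port-restricted filtering: accept only remotes this port has sent to."""
        return src in self.allowed.get(public_port, set())

def punch(nat_a, nat_b):
    """Run the exchange and report whether the two peers can talk directly."""
    a_int, b_int = ("192.168.1.50", 5000), ("10.0.0.7", 5000)
    # 1. Each device contacts the P2P server, which records its public endpoint.
    a_seen = nat_a.outbound(a_int, SERVER)
    b_seen = nat_b.outbound(b_int, SERVER)
    # 2. The server hands each side the other's endpoint; both send to it.
    a_src = nat_a.outbound(a_int, b_seen)
    b_src = nat_b.outbound(b_int, a_seen)
    # 3. A packet gets in only if it lands on a port that already sent to its source.
    a_to_b = nat_b.inbound(a_src, b_seen[1])
    b_to_a = nat_a.inbound(b_src, a_seen[1])
    return "direct" if a_to_b and b_to_a else "relay-or-fail"

def stranger_admitted(nat):
    """After punching, can an address the device never contacted reach a hole?"""
    return any(nat.inbound(("203.0.113.99", 4444), p) for p in nat.allowed)

if __name__ == "__main__":
    a, b = Nat("198.51.100.1"), Nat("198.51.100.2")
    print(punch(a, b), stranger_admitted(a))  # both NATs reuse one mapping
    print(punch(Nat("198.51.100.1"), Nat("198.51.100.2", symmetric=True)))
```

In this model the punched hole admits only the endpoint the device itself sent to, which is what separates it from a forwarded port; the remaining exposure is the server that hands out those endpoints and holds the account data.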
 

blake

That's what I was thinking also. For people who are not technically sound, the P2P option on their NVR setup makes life real easy without having to hire an IT person to help them set up a VPN. Question: when logging into BI from outside your home network, do you first have to go through the OpenVPN app on your phone, then the Blue Iris app?
 

blake

That's what I figured: OpenVPN app on the phone first to establish the VPN connection, then the BI app.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,428
Reaction score
3,669
If you don't want to deal with setting up a full-blown VPN server, other options like VPN.net – Hamachi by LogMeIn and ngrok exist.
These are more practical when you're running Blue Iris or other software VMS. These services are similar to P2P, but you can be a bit more confident they're reasonably secure.
 

blake

What I'm looking at is this. I have people who are up there in age. They want a set it and forget it setup. They're not going to want to have to log into two apps to view their camera, neverless me sit and explain VPN. They want to push one button and be done. I think I'll stick with the P2P and be done.
 

tangent

> What I'm looking at is this. I have people who are up there in age. They want a set it and forget it setup. They're not going to want to have to log into two apps to view their camera, neverless me sit and explain VPN. They want to push one button and be done. I think I'll stick with the P2P and be done.

If you're using Blue Iris, you might as well use Hamachi. It's pretty easy.
 

blake

I'll test it out. I have two clients on BI, the rest are NVRs.
 

tangent

> I'll test it out. I have two clients on BI, the rest are NVRs.

If P2P is used in commercial environments, it's best to enforce some external security through managed switches and firewalls. You could simply hand them some guidelines and encourage them to have someone else set up the network security.
 

tangent

> I've always been curious about P2P. It uses third-party servers, so no doubt it's less secure than someone's personal VPN, but I just couldn't believe that Dahua/Hikvision/etc would offer a free service that relayed everyone's video directly through their servers. The bandwidth costs to do that seemed like they'd be insane. That, plus when I played with Dahua's P2P (back when I ran one of their NVRs), it was quick/responsive. Definitely did not have the lag I'd expect if the video was being relayed through a third-party server.
>
> From what I read today, most P2P (peer-to-peer) services arrange for a direct connection between two devices. Once that connection is made, the two devices exchange data directly between each other, using their own bandwidth... the P2P service is out of the loop at this point. OK... so if P2P services don't have to use their own bandwidth, this is starting to make a little more sense how they can be offered for free...
>
> But how can a P2P service connect a device outside of your home network to a device inside your home network when you don't have port forwarding set up? Most use a technique called UDP hole punching or STUN. You can google those terms for more info. UDP hole punching has more easier-to-understand explanations IMO. Those techniques work with most routers/firewalls. On the off chance that a router doesn't allow it, then some P2P services will act as a relay, while others will say "connection failed", and tell you to try again.
>
> UDP hole punching sounds like a bad thing, but it's how TeamViewer (an app some folks here will use to remotely control another's PC to help them out) and Skype get devices behind firewalls to directly connect without port-forward (or having their servers in the middle of the conversations). I think Skype might actually be on to something else now, but they used this method for a very long time.
>
> My concern with Dahua's P2P service would be around how safe they keep everyone's P2P account info. If that ever gets hacked, then it could be used to connect to other people's cameras/NVRs. But for folks where running their own VPN isn't an option (for whatever reason), I'd think Dahua's P2P service for remote access would still be better than port-forwarding.

NAT traversal is a simpler, more common term. There was a thread a while ago about a vulnerability that allowed other people's cameras and NVRs of a particular brand to be viewed via a P2P service. It's more difficult to pull off, but it's possible for vulnerabilities in the P2P system (on the server) and in the NVRs and cameras to be used to turn cameras into a botnet or to target other devices on the network (computers, servers), just like with port-forwarded cameras. P2P is still better than port forwarding.
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
308
Reaction score
177
Location
Australia
I've also been interested in better understanding these cloud-based systems, but with some IT skills I've always avoided them. Firstly, the NVRs need to constantly ping/report their status to the cloud server, and there will be constant upload traffic (probably not much, but I would still prefer my network without it). If there is any outage in the cloud system, then a large number of customers cannot access their devices.

The other, bigger issue is: once the 2 devices/networks have decided on a connection path, how is the login information passed/exchanged on the app? Depending on how each vendor does it, there is no guarantee of confidentiality, perhaps with username and passwords being sent in clear text (same applies for port forwarding setups). At least when using a VPN, your login credentials will be encrypted regardless of how the app/client does it.
 