Is two NIC’s to segregate cams from internet a tin foil hat?

[Swampledge]

I have searched a fair bit and not found a satisfactory answer to this question. My router is set to block the cameras from having access to the internet. Wife and I are both retired, so only computer always on our network is the Blue Iris PC. We surf the net using iPads, stream YouTube TV or Netflix via a Smart TV or Roku, and have a variety of IoT devices, such as WiFi thermostat, outside temperature logger, Smarthings hub, Leviton WiFi light switches, etc. No ports are opened on my router for any device; I remote access Blue Iris via OpenVPN. Network speed is not an issue; the cameras are connected to the BI PC via switches, not the router. If I can’t trust my router to block the cameras from Internet access, why should I trust that there isn’t nefarious software running in any of my IoT devices? And, since the Blue Iris PC does have Internet access, why should I believe it is less likely to be exploited by a nefarious actor than my cameras?

 

[sebastiantombs]

Keeping cameras, and IoT devices on a secondary LAN, outside the IP scheme of your router, is another layer of security. Think of it in the same way you have a deadbolt on your entry doors as well as a standard knob lock. It's less expensive than a quality deadbolt and will help insure, not guarantee, that your devices won't be hijacked for a bot net or your PC won't get stripped of critical information.

 

[wittaj]

Any IoT is subject to hijacking.

Your Blue Iris PC is subject as well, but it runs on Windows that almost every computer (except for apple, etc.) runs, so Microsoft is always on the lookout for security vulnerabilities and pushes them out quickly.

That cheap no-name camera - not so much. They pretty much only care about the sale and never push out updates.

But having your cameras go through the router, even if you have blocked them from the internet, still means that traffic is going thru the router and at some point you will experience slowdowns with your devices.

The data demands of the cameras cannot be discounted; the constant streaming of unbuffered data is what brings the routers to their knees. They were not designed for 24/7 data in that fashion.

Streaming devices like Netflix buffer and Zoom type video conferencing uses different coding to try to keep the demands down, but the cameras are full-blast nonstop data feeding machines.

 

[Swampledge]

…..

But having your cameras go through the router, even if you have blocked them from the internet, still means that traffic is going thru the router and at some point you will experience slowdowns with your devices.

The data demands of the cameras cannot be discounted; the constant streaming of unbuffered data is what brings the routers to their knees. They were not designed for 24/7 data in that fashion…..

Isn’t there a difference between “going through the router” and “having access to the router?” As I understand network communications, when my camera streams its feed to the BI PC via one, two, or 3 switches separate from the router, it is doing so via ARP tables in the switch directing the packets to the appropriate switch port, so the router should never see those packets. Am I missing something?

Edited to add: Oops,! I just discovered that I should be referring to MAC tables at the switch level, not ARP tables.

 

[Holbs]

Isn’t there a difference between “going through the router” and “having access to the router?” As I understand network communications, when my camera streams its feed to the BI PC via one, two, or 3 switches separate from the router, it is doing so via ARP tables in the switch directing the packets to the appropriate switch port, so the router should never see those packets. Am I missing something?

Edited to add: Oops,! I just discovered that I should be referring to MAC tables at the switch level, not ARP tables.

find out. power down the router and see what happens

 

[IAmATeaf]

Don’t forget that by having 2 NICs you are also separating the cam network traffic from your normal household traffic.

This was one of the main reasons that I implemented using dual NICs also if by chance your router resets, as mine did recently when my provider decided to remotely rest it then you have nothing to worry about in terms of rules on the router etc.

 

[Rob2020]

Just do a Google search for IOT and home network security. Lots of articles written by techy websites explaining the risk of having IOT devices of any kind on your network.

 

[Swampledge]

find out. power down the router and see what happens

Grandkids were watching TV streaming via WiFi, so I did the next best thing: I unplugged the network cable between my router and the rest of my network. Then I went out to my BI PC, (temporarily located in my workshop in another building), and I can still see my cameras live from one end of my network to the other. So, no, my cams are not connected via my router.

 

[Swampledge]

Don’t forget that by having 2 NICs you are also separating the cam network traffic from your normal household traffic.

This was one of the main reasons that I implemented using dual NICs also if by chance your router resets, as mine did recently when my provider decided to remotely rest it then you have nothing to worry about in terms of rules on the router etc.

Does Netgear provide a back door into their routers for ISP’s? I own my router, they didn’t supply it. They did supply the cable modem, which I promptly set to bridge mode because I didn’t want to use their WiFi or give them that level of control.

 

[samplenhold]

A "tin foil hat" meaning that it does nothing? Or that people that wear that hat think that there is some threat that is not present? Like a crazy person or something?



I understand that you do not have your cams going through the router. That is what we recommend here. Some in this thread may have missed your original statement about that. But those switches go back to the router, no? So the cams do have 'potential' access to the internet. If someone was to gain entry past your router, then the cams are exposed.

Any IoT device is prone to hacking, as has been proven and documented in many, many posts on this and other forums and blogs. A router that blocks access to the internet for specific MAC addresses on your network is one line of defense. But that line has been hacked often, not yours in particular but in general. I have seen numerous 'security updates' for my routers come and go. Of course I take those updates. I have read numerous articles about routers being hacked and it takin the vendor months to do something about it, if ever. So that tells me that NOTHING on the internet is safe from hacking.

So having my cams physically isolated from the internet is another layer of defense that I feel is the best for me. Others use VLANs to achieve isolation, but it is not quite the same thing. They are separated from the internet by software, which has vulnerabilities.

Sure the BI computer is also connected to the internet, but not using the same NIC or the same subnet. I suppose that someone could gain access through my router, then into my BI PC on the LAN, then somehow gain access to my cams. But that still would not allow them to be used in a DOS attack since they still do not have access to the internet. A hacker cannot connect my cams to the router and therefore the internet without physically being in my home. Which means a physical attack on my home and I have other defenses in place to counter that.

Do what you like. But for me it was only $31 for a NIC on the BI PC and use of the second ethernet port on my office PC. Very simple to set up and no maintenance involved. No additional learning about something (VLANs) that I will only use once. No relying on the router and making sure that my settings are correct and maybe having to do it all over again when a new router is needed or a firmware update smurfs up the settings.

 

[Swampledge]

Samplenhold-
That thread title was just a form of clickbait having some fun intended to generate reactions and helpful information. When I wrote “tinfoil hat”, I was wondering if everybody who felt it important to install a second NIC was also setting up a VLAN to isolate all their IoT devices from the rest of their network(s).

I recognize that I accepted security risks when I added my first IoT device. I wonder if people here view the cameras as a greater risk than any other internet-connected device with a microprocessor. I will not use an Alexa due to security concerns, yet I’m aware that a skilled hacker or Apple insider might listen to conversations via the microphone on our iPads or iPhones. Everyone gets to pick and choose how much security they need or want. Then they can go out and run with scissors, ride a motorcycle without a helmet, or go BASE jumping.

 

[Holbs]

is this a 2 NIC card setup? or single NIC card?

 

[Swampledge]

is this a 2 NIC card setup? or single NIC card?

Just a single NIC. I’m evaluating whether I want to go to the trouble of dual NICs or not.

 

[The Automation Guy]

Just do a Google search for IOT and home network security. Lots of articles written by techy websites explaining the risk of having IOT devices of any kind on your network.

Saying something like "having IOT devices of any kind on your network is risky" is like saying "never driving or riding in a car will increase your life expectancy". Both are technically true, but both are impractical and short sighted as there are things you can do to mitigate the risk in both cases.

These articles are also generally written with these things in mind:

1. Their audience is not well versed in IT and networks. If they were, they would already know how to minimize the risk.
2. A "safe" network for IOT devices to reside on should be multilayered and therefore can be complicated. It's generally NOT something that can be adequately taught in a single article/video.
3. The average home owner doesn't even own equipment that can implement some of the most common mitigation methods (like VLANs), so it's easier to say "Don't have IOT devices on your network" rather than tell a person they have to replace their network gear with professional grade network equipment.
4. Content creators are generally looking to monetize their information and the more page views/clicks they get, the more money the make. The more technical an article is to read, the less people are going to actually read it resulting is less revenue for the creator.
5. "Fear Sells"

This results in a lot of articles that at best are trying to "educate" down to the lowest common denominator (ie the least network savvy person with the most basic consumer grade equipment) and at worst are trying to prey on people's fears. The reality is that there are plenty of methods available to minimize the risk of having IOT devices on a network. In a nutshell, you want to deny as much network/internet access to those devices as possible. It's hard for a device to compromise your network if it is isolated from the rest of your network. This is why denying a IOT device access to the internet is a good first step, but it isn't as safe as creating a VLAN or physically separate network for those devices to reside on.

 

[Rob2020]

Saying something like "having IOT devices of any kind on your network is risky" is like saying "never driving or riding in a car will increase your life expectancy". Both are technically true, but both are impractical and short sighted as there are things you can do to mitigate the risk in both cases.

These articles are also generally written with these things in mind:

1. Their audience is not well versed in IT and networks. If they were, they would already know how to minimize the risk.
2. A "safe" network for IOT devices to reside on should be multilayered and therefore can be complicated. It's generally NOT something that can be adequately taught in a single article/video.
3. Content creators are generally looking to monetize their information and the more page views/clicks they get, the more money the make. The more technical an article is to read, the less people are going to actually read it resulting is less revenue for the creator.
4. "Fear Sells"

This results in a lot of "fluff" articles that at best are trying to "educate" down to the lowest common denominator (ie the least network savvy person) and at worst are trying to prey on people's fears. The reality is that there are plenty of methods available to minimize the risk of having IOT devices on a network. In a nutshell, you want to deny as much network/internet access to those devices as possible. It's hard for a device to compromise your network if it is isolated from the rest of your network. This is why denying a IOT device access to the internet is a good first step, but it isn't as safe as creating a VLAN or physically separate network for those devices to reside on.

Agree with what you said. My comment; Just do a Google search for IOT and home network security. Was more intended to make OP aware that IOT devices can carry risks such as being outdated with poor security, default admin passwords, etc

 

[kedens]

I have a separate network (LAN) that is not connected to the internet. It includes a dell PC, a router, an 10-port POE switch, and an outdoor wireles AP on a 20' mask. The PC is connected to the router by Ethernet. The outdoor wireless AP is connect to the EOP switch witch is connected to the router via Ethernet. All cameras are currently wireless (14 each) with their own power source and I plan to install several addition cameras that are POE to reduce cabling requirements for power. Nothing is connected to the internet. When I need to do an update (BI or other) I disable the Ethernet port on the PC, enable the PC wireless port, connect to my home internet connection, download updates and then disable the wireless connection and renable the ethernet port.

 

[Swampledge]

I have a separate network (LAN) that is not connected to the internet. It includes a dell PC, a router, an 10-port POE switch, and an outdoor wireles AP on a 20' mask. The PC is connected to the router by Ethernet. The outdoor wireless AP is connect to the EOP switch witch is connected to the router via Ethernet. All cameras are currently wireless (14 each) with their own power source and I plan to install several addition cameras that are POE to reduce cabling requirements for power. Nothing is connected to the internet. When I need to do an update (BI or other) I disable the Ethernet port on the PC, enable the PC wireless port, connect to my home internet connection, download updates and then disable the wireless connection and renable the ethernet port.

That’s an effective way to provide isolation, but how do you access your camera feeds if you are not at the BI PC? Do you have a WiFi notebook, tablet, or phone that you switch WiFi networks on to connect to the BI web server? And apparently you cannot check on them if you are not at that site.

Prrobably not relevant to this discussion, but do you have the router there only to serve as a DHCP server for your cameras? There is certainly no routing to performed on your isolated LAN.

 

[sebastiantombs]

That is the downside of using two NICs rather than a VLAN to provide isolation, camera management is restricted to the PC. IP addresses are hard encoded in each camera. Leaving them on DHCP can lead to problems during power outages or if you replace a router. If a router is used it needs to be a commercial grade router, not an ISP style router. ISP routers don't normally have the bandwidth to handle cameras.

 

[SouthernYankee]

I have an OLD Asus router RT-N12D1 that is set to access point mode. This is a 2.4 GHZ only access point. It is on the Second NIC camera network. It has a different SSID and channel than my home network. The router cost about $30.00. I only use static IP address on the camera network.

I have in the past had an old desktop that also has two NICS, one for each network, that is not the BI PC.

 

[kedens]

That’s an effective way to provide isolation, but how do you access your camera feeds if you are not at the BI PC? Do you have a WiFi notebook, tablet, or phone that you switch WiFi networks on to connect to the BI web server? And apparently you cannot check on them if you are not at that site.

Prrobably not relevant to this discussion, but do you have the router there only to serve as a DHCP server for your cameras? There is certainly no routing to performed on your isolated LAN.

The wireless AP must be connected to a router to work properly. Wasn't advertised when I researched the AP but I quickly found out after a call to the vendor when it would not work properly. However I must say it works great and I am considering adding a second AP to reach other parts of property. I just have to decide if I want to bury that much cable to reach the router. You are correct I cannot check them when I am away. My take on this is that: (1) My main objective is to get any ill doing on video and (2); I'm in a rural area and by the time a deputy gets here the bad guys would be gone anyway. As you guessed I can access via phone or laptop/tablet by switching networks.