Need security recommendations for IP camera setup

NetWorker

I'm adding more and more cameras and security has become more of a concern as I do so. With cameras set up indoors I want to protect the stream as much as I can. How can I accomplish that?

My thoughts are:

1. For MJPEG stream cameras use a random port within the range of 80 - 65535 and assign a different random port to each camera
2. Use a different and unique username and password for each camera
3. Use HTTPS access when available - should I use port 443 for this?
4. Use a different RTSP port other than default 554 - if this is recommended, which range should I use?

I realize this seems like a hassle to maintain but if it's worth the extra effort, I don't mind investing the time.
 

bp2008

1 and 4 are security by obscurity and can be defeated by a simple port scan.
2 is probably good practice, as long as nobody finds where you have written down the user names and passwords.
3 This would only help if someone was sniffing your network traffic. The port number does not matter in this case, so leave it default for convenience.

Of course for any of the above to apply, the attacker would need access to your local network or you would need to have port forwarded to the cameras directly (which is a bad idea since most cameras have serious security flaws). Most cameras these days have methods for pulling live snapshots and video without authentication, or they have hard-coded backdoor logins and other security holes.

If you want to protect your indoor cameras from random strangers on the internet, then just don't make the cameras internet accessible and you should be fine. If you are still concerned, you can always put the cameras on their own separate network that only connects your cameras to your NVR, and then you don't have to worry about each individual camera and only worry about securing access to the NVR.

Lastly, there is some good advice here: http://www.ipcamtalk.com/showthread.php?1143-Network-Security-Primer
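
The checks from the reply above, written as a small audit over a camera inventory and a router port-forward list. This is an added example, not part of any post in this thread; every address, name, credential label and forwarding rule in it is constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: all values below are assumptions for illustration.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed camera-only subnet
CAMERAS = [  # "cred" is a label for a password-manager entry, not the password
    {"name": "hall",    "ip": "192.168.50.11", "cred": "vault-entry-1"},
    {"name": "kitchen", "ip": "192.168.50.12", "cred": "vault-entry-2"},
    {"name": "nursery", "ip": "192.168.1.23",  "cred": "vault-entry-2"},
]
# Router port forwards as (external_port, internal_ip, internal_port)
FORWARDS = [
    (48211, "192.168.50.11", 80),   # MJPEG moved to a "random" external port
    (8554,  "192.168.1.23", 554),   # RTSP moved off the default port
    (1194,  "192.168.1.10", 1194),  # assumed VPN endpoint, not a camera
]

def audit(cameras, forwards, camera_net=CAMERA_NET):
    """Return (kind, camera, detail) findings for the given inventory."""
    findings = []
    cam_by_ip = {ipaddress.ip_address(c["ip"]): c for c in cameras}
    # Any forward that lands on a camera exposes it, whatever the external
    # port number is: a port scan finds it either way.
    for ext, ip, port in forwards:
        cam = cam_by_ip.get(ipaddress.ip_address(ip))
        if cam:
            findings.append(("exposed", cam["name"], f"WAN:{ext} -> {ip}:{port}"))
    # Cameras that sit outside the dedicated camera network.
    for ip, cam in cam_by_ip.items():
        if ip not in camera_net:
            findings.append(("not-isolated", cam["name"], f"{ip} outside {camera_net}"))
    # The same login reused on more than one camera.
    by_cred = defaultdict(list)
    for c in cameras:
        by_cred[c["cred"]].append(c["name"])
    for cred, names in by_cred.items():
        if len(names) > 1:
            findings.append(("shared-login", ",".join(sorted(names)), cred))
    return findings

if __name__ == "__main__":
    for kind, camera, detail in audit(CAMERAS, FORWARDS):
        print(f"{kind:13} {camera:16} {detail}")
```
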
 

NetWorker

As usual, bp2008 to the rescue! I understand what you mean about security by obscurity and while it probably won't hurt, it's obviously more of a hassle than it's worth since it can be defeated easily. I guess the idea is don't put myself on the radar with port 80 but like you said, since it's behind a LAN it's really not an issue.

I do have sniffing concerns but mainly because my life has changed from someone entering our home and now I'm paranoid about everything. That feeling will probably fade over time so I'm not going to go overboard. I'm not ready to go down the road of separating my network but it's constantly growing so I'll have to consider it. I think the safest option for me that will bring peace of mind is to access the streams through BI over a VPN when I'm away from the LAN.

Thanks for your input and the link. I'll digest that and go from there.

-N
 