Network Security Primer

Discussion in 'Chit-Chat' started by nayr, Sep 23, 2014.


  1. nayr

    nayr IPCT Contributor

    Joined:
    Jul 16, 2014
    Messages:
    9,354
    Likes Received:
    5,192
    Location:
    Denver, CO
    Since IP cameras are network devices, let's have a chat about security and best practices. Feel free to ask me anything; this is my specialty.

    I've got 3 areas I wish to discuss. I will summarize the areas here and we can have a more in-depth discussion as the thread goes along.

    Part 1 - Remote Access
    So you want to view your cameras from anywhere on the internet, right? Of course you do, that's a great thing about IP cameras!
    Consideration #1: Do you trust your remote network? The answer is clearly no, you should not. If you're using public WiFi, work internet, hotel internet or a friend's internet you should assume that not only can your traffic be monitored by others on that network, it can be monitored as it traverses the internet and back into your network. It's a trivial procedure to monitor packets as they travel over WiFi and across routers/switches, and anything that is not encrypted (such as your video streams) is fair game to intercept; in fact it is often policy to do this in work and public environments to keep tabs on appropriate network usage and prevent abuse or policy violations, etc.

    Consideration #2: Do you trust your camera? The vast majority of IP cameras have backdoors, hardcoded logins and unnecessary services running on them. Here is a port scan of one of my cameras:
    Code:
    # nmap 192.168.42.21
    
    
    Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-23 18:52 MDT
    Nmap scan report for 192.168.42.21
    Host is up (0.0023s latency).
    Not shown: 994 closed ports
    PORT      STATE SERVICE
    23/tcp    open  telnet
    80/tcp    open  http
    554/tcp   open  rtsp
    3800/tcp  open  pwgpsi
    5000/tcp  open  upnp
    49152/tcp open  unknown
    MAC Address: 90:02:A9:30:18:BC (Zhejiang Dahua Technology Co.)
    Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
    We see above it's running telnet, which has a hardcoded login. I can tell it's a Dahua camera, and none of these services offer encrypted authentication, so your login credentials are sent in plain text all the way across the internet... NOT GOOD.

    Since we can't really trust our firmware to be 100% secure we should take special precautions with it.

    Consideration #3: Hackers are constantly scanning every IP on the internet they can reach looking for known vulnerabilities to let them into a network. Constantly, 24/7, you're being scanned, and it's your firewall's job to block most of these. If you port forward your cameras to expose them directly to the internet, scanners can find your camera. Don't believe me? Google search has a special token called inurl that lets you search the web for specific strings. For example, do a Google search for inurl:"ViewerFrame?Mode=" and look at all the cameras you find, the majority of which the owner has no idea strangers are watching.

    Solution: There is really one solution that negates all these issues, and that is a Virtual Private Network, aka VPN. All modern smartphones/tablets/operating systems have VPN clients built in; you just need to set up and configure a VPN server on your network and forward the ports needed to that. This will give you full access to your home network while away, from remote desktop, to printers, and each and every IP camera's configuration, and all the traffic will be encrypted as it traverses the internet, so your logins and video streams are considerably safer from prying eyes. The first place to check is whether your home router has built-in VPN server support; if so, read up on the documentation and get it working. If not, you can turn any reliable machine on your network, such as your BI server, to also run a VPN server; a Google search should yield guides that walk you through this.
    TIP: Create a VPN user account for each device, say Ryan-Android for my phone. If my phone gets lost/stolen I can always just change that password and not have to change everything.
    TIP: If you're up to the task you can't beat TLS authentication. It's more complicated to set up and deploy, but it uses encryption certificates as authentication tokens, so there is no password to break, and it's as secure as you can keep your authorized devices from physical access (i.e. put a password on your phone that's not 4 numbers).


    Part 2 - Local and Physical Security
    VLAN: Is there anyone on your local network you don't want to have access to the cameras? Employees? Or is there anything on your network so private you need to keep it as secure as possible? The best strategy for this is to segregate your networks and put the cameras on a different subnet (range of IP addresses). You need a switch and router that support VLANs, and then you can externally firewall off your IP cameras from your normal network, opening up access to only those who should have it. All the other machines on the network won't even get a login screen or a response from the camera. I would avoid messing with any onboard firewall settings on your IP cameras; it's an easy way to lock yourself out without many choices on getting back in.

    Port Authentication (802.1x): Higher-end switches can actually authenticate network access at the switch port level; this is great if you have a lot of cameras in a public area, dorm, etc. If set up properly, someone cannot access the security camera network by simply tapping into an ethernet cable or somehow unplugging the camera and hooking in their own device. My Dahua cameras all support it, and on my network if you unplug a VoIP phone or IP camera and try to use that network port it puts you onto the guest VLAN by default; my phones and cameras authenticate with the switch when plugged in and this process grants them access to their own network segments. If no auth is attempted it puts them in a special garden with almost no access. This requires a RADIUS authentication server and some network know-how, so I won't go into too much depth; I just want you to be aware of what it is and whether you need it.


    Part 3 - Wireless Security
    In my PROFESSIONAL opinion wireless and security are two technologies that oppose each other dramatically; as Hitler's WW2 Enigma devices taught the world, you can never be sure if you're BROADCASTING your communications to anyone in listening range, despite technology advancements. It's like trying to keep a conversation private between two people with megaphones a block apart.

    The only acceptable place for a WiFi security device is a portable monitoring device such as your phones/tablets, since your security will not be compromised if those lose connectivity.

    Let's go over our wireless security options:
    WEP = Cracked quite quickly with enough captured packets, and IP cams generate a constant stream of them.
    WPA = Easily brute forced; if WPS is enabled it's basically wide open. Can be hijacked with ease: I can run an access point with the same name/ID and your devices will gladly connect and tell me the password to your network.
    WPA-TLS = The only one left standing that hasn't been broken; you can't hijack or man-in-the-middle it because of certificate authentication. Needlessly complex for individual users, and few WiFi devices even support this.

    Did you know anyone can send a deauth packet to knock your cameras off the wireless network, despite encryption? Within 30 minutes I could make a small handheld device that knocks everything off its WiFi network with parts I have lying about. Check this out: http://danmcinerney.org/how-to-kick-everyone-around-you-off-wifi-with-python/

    What good is your security camera when anyone could just make a universal remote to "turn it off" when they approach to steal some shit?

    The same can be said for wireless security sensors. I have a 5W handheld walkie-talkie that can broadcast on the same frequencies most GE wireless sensors work on. If I broadcast noise with that transmitter I am basically jamming out all the little 100mW security sensors for a mile or so, not to mention my 50W ham radio that, if used nefariously, could jam out all wireless sensors to the horizon.

    Links:


    Open Source Router Firmware has support to run a VPN Server, checkout:

     
    Last edited by a moderator: Nov 7, 2014
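The "do you trust your camera?" check in the post above, as an added example that is not part of the original post: a small Python audit that parses plain `nmap <host>` output and classifies each open port by what it means if the device were port-forwarded. The scan text is constructed here, modelled on the one nayr posted; the service policy table (which ports carry credentials or video in the clear, which only widen the attack surface) is this example's own assumption, not a vendor statement.

```python
"""Audit a camera's open ports from plain nmap output.

Added example for this thread, not code from the original post. The scan text
below is constructed, modelled on the one posted above; the service policy
table is this example's own assumption about what each port implies.
"""
import re

# Constructed sample input, modelled on the posted scan.
SAMPLE_SCAN = """\
Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-23 18:52 MDT
Nmap scan report for 192.168.42.21
Host is up (0.0023s latency).
Not shown: 994 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet
80/tcp    open  http
554/tcp   open  rtsp
3800/tcp  open  pwgpsi
5000/tcp  open  upnp
49152/tcp open  unknown
MAC Address: 90:02:A9:30:18:BC (Zhejiang Dahua Technology Co.)
"""

# Assumed policy. kind: "cleartext" = login or video crosses the wire unencrypted,
# "attack-surface" = not needed for viewing, "encrypted" = TLS-protected.
POLICY = {
    23:   ("cleartext", "telnet: password in the clear, often a vendor hardcoded login"),
    80:   ("cleartext", "http: web UI login and session cookies unencrypted"),
    554:  ("cleartext", "rtsp: video stream unencrypted on the wire"),
    443:  ("encrypted", "https: TLS-protected web UI"),
    5000: ("attack-surface", "upnp: can open router ports or disclose device details"),
}
RISKY = {"cleartext", "attack-surface", "unexpected"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
MAC_LINE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})(?: \((.*)\))?", re.M)


def parse_report(text):
    """Return (open_ports, mac, vendor) from the output of a plain `nmap <host>`."""
    ports = [(int(p), proto, svc)
             for p, proto, state, svc in PORT_LINE.findall(text) if state == "open"]
    m = MAC_LINE.search(text)
    mac, vendor = (m.group(1), m.group(2)) if m else (None, None)
    return ports, mac, vendor


def audit(text):
    """Map each open port to (kind, reason); anything not in POLICY is 'unexpected'."""
    ports, _mac, _vendor = parse_report(text)
    findings = {}
    for port, proto, service in ports:
        if port in POLICY:
            findings[port] = POLICY[port]
        else:
            findings[port] = ("unexpected", f"{proto} {service}: not needed for viewing, investigate")
    return findings


def must_stay_behind_vpn(findings):
    """True when any service would leak credentials/video or widen the attack surface
    if the device were port-forwarded; this is the case the post argues for."""
    return any(kind in RISKY for kind, _ in findings.values())


if __name__ == "__main__":
    f = audit(SAMPLE_SCAN)
    _, mac, vendor = parse_report(SAMPLE_SCAN)
    print(f"device {mac} ({vendor})")
    for port in sorted(f):
        kind, why = f[port]
        print(f"  {port:>6}  {kind:<14} {why}")
    print("keep off the internet, VPN only:", must_stay_behind_vpn(f))
```

Run it against a real scan by piping `nmap <camera-ip>` output into `audit()`. Any port outside the policy table is deliberately reported as "unexpected" rather than ignored: on a camera, an unexplained listener is exactly the thing to chase down before deciding anything about exposure.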
  2. icerabbit

    icerabbit Getting the hang of it

    Joined:
    Apr 14, 2014
    Messages:
    582
    Likes Received:
    72
    Location:
    FL <~> ME
    Fantastic topic. Double repped!

    I understand the concept of a VPN: protecting traffic the user initiates from a computer to a router and/or individual computer, or network. Computers are a bit more versatile when it comes to network traffic.

    My router can do VPN but of course barely mentions it beyond being a feature and where to find it.

    In light of surveillance cameras and network devices, how can one integrate this protection / make this work when it comes to mobile devices and gaining access to:

    - WiFi thermostat + iPhone/iPad app (check & set home temp while away)
    - ethernet home automation controller + iPhone/iPad app (check & turn on/off some lights)
    - still accessing individual cameras... don't need to see all of them, just want to tap into the PTZ and check on the cats, or read the clips from the driveway cam...

    Does it hinge on the VPN user name/password? And can apps transparently accept those? (Just as if it were the device's user/password.)
    Do you create multiple dedicated tunnels?
    Or can everything squeeze through one tunnel? Maybe multiple user names? Then based on user/password and maybe port or app (?) things get routed transparently to the right device in the LAN?

    Example: one tunnel + user wantstat -----> tstat, user wanauto ------> home automation box, wannvr -----> nvr, wanptz -----> ptz cam, wannas ----> nas

    Or how would one make it work?
    As these devices just say use port forwarding with username, password. Known not to be safe.
     
    h901 and swcctv like this.
  3. icerabbit

    >> Looks like the topic is not lost! << :D

    But I guess we lost a day and a half.
     
  4. icerabbit

    In essence, to recap my content from the thread that was lost in the crash:

    VPN was a lot easier to implement than I assumed. You can use one tunnel for all the traffic you need. It solves the headache of using a mobile device at home and while away, in that most mobile apps for surveillance, automation, etc. allow you to spec one IP address. Each time you switch places, it has the wrong IP. To circumvent this home-and-away problem, I'd use two apps to do the same thing: one with the WAN IP and port forwarding, one with the LAN IP. Or a browser bookmark for each.

    With the VPN tunnel in place, the app can keep the LAN IP because it considers traffic through the tunnel local, as if at home.

    One hurdle in getting it set up was vague instructions, and on my iPhone there was the "secret" box for L2TP, which had no matching equivalent in my router. I consider it a shortcoming in my router firmware.

    I was able to set it up with PPTP. Once established, the iPhone puts a VPN text icon to the left of the Bluetooth and battery icons.

    All in all, on the router side it was like configuring a wireless network with a specific user & password, and on the mobile side just adding the same.
     
    catseyenu, nayr and fenderman like this.
  5. catseyenu

    catseyenu Getting the hang of it

    Joined:
    Jun 13, 2014
    Messages:
    325
    Likes Received:
    42
    nayr likes this.
  6. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    7,602
    Likes Received:
    4,206
    Hooray. I use openvpn on my router...
     
  7. nayr

    Peeping into 73,000 unsecured security cameras thanks to default passwords

    Told you guys, Always use a VPN!
     
  8. bp2008

    What's really fun is the cams that open a port all on their own or connect to a cloud service you did not sign up for.

    I don't think I have any of those :)

    And not everybody has the gear and expertise to put cameras on a different VLAN without internet access :)
     
  9. nayr

    I have encountered many IP cameras with hardcoded backdoor logins; the devices themselves simply are not safe enough to be exposed directly to the internet. This is just one website that shows what some very simple bots scanning the internet for IP cameras found; nobody was targeted directly. Security holes in specific software cameras run (web server/SSL/bash/etc.) can lead to further problems because those are easy to scan for also.

    Anyone reading my primer is urged to block the internet to/from ANY IP camera and remotely monitor it with a VPN solution; anything less is not really secure. Setting up a VPN is not that difficult: if you can forward ports you can set up a VPN. Just follow instructions online carefully. Every operating system and smartphone has VPN capabilities nowadays, so there is little excuse other than being ignorant.

    An IP security camera without any IP security isn't much of a camera.
     
  10. nayr

    I also want to point out that I technically can get any of your guys' IP addresses very easily. All I would have to do is embed an image in this thread loaded off my web server, and then when someone replies I can check the logs for that time, correlate what requests for that image came in at that time, and then direct a targeted attack at you. In fact I'm sure I could find all sorts of cameras by targeting these forums <wink>

    People can do this anywhere: forums, Facebook, Twitter, etc. The internet is full of vindictive asshats, so you could become targeted for your opinion very quickly if you haven't been already. A bunch of security cameras could give them the information they need to know where you live: just geolocate the IP to a city, then search for streets/addresses on Google Street View, and the next thing you know SWAT teams are busting down your door because you pissed some little prat on the internet off.

    That's a scenario that plays out across the internet all the time.
     
    Last edited by a moderator: Nov 7, 2014
    catseyenu and fenderman like this.
  11. nayr

    If you have a decent router/firewall you can define a host group and input all your cameras' IPs into that group, then create an outbound firewall rule saying reject all packets to/from that group. It won't filter access to/from the cameras locally like you can get with VLANs, but it will prevent them from calling home or exposing themselves without your knowledge. You'll want to run a local NTP service because if it works they won't time-sync over the internet.

    Expanding on firewall rules, I like to do 2 rules for a blackhole group like this: reject tcp/udp for all hosts, and then, lower than that, a drop-all for those hosts. Some packet types can't be rejected, but if you drop tcp/udp you can end up making your cameras' boot times really slow as they try an external connection (DNS lookup) only to wait for a timeout.

    You can add more and more rules and allow only what you want if you do allow your cameras some internet; give them access to only a specific mail server, time server, etc. But keep it simple: you'll VPN into the network and bypass the rules, so it won't affect remote access.
     
    Last edited by a moderator: Nov 7, 2014
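The blackhole-group pattern from the post above, as an added example that is not part of the original post: the recommended order (a narrow ACCEPT, then REJECT for tcp/udp, then a catch-all DROP) beside the DROP-first mistake, a toy first-match evaluator that shows why the order matters for a camera's boot-time DNS lookup, and the same rules rendered as iptables commands. The camera IPs, the external mail-relay exception (a documentation-range address), the chain and the interface name are assumptions for the example.

```python
"""Blackhole a host group of cameras at the router, with fail-fast ordering.

Added example for this thread, not code from the original post. It models the
two-rule pattern described above (REJECT tcp/udp ahead of a catch-all DROP) plus
one narrow ACCEPT exception, evaluates constructed packets against it with a toy
first-match evaluator, and renders the same rules as iptables commands. The IPs,
the mail-relay exception and the interface name are assumptions for the example.
"""

CAMERAS = ["192.168.42.21", "192.168.42.22"]   # constructed host group
MAIL_RELAY = "203.0.113.25"                     # assumed external SMTP relay (documentation range)

# A rule is (action, source_group, proto_or_None, dst_or_None, dport_or_None).
# None means "any". Rules are evaluated top to bottom, first match wins.


def blackhole_rules(cameras, mail_relay):
    """Recommended order: explicit allows, then REJECT tcp/udp, then DROP the rest."""
    return [
        ("ACCEPT", cameras, "tcp", mail_relay, 587),   # one allowed outbound service
        ("REJECT", cameras, "tcp", None, None),        # camera gets a RST immediately
        ("REJECT", cameras, "udp", None, None),        # camera gets ICMP port-unreachable
        ("DROP",   cameras, None,  None, None),        # other protocols: silently dropped
    ]


def drop_first_rules(cameras, mail_relay):
    """The mistake the post warns about: DROP above REJECT makes the REJECTs dead rules."""
    good = blackhole_rules(cameras, mail_relay)
    return [good[0], good[3], good[1], good[2]]


def evaluate(rules, src, proto, dst, dport=None):
    """Return the action for one outbound packet; ACCEPT if nothing matches (chain policy)."""
    for action, group, rproto, rdst, rport in rules:
        if src not in group:
            continue
        if rproto is not None and rproto != proto:
            continue
        if rdst is not None and rdst != dst:
            continue
        if rport is not None and rport != dport:
            continue
        return action
    return "ACCEPT"


def render_iptables(rules, chain="FORWARD", wan_if="eth0"):
    """Render the rules as iptables commands, one per camera (an ipset would be neater in practice)."""
    lines = []
    for action, group, proto, dst, dport in rules:
        for ip in group:
            cmd = ["iptables", "-A", chain, "-o", wan_if, "-s", ip]
            if proto:
                cmd += ["-p", proto]
            if dst:
                cmd += ["-d", dst]
            if dport:
                cmd += ["--dport", str(dport)]
            cmd += ["-j", action]
            if action == "REJECT" and proto == "tcp":
                cmd += ["--reject-with", "tcp-reset"]
            lines.append(" ".join(cmd))
    return lines


if __name__ == "__main__":
    good = blackhole_rules(CAMERAS, MAIL_RELAY)
    bad = drop_first_rules(CAMERAS, MAIL_RELAY)
    dns = ("192.168.42.21", "udp", "8.8.8.8", 53)      # camera's DNS lookup at boot
    print("DNS lookup, recommended order:", evaluate(good, *dns))   # REJECT: fails at once
    print("DNS lookup, DROP-first order: ", evaluate(bad, *dns))    # DROP: waits for timeout
    print("\n".join(render_iptables(good)))
```

The evaluator only models the outbound (WAN-bound) chain; LAN-to-camera traffic never hits these rules, which is why the post notes that a VPN user on the LAN side is unaffected. The `--reject-with tcp-reset` on the tcp REJECT is what turns a hung connect into an immediate failure on the camera.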
  12. nayr

    Your beloved Foscrap: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2560

    2013:
    Code:
    Access Vector: Network exploitable
    Access Complexity: Low
    Authentication: Not required to exploit

    Directory traversal vulnerability in the web interface on Foscam devices with firmware before 11.37.2.49 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI, as demonstrated by discovering (1) web credentials or (2) Wi-Fi credentials.
    Add to that the fact that Foscam hardcodes dynamic DNS settings into their firmware, and it was stupid easy to scan *.myfoscam.org and find all these damn cameras.

    Dahua/Hikvision all have hardcoded telnet logins, and that is a fact. My Dahua cameras by default come with 3 backdoor logins that can't be removed, but you can change the password.

    There are billions of network-capable devices out there, and almost none of them should be exposed directly to the internet. Almost all of them were designed for local network access only and were never hardened, nor do they default to secure enough for internet exposure. I am not saying you have to use VLANs; I'm saying you've got to use a fucking firewall and VPN instead of forwarding ports to insecure and hard-to-update hardware devices. Go ahead and do it, I don't give a crap what you do.

    Firmware updates are inherently risky; camera makers are not pushing out new firmware to fix security issues, and nor are people applying firmware updates to fix security issues. I'm sure there are thousands of people with pre-2013 firmware on their Foscams. Nor should they have to, if they keep the device off the internet (you can still access it with a VPN); then it's not a problem.

    I recommend anyone who gives a shit to set up a VPN and firewall off your cameras from all internet access. If you don't give a shit, well then so be it... listen to that asshat if you can get your head around his ramblings.

    If your camera (or any network device you own) was designed to be plugged directly into the internet securely, the very first thing it would force you to do is set a new password before doing anything else; I have yet to find such a camera.

    Attached is a screenshot from my Dahua camera; it's impossible to delete admin, 888888 or 666666, so you have to change 3 passwords, and everyone knows the usernames, so all they have to guess is a password that's probably easy to type into a phone/tablet. This right here tells me this device was never intended to be exposed to the internet and maintain any level of security.
     


    Last edited by a moderator: Nov 17, 2014
    monstor likes this.
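The bug class behind the Foscam advisory quoted above, as an added example that is not Foscam's code and is not part of the original post: a vulnerable path resolver (root + request path, then let the OS walk the `..` segments) beside a hardened one that decodes once, normalises and refuses anything that lands outside the document root, plus a log check that applies the same rule to constructed access-log lines. The document root, the file names and the client IPs are assumptions; paths are resolved as strings only and nothing touches the real filesystem.

```python
"""Directory traversal: the vulnerable resolver next to the hardened one, plus a log check.

Added example for this thread; none of it is Foscam's code. CVE-2013-2560 (linked
above) is a '..' traversal in a camera web UI that reads arbitrary files. The two
resolvers and the log lines below are written for this example: the document
root, file names and client IPs are assumptions, and nothing touches the real
filesystem; paths are resolved as strings only.
"""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/usr/www"      # assumed document root of the camera's web server


def resolve_naive(web_root, request_path):
    """Vulnerable: glue root + request path and let the OS walk the '..' segments."""
    return posixpath.normpath(web_root + "/" + request_path)


def resolve_safe(web_root, request_path):
    """Hardened: decode once, normalise, then insist the result is still under root.

    Returns the absolute path to serve, or None when the request must be refused.
    """
    decoded = unquote(request_path)
    if "%" in decoded or "\x00" in decoded:
        return None                      # double encoding or NUL byte: refuse outright
    rel = posixpath.normpath(decoded.lstrip("/"))        # leading '../..' survives normpath here
    full = posixpath.normpath(posixpath.join(web_root, rel))
    root = web_root.rstrip("/")
    if full != root and not full.startswith(root + "/"):  # the '/' stops /usr/www2 matching /usr/www
        return None
    return full


# Constructed access-log lines (combined log format) for the detector below.
ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2013:01:02:03 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1234',
    '192.168.42.5 - - [10/Mar/2013:01:02:09 +0000] "GET /index.htm HTTP/1.1" 200 4096',
    '198.51.100.9 - - [10/Mar/2013:01:03:44 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234',
    '192.168.42.5 - - [10/Mar/2013:01:04:10 +0000] "GET /images/../index.htm HTTP/1.1" 200 4096',
]
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) ')


def traversal_attempts(log_lines, web_root=WEB_ROOT):
    """Return (client_ip, uri) for every logged request the hardened resolver would refuse."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if m and resolve_safe(web_root, m.group(2).split("?", 1)[0]) is None:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    attack = "/../../etc/passwd"
    print("naive :", resolve_naive(WEB_ROOT, attack))   # /etc/passwd: escaped the root
    print("safe  :", resolve_safe(WEB_ROOT, attack))    # None: refused
    for ip, uri in traversal_attempts(ACCESS_LOG):
        print("traversal attempt from", ip, uri)
```

Two details matter in the hardened version: the containment test compares against `root + "/"` so a sibling directory such as `/usr/www2` cannot pass, and a `%` left after one decoding round is treated as hostile rather than decoded again, which is how double-encoded `%252e%252e` tricks get through servers that decode in a loop. Using the same resolver for detection keeps the log review consistent with what the server itself would have refused, so `/images/../index.htm`, which stays inside the root, is not reported.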
  13. bp2008

    nayr, lets not forget about Dahua's onvif support which lets you, at the very least, pull video streams without authentication. There is probably much more possible that I am not aware of.
     
    nayr likes this.
  14. nayr

    Good point @bp2008

    Many decent IP cameras are designed with professional installers in mind; us DIY'ers are a nice side effect. But professional installers are not typically network savvy, having had to learn basic networking only recently as IP cameras have taken over the analogue market. They put backdoor logins in so the installer can get into the camera and fix it when the end customer ends up messing it up or locking them out, and telnet logins that allow the resellers in to rebrand the camera to their name, or preconfigure settings with a few quick changes.

    The 888888 login saved my ass once when I locked myself out on a password update; I guessed the password would be 888888 on the first try.
     
    monstor likes this.
  15. icerabbit

    I respect that you have done a lot for the Foscam owners / community, but really, the more you type, the less reassuring you are.

    Without going into further details - as I really don't have the energy and time, nor do I want to get into some web tit-for-tat on certain details that you're trying to raise - I just want to say that your attitude in your posting, with false analogies, exaggerations etc., looks to be non-constructive, is becoming hostile and then becomes a personal attack.

    You even start highlighting things in bold and pulling in unrelated photos.

    What's next? ALL CAPS? Alternating colors? ASCII art? Animated GIFs?

    You feel a need to go above and beyond, explaining and defending certain known insecure things manufacturers do... for what?
    You are tripping over yourself, running in circles, hijacking this thread, wanting nayr to prove certain things... for what?
    All you do is really prove that you somehow have an axe to grind against what nayr posted, or him personally.

    Longer and louder talk doesn't necessarily make one look better in public nor in a forum.

    So, you may want to give that a moment of thought...

    ( Back on topic )

    Personally, I think closing all forwarding ports on a router and implementing VPN is 1000% solid advice and easy to implement. The rest may be too complex and over people's heads, but I don't take issue with nayr's opinion as a whole. He's on the front lines of security, and you have to highlight the bad to prove a point. Whether that's a bit alarmist, maybe, but there's no "dare to prove it" evidence required. This is not some prove-it-or-lose-it competition. This is a friendly posting on a forum for fellow members. We all know stuff is exploitable and, as time has proven so many times, networked electronics are inherently insecure / vulnerable. Manufacturers focus on getting the product out and selling. More features than the competition = more sales. Off-the-shelf security is fine. Build. Sell. Ship. Repeat.

    I most narrowly escaped a major hacking headache a number of months ago after opening a port for some quick remote access. Something I did last minute before a trip. I didn't think much of opening a specific port for a manufacturer's device, as directed. Boy, would it have cost me very, very, very dearly on many fronts if I was one of the victims.

    You can knock on my IP since then. Unless you get into the router itself or can bypass it, there's nothing to see.

    One of my next purchases is a more secure router with VPN. I have done some comparison shopping on a few features. Still on the fence a bit, but a better router swapped in is imminent.
     
    Last edited by a moderator: Nov 17, 2014
  16. nayr

    It's me personally; I keep calling him out on his bullshit and am not the least bit impressed with his signature, like he thinks I should be.

    Every once in a while he has some pretty sound advice, I do admit; but by default I would suggest you seriously question anything he states, given the behavior I have seen out of him.

    But this goes to prove my earlier point about targeted attacks: he is harmless. There are people out there who aren't, and if you hurt their internet ego they'll hack your IP cam just to fuck you up. Welcome to the internet, enjoy your stay. Lesson #1: people will be asshats just to coax an emotional response from you, then attack you further upon submitting to that. We like to call them trolls.
     
    Last edited by a moderator: Nov 17, 2014
  17. icerabbit

    I know. I've got a bit of technical experience and a pretty good set of eyes and ears.

    I just felt compelled to speak up a little in the hopes it may help him in some way to stop shouting from the other end of the spectrum.
     
  18. nayr

    That forum does not promote open and honest discussions, so I am not a member and will not participate in their community. I require the ability to use four-letter words every once in a while and post links to anything relevant, regardless of the commercial interests of the staff and advertisers.

    When you moderate out any opposing lines of thought you end up with a bunch of mindless dolts, much like a religion. They say they're open, but when you find the statement "Please do not try to defeat the forum's word censors - words/urls are censored/masked for a reason" that kinda implies the opposite.

    Fuck, I stubbed my toe... ouch... oh, look at that, we're all grown-ups. Well, most of us.
     
    Last edited by a moderator: Nov 17, 2014
  19. nayr

    I love you, you're my UberOverlord :love:
     
  20. icerabbit

    Have your laugh.

    You really want me to go to another forum and ask the members there? And say hello, I'm new here, I just got a few cameras, but am worried about security; I hear they can be accessed remotely and exploited.
    Between
    (a) uberlord's method of just opening up router ports and monitoring web traffic
    and
    (b) nayr's advice of keeping the router ports plugged and using a VPN tunnel
    Which is more or less secure? More hack-proof? Easier to implement?

    You have got to be kidding me.

    Anyone who opens up a port, even changes port settings, edits the device password to be "safe", and maybe even goes as far as removing the factory admin account after creating a custom user, is not safer, as you state, than when those cameras are simply not directly accessible from the internet.

    Whatever factory back door / secret logins that are baked in are still wide open if the device is visible online. Maybe we don't have to worry about 99% of factory-trained personnel and engineers, but word gets out, things get discovered. Whether motivated by fun or financial gain, one can bet it will get abused and at some point gets out.

    Whatever vulnerability that can be exploited without even touching the default admin/user account is right there waiting to be built and exploited, if the device is visible online. As I tried to say, I just narrowly escaped this very exact thing with a networked appliance from one of the world's top vendors, where an attack was built specifically targeting their hardware around the globe. Tons of people got duped. Eye-opening to someone who's not on the front lines of internet security, how you can seemingly do the right thing per the manual but come up losing it all. This exact exploit hinged on the open-a-port method you say is secure. Really makes one think. Oh, and the monitor-traffic thing didn't work because it took mere moments to be compromised. People have to work, sleep, go on a trip... aka have a life, and don't sit there monitoring their router logs.

    Since you're into proving things and challenging people, maybe this example will raise a spark. We could do a test. We'll give you and nayr and any forum member who feels like jumping in an hour or two to pull some stills from a camera of choice, change a camera setting, password, whatever, just something to prove it was found. Nayr's challenge would be to poke one behind a router with open ports. You try the same except with a router with all ports closed. Doesn't have to be for the fastest time or anything.

    I just know which challenge I'd prefer.
     
    Last edited by a moderator: Nov 17, 2014
  21. bp2008

    Except the port for the VPN, of course.
     
  22. icerabbit

    @bp2008 True. My understanding is, though, that modern types of VPN are pretty secure. And certainly the use of one (vs. open router ports) avoids detection by tools built for certain exploits and targets.

    @uberlord

    Well, that's a bit more balanced. Sorry that your point(s) got lost.

    My point isn't about back doors, some of which can't be closed anyhow.

    What I'm saying is that if one can't see/get through a wall, then (a) whoever is outside doesn't know what's behind it (move on, nothing to see here) and (b) whatever is behind the wall is more secure than if that wall had windows, doors, gates etc., and especially if some of those are left open.

    So I am quite comfortable with a little internet castle with high walls, a big moat and a drawbridge with dual gates (VPN) as the only exposed way in.
     
    Last edited by a moderator: Nov 5, 2016
  23. nayr

    Those are all the same problems that any large network has with multiple end users. They didn't break the VPN to get access to the network; they compromised a machine that got into the network with VPN. No different than compromising a machine already on the network, except once most people take a computer home they lose any protections on the main network, like firewalls and network scanners, and become an easier attack vector. If a remote user logs into any corporate service (email, document sharing, Xerox copy machines) with an infected keylogger you're fucked; those same authentication credentials are valid everywhere on the network. But this is why 2-factor authentication exists, and it does a damn good job at taking care of most of those issues, and you bet that's what Target and USPS are all moving towards. They took a huge gamble having that number of users and devices without implementing a 2-factor auth system, and lost.

    The only possible way your scenario makes any sense is that whatever device you're using to remote into your network will never under any circumstances be plugged into your network normally (say a work-provided desktop computer). Then the VPN does expose your home network in a way that it wouldn't normally be exposed; you might consider putting a firewall up between your VPN and LAN if this is a problem. However, if you're like most of us here and accessing your cameras from a device that is normally at home on your LAN, then you are not exposing your network to any devices it's not normally exposed to, so any malicious software running on said devices is getting access one way or another.

    If you're running a large corporate network with hundreds/thousands of end users I don't think you're coming to these forums for network security advice.

    But what do I know; I don't maintain corporate network security for tens of thousands of employees, most of them teleworkers like myself over VPN connections, for one of the largest networking companies out there... oh wait... never mind, I do, and you're right, it's horribly complex and really easy to get wrong. But nobody here is talking about networks of this scale or type.

    My advice is for the DIY IP camera community, which is typically 1 large subnet, 1 or two main users and a very limited number of devices that normally have nothing protecting them from each other. If you're running anything more complicated than a basic small LAN then you're absolutely right, there is much, much more to consider than my blanket statements on basic security.
     
    Last edited by a moderator: Dec 8, 2014
    Rocktop_006 and gpower07 like this.
  24. Jack B Nimble

    Jack B Nimble Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    881
    Likes Received:
    102
    Location:
    Great White North
    I set up VPN on my ASUS router and I have installed VPN access on a Samsung 6; both very easy to do. It connected from the phone to the home VPN connection, no issue. My question now is how do I see the Hikvision NVR with the cameras? I use iVMS-4500 HD; which IP do I put in it? Thanks.


    I will try this; seems others had the same issue:

    Connecting to camera using VPN ?
     
    Last edited: Dec 30, 2016
  25. looney2ns

    looney2ns IPCT Contributor

    Joined:
    Sep 25, 2016
    Messages:
    5,583
    Likes Received:
    3,528
    Location:
    Evansville, Indiana
    Once you connect to the VPN on your phone, if it's working correctly, you would connect to your NVR via the same IP address/port that you would use if you were at home.
     
  26. wantafastz28

    wantafastz28 Pulling my weight

    Joined:
    Nov 18, 2016
    Messages:
    531
    Likes Received:
    245
    Location:
    Phoenix, az
    Man, there must have been some douchebags here a couple years ago... Glad there isn't hostility like this nowadays here. Such a waste of energy.
     
    nayr likes this.
  27. Jack B Nimble

    Jack B Nimble Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    881
    Likes Received:
    102
    Location:
    Great White North
    All is good, OpenVPN on the Asus router ezpz and OpenVPN connected on the Samsung 6; I can view cameras.
     
  28. h901

    h901 Getting the hang of it

    Joined:
    Apr 1, 2016
    Messages:
    146
    Likes Received:
    2
    Location:
    London
    Thanks for the first post, really useful.

    Just a quick question that might sound stupid. If I've set up a VPN, do I only need to connect via this VPN whilst away from home? Or does it need to be used locally and remotely? Thanks
     
  29. wantafastz28

    wantafastz28 Pulling my weight

    Joined:
    Nov 18, 2016
    Messages:
    531
    Likes Received:
    245
    Location:
    Phoenix, az
    Only when away.
     
    h901 likes this.
  30. spork

    spork Young grasshopper

    Joined:
    Aug 16, 2016
    Messages:
    58
    Likes Received:
    7
    nayr,

    I was wondering what your thoughts were on the newer alarm sensors that are encrypted? DSC, Honeywell, Elk, and most companies now have 2-way encrypted sensors that I doubt a little Baofeng or SDR could take out. Are you a ham also? I think if one frequency is jammed they will hop around until they get a confirmation. I would like to upgrade but Honeywell hasn't made a compatible receiver module for my Vista. Unfortunately these upgrades are also bringing along an encrypted keypad bus on the newer panels, which prevents you from using things like an EnvisaLink for self-monitoring.

    I may eventually buy an Elk panel since they support the DIY crowd and have a TCP module built for self-monitoring. I guess I could always use a relay on the siren output and have an Arduino send me an SMS when that is activated. I've also considered just using Blue Iris for all my needs. Even with all its options it doesn't seem like a viable replacement for a good alarm panel though.

    I try to hard-wire most things, but wiring every room with PIRs, glass break sensors, and especially door and window contacts is no easy task in a finished house.