Network Security Primer

icerabbit · Getting the hang of it · Joined Apr 14, 2014 · Messages 583 · Reaction score 74 · Location FL <~> ME
@bp2008 True. My understanding is though that modern types of VPN are pretty secure. And certainly the use of one (vs open router ports) avoids detection by tools built for certain exploits and targets.

@uberlord

Well that's a bit more balanced. Sorry that your point(s) got lost.

My point isn't about back doors, some of which can't be closed anyhow.

What I'm saying is that if one can't see/get through a wall, then (a) whoever is outside doesn't know what's behind it (move on, nothing to see here) and (b) whatever is behind the wall is more secure than if that wall had windows, doors, gates etc., and especially if some of those are left open.

So I am quite comfortable with a little internet castle with high walls, a big moat and a drawbridge with dual gates (VPN) as the only exposed way in.
 

nayr · IPCT Contributor · Joined Jul 16, 2014 · Messages 9,329 · Reaction score 5,325 · Location Denver, CO
Those are all the same problems that any large network has with multiple end users; they didn't break the VPN to get access to the network.. they compromised a machine that got into the network with VPN.. no different than compromising a machine already on the network, except once most people take a computer home they lose any protections on the main network, like firewalls and network scanners, and become an easier attack vector.. If a remote user logs into any corporate service (email, document sharing, Xerox copy machines) with an infected keylogger you're fucked; those same authentication credentials are valid everywhere on the network.. but this is why 2-factor authentication exists, and it does a damn good job at taking care of most of those issues.. and you bet that's what Target and USPS are all moving towards; they took a huge gamble having that number of users and devices without implementing a 2-factor auth system, and lost.

The only possible way your scenario makes any sense is if whatever device you're using to remote into your network will never under any circumstances be plugged into your network normally (say a work-provided desktop computer); then the VPN does expose your home network in a way that it wouldn't normally be exposed, and you might consider putting a firewall up between your VPN and LAN if this is a problem... However, if you're like most of us here and accessing your cameras from a device that is normally at home on your LAN, then you are not exposing your network to any devices it's not normally exposed to, so any malicious software running on said devices is getting access one way or another.

If you're running a large corporate network with hundreds/thousands of end users I don't think you're coming to these forums for network security advice..

But what do I know; I don't maintain corporate network security for tens of thousands of employees, most of them teleworkers like myself over VPN connections, for one of the largest networking companies out there... oh wait.. nm, I do, and you're right, it's horribly complex and really easy to get wrong... but nobody here is talking about networks of this scale or type..

My advice is for the DIY IP camera community, which is typically 1 large subnet, 1 or two main users and a very limited number of devices that normally have nothing protecting them from each other.. if you're running anything more complicated than a basic small LAN then you're absolutely right... there is much, much more to consider than my blanket statements on basic security.
 

Jack B Nimble · Pulling my weight · Joined Dec 15, 2015 · Messages 878 · Reaction score 106 · Location Great White North
I set up VPN on my ASUS router and I have installed VPN access on a Samsung 6; both were very easy to do. It connected from the phone to the home VPN connection with no issue. My question now is how do I see the Hikvision NVR with the cameras? I use IVMS 4500 HD; which IP do I put in it? Thanks.


I will try this; it seems others had the same issue:

Connecting to camera using VPN ?
 

looney2ns · IPCT Contributor · Joined Sep 25, 2016 · Messages 15,521 · Reaction score 22,657 · Location Evansville, In. USA
Once you connect to the VPN on your phone, if it's working correctly, you would connect to your NVR via the same IP address/port that you would use if you were at home.
 

wantafastz28 · Getting comfortable · Joined Nov 18, 2016 · Messages 550 · Reaction score 253 · Location Phoenix, az
Man, there must have been some douchebags here a couple of years ago... Glad there isn't hostility like this here nowadays. Such a waste of energy.
 

h901 · Getting the hang of it · Joined Apr 1, 2016 · Messages 148 · Reaction score 3 · Location London
Thanks for the first post, really useful.

Just a quick question that might sound stupid. If I've set up a VPN, do I only need to connect via this VPN whilst away from home? Or does it need to be used locally and remotely? Thanks
 

spork · Young grasshopper · Joined Aug 16, 2016 · Messages 58 · Reaction score 7
nayr,

I was wondering what your thoughts were on the newer alarm sensors that are encrypted? DSC, Honeywell, Elk, and most companies now have 2-way encrypted sensors that I doubt a little Baofeng or SDR could take out. Are you a ham also? I think if one frequency is jammed they will hop around until they get a confirmation. I would like to upgrade but Honeywell hasn't made a compatible receiver module for my Vista. Unfortunately these upgrades are also bringing along an encrypted keypad bus on the newer panels which prevents you from using things like an Envisalink for self-monitoring.

I may eventually buy an Elk panel since they support the DIY crowd and have a TCP module built for self-monitoring. I guess I could always use a relay on the siren output and have an Arduino send me an SMS when that is activated. I've also considered just using Blue Iris for all my needs. Even with all its options it doesn't seem like a viable replacement for a good alarm panel though.

I try to hard-wire most things, but wiring every room with PIRs, glass break sensors, and especially door and window contacts is no easy task in a finished house.
 

nayr · IPCT Contributor · Joined Jul 16, 2014 · Messages 9,329 · Reaction score 5,325 · Location Denver, CO
What would encryption have to do with preventing jamming? I'm quite sure a 1-2W transceiver is more than capable of whiting out a whole range of frequencies and that lil 25mW sensor won't have a hope.. these battery-powered sensors are extremely low power and would be trivial to jam out.

They all operate on ISM bands, so even unintentional jamming is entirely possible just by using another ISM device drastically more powerful in near range.. Frequency hopping is just a couple MHz in either direction.. the ISM bands are rather small and they don't have a lot of room to work with.. it won't jump from 433MHz to 1200MHz to 2400MHz; its radio is gonna stick in its band... When I fire up my ham radio on UHF it wipes out all UHF TV reception across the board for a good distance around my house, and I don't need that much power here in town.. I'm using a tiny fraction of what my radio could dump out (50W).

Wireless sensors are fine as long as you understand that if the battery is dead you're not getting any notifications.. that's my biggest problem; put a wireless driveway sensor on and start relying on it to let you know someone is there, and one day someone will startle you when that battery finally goes... some might notify you on low batteries but I've found this is not 100% reliable.. sensors that are not triggered a lot often think they have more voltage than they really do, until they trigger and actually try to put load on it.

Good ole wired sensors never need new batteries, never have some environmental RF issue that interferes with communications; you can trust 'em.. and trust means a lot. I trust a notification at 2am saying my door/gate was opened and don't second guess it while I'm pulling the gun out of the safe.

73's N4YRE
 

spork · Young grasshopper · Joined Aug 16, 2016 · Messages 58 · Reaction score 7
I wasn't thinking clearly and assumed someone would try and jam an individual frequency of a particular sensor. There is an article on the net somewhere from a security guru demonstrating how easily 1-way sensors can be defeated with an SDR. That makes more sense, of course, that a wide signal or high-power transmitter could jam all the frequencies that are available to the sensor even if it has the ability to move around in a small allotment. At the very least, I think 2-way sensors could help with unintentional interference. I think they keep trying until they get through. The few times I experienced interference with my one-way sensors I was notified by my panel. Most alarm panels also have some sort of jam detection feature.

My sensors take CR123 cells and last 5-7 years. When it's time for them to be replaced the panel will nag me with low battery and supervision warnings.

For home alarm panels the only disadvantage to hardwired sensors that I've ever heard of is that small-gauge alarm wire is more susceptible to lightning damage and gives it more pathways around your home. It's also quite a mess trying to keep it all nice and neat in the alarm box. If you have a lot of sensors it will unload your backup battery quickly in a power outage as well. I wish that I could at least hard-wire my PIRs and front door.

Thanks for taking the time to respond and educate us.

73 KD9BYI
 

randytsuch · Pulling my weight · Joined Oct 1, 2016 · Messages 495 · Reaction score 176
I have a TON of hardwired sensors, lots of windows and doors, and they are all wired thanks to the previous owner. Knock on wood, but I've never had lightning damage, that seems very unlikely, and I've not had battery issues when power goes down. Batteries won't last forever depending on the length of the outage no matter what.

Having a hardwired alarm, I would very much recommend. You set the alarm when leaving the house, and you know you're fairly safe. For wiring, they tied some of the sensors together at other points in the house so they didn't have to run as many wires all the way to the panel. And you don't need PIRs in every room, just the main area or hallway where you know an intruder would walk.
 

spork · Young grasshopper · Joined Aug 16, 2016 · Messages 58 · Reaction score 7
I definitely think hardwired is better. I'm just rambling and trying to make myself feel better about my wireless sensors. You can also carry wired over to a new system should you switch panels, etc., vs. proprietary wireless.

If you don't use glass break sensors, a PIR in every room isn't a terrible idea if you want the alarm to activate sooner when you're away. In my basement I installed a wired dual-tec PIR. It's armed in both stay and away modes. It protects the ground-level windows in my basement, which is mostly a storage area. My thinking is that glass break sensors may not always activate, wired or not, so it's better to have a wired PIR as a catch-all backup. So I figure that if I'm home and the window detectors fail I will likely hear it exploding since they have gas in them. If I'm away then a hardwired PIR upstairs can be the backup. Even if I have to use a raceway I'm going to find a way to put a sensor on my front door as well.

Sorry for going off topic. It's not very often that you can find a good discussion on home security.
 

DavidDavid · Getting comfortable · Joined Jan 29, 2017 · Messages 605 · Reaction score 267 · Location Ohio
Is the only way to stop someone from unplugging an IP camera from the outside of my house, plugging that Ethernet cable into their laptop and accessing my local network to properly set up a VLAN for that port on the switch? I've got two Cisco SGE2000P switches that support VLANs, but from your other posts it sounds like that is useless unless my router also supports VLANs. I've got a Linksys router that I don't believe supports VLANs.

Do you have any specific threads on any forums where you go into VLANs in detail? I'm also looking for a secure way to set up a guest network with Internet-only access at home. My router supports a guest network, but I set it up once and immediately tried accessing my personal network files and had access, so I shut it off and haven't tried since. I'm thinking the only/best way for me to do that would be to install a spare router (set up as a wireless access point using DD-WRT) into one of the ports on the switch, set that up to have Internet access only and give it a guest SSID and separate password. But... again, not having a router that does VLANs, that might not be possible for me. I'll have to dig more into the switch capabilities. So far I just have it plugged in and working, but I've noticed any time I unplug or reset it, all of my settings are lost. Seems strange.
 

nayr · IPCT Contributor · Joined Jul 16, 2014 · Messages 9,329 · Reaction score 5,325 · Location Denver, CO
The only way to stop 'em from using that network cable is to use a switch that has port-based authentication and cameras that will authenticate; if the camera is unplugged the port is effectively dead/isolated from anything, even the NVR.

A VLAN in combination with this would be the way to go; however these are more for prisons and other high-security areas.. such attack surfaces are very unlikely to be exposed on most residential and even commercial setups... I've got full support for setting this up on my home network, yet I don't bother.
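To make nayr's point concrete from the monitoring side (a camera port goes dead when the camera is unplugged) and to show what DavidDavid's "lock the port to the camera's MAC" idea can and cannot give you, here is an added example; it is not code from the thread, from Cisco or from any switch vendor. It reads switch syslog lines, flags a camera port that loses link, and flags a camera port that learns a MAC other than the camera bound to it. The log wording, the port names, the MAC addresses and the CAMERA_PORTS inventory are all constructed for illustration; a MAC check of this kind is a detection aid on top of port-based authentication (802.1X), not a substitute for it.

```python
"""Added example, not code from the thread: watch constructed switch syslog
lines for (a) a camera port losing link and (b) a camera port learning a MAC
other than the camera bound to it.  Port names, MACs and the log format are
all made up for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed inventory (assumption): switch port -> MAC of the camera on it.
CAMERA_PORTS: Dict[str, str] = {
    "Gi0/1": "00:11:22:33:44:55",
    "Gi0/2": "00:11:22:33:44:66",
}

# Constructed log grammar; a real switch's syslog wording will differ.
LINK_RE = re.compile(r"LINK-(?P<state>UP|DOWN): port (?P<port>\S+)")
MAC_RE = re.compile(
    r"MAC-LEARN: (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on port (?P<port>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    port: str
    kind: str      # "link-down" or "foreign-mac"
    detail: str


def analyse(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per suspicious event on a camera port; other ports are ignored."""
    alerts: List[Alert] = []
    for line in lines:
        m = LINK_RE.search(line)
        if m:
            port = m.group("port")
            if port in CAMERA_PORTS and m.group("state") == "DOWN":
                alerts.append(Alert(port, "link-down", "camera port lost link"))
            continue
        m = MAC_RE.search(line)
        if m:
            port = m.group("port")
            seen = m.group("mac").lower()
            expected = CAMERA_PORTS.get(port)
            if expected is not None and seen != expected:
                alerts.append(Alert(port, "foreign-mac", f"expected {expected}, saw {seen}"))
    return alerts


# Constructed sample: the camera on Gi0/1 is unplugged, then a different device
# appears on that port; Gi0/2 behaves normally; Gi0/24 is not a camera port.
SAMPLE_LOG = [
    "Jan 29 02:14:05 sw1 %LINK-DOWN: port Gi0/1 changed state to down",
    "Jan 29 02:14:40 sw1 %LINK-UP: port Gi0/1 changed state to up",
    "Jan 29 02:14:41 sw1 %MAC-LEARN: aa:bb:cc:dd:ee:ff on port Gi0/1",
    "Jan 29 02:15:00 sw1 %MAC-LEARN: 00:11:22:33:44:66 on port Gi0/2",
    "Jan 29 02:15:10 sw1 %LINK-DOWN: port Gi0/24 changed state to down",
]

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.port}: {a.kind} ({a.detail})")
```

Run as-is it reports two events on Gi0/1 (link lost, then an unexpected MAC) and nothing for the normal port or the non-camera port. In practice the lines would come from the switch's syslog feed rather than a list, and with port-based authentication in place the "foreign-mac" case never gets a usable port at all; the alert then tells you something was attempted, which is the part a log watcher is for.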
 

DavidDavid · Getting comfortable · Joined Jan 29, 2017 · Messages 605 · Reaction score 267 · Location Ohio
You have that ability, but don't bother because you have a solid VLAN set up... which sounds like it's quite a bit of in-depth work that's not too easy for a regular Joe who just wants a few cameras around their property. On that note, an average Joe doesn't have government secrets on their network they need to protect... and neither do I, but leaving a LAN cable (or a half dozen+ cables) outside the house seems kind of like leaving a hide-a-key box for the front door of the house on the window ledge next to the door.

Maybe just accepting the fact that it's HIGHLY unlikely for someone to physically, in person and not a supercomputer on the other side of the world, target the contents of my network is so far-fetched that it's something all of us need to live with, but at this point I'm just trying to figure out what I don't know.

I'm just starting to play around with this managed switch. It's way more than I needed (really only wanted a cheap gigabit PoE switch) but maybe it has some MAC address blocking abilities? So that I could set it to the MAC of my camera and it will only work for that one particular camera? I just made that up, maybe it's real, maybe not.

Thanks for your input!
 

nayr · IPCT Contributor · Joined Jul 16, 2014 · Messages 9,329 · Reaction score 5,325 · Location Denver, CO
A keybox to what exactly? Open up a guest internet wifi network that can't access your LAN and there will be no motivation to grab an ethernet cable.. It's not like when they're on your LAN they can instantly disable your cameras, deactivate your alarm and unlock your doors.. if you have technology to do that over the LAN then you might want to take additional steps to secure them, like changing default passwords.. but the largest attack vector for your network is going to be YOU, downloading something and infecting your computers on the network and allowing hackers past your firewall.
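DavidDavid's guest network turned out to be able to reach his files, which is exactly what nayr's "guest wifi network that can't access your LAN" is meant to rule out. The following is an added example, not configuration from the thread or from any router vendor: a first-match rule evaluator that puts the weak rule set (guest allowed to "anywhere", which quietly includes the LAN) beside the corrected one (deny guest to every private range first, then allow the rest). The subnets, addresses and rule syntax are constructed; a real router expresses the same policy in its own firewall or guest-network settings.

```python
"""Added example (not from the thread): first-match evaluation of inter-VLAN
rules, to show why a guest network needs an explicit deny toward the LAN.
All subnets and addresses are constructed for illustration."""
import ipaddress
from typing import Dict, List, NamedTuple

Net = ipaddress.IPv4Network

LAN = Net("192.168.1.0/24")     # constructed: main LAN with NVR, PCs, cameras
GUEST = Net("192.168.50.0/24")  # constructed: guest Wi-Fi VLAN
ANY = Net("0.0.0.0/0")
# RFC 1918 space: everything "inside" that a guest should never reach.
PRIVATE: List[Net] = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


class Rule(NamedTuple):
    src: Net
    dst: Net
    action: str  # "allow" or "deny"


def decide(rules: List[Rule], src_ip: str, dst_ip: str, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic gets the default (deny)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return default


# Weak: "guest gets internet" written as allow-to-anywhere.  0.0.0.0/0 includes
# the LAN, so the guest can reach the NVR and file shares.
WEAK_RULES = [Rule(GUEST, ANY, "allow"), Rule(LAN, ANY, "allow")]

# Corrected: deny guest -> every private range before the catch-all allow.
SAFE_RULES = [Rule(GUEST, n, "deny") for n in PRIVATE] + [
    Rule(GUEST, ANY, "allow"),
    Rule(LAN, ANY, "allow"),
]


def isolation_report(rules: List[Rule]) -> Dict[str, str]:
    """Evaluate a few constructed flows a guest-network check would look at."""
    guest_host, nvr, public = "192.168.50.23", "192.168.1.10", "203.0.113.5"
    return {
        "guest_to_nvr": decide(rules, guest_host, nvr),
        "guest_to_internet": decide(rules, guest_host, public),
        "lan_to_nvr": decide(rules, "192.168.1.50", nvr),
    }


def guest_is_isolated(rules: List[Rule]) -> bool:
    """True only if a guest host is denied to every private range but still
    allowed out to the internet (the policy DavidDavid was after)."""
    report = isolation_report(rules)
    blocked = all(
        decide(rules, "192.168.50.23", str(next(n.hosts()))) == "deny" for n in PRIVATE
    )
    return blocked and report["guest_to_internet"] == "allow"


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("safe", SAFE_RULES)):
        print(name, isolation_report(rules), "isolated:", guest_is_isolated(rules))
```

The trap this models is the one DavidDavid hit: "internet only" has to be written as a deny toward the LAN (or toward all private space) ahead of the allow, because an allow-to-anywhere rule evaluated first matches LAN destinations too. Testing it the way he did, by joining the guest SSID and trying to open a LAN share, is the right check; the evaluator above just makes the reason for the result visible.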
 

DavidDavid · Getting comfortable · Joined Jan 29, 2017 · Messages 605 · Reaction score 267 · Location Ohio
I meant a hide-a-key box. Like a little box someone would hide their front door key in and put under a rock in the garden to let them in if they locked themselves out.

I guess leaving a window open is a better comparison to leaving a network cable end outside the house.

Either way, I'm imagining someone with a laptop coming to my house, ripping down my camera, plugging the Ethernet cable into their laptop and copying or deleting all my files/pictures/tax documents, whatever.

Everyone always warns people to put a strong password on their WiFi; this is basically the same thing as leaving my WiFi wide open. Just instead of someone sitting in their car in front of my house, they're on top of a ladder at the camera I have on the back corner hidden area of my house.

I should have clarified. I'm not worried about them disabling my cameras, I'm worried about someone having direct access to my home network.
 

nayr · IPCT Contributor · Joined Jul 16, 2014 · Messages 9,329 · Reaction score 5,325 · Location Denver, CO
Why can anything on your network delete your pictures/tax documents or whatever without a login?

Like I said; what you're imagining is never gonna happen.. what's really going to happen is you're going to click on a link and get ransomware that encrypts all this data and then charges you a lot of money to decrypt it again.. because clearly anything on your network can just wreak havoc on your files, and you're the biggest security issue on the network.

Unless you're targeted by a government agency that scenario's not going to happen; because they'll be planting evidence to toss you in Gitmo.. if they want to do this, you're not gonna stop 'em with a lil network security.

If they break into your wifi they can sit in the safety of their car, or bedroom if it's a neighbor, and not be standing on top of a ladder with a laptop in their hand running a bunch of hacking tools trying to compromise your data.. if you ever find yourself in this situation with an idiot James Bond, just shoot the motherfucker.
 