New house, new network setup advice.

cmx (n3wb), Nov 9, 2024, NJ
I will be using a Ubiquiti Dream Machine SE and 15 IP cameras with BI. In the past I always used a VLAN, but I wonder if it is even necessary, as I have multiple PoE switches and it gets to be a lot to deal with remembering which port the cameras' PoE switch is using across multiple buildings.

Before I did VLANs, I would just enter the IP of each camera into the firewall and block it from getting outside. I thought it was easier for me :)

Thoughts?
 
That works as far as traffic out. Unsolicited traffic in should be blocked by default as long as you don't open things up. But that doesn't segregate the cams/IoT stuff from the rest of your network. Not absolutely necessary, but much better. Depends on your risk tolerance and how much isolation you feel like you need/want.

Alternatively, you could also do a separate physical network with two NICs in the BI server, which is fairly simple. But that (typically) doesn't cover all of the other IoT devices that most of us have, which I kind of fear more than the cams as far as that goes, since much of it needs outside connections and inside access to work for whatever purpose, so it's harder to just completely isolate.
 
I use IoT devices, and as you said, most of them you can't isolate or they will not work.

I am not sure how an IP camera can get a virus, malware, etc. if it has no way to connect to the internet. Unless you flashed some infected firmware to it, but even then any info it collects cannot be sent, as it has been blocked by the firewall.

Unless the camera can access other devices on your network and use them to send out info; is that possible?
 
These cams are effectively little Linux boxes with a lot of communications and other functionality that you're dropping inside of your network. So, at least potentially, they can do lots of things. The firmware that comes with them, while likely not directly infected with something, is kinda suspect to start with and should be treated pretty much as it is. I've seen them search neighboring addresses for other gateways out and use lists of hard-coded DNS and other hosts when they can't connect (disregarding any settings), I recall a post here showing a cam attempting to spoof its MAC address to try to get access out, they can access UPnP services if it happens to be left on, they're capable of further propagating vulnerabilities originating from other internal devices, etc., etc. Most of this isn't intended to be malicious; rather, generally, it's just someone trying to make the cam work wherever it might be dropped in. But it could be. So best practice is to try to isolate things to minimize potential unforeseen risk, however that might happen.
 
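A defender-side check for the behaviours described in the post above (hard-coded DNS, hunting for other gateways, UPnP) as an added example that is not from the thread: it audits constructed firewall flow lines for camera traffic that should never appear once the cameras are blocked at the router. The camera subnet, Blue Iris address, resolver address and log layout are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed addressing for this example (not from the thread): cameras on
# 192.168.50.0/24, Blue Iris on 192.168.10.5, router resolver on 192.168.10.1.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
CAM_NET = ipaddress.ip_network("192.168.50.0/24")
BI_SERVER = ipaddress.ip_address("192.168.10.5")
LOCAL_DNS = ipaddress.ip_address("192.168.10.1")

# Constructed sample in a made-up "src dst proto dport" layout; a real
# router export needs its own field parser, but the checks are the same.
SAMPLE_LOG = """\
192.168.50.11 192.168.10.5 tcp 554
192.168.50.11 8.8.8.8 udp 53
192.168.50.12 198.51.100.7 tcp 443
192.168.50.13 192.168.10.1 udp 53
192.168.50.14 192.168.10.2 tcp 80
192.168.50.14 192.168.10.3 tcp 80
192.168.50.14 192.168.10.4 tcp 80
192.168.50.14 192.168.10.6 tcp 1900
"""


def is_local(ip):
    return any(ip in net for net in LOCAL_NETS)


def audit_camera_flows(log_text, sweep_threshold=3):
    """Return (camera, finding, detail) tuples for camera-originated flows
    that a blocked/isolated camera should never produce."""
    findings = []
    internal_peers = defaultdict(set)  # camera -> internal hosts it touched
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if src_ip not in CAM_NET or dst_ip == BI_SERVER:
            continue  # only camera traffic; flows to the recorder are expected
        if port == 53 and dst_ip != LOCAL_DNS:
            findings.append((src, "hard-coded/non-local DNS", dst))  # ignoring DHCP settings
        elif not is_local(dst_ip):
            findings.append((src, "egress attempt", f"{dst}:{port}/{proto}"))
        else:
            internal_peers[src].add(dst)
            if port == 1900:
                findings.append((src, "UPnP/SSDP contact", dst))
    for cam, peers in internal_peers.items():  # many distinct LAN hosts = gateway hunting
        if len(peers) >= sweep_threshold:
            findings.append((cam, "internal sweep", f"{len(peers)} hosts"))
    return findings
```

Any finding here is a camera that is either not fully blocked or is probing the LAN, which is exactly the case where a VLAN (rather than per-IP egress rules alone) limits the blast radius.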
For most, a VLAN is probably simpler. For me the issue is I have multiple buildings at varying distances from the house.

For example.

In the barn there are 6 cameras and a PoE switch, and only one cable coming back to the switch in the house.

The original owner did every building this way. I guess they did it so they would only have to bury one cable instead of 6.

I'm not sure of a better way to do it.
 
Yes, if you have hardware that supports it and understand how it works and how to set it up, then in a case like yours, where you have mixed things on a series of single cables, the VLAN would be the easier way.

As I said, it all comes down to your risk tolerance and how much trouble you think it's worth. It's better to segregate things, but most run flat networks with everything all together, so you certainly wouldn't be alone in doing it. Blocking things at the router and using a VPN for access will cover the biggest risks.