PCI Compliance and authentication outside the network

Discussion in 'Networking' started by Optimus Prime, Jun 11, 2019 at 11:31 PM.


  1. Optimus Prime

    Optimus Prime Getting the hang of it

    Joined:
    Sep 29, 2014
    Messages:
    175
    Likes Received:
    8
    Does anyone have experience with installing systems that allow authentication outside the network for streams and retrieval? Our franchisees must pull a separate ISP circuit just for their cameras because we do not allow inbound connections on the managed network. Seems like all of their resellers and vendors are Hikvision rebrands and HikConnect is not getting the job done. The systems I’m finding that support this are prohibitively expensive vs a traditional IP cam installation.
     
  2. Mike A.

    Mike A. Pulling my weight

    Joined:
    May 6, 2017
    Messages:
    391
    Likes Received:
    215
    Not clear what you're trying to do... If you have a second separate ISP connection then why not just run a second physically separate (air-gapped) network for the cams? Then you could run whatever you want. Or are you specifically looking for something that's not IP based? Can't imagine in that context you'd want anyone using a P2P-based system like HikConnect given security concerns.
     
    TonyR likes this.
  3. TonyR

    TonyR IPCT Contributor

    Joined:
    Jul 15, 2014
    Messages:
    3,484
    Likes Received:
    3,202
    Location:
    Alabama
    +1^^
    No way could the PCI folks get heartburn over a physically separate IP camera network that is autonomous AND isolated from the Internet.
    But then again, I have spoken with some of their personnel in charge of compliance that think a "firewall" is a great CGI effect created by Hollywood.
     
  4. Optimus Prime

    Optimus Prime Getting the hang of it

    Joined:
    Sep 29, 2014
    Messages:
    175
    Likes Received:
    8
    Sorry, we’re looking for a solution where we don’t have to incur the cost of another ISP. They already pay for 2 for the SD-WAN. As we’ve converted them to our managed network, they’ve had to bring another ISP to the building just for their cameras.
     
  5. mikeynags

    mikeynags Young grasshopper

    Joined:
    Mar 14, 2017
    Messages:
    50
    Likes Received:
    22
    Location:
    CT - the tax you to death state
    Talk to your compliance folks about segmentation via firewall. To @TonyR's point above, if you can prove that the networks are completely separated, and the auditors are OK with that, then you don't need the 2nd ISP. If the auditors want a separate network and that's the only way they will "pass" you in an audit, that's a tough business decision to make and one that's being "forced" on you.
     
  6. Optimus Prime

    Optimus Prime Getting the hang of it

    Joined:
    Sep 29, 2014
    Messages:
    175
    Likes Received:
    8
    The IP based cameras require port forwarding for the franchisees to view their cameras from their phones and to retrieve footage. Port forwarding allows inbound connections, which is the issue. I need to authenticate, view and retrieve without the inbound connections.
     
  7. mikeynags

    mikeynags Young grasshopper

    Joined:
    Mar 14, 2017
    Messages:
    50
    Likes Received:
    22
    Location:
    CT - the tax you to death state
    Any remote connectivity will require some semblance of inbound connectivity whether you are opening ports or installing a VPN. Not sure how you can avoid it. Have you spoken with your QSA or audit team on this? Do they understand the technical aspects of what they are telling you are the "requirements"?
     
  8. Optimus Prime

    Optimus Prime Getting the hang of it

    Joined:
    Sep 29, 2014
    Messages:
    175
    Likes Received:
    8
    Here's an example of what they found appropriate. It is an IPVMS system. More than likely, it is always streaming out to a remote server, then you perform your authentication and retrievals from the remote server, thereby negating the need to have persistent, inbound connections in the production network with the credit card system. And, all 170 locations can be managed and administered from a dashboard.

    DW Spectrum IPVMS

    Each version we have found of this is extremely expensive, either upfront all at once, or by a subscription method. Is there a way to set up the same kind of system using the normal cameras typically used by us on this site, have the remote enterprise style management for all locations, and not have to pay a third party recurring subscription fees?
     
  9. Mike A.

    Mike A. Pulling my weight

    Joined:
    May 6, 2017
    Messages:
    391
    Likes Received:
    215
    Not wanting to have the second ISP makes more sense. Lots of other questions and options given the answers but the above is what's going to kill most all of them. If that's what you need then really no alternative other than the enterprise-type systems with enterprise-type pricing. Integrating 170 locations times N cameras/location with centralized management/monitoring/troubleshooting/etc. likely will be somewhat of a challenge for a lot of them to do well. Beyond just having a bunch of locations/cams all on the same platform/cloud anyway.
     
  10. Optimus Prime

    Optimus Prime Getting the hang of it

    Joined:
    Sep 29, 2014
    Messages:
    175
    Likes Received:
    8
    @Mike A. Thanks Mike. At "wholesale" rates, we can install a normal NVR system for $3,000, $5,000 with all the bells and whistles. Something like Digital Watch-Dog starts at $7,500 per location.

    I'd really like the enterprise system, but I'd need to get each location back to $3K - $5 for 10-16 cameras. I imagine the cameras have a lot higher intelligence electronics in them driving up the cost.
     
  11. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    30,214
    Likes Received:
    9,338
    Someone is jacking you. DW IPVMS (which is simply rebranded Network Optix Nx Witness, they are the North American distributor) is 70 dollars per camera in licensing. Less if you buy in volume. You don't need to use their cameras or the overpriced servers with old CPUs.
    I also believe there is no fee for the nx cloud service, but you will have to check with DW on that.

    4 licenses for 266 (login for price): Digital Watchdog 4 Spectrum IPVMS Licenses
     
  12. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    8,420
    Likes Received:
    5,372
    Hey, I think you should explore running a VPN server on a low-cost cloud virtual machine (you can get one from AWS or any number of other hosts for like $5-10 per month). Have the server with the VMS software connect to that VPN, and have it configured so that server gets a static IP on your VPN.

    Then you can either have users connect to the same VPN to gain connectivity to the VMS, or run a reverse proxy server like nginx on your VPN server. Either way, you don't need to have any open ports on your "secure" network because you are moving the open port offsite.
     
    fenderman likes this.
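The outbound-only design bp2008 describes (and the "always streaming out to a remote server" pattern from post 8), written out as an added example that is not from the thread or any product: three WireGuard configurations, assuming WireGuard as the VPN (the post does not name one), a constructed 10.99.0.0/24 VPN subnet, and placeholder keys and hub hostname.

```ini
# --- Cloud VM (hub): /etc/wireguard/wg0.conf ---
# The only host with a public listener (allow UDP 51820 in on the VM only).
# Assumed addresses: hub 10.99.0.1, on-site VMS 10.99.0.10, phone 10.99.0.50.
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <HUB_PRIVATE_KEY_PLACEHOLDER>
PostUp = sysctl -w net.ipv4.ip_forward=1   # needed to relay phone <-> VMS

# On-site VMS server. The hub accepts only the VMS's own VPN address from this
# peer, so the tunnel cannot become a route into the rest of the store LAN.
[Peer]
PublicKey = <VMS_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.99.0.10/32

# Franchisee's phone. Same /32 rule; it reaches 10.99.0.10 through the hub.
[Peer]
PublicKey = <PHONE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.99.0.50/32

# --- On-site VMS server: /etc/wireguard/wg0.conf ---
# No ListenPort and no port forward on the managed network: this side only
# sends outbound UDP to the hub. PersistentKeepalive keeps the NAT/firewall
# state open so the hub can reach back through the already-established flow.
[Interface]
Address = 10.99.0.10/24
PrivateKey = <VMS_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <HUB_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.invalid:51820        # placeholder hub hostname
# Route only the VPN subnet through the tunnel, never 0.0.0.0/0.
AllowedIPs = 10.99.0.0/24
PersistentKeepalive = 25

# --- Franchisee phone (WireGuard app) ---
[Interface]
Address = 10.99.0.50/24
PrivateKey = <PHONE_PRIVATE_KEY_PLACEHOLDER>

[Peer]
PublicKey = <HUB_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.invalid:51820
# The phone can reach only the VMS address, not the hub's other peers.
AllowedIPs = 10.99.0.10/32
PersistentKeepalive = 25
```

For the reverse-proxy variant in the same post, nginx on the hub would proxy to 10.99.0.10 over wg0 (with its own TLS and authentication), and the phone section above is then not needed. The VMS host itself still has no listening port exposed on the managed network in either variant.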