PCI Compliance and authentication outside the network

Optimus Prime

Getting the hang of it
Joined
Sep 29, 2014
Messages
199
Reaction score
13
Does anyone have experience with installing systems that allow authentication outside the network for streams and retrieval? Our franchisees must pull a separate ISP circuit just for their cameras because we do not allow inbound connections on the managed network. Seems like all of their resellers and vendors are Hikvision rebrands and HikConnect is not getting the job done. The systems I’m finding that support this are prohibitively expensive vs a traditional IP cam installation.
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
483
Reaction score
308
Not clear what you're trying to do... If you have a second separate ISP connection then why not just run a second physically separate (air-gapped) network for the cams? Then you could run whatever you want. Or are you specifically looking for something that's not IP based? Can't imagine in that context you'd want anyone using a P2P-based system like HikConnect given security concerns.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
4,475
Reaction score
4,274
Location
Alabama
+1^^
No way could the PCI folks get heartburn over a physically separate IP camera network that is autonomous AND isolated from the Internet.
But then again, I have spoken with some of their personnel in charge of compliance that think a "firewall" is a great CGI effect created by Hollywood.
 

Optimus Prime

Getting the hang of it
Joined
Sep 29, 2014
Messages
199
Reaction score
13
Sorry, we’re looking for a solution where we don’t have to incur the cost of another
ISP. They already pay for 2 for the SD-WAN. As we’ve converted then to our managed network, they’ve had to bring another ISP to the building just for their cameras.
 

mikeynags

Pulling my weight
Joined
Mar 14, 2017
Messages
319
Reaction score
185
Location
CT - the tax you to death state
Talk to your compliance folks about segmentation via firewall. To @TonyR's point above, if you can prove that the networks are completely separated, and the auditors are OK with that, then you don't need the 2nd ISP. If the auditors want a separate network and that's the only way the will "pass" you in an audit, that's a tough business decision to make and one that's being "forced" on you.
 

Optimus Prime

Getting the hang of it
Joined
Sep 29, 2014
Messages
199
Reaction score
13
The IP based cameras require port forwarding for the franchisees to view their cameras from their phones and to retrieve footage. Port forwarding allows inbound connections which is the issue. In need to authenticate, view and retrieve without the inbound connections.
 

mikeynags

Pulling my weight
Joined
Mar 14, 2017
Messages
319
Reaction score
185
Location
CT - the tax you to death state
The IP based cameras require port forwarding for the franchisees to view their cameras from their phones and to retrieve footage. Port forwarding allows inbound connections which is the issue. In need to authenticate, view and retrieve without the inbound connections.
Any remote connectivity will require some semblance of inbound connectivity whether you are opening ports or installing a VPN. Not sure how you can avoid it. Have you spoken with your QSA or audit team on this? Do they understand the technical aspects of what they are telling you are the "requirements"?
 

Optimus Prime

Getting the hang of it
Joined
Sep 29, 2014
Messages
199
Reaction score
13
Here's an example of what they found appropriate. It is an IPVMS system. More than likely, it is always streaming out to a remote server, then you perform your authentication and retrievals from the remote server, thereby negating the need have persistent, inbound connections in the production network with the credit card system. And, all 170 locations can be managed and administered from a dashboard.

DW Spectrum IPVMS

Each version we have found of this is extremely expensive..either upfront all at once, or by a subscription method. there a way to set up the same kind of system using the normal cameras typically used by us on this site, have the remote enterprise style management for all locations, and not have to pay a third party recurring subscription fees?
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
483
Reaction score
308
And, all 170 locations can be managed and administered from a dashboard.
Not wanting to have the second ISP makes more sense. Lots of other questions and options given the answers but the above is what's going to kill most all of them. If that's what you need then really no alternative other than the enterprise-type systems with enterprise-type pricing. Integrating 170 locations times N cameras/location with centralized management/monitoring/troubleshooting/etc. likely will be somewhat of a challenge for a lot of them to do well. Beyond just having a bunch of locations/cams all on the same platform/cloud anyway.
 

Optimus Prime

Getting the hang of it
Joined
Sep 29, 2014
Messages
199
Reaction score
13
@Mike A. Thanks Mike. At "wholesale" rates, we can install a normal NVR system for $3000, $5,000 with all the bells and whistles. Something like Digital Watch-Dog starts at $7,500 per location.

I'd really like the enterprise system, but I'd need to get each location back to $3K - $5 for 10-16 cameras. I imagine the cameras have a lot higher intelligence electronics in them driving up the cost.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
31,379
Reaction score
10,330
@Mike A. Thanks Mike. At "wholesale" rates, we can install a normal NVR system for $3000, $5,000 with all the bells and whistles. Something like Digital Watch-Dog starts at $7,500 per location.

I'd really like the enterprise system, but I'd need to get each location back to $3K - $5 for 10-16 cameras. I imagine the cameras have a lot higher intelligence electronics in them driving up the cost.
Someone is jacking you. DW ipvms (which is simply rebranded network optix nxwitness, they are the north american distributor) is 70 dollars per camera in licensing. Less if you buy in volume. You dont need to use their cameras or the overpriced servers with old cpu's.
I also believe there is no fee for the nx cloud service, but you will have to check with DW on that.

4 licenses for 266 (login for price) Digital Watchdog4 Spectrum IPVMS Licenses
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
9,173
Reaction score
6,398
Location
USA
Hey, I think you should explore running a VPN server on a low-cost cloud virtual machine (you can get one from AWS or any number of other hosts for like $5-10 per month). Have the server with the VMS software connect to that VPN, and have it configured so that server gets a static IP on your VPN.

Then you can either have users connect to the same VPN to gain connectivity to the VMS, or run a reverse proxy server like nginx on your VPN server. Either way, you don't need to have any open ports on your "secure" network because you are moving the open port offsite.
 
Top