Recommended security settings for Hikvision NVR and router

Mike Oz

n3wb
Hello everyone, I apologize if this has been covered before but I wanted to get some feedback. I want to lock down my NVR setup so I don't have security issues. My setup is actually an LTS NVR (rebranded Hikvision) connected to my Asus router, with LTS PoE cameras. The LTS NVR gets an IP from my Asus router. I run a VPN server on the router so I can access the NVR remotely by connecting to OpenVPN on my phone and then with NVMS7000. So, I don't use any port forwarding, as I understand that risk.

The other big concern I have is limiting outbound traffic from the NVR to the world. Are there any issues with blocking all outgoing traffic for the NVR? I just set this up (via a firewall rule, I blacklisted the IP's outgoing traffic to the WAN). Does the NVR need to make requests to fetch the time or anything else? I figure when I need to upgrade firmware on the router I'll need to temporarily disable this rule, but is it OK to leave on the rest of the time? I wanted to see if other people also "lock down" their NVRs and if it's a good idea. I know the security risk with cameras, but I'm thinking the NVRs are probably worth locking down as well?

Big thanks to anyone's input.

tmushy

Getting the hang of it
Don't think you can do this with ASUS routers. I personally run pfSense.
You can set up a VLAN and only allow your Hikvision on that network. I also use this for my IoT devices.

I would disable all port forwarding and use OpenVPN to access the NVR.

I see no harm in blocking outgoing traffic from the NVR to the world. The only thing it would need (not important) is connecting to an NTP time server to get the current time.

Another idea is you can set up a static IP address on the NVR (which is what you should be doing, not using DHCP to receive an address from the router). After setting up the static address you can remove the DNS server entries and leave them blank. This won't allow any access to the internet because it can't resolve any domain names.

Hikvision may have embedded Google DNS servers or use a direct IP address, but I doubt they have that set up. I do this on my units.

george dy

n3wb
I recently was told that the configuration my installer did for port forwarding of 80, 8000 and 8554/554 was wrong and insecure, but I'm not clear on how to set up the VPN on my local NVR and whether there are other requirements of the NVR, switches and router themselves.

I lost access to my NVMS7000 service recently and realized it was because the connection to 8554 was being "refused" or so canyouseeme.org was telling me. I believe that's the reason behind loss of remote feed. How do I handle this the right way?

NVR: HIKVISION NVR DS-7608NI-E2/8P 8CH PoE Embedded Plug & Play Network Video Recorder
Cameras: Hikvision 4MP DS-2CD2142FWD-I HD WDR IP Network Dome 2.8mm Lens
Switches: Unifi Switch 8
Router: EdgeRouter Lite

SouthernYankee

IPCT Contributor
@george dy
Use a VPN, never use port forwarding. The VPN should be set up in the router. I believe your router supports VPN; do an internet search on how to set it up.

@Mike Oz
With an ASUS router you can block any local device from communicating with the internet by using parental controls and blocking the device's MAC address.

I do NOT know if blocking the MAC address of the NVR will prevent it from communicating via the VPN. You will need to test this. Use a static IP address on the NVR.