Securing cameras

Discussion in 'Cyber Security' started by cam26, Mar 4, 2019.

  1. cam26

    cam26 Young grasshopper

    Joined:
    Jan 21, 2019
    Messages:
    61
    Likes Received:
    7
    Location:
    USA
    Good evening guys,

    So my network is all set up and locked down tight with my router in bridged mode to an Asus 1900 and a VPN to remotely connect to my network while off the LAN.

    My Dahua cams came in today and my next step is securing them on my network so they cannot be accessed by anyone outside of it. From everything I've read in the Wikis/Primer, I believe I have to either 1) set up a VLAN (which I believe is outside my networking abilities) or 2) change the IPs of the cameras to something outside my network range so they'll work with BI but not be able to be viewed outside of that program.

    Am I thinking correctly and, if so, is it as simple as changing the 3rd and 4th sets of digits in the camera's IP to something different than my network's?
     
  2. pozzello

    pozzello Getting comfortable

    Joined:
    Oct 7, 2015
    Messages:
    1,441
    Likes Received:
    384
    If you've already got your router blocking all access into your LAN (except for via the VPN), then you are all set, in terms of coming in from outside.

    You do want to make sure, though, that your cams are not making outbound connections (unless you want them to, of course.)
    This can be done in your router by specifying a range of IPs not allowed to go out to the internet and then putting all your cams in that IP range.
    Also, make sure you have UPnP disabled in your router to prevent the cams opening ports allowing access from outside.

    Then you can also make sure your cams all have UPnP disabled, as well as any 'cloud' services they may try to contact.
    If the cams were previously allowed to open ports via UPnP, you may need to reboot your router to clear those previously opened ports.

    VLANs can also be used (if your switch and/or router support it,) but are more to prevent access between the cams and other machines on your LAN (not outside)...
     
    handinpalm, cam26 and mat200 like this.
  3. cam26

    cam26 Young grasshopper

    Joined:
    Jan 21, 2019
    Messages:
    61
    Likes Received:
    7
    Location:
    USA
    @pozzello awesome, thanks. I do have UPnP disabled through the router, but I'll have to make sure I do that through the cams, too.

    Would setting each cam to have its own static IP be helpful?

    Having trouble figuring out where that setting is to limit outbound connections from certain IPs on my router. I'll have to do some digging.
     
  4. SouthernYankee

    SouthernYankee IPCT Contributor

    Joined:
    Feb 15, 2018
    Messages:
    1,170
    Likes Received:
    562
    Location:
    Houston Tx
    If you have an Asus router you can use the parental controls to block the camera MAC address 24 hours a day from the internet.

    On BI you can install an additional NIC card. So the BI PC has 2 NIC cards. One NIC is connected to your home network and the ASUS router. The other NIC card is connected to a switch that is connected to the cameras. Your cameras can only be accessed from the BI PC.
     
    Last edited: Mar 4, 2019
    gotcoffee and cam26 like this.
  5. cam26

    cam26 Young grasshopper

    Joined:
    Jan 21, 2019
    Messages:
    61
    Likes Received:
    7
    Location:
    USA
    Thanks @SouthernYankee, I'll check out parental controls. Making note of all the MAC addresses now.

    NIC card sounds like a goal to attain. I'll have to do that, just to be safe.
     
  6. J Sigmo

    J Sigmo Known around here

    Joined:
    Feb 5, 2018
    Messages:
    582
    Likes Received:
    545
    I currently use the parental controls in my Asus router to block various IP devices from accessing the internet. Not only cameras, but printers, Programmable Logic Controllers and their distributed I/O brains, and other gadgets are better off being blocked from direct internet access.

    And this means that I have more devices that I want to block than the parental controls feature in the router allows me to define.

    @pozzello mentioned that you could set aside a range of IP addresses and block that entire range. That would be a method that would let me block plenty of devices and get past the limit in the Parental Controls. I wonder if @pozzello could describe how to go about setting this up, or point me to a tutorial or instructions for this feature. It sounds like a good way to block more addresses.
     
    handinpalm and cam26 like this.
  7. pozzello

    pozzello Getting comfortable

    Joined:
    Oct 7, 2015
    Messages:
    1,441
    Likes Received:
    384
    Depends on your router and the features it presents in the UI, but on my (OpenWrt Netgear) unit,
    it's under the firewall/restrictions tab, where there are controls for allowing specific IPs or ranges
    to go out to (or be blocked from) specific ports at any (or specific) times of day.
    Poke around in your router's UI and see if there is such a feature or equivalent...

    Best practice is to give your cams specifically assigned IPs (in the cam GUI), or your DHCP may some day get reset
    and renumber everything. Yes, DHCP clients typically will be reassigned the same IP as last time,
    but if the server loses track (or you replace your router serving DHCP), it might renumber things not statically assigned, causing havoc...
     
    cam26 likes this.
  8. J Sigmo

    J Sigmo Known around here

    Joined:
    Feb 5, 2018
    Messages:
    582
    Likes Received:
    545
    Yes, I have all devices except phones, tablets, and other wireless devices assigned fixed IP addresses in my system. The address range I have assigned to DHCP is quite small, actually, and everything else uses a fixed IP address. It's a lot more robust and a lot easier to administer things if you get as much as you can on fixed IP addresses. The programmable automation controllers I use won't even allow you to set them up as DHCP.

    I'm using an Asus RT-AC68U router. I do see a "network services filter" menu, and this might work. I need to read up on how to use this, though, and it does have a limit of 32 entries in the data table. If one entry can cover a range of addresses, and/or I can whitelist only those devices that I want to allow to have internet access, perhaps this will work. I just wish the "parental controls" allowed me to restrict more devices. It's easy to use.

    Edit to add: I just read the tiny bit of information on setting up the Network Services Filter in the manual, and that didn't tell me as much as the UI itself does! I need to do a bit of searching online for a better description.
     
    Last edited: Mar 5, 2019
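The fixed-address advice in the two posts above (keep the DHCP pool small, put cameras and other fixed gear outside it) is easy to get subtly wrong on a router GUI, so here is an added example, not code from the thread or from any router vendor, that checks an address plan before it is typed into the cameras. The subnet, DHCP pool and device list are constructed for the example; it also flags a camera numbered into a different subnet, which is what the original question in this thread contemplated, because such a camera is unreachable from BI rather than hidden.

```python
"""Check a fixed-address plan for cameras against the DHCP pool.

Added example, not code from the thread. The subnet, pool and device
list below are constructed for the example.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List


def validate_plan(lan: str, dhcp_start: str, dhcp_end: str,
                  fixed: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is sound.

    Flags fixed addresses that sit inside the DHCP pool (the router may
    hand the same address to a phone one day), duplicates, the network
    and broadcast addresses, and addresses outside the LAN (a camera
    numbered into a different subnet is unreachable from BI, not hidden).
    """
    net = ip_network(lan)
    lo, hi = ip_address(dhcp_start), ip_address(dhcp_end)
    problems: List[str] = []
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"DHCP pool {lo}-{hi} is not a valid range inside {net}")
    owners: Dict[str, str] = {}          # address -> first device that claimed it
    for name, addr in fixed.items():
        a = ip_address(addr)
        if a not in net:
            problems.append(f"{name}: {a} is outside {net}")
        elif a in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {a} is the network or broadcast address")
        elif lo <= a <= hi:
            problems.append(f"{name}: {a} lies inside the DHCP pool {lo}-{hi}")
        if str(a) in owners:
            problems.append(f"{name}: {a} is already assigned to {owners[str(a)]}")
        else:
            owners[str(a)] = name
    return problems


# Constructed sample plan: a small DHCP pool for phones and laptops,
# everything else fixed. Three entries are deliberately wrong.
SAMPLE_LAN = "192.168.1.0/24"
SAMPLE_POOL = ("192.168.1.100", "192.168.1.150")
SAMPLE_FIXED = {
    "bi-pc":      "192.168.1.10",
    "printer":    "192.168.1.20",
    "cam-front":  "192.168.1.64",
    "cam-back":   "192.168.1.65",
    "cam-garage": "192.168.1.120",   # inside the pool: will collide some day
    "cam-side":   "192.168.1.64",    # duplicate of cam-front
    "cam-shed":   "192.168.2.66",    # wrong subnet: BI cannot reach it
}


def sample_problems() -> List[str]:
    """Run the validator over the constructed sample plan."""
    return validate_plan(SAMPLE_LAN, *SAMPLE_POOL, SAMPLE_FIXED)


if __name__ == "__main__":
    for line in sample_problems() or ["plan is sound"]:
        print(line)
```

Run it against your own list before changing anything on the cameras; an empty result means every fixed address is inside the LAN, outside the pool, and unique.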
  9. looney2ns

    looney2ns IPCT Contributor

    Joined:
    Sep 25, 2016
    Messages:
    6,460
    Likes Received:
    4,576
    Location:
    Evansville, Indiana
    How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk
     
    mat200 and cam26 like this.
  10. Whoaru99

    Whoaru99 Pulling my weight

    Joined:
    Dec 22, 2018
    Messages:
    423
    Likes Received:
    158
    Location:
    Here
    Bear in mind if you want your cams to send you email notification of motion alerts, etc., you cannot have the cams totally blocked. Need to allow at least TLS / port 587, possibly DNS / port 53, and maybe NTP / port 123 if you want their time sync kept accurate.
     
  11. pozzello

    pozzello Getting comfortable

    Joined:
    Oct 7, 2015
    Messages:
    1,441
    Likes Received:
    384
    Or run internal services for that.
    Point cam DNS (port 53) to your router, not some server in the cloud.
    Run an NTP server (port 123) on your BI machine or on your router, if it supports it.
    Etc...
     
    handinpalm likes this.
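The egress policy the thread has converged on (cams may talk to the LAN, where the router answers DNS and the BI PC serves NTP, may reach the mail provider on 587 for alerts, and nothing else) is a short ordered rule table, and the order is the part people get wrong. The following is an added example, not code from the thread or from any router firmware: it models that table as first-match-wins rules, the way iptables/nftables and most router "network services filter" tables behave, and evaluates some constructed sample flows under the correct order and under the same rules with the block listed first. All addresses are constructed for the example; the mail relay sits in a documentation range.

```python
"""Egress policy for camera IPs, modelled as an ordered rule table.

Added example (not code from the thread or from any router vendor).
Router firewalls evaluate rules top-down, first match wins, so an allow
placed after a broad block is never reached. All addresses below are
constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addressing (assumption): the LAN, the camera block inside it,
# the router running a DNS forwarder, the BI PC running NTP, and the mail
# provider's submission server (TEST-NET-3 documentation range).
LAN = ip_network("192.168.1.0/24")
CAMS = ip_network("192.168.1.64/27")        # cameras live in .64 - .95
MAIL_RELAY = ip_network("203.0.113.25/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]   # "tcp", "udp", or None for any protocol
    dport: Optional[int]   # destination port, or None for any port
    action: str            # "allow" or "block"

    def matches(self, src: IPv4Address, dst: IPv4Address,
                proto: str, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.proto in (None, proto)
                and self.dport in (None, dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int,
             default: str = "allow") -> Tuple[str, str]:
    """First matching rule decides; 'default' models a home router that
    otherwise forwards LAN traffic to the internet freely."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, dport):
            return rule.action, rule.name
    return default, "default"


# Correct order: specific allows first, then the broad block.
GOOD_POLICY = [
    Rule("cams-to-lan", CAMS, LAN, None, None, "allow"),
    Rule("cams-smtp-submission", CAMS, MAIL_RELAY, "tcp", 587, "allow"),
    Rule("cams-block-internet", CAMS, ANY, None, None, "block"),
]

# Same three rules with the block listed first: every allow below it is dead.
BACKWARDS_POLICY = [GOOD_POLICY[2], GOOD_POLICY[0], GOOD_POLICY[1]]

# Constructed sample flows from a camera (.70) and, for contrast, a laptop (.200).
FLOWS = {
    "video-to-bi":     ("192.168.1.70", "192.168.1.10", "tcp", 554),
    "dns-to-router":   ("192.168.1.70", "192.168.1.1", "udp", 53),
    "ntp-to-bi":       ("192.168.1.70", "192.168.1.10", "udp", 123),
    "smtp-alert":      ("192.168.1.70", "203.0.113.25", "tcp", 587),
    "dns-to-cloud":    ("192.168.1.70", "8.8.8.8", "udp", 53),
    "cloud-p2p-https": ("192.168.1.70", "198.51.100.9", "tcp", 443),
    "laptop-https":    ("192.168.1.200", "198.51.100.9", "tcp", 443),
}


def check_policy(rules: List[Rule]) -> Dict[str, str]:
    """Return the verdict ("allow"/"block") for every sample flow."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in (("good order", GOOD_POLICY), ("block first", BACKWARDS_POLICY)):
        print(label)
        for name, verdict in check_policy(policy).items():
            print(f"  {name:16} {verdict}")
```

Under the good order the camera reaches BI, the router's DNS, the BI PC's NTP and the mail relay, while cloud DNS and the vendor's P2P service are blocked and the laptop is untouched; with the block listed first the same camera loses its mail alerts and NTP too, which is the "logic backwards" symptom reported later in this thread.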
  14. handinpalm

    handinpalm Pulling my weight

    Joined:
    Sep 21, 2016
    Messages:
    211
    Likes Received:
    145
    Location:
    Tampa Bay FL
    I too have more clients than Asus routers can block w/ parental controls. Evidently, ASUS only uses 1 byte (16) of info to track these clients. That is a downfall for ASUS. I looked into the network service filters and saw where many people on other forums had problems with it, from not working to having the logic backasswards. The GUI does not let you set ranges of IP addresses for filtering from the internet. Hopefully they come out w/ a new router that supports more client filtering, or a firmware update. Firmware may not help if hardware limited. In the meantime I filter the highest priority clients.
     
    J Sigmo likes this.
  16. lifeatredline

    lifeatredline Getting the hang of it

    Joined:
    Jul 4, 2016
    Messages:
    69
    Likes Received:
    44
    Location:
    Kansas
    Sounds like a good reason to turn the Asus into an access point and put an EdgeRouter in front of it.

    Sent from my SM-S767VL using Tapatalk
     
  17. J Sigmo

    J Sigmo Known around here

    Joined:
    Feb 5, 2018
    Messages:
    582
    Likes Received:
    545
    And here, I thought the Asus unit was all I'd ever need. ;)

    What model of EdgeRouter would you recommend? This hobby is as bad as photography or shooting! And as with the others, the forums are quite "enabling"!
     
    bigredfish likes this.
  18. lifeatredline

    lifeatredline Getting the hang of it

    Joined:
    Jul 4, 2016
    Messages:
    69
    Likes Received:
    44
    Location:
    Kansas
    I use the EdgeRouter "X" model; it has done well as my main home router and at a few other locations for me. The routing capacity steps up to insane levels with more expensive models, and the PoE capabilities are expanded. You're unlikely to need more than the X in home and SOHO settings.