Security question

dryfly

Getting the hang of it
Joined
May 25, 2015
Messages
258
Reaction score
46
I run a Hikvision NVR with several Hikvision cameras connected directly to the NVR. The NVR is connected to my home network so I can make modifications to NVR and camera settings. I do not remote access so I don't port forward. What are my current camera/network security risks? Is there a way an outside intruder could access my cameras or network in my current configuration? Any way to detect if the NVR or cameras are "phoning home" info?

I'm always interested in any means to beef up security on my network. Thanks,
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Confirm that UPnP is not enabled on the router. If enabled, it would open ports inbound when automatically requested by devices on the LAN such as IP cameras and NVRs.

Conduct inbound probes for open ports using a full port range scan with services such as GRC's ShieldsUp!
 

dryfly

> Confirm that UPnP is not enabled on the router. If enabled, it would open ports inbound when automatically requested by devices on the LAN such as IP cameras and NVRs.
>
> Conduct inbound probes for open ports using a full port range scan with services such as GRC's ShieldsUp!

Thanks for the info. UPnP is disabled in my router. I ran several of the tests in GRC ShieldsUp and everything looked good. I've never had any evidence that there is an issue on my system, but I'm looking for any way to be more secure. I know there is a lot of knowledge on this forum and I would be glad to hear any other suggestions.
 

DsineR

Getting comfortable
Joined
Mar 25, 2018
Messages
466
Reaction score
724
Location
FL
An easy way to secure your cams is to set up a dual LAN, isolating your cams & NVR from all other traffic.
Lots of info available here, search away for the details.
 

dryfly

> An easy way to secure your cams is to set up a dual LAN, isolating your cams & NVR from all other traffic.
> Lots of info available here, search away for the details.

I did a little research on this but not sure I understand. Would this be accomplished by adding a second NIC card to my computer, then routing the NVR to that 2nd card?

Currently I have the NVR going to the router. Apparently by going to a 2nd NIC it keeps camera traffic off the router and isolates it to the LAN. Right??
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
That would be correct. I did the dual NIC option after looking at all the options and feel it is probably the easiest thing to set up. You could also go the VLAN route, but some of those options require some additional knowledge or sweat equity to get it to work as intended.

I actually tested it first by running a network cable to a laptop as one IP address and used wifi as the 2nd NIC just to test - I would not recommend wifi as a permanent solution, but for testing, it allowed me to see how easy it was to set up.

You will need a router with OpenVPN to access the stuff outside of your home network.
 

dryfly

> You will need a router with OpenVPN to access the stuff outside of your home network.

Sorry, I don't understand. By using a 2nd NIC and creating a subnet, you would have to use OpenVPN to then access that subnet? You can see I don't know much about networking.
 

wittaj

You only need OpenVPN in order to VPN to your home network when away from home. You do not need OpenVPN while on the home network.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
If the cameras are connected to the RJ45 POE ports on the back of the NVR, they do not have access to the internet. The NVR is connected to the home network, so it has access to the internet through the router. Some routers allow you to use parental controls or other methods to block selected MAC addresses from the internet. So if the NVR is not to be accessed from the internet, block its MAC address in the router.

The second NIC will not be much use when using the NVR, unless you have only one device, the PC, that will access the NVR.
 

dryfly

My cameras are connected to the RJ45 POE ports on the back of the NVR. I'll check my router and see if I can block NVR MAC address. I appreciate your help.
 

alastairstevenson

> I'll check my router and see if I can block NVR MAC address.

If you do, you'll need to find an alternate route to a time source, unless the router firewall rules have some fine-grained capability to precisely allow access to an internet time source, or you have a time server on your house network.
 

dryfly

I'm running a TP-Link Archer C5 router and I think I successfully blocked the NVR using the "Access Control" settings. Don't know how to run a manual check.

I'm currently still showing correct time on the cameras. My NVR time setting is set to Manual Time Sync, not NTP>server address. Camera displayed times sync with the time specified by the NVR.
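
Added example, not part of any post in this thread: one way to manually check for "phoning home" and to confirm a router block is to list every flow a device sends to addresses outside the LAN. The CSV flow-log format, the 192.168.1.0/24 subnet and all addresses below are constructed assumptions; substitute whatever your router or a packet capture can export.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample flow log: timestamp,src,dst,proto,dst_port.
# All addresses are example values, not taken from the thread.
SAMPLE_LOG = """\
2024-01-01T10:00:01,192.168.1.64,192.168.1.1,udp,53
2024-01-01T10:00:02,192.168.1.64,203.0.113.10,tcp,443
2024-01-01T10:00:05,192.168.1.64,198.51.100.7,udp,123
2024-01-01T10:00:09,192.168.1.20,203.0.113.10,tcp,443
2024-01-01T10:01:02,192.168.1.64,203.0.113.10,tcp,443
2024-01-01T10:01:30,192.168.1.64,239.255.255.250,udp,1900
2024-01-01T10:02:00,192.168.1.64,not-an-ip,tcp,80
"""
BROADCAST = ipaddress.ip_address("255.255.255.255")

def outbound_flows(log_text, device_ip, lan="192.168.1.0/24"):
    """Count flows from device_ip to destinations outside the LAN."""
    lan_net = ipaddress.ip_network(lan)
    device = ipaddress.ip_address(device_ip)
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue
        _, src, dst, proto, dport = row
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip malformed lines instead of aborting the audit
        if s != device or d in lan_net:
            continue  # other devices, or traffic that stays on the LAN
        if d.is_multicast or d.is_link_local or d == BROADCAST:
            continue  # local discovery chatter (SSDP, mDNS) never leaves the LAN
        hits[(str(d), proto, port)] += 1
    return hits

def report(hits):
    """One line per destination; NTP is labelled because blocking it removes the time source."""
    lines = []
    for (dst, proto, port), n in sorted(hits.items()):
        note = " (NTP time sync)" if (proto, port) == ("udp", 123) else ""
        lines.append(f"{dst} {proto}/{port} x{n}{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(outbound_flows(SAMPLE_LOG, "192.168.1.64"))))
```

With the router block working, the report for the NVR's address should come back empty; any remaining line names a destination and port the block is not covering.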
 