Security question

dryfly

Getting the hang of it
I have Hikvision cameras connected to POE ports on Hik NVR. On all cameras I've disabled uPNP, PNP, SSH. I access my system remotely using tunnel VPN via Asus router.

What other precautions am I missing? Is there an issue with the cameras or NVR "phoning home"?
 

SpacemanSpiff

Known around here
You could create a specific LAN --> WAN rule on your router to block all traffic from the IP address of the NVR. This will prevent the NVR from phoning home, but it will also prevent NVR time sync from contacting an internet time source.

This can be solved by hosting a time sync (NTP) server on one of your home computers and pointing the NVR to it.
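A local time source, as suggested above, lets the NVR stay off the internet without losing time sync. The following is an added example for this thread, not code from any poster or vendor: a minimal SNTP v4 server and client in Python (RFC 4330) that shows the request/reply an NTP client such as the NVR makes, and lets you confirm a LAN host answers before you repoint the NVR at it. The 127.0.0.1 bind address, the ephemeral port and stratum 10 are assumptions chosen so it runs offline; a real home time server would be chrony or ntpd listening on UDP 123 on the computer's LAN IP, with that IP entered in the NVR's NTP settings.

```python
"""Minimal SNTP v4 (RFC 4330) server and client.

Added example, not from the thread or any vendor. Bind address 127.0.0.1,
ephemeral port and stratum 10 are assumptions; a real LAN time server would
be chrony/ntpd on UDP 123 at the computer's LAN address.
"""
import socket
import struct
import threading
import time

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01


def to_ntp(unix_ts: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    secs = int(unix_ts) + NTP_UNIX_DELTA
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return struct.pack("!II", secs & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp(raw: bytes) -> float:
    secs, frac = struct.unpack("!II", raw)
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client packet: LI=0, VN=4, mode=3; transmit timestamp carries t1."""
    pkt = bytearray(48)
    pkt[0] = (4 << 3) | 3
    pkt[40:48] = to_ntp(t1)
    return bytes(pkt)


def build_response(request: bytes, t2: float, stratum: int = 10) -> bytes:
    """Server packet: echo the client's version, set mode=4, fill the timestamps."""
    if len(request) < 48 or (request[0] & 0x07) != 3:
        raise ValueError("not an SNTP client request")
    version = (request[0] >> 3) & 0x07
    pkt = bytearray(48)
    pkt[0] = (version << 3) | 4
    pkt[1] = stratum
    pkt[2] = request[2]               # poll interval echoed back
    pkt[3] = 0xEC                     # precision 2^-20 s (signed byte -20)
    pkt[12:16] = b"LOCL"              # reference ID: undisciplined local clock
    pkt[16:24] = to_ntp(t2)           # reference timestamp
    pkt[24:32] = request[40:48]       # originate = client's transmit (t1)
    pkt[32:40] = to_ntp(t2)           # receive timestamp
    pkt[40:48] = to_ntp(time.time())  # transmit timestamp (t3)
    return bytes(pkt)


def parse_response(resp: bytes, t1: float, t4: float) -> dict:
    """Validate the reply and compute clock offset and round-trip delay."""
    if len(resp) < 48 or (resp[0] & 0x07) != 4:
        raise ValueError("not an SNTP server reply")
    stratum = resp[1]
    if stratum == 0 or stratum > 15:
        raise ValueError("server not synchronised (kiss-o'-death or invalid stratum)")
    if resp[24:32] != to_ntp(t1):
        # The only built-in defence against an off-path spoofed answer.
        raise ValueError("originate timestamp mismatch: reply is not for our request")
    t2, t3 = from_ntp(resp[32:40]), from_ntp(resp[40:48])
    return {
        "stratum": stratum,
        "offset": ((t2 - t1) + (t3 - t4)) / 2,
        "delay": (t4 - t1) - (t3 - t2),
        "server_time": t3,
    }


def start_server(bind: str = "127.0.0.1", port: int = 0, stratum: int = 10) -> int:
    """Answer requests in a daemon thread; returns the port actually bound."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))

    def loop():
        while True:
            try:
                data, addr = sock.recvfrom(512)
                sock.sendto(build_response(data, time.time(), stratum), addr)
            except ValueError:
                continue  # ignore malformed or non-client packets
            except OSError:
                return    # socket closed

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1]


def query(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """One SNTP exchange against host:port, as the NVR would perform it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, port))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_response(data, t1, t4)


if __name__ == "__main__":
    p = start_server()
    print(query("127.0.0.1", p))
```

The client discards any reply whose originate field does not echo its own request; plain NTP has no other protection against a spoofed answer, so that check is worth keeping even on a home LAN. Once the NVR points at the local server, a request arriving from the NVR's address is also a quick confirmation that the LAN --> WAN block has not cut off the time source as well.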
 

Teken

Known around here
If and when you have more advanced network appliances in place, some of the following are industry best practices as they relate to management and security.

- Disable Ping: This should be used sparingly, as some capabilities and features rely on being able to ping a device, never mind knowing the NIC is active.

- MAC Filtering / Restriction: This will allow only the devices that have been registered in the system to have access to the network.

- DHCP Reservation: From a management point of view this ensures IP assignments and network changes can be pushed at will, anytime, without issues, and saves lots of time. An IP address is locked and assigned to an end device based on its MAC address.

- Subnet: Security devices should be on a completely different subnet, which at a high level prevents other devices from communicating with one another. If your firewall appliance has the ability to also restrict devices to only a specific subnet, this too increases security.

- VLAN: This allows you to virtually assign networking attributes to end devices within the infrastructure. At a high level this also isolates networks from one another while allowing defined or more network traffic to share the same port(s).

- Time: More advanced systems allow schedules to be applied that control when a person can access the network or enable / disable network traffic. This can be done via firewall rules, managed switch, managed PDU, or advanced router.

- Logging: Every device offers some kind of logging. All of the cameras should have, at minimum, access, failed attempts, lock out, and any verbose logging you deem necessary. At a high level a firewall appliance at the edge of the network would track all inbound / outbound connections. It's up to you to review the same and act upon the relevant threats.

- Ports: Managed switches allow you to disable ports, enforce logging, isolate, filter, and direct data flow. If you have 16 ports and all are wired but only 8 are used, do not connect the RJ-45 to those ports until ready to do so. A compromise is to disable the port through the switch. When the proper services are present and running you can enforce credential logging.

- QoS / DDoS: Both of these features allow you to manage bandwidth while reducing the impact of flooding of data on the network. Learn to use these features if present and apply them sparingly.

- Isolate: The first rule of security is isolation and operating locally. You've already broken the first rule, which is allowing remote access to the network. Regardless, the security video should run on its own isolated network separate from the main trusted network.

If there is ever a breach it will be limited to just the video security. This assumes you have network appliances running in parallel. If not, this will require compromise and a solid understanding of network security and how to implement the same.
 

dryfly

Getting the hang of it
SpacemanSpiff said:
You could create a specific LAN --> WAN rule on your router to block all traffic from the IP address of the NVR. This will prevent the NVR from phoning home, but it will also prevent NVR time sync from contacting an internet time source.
I turned on "disable internet access" for my NVR on the router. Will this accomplish the same thing you suggest?
 

dryfly

Getting the hang of it
Teken said:
Isolate: The first rule of security is isolation and operating locally. You've already broken the first rule, which is allowing remote access to the network. Regardless, the security video should run on its own isolated network separate from the main trusted network.
Thank you for all the info. A lot of it is above my knowledge but I'll do some research on how to accomplish.

As far as breaking first rule, I'm allowing remote access to my network/NVR only through a tunnel VPN. Doesn't this provide protection in the form of an encrypted path into my network?
 

Mike A.

Known around here
dryfly said:
I turned on "disable internet access" for my NVR on the router. Will this accomplish the same thing you suggest?
It should but I'm not sure that you'll still be able to reach the NVR via your VPN then. Have you tried from outside of your network?
 

SpacemanSpiff

Known around here
Mike A. said:
It should but I'm not sure that you'll still be able to reach the NVR via your VPN then. Have you tried from outside of your network?
NVR access should still work. However, as @Mike A. mentioned, you should always test the configuration to ensure you'll have NVR access when connected via VPN.
 

Mike A.

Known around here
It would not on an older Asus AC68U that I used. Which is why I asked. But not sure exactly what they're using and whether it might work differently. Likely not.

With the VPN, using the client isn't truly equivalent to receiving a local IP address for whatever remote device. On the Asus for example, using OpenVPN by default the client will be assigned an IP in the 10.8.0.x range. That IP then is routed from the tun/tap interface to the br0 interface and 192.168.x.x or whatever IP range is used internally. The block to Internet access is done at the firewall, which still sees the traffic as external. So it still blocks that even over the VPN.

There are some ways around that to permit certain traffic past using iptables and Merlin but more complicated. You also can toggle the block on/off by accessing the router first when you need access, but not very convenient. You can use the block effectively to restrict individual cams since generally you don't need to access them directly if using an NVR/BI/whatever that's accessible.
 
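Mike A.'s point above is about where the block lives: a device block is enforced in the router's forwarding path, and traffic between the NVR and a VPN client passes through that same path. The following is an added example for this thread, not code from the thread, from Asus or from Merlin. It models first-match evaluation of an iptables FORWARD chain and renders the equivalent rules, to show the difference between a blanket drop on the NVR's address and a drop scoped to the WAN interface. The interface names eth0 (WAN) and tun21 (OpenVPN server, the Asuswrt-Merlin default), the NVR address 192.168.1.10 and the client address 10.8.0.2 are assumptions; check `ip link` and `iptables -S FORWARD` on your own router before using the rendered lines in a firewall-start script.

```python
"""Why a per-device "block internet" rule can also cut off VPN clients.

Added illustration, not router code. Models first-match evaluation of the
iptables FORWARD chain, which both NVR->internet and NVR<->VPN-client traffic
traverse. Interface names are assumptions: eth0 = WAN, tun21 = OpenVPN server
(Asuswrt-Merlin default), br0 = LAN bridge. Addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    out_iface: str  # interface the router would forward it out of


@dataclass(frozen=True)
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    src: Optional[str] = None        # -s host or CIDR
    dst: Optional[str] = None        # -d host or CIDR
    out_iface: Optional[str] = None  # -o interface

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.out_iface and pkt.out_iface != self.out_iface:
            return False
        return True

    def to_iptables(self, position: int, chain: str = "FORWARD") -> str:
        """Render as an insert at a fixed position so list order == chain order."""
        parts = ["iptables", "-I", chain, str(position)]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.out_iface:
            parts += ["-o", self.out_iface]
        parts += ["-j", self.target]
        return " ".join(parts)


def forward_verdict(rules: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def render_script(rules: List[Rule]) -> str:
    """Lines for a Merlin firewall-start script (path and hook are assumptions)."""
    return "\n".join(r.to_iptables(i + 1) for i, r in enumerate(rules))


NVR = "192.168.1.10"  # constructed LAN address of the NVR
WAN_IF, VPN_IF = "eth0", "tun21"

# A device-level block that is not scoped to the WAN interface: every
# forwarded packet from the NVR is dropped, including replies to VPN clients.
BLANKET = [Rule("DROP", src=f"{NVR}/32")]

# Scoped alternative: drop only what would leave via the WAN, so the VPN
# subnet and the LAN still reach the NVR.
SCOPED = [Rule("DROP", src=f"{NVR}/32", out_iface=WAN_IF)]

PHONE_HOME = Packet(NVR, "8.8.8.8", WAN_IF)      # NVR -> internet
TO_VPN_CLIENT = Packet(NVR, "10.8.0.2", VPN_IF)  # NVR -> OpenVPN client (10.8.0.x as above)

if __name__ == "__main__":
    for name, rules in (("blanket", BLANKET), ("scoped", SCOPED)):
        print(name, forward_verdict(rules, PHONE_HOME), forward_verdict(rules, TO_VPN_CLIENT))
    print(render_script(SCOPED))
```

The scoped rule is the shape you would want if you script it yourself on a Merlin build. Whatever the stock "Block Internet Access" toggle does internally, the check is the same one the thread keeps returning to: from outside the LAN, confirm the NVR answers with the VPN up and does not answer with it down.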

dryfly

Getting the hang of it
Mike A. said:
It should but I'm not sure that you'll still be able to reach the NVR via your VPN then. Have you tried from outside of your network?
Yes, I tried it outside the network and I was able to access my NVR. I'm using an AC86U using OpenVPN.
 

Mike A.

Known around here
Hmmm... which Asus router? You really shouldn't be able to.

Can you block a cam and try to access that directly? Or are they all tied to the NVR?

Might check to make sure that UPnP didn't open up a port that you don't know about. If you turned off UPnP after, it will stop that going forward but won't remove any existing port forwards. Might test without the VPN to check. [ETA: Actually, now that I think about it, that shouldn't work either with it blocked.]

If it works and everything seems in order, then great. But again really shouldn't. By setting that toggle, you've told it to block that traffic. The VPN doesn't override that block. Or shouldn't anyway.
 

Teken

Known around here
dryfly said:
Thank you for all the info. A lot of it is above my knowledge but I'll do some research on how to accomplish.

As far as breaking first rule, I'm allowing remote access to my network/NVR only through a tunnel VPN. Doesn't this provide protection in the form of an encrypted path into my network?
As it relates to network security everything people do in life and business is a compromise of access, ease of use, and management. A person / business’s threat level is dictated by the environment they operate and work in.

This is known as attack surface.

You’re already further ahead when compared to 99% of the average consumers who know nothing about what a VPN is - never mind setting one up and using the same!

Regardless of the above, the information I provided earlier (there’s a lot more) reduces points of entry (attack surface) and should be applied whenever possible.

A VPN is just software and can be compromised at any time, and it only encrypts the two points of a connection and not the data within. Every major hardware vendor spanning A-Z has iterated and updated their VPN service within their appliances over the years not once, twice, but multiple times.

Why?!?

Breaches and holes in the existing software code.

If one looks at this from a 30K view, a network that has no outside connection to anything has literally zero possibility of being hacked.

If we add a single layer to this, which is running a separate and isolated network from the main one, the probability of a breach is now improbable. Add on the extra layers I noted up above of Port AAA, subnetting, MAC filtering, VLAN, Timing / Scheduling, No Ping, and others.

The improbable has now become near impossible without being on site.

When all of the above is managed with biometrics, 2FA, and strong and rotating passwords unique to each network device, coupled with antivirus and firewall at the service, edge, and every computer system.

System drives are all encrypted and password protected at the BIOS, OS, and application.

The Impossible, is close at hand vs a lack of imagination. Impossible simply takes longer!
 

SpacemanSpiff

Known around here
I've seen routers' VPN set-up vary. Last night I enabled VPN on a Nighthawk R700. Put a tick in the "enable VPN" box and hit save, nothing else to set. When I connect to the router from the internet, it sets my adapter's IP to the same scheme as the R700 LAN. Firewalls (FW) not for the typical home consumer (pfSense, SonicWall, etc.) are the opposite, much like what @Mike A. described yesterday. The VPN server service has its own network created for connecting clients, and it's routed to the LAN. Creating a rule to block the NVR IP from the WAN IP (or the WAN zone) will still allow the NVR to communicate with the VPN network (and its connected clients). Depending on the FW software, it may require an 'add route', or simply categorizing the VPN network in the "LAN zone" (aka a trusted network).

Regardless of which one OP is working with, thoroughly test any changes you make to ensure there is not a gaping hole in your set-up. As suggested earlier in the thread, confirm your PnP settings are disabled, confirm you are unable to access the NVR from a remote location without the VPN client connected.
 

dryfly

Getting the hang of it
SpacemanSpiff said:
Regardless of which one OP is working with, thoroughly test any changes you make to ensure there is not a gaping hole in your set-up. As suggested earlier in the thread, confirm your PnP settings are disabled, confirm you are unable to access the NVR from a remote location without the VPN client connected.
This thread is very interesting but I admit is way over my knowledge level in regards to networking. I don't have a clue as to how to test for "gaping holes" in my configuration, but would be willing to learn.

I did confirm the uPnP setting is off. On my client (iPhone) I turned off the OpenVPN app and was unable to access the NVR. Activated the OpenVPN app and was able to connect through the Hikvision app.
 

dryfly

Getting the hang of it
Mike A. said:
Hmmm... which Asus router? You really shouldn't be able to.

Can you block a cam and try to access that directly? Or are they all tied to the NVR?

Might check to make sure that UPnP didn't open up a port that you don't know about. If you turned off UPnP after, it will stop that going forward but won't remove any existing port forwards. Might test without the VPN to check. [ETA: Actually, now that I think about it, that shouldn't work either with it blocked.]

If it works and everything seems in order, then great. But again really shouldn't. By setting that toggle, you've told it to block that traffic. The VPN doesn't override that block. Or shouldn't anyway.

Router is AC86U. Cameras are all tied to NVR, so assume I would have to remove and tie to network to see if could be accessed directly.

Checked again. Enable UPnP = no. NVR setting: block internet access = on.

Everything does appear to be working correctly, but as you say, it shouldn't.
 

dryfly

Getting the hang of it
Teken said:
You’re already further ahead when compared to 99% of the average consumers who know nothing about what a VPN is - never mind setting one up and using the same!
Well, I hope so but still feel like a complete novice at home network security.

All of your comments are valuable and I wish I could intelligently discuss them. I'm not using my home network as a business, and while I'd like it to be as secure as possible, there's very little to be compromised in the event of an attack.

I keep all of my personal data in a VeraCrypt encrypted file with a very strong password. I guess unless someone was snooping while I had the encrypted file mounted, or unless a keystroke monitor was installed, I am pretty safe.
 

SouthernYankee

IPCT Contributor
On the Asus router, if you block the NVR IP / MAC address you will not be able to access it via the VPN.

If I block my BI PC MAC address it is no longer accessible for the VPN connection.

Test do not guess !
 

Mike A.

Known around here
Yeah, I've tried it on the AC86 too. That should not work if you have it blocked and don't have some other way set up to bypass.

Using OpenVPN vs PPTP?

Is there a diagnostics page in the NVR that you can try a ping or trace route or other simple way to try to access something outside of your network from it? I'm sure that it has mail and FTP but that's a lot to set up as a quick test. Does it still pull the time from whatever NTP server you're using? Anything that would reach out from the NVR would work as a simple test.

Any P2P set up for the NVR?

What happens if you try to access your NVR remotely without being logged into the VPN?

On the Asus under WAN > Virtual Server/Port Forwarding > Port Forwarding List do you see anything listed there? That shouldn't work either if blocked but should check for general purposes anyway.

Also for general security purposes on the Asus under Administration > System turn off if on any of: Enable Telnet, Enable SSH, and Enable Web Access from WAN. If you ever need to use any at some point you can toggle on and then off again when done. Also can disable IPv6 unless you have some need to use it. That will help eliminate things happening behind the scenes with IPv6 that may bypass IPv4 restrictions.
 

dryfly

Getting the hang of it
SouthernYankee said:
On the Asus router, if you block the NVR IP / MAC address you will not be able to access it via the VPN.

If I block my BI PC MAC address it is no longer accessible for the VPN connection.

Test do not guess !
I'm going to Network Map, clicking on the NVR, and enabling "Block Internet Access". I rebooted router just to make certain. What else do I need to do?

As far as testing, see my post # 13.

How can I try to access my NVR remotely without going through the VPN? Setting up something like port forwarding?
 

sebastiantombs

Known around here
Be aware that in Asus routers there's a "save" function when making changes like this that reboots the router WITH the changes. It may be off screen so scroll down a bit. If you change it, don't "save" the change and just reboot the setting will not change from the original setting.
 

Mike A.

Known around here
Yes, that's how it's done. Or you can do on another page under parental controls and DHCP I think but more complicated. Does the same thing either way. There should be a little red minus sign by the icon for that cam in the list if it's blocked.

You don't need and don't want to set up port forwarding. Just checking to see if it might be working that way inadvertently. It shouldn't.

Try this:
  • Phone WiFi disabled (or however otherwise you're accessing it remotely disconnected from local network)
  • VPN on
  • In browser, try connecting to the local IP of the NVR and port. e.g., 192.168.1.10:80

Whatever the correct internal IP and port for the NVR's http interface. Not using the Hikvision app.
 
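The test Mike A. lays out (off the local network, VPN on, browser to the NVR's LAN IP and port) and SouthernYankee's "test, do not guess" can be scripted so it is repeatable after every router change. The following is an added example, not code from the thread: a small Python TCP probe that reports open / closed / timeout for the NVR's ports and compares the result with what you expect when the VPN is up (reachable) and down (not reachable). The NVR address and ports are supplied on the command line; the 127.0.0.1 listener inside the block only stands in for the NVR so the probe can be exercised offline, and the port numbers in the help text are common defaults, not a claim about your unit.

```python
"""Reachability check for the "test, do not guess" step.

Added example, not from the thread. Run from a device outside the LAN twice:
with the VPN connected the NVR's ports should be "open"; with it disconnected
nothing may be "open". Host/ports are placeholders you supply.
"""
import argparse
import socket


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' (connection refused), 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:  # alias of TimeoutError on Python 3.10+
        return "timeout"
    except OSError:
        return "unreachable"


def expectation_met(result: str, vpn_connected: bool) -> bool:
    """VPN up: the NVR must answer. VPN down: anything but 'open' is the safe outcome."""
    return result == "open" if vpn_connected else result != "open"


def audit(host: str, ports, vpn_connected: bool, timeout: float = 3.0) -> dict:
    """Probe each port and list the ones whose result violates the expectation."""
    results = {p: tcp_probe(host, p, timeout) for p in ports}
    violations = [p for p, r in results.items() if not expectation_met(r, vpn_connected)]
    return {"results": results, "violations": violations, "ok": not violations}


def start_local_listener(host: str = "127.0.0.1"):
    """Stand-in for the NVR so the probe can be exercised offline. Returns (port, close)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv.getsockname()[1], srv.close


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="probe NVR ports with and without the VPN")
    ap.add_argument("host", help="NVR LAN IP with the VPN up, your public IP with it down")
    ap.add_argument("ports", nargs="+", type=int,
                    help="ports to test, e.g. 80 443 554 8000 (common Hikvision defaults)")
    ap.add_argument("--vpn", action="store_true", help="set when the VPN client is connected")
    args = ap.parse_args()
    report = audit(args.host, args.ports, args.vpn)
    for port, result in report["results"].items():
        print(f"{args.host}:{port} -> {result}")
    print("OK" if report["ok"] else f"UNEXPECTED on ports {report['violations']}")
```

Run it from a phone hotspot or another outside connection: `python3 probe.py 192.168.1.10 80 8000 --vpn` with the VPN connected, then `python3 probe.py <your public IP> 80 8000` with it disconnected. Any "open" in the second run means something other than the VPN is letting traffic in, and the port-forwarding list and UPnP state Mike A. mentions are the first places to look.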