Segregating our networked IP cameras

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,990
Location
Megatroplis, USA
I know a little bit about a lot of things, but one thing I don't know is how to best segregate the 24 IP cameras which run on our LAN. In addition, 3 of our LAN local Win10 workstations need to use @bp2008's Better BI Viewer to view these cameras. We have a dedicated Win10 BI "video server" on our LAN which runs BI 4.4.x. We also have 1 Win10 workstation in Maine and 1 in Indiana which use Better BI Viewer to stream the 24 cameras (we have 5 static IP addresses, 1 of which is assigned to the BI video server).

So what advice do you have for a guy who knows a little bit but can devote some time to changing this setup so that it is right?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
If you're running BI servers the simplest way is to simply dual-home the BI servers: put all the cameras on their own switches on one interface, then the LAN on the other.

Run TimeSyncTool on your BI Server so your cameras have a local NTP Server.

Simple is good; it's harder to fuck up simple. This way only BI is exposed to your LAN, but at least it gets software updates and can run antivirus.
 

c hris527

Known around here
Joined
Oct 12, 2015
Messages
1,795
Reaction score
2,093
Location
NY
Agreed, @nayr. I never mix a large amount of IP cameras with PC network traffic. If I plan a job with more than say 3 cameras they will go on their own switch or use an NVR that has its own subnet. I usually have to infringe on other IT gurus' networks and you would think I was asking for their first born. I like to keep my stuff separate and in some cases if it means having to run all new Cat 6 or 5e then so be it. I personally do not use BI but the network planning would be the same. Q, if you have a way to get those cameras off your data network then do it. I have lucked out in a few cases and have found a building was upgraded to Cat 6 and the installers left all the Cat 5e in the walls and ceilings and re-used that. What a gift that was. What kind of switches do you have now and what does the landscape look like to easily separate the cameras from the data?
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,990
Location
Megatroplis, USA
Thanks fellas. I'm going to need some help to do this and please excuse my ignorance. I set up our current network scheme myself, and it runs great without issues, but I'm certain it could be more secure.
  1. We've got 22 IP cameras running on a 24-port Netgear FS728TP PoE switch. The dedicated Blue Iris server is also running on this switch.
  2. The Netgear FS728TP PoE switch is connected to our 48-port Cisco Catalyst 2950 switch.
  3. We have approximately 12 Avaya IP phones running on the Cisco Catalyst 2950 switch.
  4. We have 3 servers running on the Cisco Catalyst 2950 switch.
  5. 1 of those servers is a Win2003 RDP server (which is bad bad bad I know, but we presently need to do this).
  6. We have approximately 10 workstations running on the Cisco Catalyst 2950 switch.
  7. We have 2 Avaya IP phones (1 in Indiana and 1 in Maine) which connect to our LAN by way of a VPN connection.
  8. We connect our LAN to the Internet by way of a Cisco PIX 515e firewall.
  9. In a few weeks the current PIX 515e will be replaced with a Cisco ASA 5506-X firewall.
  10. Our Avaya IP Office phone system has its own Internet connection which is separate and distinct from the 100/30 service our ISP provides. The Avaya IP Office system is connected to the 48-port Cisco Catalyst 2950 switch (where it connects to the phones). BTW, every IP Office phone has its own dedicated Cat5e run from the phone to the Catalyst 2950 switch.
  11. I'm thinking that I need to segregate my cameras AND segregate my phones from our LAN, but I'm clueless how to segregate these devices from our LAN while at the same time MAINTAINING CONNECTIVITY between the BI server and the phone system.
As I wrote before, everything runs great without issues, but it's readily apparent that it's inherently insecure.

I'm not too comfortable documenting our topology here, but I need some help getting this right. I will edit and remove this information after we're done.

Thanks a million guys!
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,990
Location
Megatroplis, USA
A few more notes: we have a Linksys WRT54GS v4 acting as an access point providing anyone with the WPA pre-shared key access to our LAN. Yikes! This is very bad, I know. I need to replace this access point with a segregated guest network.
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,990
Location
Megatroplis, USA
One more note: Our ISP provides us with a block of five (5) static IP addresses. I probably only need 1 or 2 static IP addresses. What I'd like to do is set up 2 or 3 distinct networks using several old Cisco 515e firewalls I have in my possession and use 1 of these static IP addresses to connect each network to our ISP but I have NO IDEA if this is even possible, let alone how to do it.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,422
Reaction score
3,656
Put 2 NICs in the Blue Iris server... cams connect to one, the rest of the network to the other (basically what nayr said earlier).
Disconnect the Netgear switch from the rest of the network.
 

c hris527

Known around here
Joined
Oct 12, 2015
Messages
1,795
Reaction score
2,093
Location
NY
One more note: Our ISP provides us with a block of five (5) static IP addresses. I probably only need 1 or 2 static IP addresses. What I'd like to do is set up 2 or 3 distinct networks using several old Cisco 515e firewalls I have in my possession and use 1 of these static IP addresses to connect each network to our ISP but I have NO IDEA if this is even possible, let alone how to do it.
It is possible, but every ISP has a different way of doing it. I would contact them for guidance. I have never had the need, but on your behalf I talked to a trusted guru today about how to configure that. He said this: sometimes the ISP will take care of the routing issues through their system. Other times it's up to the end user through the supported router to adjust the routing table, NAT, DMZ, bla bla, and then he mentioned DD-WRT can do this and lost me on second base when his cell phone cut out. So I hope I gave you a glimmer of hope, but as he said, best ask your ISP first and go from there.
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
Why put two NICs in the BI server? Are you going to use Windows Firewall? I would put the cameras and server on their own subnet that runs into a port on the firewall, then another port goes to the computers, and a third for the phones unless they run through another device (I think you said they have their own internet). Then you can block and allow everything in the firewall; if the BI server needs to talk to the phones, just create an allow rule that says this one machine can talk to this subnet or whatever. As long as BI and the cameras are on their own switch, all of that traffic will stay there even if it's on the same subnet as everything else, because that's just how switches work. The only reason I'd put two NICs in the BI server is if I was going to bond those two ports together to get more bandwidth to the server.

Sent from my Nexus 6P using Tapatalk
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
Most people don't have multi-interface routers; they usually have a LAN side and a WAN side.

Broadcast traffic doesn't care what your IP is; you have to physically isolate switches or use virtual LANs. Running two subnets on a single dumb switch provides no security. You want your cameras reachable from the LAN, but you don't want the cameras able to talk to the internet or directly to LAN devices.

The BI server acts as a bridge between the two networks. Usually you configure the camera network statically unless you run a DHCP server in Windows and carefully bind it to the right interface.
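The two schemes above (hmjgriffon's firewall with a port per zone and an allow rule for the one BI-to-phones path, and nayr's dual-homed BI server bridging an otherwise isolated camera switch) enforce the same policy in different places. Below is an added example, not code from the thread or from Blue Iris, that writes that policy down as an ordered rule list with a default deny and checks the flows that matter before anything is deployed. All addresses, the zone names, the BI server host and the port 81 viewer port are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan for this example; the thread never gives real addresses.
ZONES = {
    "cameras": ipaddress.ip_network("192.168.50.0/24"),  # camera switch (and BI's camera-side NIC)
    "lan":     ipaddress.ip_network("192.168.10.0/24"),  # workstations and servers
    "phones":  ipaddress.ip_network("192.168.20.0/24"),  # Avaya phones and IP Office
}
BI_SERVER = ipaddress.ip_address("192.168.50.10")  # assumed BI server address
BI_WEB_PORT = 81                                   # assumed port the BI viewers connect to
NTP_PORT = 123


def zone_of(ip: ipaddress.IPv4Address) -> str:
    """Map an address to its zone; anything outside the three zones is 'internet'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str             # zone name, "any", or "host:<ip>" for a single machine
    dst: str
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None = any
    action: str          # "allow" or "deny"

    @staticmethod
    def _side_matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
        if spec == "any":
            return True
        if spec.startswith("host:"):
            return ip == ipaddress.ip_address(spec[len("host:"):])
        return zone_of(ip) == spec

    def matches(self, src, dst, proto, port) -> bool:
        return (self._side_matches(self.src, src)
                and self._side_matches(self.dst, dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


BI = f"host:{BI_SERVER}"

# Ordered policy: first match wins, and anything unmatched is dropped.
POLICY = [
    Rule("lan",      BI,         "tcp", BI_WEB_PORT, "allow"),  # local viewers -> BI web server
    Rule("internet", BI,         "tcp", BI_WEB_PORT, "allow"),  # Maine/Indiana viewers -> BI (forwarded port)
    Rule("cameras",  BI,         "udp", NTP_PORT,    "allow"),  # cameras take time from BI (TimeSyncTool)
    Rule(BI,         "cameras",  "any", None,        "allow"),  # BI pulls the camera streams
    Rule(BI,         "phones",   "any", None,        "allow"),  # the one BI <-> phone-system path
    Rule(BI,         "internet", "any", None,        "allow"),  # software updates, antivirus
    Rule("lan",      "internet", "any", None,        "allow"),
    Rule("phones",   "internet", "any", None,        "allow"),
    # no rule lets cameras reach the LAN or the internet, so those fall to the default deny
]


def permitted(src: str, dst: str, proto: str = "tcp", port: Optional[int] = None) -> bool:
    """Evaluate one flow (initiating direction) against POLICY with an implicit final deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in POLICY:
        if rule.matches(s, d, proto, port):
            return rule.action == "allow"
    return False


def isolation_report() -> dict:
    """The flows worth checking before deploying: cameras must be reachable only via BI."""
    cam, ws, phone = "192.168.50.21", "192.168.10.34", "192.168.20.7"  # constructed hosts
    outside = "198.51.100.9"                                            # constructed remote address
    bi = str(BI_SERVER)
    return {
        "camera_to_internet": permitted(cam, outside, "tcp", 443),
        "camera_to_lan":      permitted(cam, ws, "tcp", 445),
        "internet_to_camera": permitted(outside, cam, "tcp", 80),
        "lan_to_camera_web":  permitted(ws, cam, "tcp", 80),
        "lan_to_bi_web":      permitted(ws, bi, "tcp", BI_WEB_PORT),
        "remote_to_bi_web":   permitted(outside, bi, "tcp", BI_WEB_PORT),
        "bi_to_phones":       permitted(bi, phone, "tcp", 5060),
        "camera_ntp_to_bi":   permitted(cam, bi, "udp", NTP_PORT),
    }


if __name__ == "__main__":
    for flow, ok in isolation_report().items():
        print(f"{flow:20s} {'ALLOW' if ok else 'DENY'}")
```

The model only holds if the zones really are separate broadcast domains (separate switches, or VLANs on the Catalyst with the firewall or the dual-homed BI box as the only crossing point); a rule list on a firewall does nothing for two subnets sharing one dumb switch. Whichever device enforces it, the report is the checklist to run after configuring it: the four camera flows must come back denied and the three BI flows allowed.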
 

j4co

Pulling my weight
Joined
Jan 17, 2016
Messages
502
Reaction score
175
Location
The Netherlands
One more note: Our ISP provides us with a block of five (5) static IP addresses. I probably only need 1 or 2 static IP addresses. What I'd like to do is set up 2 or 3 distinct networks using several old Cisco 515e firewalls I have in my possession and use 1 of these static IP addresses to connect each network to our ISP but I have NO IDEA if this is even possible, let alone how to do it.
Most likely these 5 usable addresses come from a /29 prefix (6 usable) where the ISP has one IP and you have 5 available.
The PIX can sit on the WAN side in this /29 subnet and would need to use at least 1 IP address to communicate on. But it will have the other 4 available there also.

You can use for example PAT/NAT from 5 different inside address ranges to these 5 outside addresses and overload them.
So multiple hosts can be reachable from the outside per one of these 5 /32 prefixes.

Remember that not all protocols like NAT. Cisco will have a list of which protocols are supported, and if you know your traffic you can see if it matches.

Your ISP should be able to advise you on this.

I think there is no need to deploy other firewalls behind this one.
One dot1q link from the firewall to your main Cisco switch and you can separate traffic into different VLANs and route via the firewall if needed (not everyone will like routing on a firewall, but it can work).
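The /29 arithmetic and the one-public-address-per-inside-range plan j4co describes, worked through with Python's `ipaddress` module as an added example (not j4co's or the thread's code). The 203.0.113.0/29 block is a documentation placeholder standing in for the ISP's real prefix, the inside ranges are constructed, and the assumption that the ISP keeps the first usable address as its gateway is mine; confirm that with the ISP, as the thread advises.

```python
import ipaddress
from typing import Dict, Union

Inside = Union[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed values: TEST-NET-3 stands in for the ISP's real block, and the inside
# ranges are assumptions for the example, not the poster's actual addressing.
ISP_BLOCK = ipaddress.ip_network("203.0.113.0/29")   # a /29 as j4co suggests: 6 usable hosts
INSIDE = {
    "lan":        ipaddress.ip_network("192.168.10.0/24"),  # many hosts -> one public address (PAT)
    "bi_server":  ipaddress.ip_address("192.168.50.10"),    # one-to-one, so remote viewers can reach it
    "guest_wifi": ipaddress.ip_network("192.168.30.0/24"),  # the segregated guest network Q mentioned
}


def as_network(obj: Inside) -> ipaddress.IPv4Network:
    """Treat a single host as a /32 so networks and hosts can be checked alike."""
    if isinstance(obj, ipaddress.IPv4Network):
        return obj
    return ipaddress.ip_network(f"{obj}/32")


def customer_addresses(block: ipaddress.IPv4Network, isp_gateway_index: int = 0):
    """Split the usable hosts into the ISP's gateway (assumed: the first usable) and the rest."""
    hosts = list(block.hosts())
    gateway = hosts.pop(isp_gateway_index)
    return gateway, hosts


def plan_nat(block: ipaddress.IPv4Network = ISP_BLOCK,
             inside: Dict[str, Inside] = INSIDE) -> dict:
    """Assign one public address per inside range: PAT for networks, static NAT for single hosts."""
    gateway, free = customer_addresses(block)
    if len(inside) > len(free):
        raise ValueError(f"{len(inside)} inside ranges but only {len(free)} public addresses")
    translations = {}
    for (name, obj), public in zip(inside.items(), free):
        net = as_network(obj)
        if not net.is_private:
            raise ValueError(f"{name}: inside range {net} is not RFC 1918 space")
        if net.overlaps(block):
            raise ValueError(f"{name}: inside range {net} collides with the ISP block")
        translations[name] = {
            "inside": str(obj),
            "outside": str(public),
            "type": "static" if net.prefixlen == 32 else "pat",
        }
    return {
        "isp_gateway": str(gateway),
        # the firewall's own outside interface address; it doubles as the first PAT address
        "firewall_outside": str(free[0]),
        "translations": translations,
        "spare": [str(a) for a in free[len(inside):]],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan_nat(), indent=2))
```

The output is a worksheet for the PIX/ASA NAT statements rather than the configuration itself: one public address is consumed by the firewall's interface and the PAT overload for the main LAN, a second is the static one-to-one mapping for the BI server (with only the viewer port opened inbound), and the rest stay spare. Before putting the phone system behind any of these translations, check the firewall vendor's list of NAT-supported protocols as j4co notes; SIP carries addresses inside its messages and is the usual casualty.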
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,990
Location
Megatroplis, USA
Here are network diagrams of (1) our current configuration and (2) a scheme to isolate the current mess into three (3) separate physical LAN/WANs. Be kind...these are the first -- and most likely the last -- network diagrams I've created. Any and all comments are welcomed!...
 


j4co

Pulling my weight
Joined
Jan 17, 2016
Messages
502
Reaction score
175
Location
The Netherlands
That seems possible.
My work is in L3 routing with large Cisco devices with M-BGP over MPLS.

I will ask a firewall colleague Monday.
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
Most people don't have multi-interface routers; they usually have a LAN side and a WAN side.

Broadcast traffic doesn't care what your IP is; you have to physically isolate switches or use virtual LANs. Running two subnets on a single dumb switch provides no security. You want your cameras reachable from the LAN, but you don't want the cameras able to talk to the internet or directly to LAN devices.

The BI server acts as a bridge between the two networks. Usually you configure the camera network statically unless you run a DHCP server in Windows and carefully bind it to the right interface.
Yes, but I was commenting on his specific setup and he has a Cisco firewall, which has more than one interface. :)
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
Most likely these 5 usable addresses come from a /29 prefix (6 usable) where the ISP has one IP and you have 5 available.
The PIX can sit on the WAN side in this /29 subnet and would need to use at least 1 IP address to communicate on. But it will have the other 4 available there also.

You can use for example PAT/NAT from 5 different inside address ranges to these 5 outside addresses and overload them.
So multiple hosts can be reachable from the outside per one of these 5 /32 prefixes.

Remember that not all protocols like NAT. Cisco will have a list of which protocols are supported, and if you know your traffic you can see if it matches.

Your ISP should be able to advise you on this.

I think there is no need to deploy other firewalls behind this one.
One dot1q link from the firewall to your main Cisco switch and you can separate traffic into different VLANs and route via the firewall if needed (not everyone will like routing on a firewall, but it can work).

Router-on-a-stick works too if you want to have more than one VLAN on the switch; I thought he said everything had its own dedicated switch, heh.
 

j4co

Pulling my weight
Joined
Jan 17, 2016
Messages
502
Reaction score
175
Location
The Netherlands
Yes, that PIX can do a dot1q connection over 1 cable to the switch. This then contains all the VLANs you need to go outside, or want connectivity to from another VLAN.

I worked only once with a PIX, and that was years ago, and I did not really like it.

Privately I use a pfSense firewall. There it is quite simple to do the inside routing with rules. But I do not have such an advanced ISP connection. (Simple oversubscribed 500/500 fiber subscription.)
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
Yes, that PIX can do a dot1q connection over 1 cable to the switch. This then contains all the VLANs you need to go outside, or want connectivity to from another VLAN.

I worked only once with a PIX, and that was years ago, and I did not really like it.

Privately I use a pfSense firewall. There it is quite simple to do the inside routing with rules. But I do not have such an advanced ISP connection. (Simple oversubscribed 500/500 fiber subscription.)
That's funny, I'm running OpenBSD at home with PF; I wanted more customization than pfSense gave. :)
 

j4co

Pulling my weight
Joined
Jan 17, 2016
Messages
502
Reaction score
175
Location
The Netherlands
Off topic, but OpenBSD and FreeBSD are not that different I guess.
Firewalls are not my job, so the GUI is good enough for me..
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
Off topic, but OpenBSD and FreeBSD are not that different I guess.
Firewalls are not my job, so the GUI is good enough for me..
Nope, but there were various things. PF is cool; it's based on FreeBSD, but their version of PF is old. But I tried it and liked it, and I would recommend it to people who aren't super nerdy, though you still need to be decently nerdy. OpenBSD is similar, but it's built for security from the ground up and secure by default, and it's still pretty easy to use. I just wanted to use certain things set up a certain way and couldn't do it with pfSense. They both work fine though. OpenBSD is so stable I never have to touch it, and when I do, I have to refresh myself because it's been so long since I worked with it, lol. Actually I decided to just use it as the NTP server for my cameras, so I'm gonna mess with that later today or sometime this weekend.
 