Set up the most "secure" system possible

LapZ

n3wb
Joined
Oct 9, 2021
Messages
8
Reaction score
3
Location
Denmark
A year ago I bought a Hikvision system because I thought I was a genius doing it. After a lot of reading I can see the issues with the security, so I never got around to setting it up. I'm not a networking guy, but I'm now trying to do something about it.
My NVR is DS-2CD2386G2-ISU/SL, and I have a Hik switch, model no. dDS-3E03189-E/M(b).

I have a normal router from my ISP with a dynamic IP.

Here it comes: what would you guys do to get the cams up and running and off the interweb? Should I buy a pfSense router and more switches? Which ones are needed?

I should have a gigabit connection. I just tested it, but that was not the case, so I will call the ISP about that issue.

Hope you guys can help me in the right direction. Thanks :)
 

jmhmcse

Pulling my weight
Joined
Dec 30, 2018
Messages
211
Reaction score
129
Location
usa
the "most" secure camera installation would be one that has no connection to the internet; none.

as for what a mostly secure camera installation could consist of, well that depends on your current level of technology (windows, IP, firewalls, routers, VPN) experience. if you work in the technology sector then a more-complex (read more-secure) installation would be possible. if terms like PORT, RSA, network mask, network address, gateway, DROP, ALLOW, DNS, DDNS are not in your vocabulary then perhaps a less-complex but still secure installation is the correct choice. and then there is everyone's enemy, co$t.

of course, a lot depends on the urgency; must have ASAP or build over time and the goal of the installation; home security, home protection, or watching wildlife in the back yard.

you'll need to provide a bit more information of your background and purpose before suggestions might be offered.

one last comment, everyone will lend a hand with answers to questions (provided you've done your best to read the WIKI to ensure it's not already answered) as well as troubleshooting and installation/configuration issues. these are all friendly, YMMV, responses.

your actual installation is for you to design, implement, and maintain.

welcome to the forums.
 
Joined
Apr 21, 2021
Messages
16
Reaction score
3
Location
cali
How can one view footage from an app if the device isn't connected to the internet?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,550
Location
USA
> How can one view footage from an app if the device isn't connected to the internet?
It can only be viewed locally on a monitor hooked up to the device, or connected to a router without internet connection to it (most people don't realize and are shocked that a wifi router still works without internet connection - obviously you cannot communicate with the outside world and look at websites and stuff, but you can "talk" to other devices on the network if you set it up that way.)
 

jmhmcse

> How can one view footage from an app if the device isn't connected to the internet?
that was my point.... the MOST secure system doesn't have a connection to the internet. you can still view/see cameras through apps, UI3, desktop, etc on the LOCAL (non-WWW-connected LAN)

There is always some level of possible-breach as soon as you introduce a connection between the WWW and your LAN. Yes, rely on devices that are to block intruders; though these too are subject to security holes that may be exploited. We accept this and move on.

A major issue arises as soon as you purposely allow some one/app to access your LAN from the outside (WWW). Without the proper understanding, individuals may simply open a port to obtain access to a camera, server, NAS, game server etc. Simple yes, but VERY dangerous! (NEVER OPEN ANY UNSECURED PORT)

If you want/need to access your LAN remotely, then know what you are risking and make all possible efforts to minimize those risks. And that returns me to the original request "how to set up the most secure system possible". the most-secure system will not be connected to the router (i.e. WWW).

Presuming that remote access was a requirement, I then asked how familiar LapZ was with technology, specifically networking. Depending upon their response would dictate what options to pursue. If he/she is knowledgeable then a pfsense installation would be a very good choice; if not, then a more traditional implementation using a VPN capable router would be a better (for them) choice.

Either choice can provide a solution which provides remote access and can be managed to have as low as possible risk factor.

====

Sorry to have gone off the deep-end... Allowing remote access into one's LAN should not be taken lightly, nor should it take a network engineer to accomplish. (though it would definitely help)
 

LapZ

Big thanks to jmhmcse. Sorry about the English. Getting older :)

Well, I must admit my tech skillz are Windows based. But my interest grows day by day learning Linux and networking, but man, where to start. So I play around with YouTube, learning, VirtualBox, Kali, Ubuntu to get into the world of new knowledge, and I do this now because I bought these damn cams :) haha. But I like it.
But playing around learning new tricks is a whole other level when it comes to setting up a pfSense router and a secure home network. I think it is too much for me in one go; this takes time and money spent on devices I don't understand from the get-go. Don't get me wrong, I would go after learning these skillz in the future.

But right now I need my security cams up and running so I can watch my dog eating cat poo in the garden and go yell at him, because now he probably has lungworms once again, and I have to collect 3 poo samples on 3 separate days, keep the poo cool and deliver the samples to the vet, who confirms that he is a poo eater in front of other people and we can all laugh. Good dog. What a world we live in today :)

Okay, back on track: I like the idea of running the system offline, only to access from home. But wait, sometimes it would come in handy if I had the possibility to connect from the outside if somebody trespasses, mostly cats. And UPS, GLS, throwing my orders around my garden for fun. I use VPN on all my devices now. So I need a way to do this without inviting the whole world into my life.. :)
I just got into iVMS-4200 and I struggle with the networking part because of my lack of understanding of the basics around networking.
So as I understand from your advice: start small at low cost and keep it simple and, most of all, secure.

I'm thinking of setting up the system offline and using my big ass TV monitor to have fun. And maybe trying out a VPN capable router. (Any suggestions?)
I'm thinking about building an insulated box in the attic with fresh air from my house going in with fans and blowing the heat back into the house again. I really don't like background noise, and of course this is also a matter of security.

I will probably have a lot of questions, but I feel that I am in good hands in here.

PS: I have wildcams that motion detect and send pics and video already, so I will only connect to the security system from the outside if something is really off.

And now I will go and read the WIKI, have a nice day :)
 

LapZ

A little update.

I tried to register and install the NVR via AcuSense only (no internet connected at all). Strange things happened. Like when trying to type a password, it was like someone else hit random buttons all the time. I tried to remove the keyboard from the equation; it continued. Changed mouse; it continued. Followed the settings till the end with the passwords the NVR ended up choosing for me :) and I had no control at all. Nothing worked, no cams worked, I couldn't hit settings, turn off the device and so on.. I think I have a slight issue with the NVR itself :) I think I have to return it and let the provider take a look at it. haha
Maybe I will film the process at the weekend and upload it. This is strange ;)
 

Griswalduk

Known around here
Joined
Mar 30, 2021
Messages
1,088
Reaction score
2,043
Location
Uk
Nvr set up should be done with a monitor and mouse connected directly to the NVR. Besides a monitor and probably a HDD everything should be in the box to get you going.

Once this is done you can progress to adding switches / cameras 1 at a time and then using fancier stuff like acusense.

Please bear in mind I'm not sure what AcuSense is, as I'm more used to setting up a Dahua NVR, but I'm pretty sure it will complicate things at this stage.

Good luck
 

Griswalduk

Hik Acusense = Dahua AI IVS
I still haven't set up IVS rules on my 5216 NVR. Bad me lol.

I notice the original poster also mentioned having a keyboard plugged in. My initial set up was completed using a mouse and on screen keyboard.

I don't think NVRs play nice with USB keyboards.
 

jmhmcse

ahh, kali. i too recently came across this version of linux; very interesting! keep expanding your skills, regardless of age, is ALWAYS fun and rewarding. linux, networking, cameras... what could go wrong?

i've installed a roll-your-own configuration of PC+BI, unmanaged switch, and wired cameras rather than a NVR. sorry, I can't assist you with those types of questions.

my $0.02 (0.14DKK)

for future expansion; what router to acquire... it depends.

there are lots of good manufacturers to choose from (ASUS, LinkSys, NetGear, TP-Link, etc) and they all have various levels of performance capabilities. the more features and capabilities, the higher the purchase price.

the one must or highly desirable feature is the capability of running a VPN* upon the router itself. whether you want/need wireless capability from the router is another major factor of which router to acquire. I've had good luck with LinkSys in the past, but my current router is an older ASUS that is no longer manufactured. I went to ASUS due to its capabilities/features/cost, likely the same decision points that most of us choose one item over another.

On the ASUS it is a very simple and well documented process to configure the router to host a VPN service for inbound (from WWW to LAN) connections.

*this VPN is the one that is configured on the router and typically uses OpenVPN client to connect to the router from the WWW (public wi-fi hot spots, mobile cellular, etc). This is not a VPN service that you buy and install on your computer or mobile.
 

eeeeesh

BIT Beta Team
Joined
Jan 5, 2017
Messages
402
Reaction score
672
I went with the pfSense route a couple of years ago and have been very pleased. I even bought a device that has 6 separate ports so I could use physical networks instead of virtual. So hardwired cams are on their own physical network, and with pfSense you actually have to create rules to allow other networks (other than the first) to get through pfSense to anywhere, so it has been very secure for what I want.

This is what I am running pfSense on (although I bought it direct from the manufacturer in China on Ali Baba pre Covid, the savings is not as much now)

 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,375
Reaction score
2,735
Location
USA
As everyone has noted, the first step in creating a secure camera network is making sure the outside world cannot access your network (i.e. no open unsecure ports). If you need to access the network from the outside, you need to use a VPN connection. These are free connections that you generally host on your network router/firewall device.

The second step is ensuring your camera devices cannot access the internet from within your network. There are a few ways of accomplishing this, but long story short - you don't want your cameras (or other IoT devices) reaching out to some unknown server in some unknown country, and passing an unknown amount of information back to "the mother ship."

The third step in creating a secure camera network is limiting access to the cameras on your network. Not every device on your local network should be able to "see" and communicate with your camera system. The only devices that should be allowed to access the camera setup are those few devices that you plan on using for viewing/playback. This step is often overlooked by people, but certainly helps contribute to a secure network.

In the end, you should segment your network and isolate "like" devices and only allow communication when appropriate. I don't let my IoT devices talk to my cameras, or my main computers, or my PBX phone system, or vice versa.
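
An added example, not part of the post above or of any product's configuration: the three steps modeled as a default-drop rule table in Python and run over constructed flow records to show which connections such a policy would block. The subnets, the viewer address, the router's WAN address and UDP 1194 as the VPN port are assumptions.

```python
import ipaddress

# Constructed address plan (assumption, not taken from the thread).
ZONES = {
    "cameras": ipaddress.ip_network("192.168.50.0/24"),  # cameras and NVR
    "iot":     ipaddress.ip_network("192.168.40.0/24"),
    "lan":     ipaddress.ip_network("192.168.1.0/24"),   # trusted PCs
    "vpn":     ipaddress.ip_network("10.8.0.0/24"),      # clients after VPN login
}
ROUTER_WAN = ipaddress.ip_address("203.0.113.10")  # documentation-range address
VIEWERS = {ipaddress.ip_address("192.168.1.20")}   # the few devices used for viewing
VPN_PORT = ("udp", 1194)                           # assumed OpenVPN listener

def zone_of(addr):
    """Map an address to its segment; anything unknown is the internet."""
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def decide(src, dst, proto, port):
    """Return 'allow' or 'drop' for a new connection routed by the firewall."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s, d = zone_of(src), zone_of(dst)
    # Step 1: from outside, only the VPN listener on the router is reachable.
    if s == "internet":
        ok = dst == ROUTER_WAN and (proto, port) == VPN_PORT
        return "allow" if ok else "drop"
    # Step 2: cameras never initiate traffic beyond their own segment.
    if s == "cameras":
        return "allow" if d == "cameras" else "drop"
    # Step 3: only named viewers and VPN clients may reach the cameras.
    if d == "cameras":
        return "allow" if (src in VIEWERS or s == "vpn") else "drop"
    # Trusted LAN may browse out.
    if s == "lan" and d == "internet":
        return "allow"
    # Everything else stays inside its own segment.
    return "allow" if s == d else "drop"

# Constructed flow records: (source, destination, protocol, port).
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.50.10", "tcp", 554),   # viewer PC -> camera RTSP
    ("192.168.50.10", "198.51.100.7", "tcp", 443),   # camera reaching out
    ("192.168.40.5", "192.168.50.10", "tcp", 80),    # IoT device -> camera
    ("198.51.100.99", "203.0.113.10", "tcp", 80),    # internet -> forwarded port
    ("198.51.100.99", "203.0.113.10", "udp", 1194),  # internet -> VPN listener
    ("10.8.0.2", "192.168.50.10", "tcp", 554),       # VPN client -> camera
]

def violations(flows):
    """Flows the policy would drop; seeing them in real logs means a gap."""
    return [f for f in flows if decide(*f) == "drop"]
```
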
 

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
3,815
Reaction score
8,424
Location
USA, Oregon
I'm sensing that more and more people are in the boat I'm in, of the ISP not allowing opening a port to use a VPN.
 

The Automation Guy

> I'm sensing that more and more people are in the boat I'm in, of the ISP not allowing opening a port to use a VPN.
There are primarily two types of VPN connections. One is where you use an outside service (paid or free) in an effort to send all of your data from inside your network OUT through a VPN tunnel to shield your activity from your ISP and anyone else looking at your traffic. This is NOT the type of VPN we are talking about. When people talk about their ISP blocking VPNs, this is primarily what type of connection they are talking about. ISPs don't like this type of VPN service for two reasons: 1) it is often used to try to shield illegal activity, and 2) let's be honest, the ISP makes money (ad revenue) off your information.

The second type of VPN is a server that you host on your local hardware to allow a secure tunnel INTO your network. This is always free. Even some basic consumer wifi routers (all in one) build this service into their hardware. This type of connection does not shield or mask your outgoing data from your local network. Instead of having to have a bunch of unsecured forwarded ports in your router/firewall to allow outside access to certain programs, computers, or services, you have a single open port that points to the VPN server/service. That server requires a private encryption key (that you create when you set up the VPN server) before it will accept the outside connection. This is the most secure way to allow access to your network from outside of your network. Anyone that doesn't have the encryption key is blocked. This type of VPN service cannot be blocked by your ISP because it looks like normal traffic - because it is normal traffic. Now it is possible that you are using the OEM network equipment provided by your ISP and they try to block you from opening a port on it to connect to your hosted VPN. If that's the case, you need to stop using/renting their shit equipment and get equipment that you control, not your ISP.

To be honest, you shouldn't be using ISP provided equipment ever, unless required to. I know a lot of ISPs need their own modem and/or router to work. Luckily many (most) of them will allow you to use your own equipment and simply use their equipment in "bridge" mode if you call and request this. There are some ISPs however that do not offer a "bridge" mode on their equipment, but definitely complain often if this is the case with your ISP. Public opinion can sway a company to change their policies. But always buy your own modem and router/firewall device if you are able to.
 

LapZ

I will address the keyboard/mouse combination. The NVR came with a corded mouse. As I sit 6 meters from my screen and NVR, I use a Logitech wireless dongle instead, which combines mouse and keyboard. But I don't think this was the issue at all to begin with. I must have messed up the software before that. I still don't have access to anything; I can't even factory reset because of the failed software. So I have to get it online and try to reset it that way. Now I'm running into the msvcr120.dll failure when trying to install the SADP tool. Earlier on I fixed it with a C++ update. But now it won't :) ahahah
 

Griswalduk

Glad you got there eventually. Enjoy your system :)
 

LapZ

Well, the system is still fucked. I tried to reset it with the SADP tool and go online to reset; that did not work. I think I have to reinstall the firmware maybe :)
 