To Port Forward or Not To Port Forward?

Yup, a few brands have been offering that; we mostly do Ubiq, although we sometimes do Hikvision too... and Honeywell.

As an IT consultant for SMBs for >20 years, computer networks and their security are my focus. The fewer open/forwarded ports you have, the less exposed your network and devices are.
DVR/NVR security is more the fault of installers and owners than of camera manufacturers. I can't even begin to count the number of devices I've seen set up with "default" creds to log in. Or even if the creds are customized, the system may have been in place for 5 or 10 years without any firmware updates to patch against exploits that did come out. And the "residential grade" firewalls they're behind are incapable of geo IP blocking or IDS countermeasures to help block grinding attacks.

At least with these cloud proxy systems, your network is much less exposed, and the servers that handle these proxy portals have at least some security maintenance done. To what degree, I can't say, but I'm 99% sure it's better than what any camera system owner or most installers will do for the old-fashioned port forward setup.
 
Agreed. I recently spent a lot of time getting OpenVPN set up on my Ubiquiti EdgeRouter, mostly due to a steep command-line interface learning curve for me.

I persevered and now have a 44-page document with detailed instructions, as my brain is a FIFO buffer, and I will soon forget how I did it.

I admit I considered throwing in the towel during the frustrating process, and would have gone with Dahua's solution vs no camera access at all.

The bottom line is I get why some take the easy route and forward ports, and I get why the networking professionals push for the VPN solutions. Like you said, Dahua's solution, while it may be flawed and vulnerable, is the solution between the extremes.


Sent from my iPhone using Tapatalk
 
Adding to this: I don't know if Dah or Hik have implemented 2FA yet, but for those who "don't trust a cloud-hosted proxy", Ubiq recently added 2FA (two-factor authentication). This can satisfy the tin-foil-hat-sporting types who don't like cloud systems; it's a separate authentication process.

VPNs aren't the end-all for security either. How many people maintain updates on their VPN host/firewall/edge appliance? And change the user/pass credentials on a regular basis? Hmmm... I don't see many hands raised in the air.
 
Does using TLS secret key authentication mitigate any lack of updates? I am assuming the secret key is appropriately secured offline.

 
That secures the tunnel itself. Firewalls and VPN appliances are frequently attacked via exploits on the host operating system itself and its exposed services. They don't try to hack your VPN tunnel; they try to hack the VPN appliance/host, whatever it is, such as your EdgeRouter, or a Cisco PIX, or a Windows Server doing PPTP or IPsec VPN via RAS/RRAS, or a pfSense box, or your DrayTek, or (insert whatever brand/make/model you want).
 
Got it, thanks. So make sure I keep the EdgeRouter updated, correct?

 
Yes, Ubiq released some major updates for their "Edge" and "air" series products this past winter or spring, specifically related to security exploits. Not to mention they're making the EdgeRouter web admin quite a bit nicer in recent releases. They've had a bunch of good improvements for it.

Excellent, fast and stable routers... great product!
 
Adding to this: I don't know if Dah or Hik have implemented 2FA yet, but for those who "don't trust a cloud-hosted proxy", Ubiq recently added 2FA (two-factor authentication). This can satisfy the tin-foil-hat-sporting types who don't like cloud systems; it's a separate authentication process.

Two-factor is great for what it's intended to do as far as protecting the login, but most exploits against such things don't go after the authentication/encryption itself directly. They target various vulnerabilities to go around it, i.e., there's no point in dealing with a highly secured door requiring multiple keys when you can just go around it or through a back window. And that doesn't really eliminate various other concerns about using cloud-based P2P services.

As you say, P2P-type systems are better than some newb blindly opening ports, but they have their own problems. One is that most camera manufacturers don't run their own services but rely on a very few large third-party providers, almost all of which are located in China. Not sure which would be worse really, but at best I don't have a whole lot of trust in companies subject to the authority of the Chinese government as far as privacy and security go.

I'm not aware of any cases where the large cloud service providers have been breached directly (yet), but people have found ways to iterate through some of their databases in order to identify all of the IPs/client devices of a certain type (without having to know any credentials) and then exploit other vulnerabilities in specific devices. So in that case people have potentially signed up to put themselves on a short list. I believe that was suspected to have been done as part of one of the recent large IoT-type bot attacks.

Then there's the sketchy implementation of the P2P and associated processes, which potentially can be doing, or be exploited to do, pretty much anything, and a device that's out there waving its hands in the air saying "here I am". ; )
 
Yes, Ubiq released some major updates for their "Edge" and "air" series products this past winter or spring, specifically related to security exploits. Not to mention they're making the EdgeRouter web admin quite a bit nicer in recent releases. They've had a bunch of good improvements for it.

Excellent, fast and stable routers... great product!

Do you have any recommendations for restricting the cameras further, given the default connections between subnets as established by the wizards?

Like firewall rules preventing the cameras on eth2 from accessing the WAN interface? In other words, only allowing them to access vtun0 or eth1?

Thanks for any guidance.

Mark

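One way to write the rule Mark is asking about, as an added example that is not from this thread or from Ubiquiti's own documentation: an EdgeOS firewall ruleset attached inbound on the camera interface, so camera-originated traffic can reach the LAN and the OpenVPN tunnel and nothing else, with the WAN covered by the default drop rather than by naming the WAN interface. The interface names eth1 (LAN), eth2 (cameras) and vtun0 (OpenVPN) come from the post; the ruleset name CAMS_OUT, the eth1 subnet 192.168.1.0/24 and the OpenVPN subnet 10.8.0.0/24 are assumptions to be replaced with your own values.

```edgeos
configure

# Ruleset for packets entering the router on eth2 (i.e. sent by the cameras).
# Assumed name; the wizard's WAN_IN / WAN_LOCAL rulesets on the WAN port are untouched.
set firewall name CAMS_OUT description 'Cameras: LAN and VPN only, no WAN'
set firewall name CAMS_OUT default-action drop
set firewall name CAMS_OUT enable-default-log

# Replies to connections opened from the LAN, the NVR or a VPN client
# (RTSP/HTTP pulls from the NVR or a phone on the VPN only need this rule).
set firewall name CAMS_OUT rule 10 description 'Allow established/related'
set firewall name CAMS_OUT rule 10 action accept
set firewall name CAMS_OUT rule 10 state established enable
set firewall name CAMS_OUT rule 10 state related enable

set firewall name CAMS_OUT rule 20 description 'Drop invalid state'
set firewall name CAMS_OUT rule 20 action drop
set firewall name CAMS_OUT rule 20 state invalid enable

# Camera-initiated traffic to the eth1 subnet (e.g. pushing alerts/snapshots to the NVR).
# 192.168.1.0/24 is an assumed eth1 subnet; substitute yours.
set firewall name CAMS_OUT rule 30 description 'Allow to LAN (eth1)'
set firewall name CAMS_OUT rule 30 action accept
set firewall name CAMS_OUT rule 30 destination address 192.168.1.0/24

# Camera-initiated traffic to OpenVPN clients on vtun0.
# 10.8.0.0/24 is an assumed OpenVPN server subnet; substitute yours.
set firewall name CAMS_OUT rule 40 description 'Allow to VPN clients (vtun0)'
set firewall name CAMS_OUT rule 40 action accept
set firewall name CAMS_OUT rule 40 destination address 10.8.0.0/24

# Anything else, including everything bound for the WAN, hits default-action drop and is logged.

# Direction "in" = packets arriving on eth2 that the router would forward elsewhere.
set interfaces ethernet eth2 firewall in name CAMS_OUT

commit
save
exit
```

After committing, `show firewall name CAMS_OUT statistics` in operational mode shows the per-rule hit counters, and `show log | match CAMS_OUT` shows the drops. Two caveats: the "in" ruleset only governs traffic the router forwards from eth2, so packets addressed to the router itself (cameras using it for DNS or NTP) are controlled by a separate "local" ruleset, which this does not change; and because the cameras can no longer reach the internet, their NTP/DNS must point at something on the LAN side, typically the router or the NVR.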
 
At my home, I use a VPN. For customers, I use port forwarding and tell them the VPN is the safer bet. Most are not interested. They don't want the added step of tunneling in before connecting to the cameras. And, many times, it also means added equipment, like a new router. I do my best to make it as secure as possible for them. One thing I wish I could do is change the admin user name to something else. I do put a strong password on it.
 
At my home, I use a VPN. For customers, I use port forwarding and tell them the VPN is the safer bet. Most are not interested. They don't want the added step of tunneling in before connecting to the cameras. And, many times, it also means added equipment, like a new router. I do my best to make it as secure as possible for them. One thing I wish I could do is change the admin user name to something else. I do put a strong password on it.

Great point on the admin account. I think I read that you might be able to delete the admin account on the Dahua, but I might be mistaken on that.

I will have to search the threads I have been following.

 
I found the below information in my notes, so we can discuss what this information means, if you want:

Change the Default Password

After logging in, the UI opens a page where you can change the default password. Subsequent password changes are made in Setup > System > Account. Dahua cameras have two different "admin" accounts: one for "ONVIF", and one for "users" logging into the camera. However, sometimes it only changes the "user" account, and the "ONVIF" account doesn't appear in the Web UI. You can only see and modify the "ONVIF" admin account if you use the ONVIF Device Manager tool, along with these instructions, so it is worth checking with the tool to verify and correct the password. For Step 1, use the default "admin" password. For optimal security, set different passwords for the "ONVIF" and "user" admin accounts.

Dahua Parameters for Setup > System > Account > User Name

Parameters described here. This link includes this section on adding users:

Add user: This is to add a name to a group and set the user's rights.

The hidden user "default" is for system internal use only and cannot be deleted. When there is no logged-in user, the hidden user "default" logs in automatically. You can set some rights, such as monitor, for this user so that you can view some channels without logging in.

Here you can input the user name and password and then select one group for the current user.

Please note that the user's rights shall not exceed the group's rights setup.

For convenient setup, please make sure the general user has lower rights than the admin.
 
Great point on the admin account. I think I read that you might be able to delete the admin account on the Dahua, but I might be mistaken on that.
I think he might be referring to Blue Iris.
 
Oh... he said: "One thing I wish I could do is change the admin user name to something else. I do put a strong password on it."

So I guess he means changing the user from "admin" to something else, which should make it 50% harder to crack if they don't already know half the equation. I agree that all devices should allow this. I only have a handful of devices that allow this to be changed: my EdgeRouter Lite ERL-3, my ISY 994i automation hub, and my DD-WRT-flashed access points.
 
I found this explanation and pictorial of the Gibson three-router setup. It seemed much better than the Gibson video:
Steve Gibson's Three Router Solution to IOT Insecurity | PC Perspective
 