what else can i do to secure my network? any advice or tips

Dr Ian

Dec 14, 2016
OK, I'm an enthusiastic amateur!

Recently had Mirai malware pop up on one of my D-Link cams, so got that removed and am logically looking to improve network security.

Things I have done so far:

removed UPnP from the router and everything else
made sure the latest firmware is on everything, plus more complex passwords etc.
using VPN for remote viewing (built into the Orbi router) and then OpenVPN on my phone
added stunnel to the Blue Iris computer for HTTPS on LAN and WAN
removed all port forwarding EXCEPT forwarding 8080 to 81 for the BI machine's stunnel

What else would you do?

Dual LAN/NIC is harder as BI is on a laptop (and two old cams are WiFi, so can't block all access).
It's a pain to block cameras accessing the internet totally and calling home, as the Orbi router blocks keywords, not IP addresses.

So any other tips?
 
Even with "WiFi" cams, if you secure them in a VLAN which has absolutely no internet access at all, you are already a level higher on the security maturity scale. As long as the NIC in your laptop supports VLAN tagging (802.1Q), it is already (virtually) serving two networks through 1 physical adapter.

Nothing but good news today, right? ;-)
CC
 
@Dr Ian - another easy thing to do to keep the cameras from accessing the Internet is to remove the default gateway from the camera's IP settings. This way, the camera will still communicate with Blue Iris, but not the Internet. You may also want to look into NetTime, which is an NTP server you can run on your local network. Assuming your cameras may be going out to the Internet to get their time via NTP, if you remove the default gateway IP from the cameras, you could set this up and point them locally for their NTP settings.
 
@Dr Ian - another easy thing to do to keep the cameras from accessing the Internet is to remove the default gateway from the camera's IP settings. This way, the camera will still communicate with Blue Iris, but not the Internet. You may also want to look into NetTime, which is an NTP server you can run on your local network. Assuming your cameras may be going out to the Internet to get their time via NTP, if you remove the default gateway IP from the cameras, you could set this up and point them locally for their NTP settings.
There have been cameras found that are smart enough to spawn "generic" gateway addresses to "find" common router addresses... So I wouldn't secure your network by "obscurity"... Drop your cams into a VLAN which is simply not routable, and you are safe.
 
@Dr Ian - another easy thing to do to keep the cameras from accessing the Internet is to remove the default gateway from the camera's IP settings. This way, the camera will still communicate with Blue Iris, but not the Internet. You may also want to look into NetTime, which is an NTP server you can run on your local network. Assuming your cameras may be going out to the Internet to get their time via NTP, if you remove the default gateway IP from the cameras, you could set this up and point them locally for their NTP settings.


Excuse my basic understanding, so if I change the default router and DNS in the camera settings to, say, 0.0.0.0 but leave the static IP and subnet?

I'm still looking into getting a new, bigger switch as I have no ports left on my basic 8-port unmanaged one with VLAN capabilities.
 
Excuse my basic understanding, so if I change the default router and DNS in the camera settings to, say, 0.0.0.0 but leave the static IP and subnet?

I'm still looking into getting a new, bigger switch as I have no ports left on my basic 8-port unmanaged one with VLAN capabilities.

Yes, but you only have to do the gateway. If an IP is outside of the subnet it is sent to the gateway; if the gateway is invalid the traffic will not be routed and is just dropped (so you could set the gateway to the BI server if the device does not like being 0.0.0.0 and BI has not been set up to do routing).

You could also use two NICs in the BI server, one for cameras and one for local/remote access :)

Another thought: you could add the cameras' MAC addresses to the router to block internet access, if your router supports MAC address filtering.
 
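The routing rule in the reply above (on-subnet traffic is delivered directly, off-subnet traffic goes to the gateway, and with no usable gateway it is simply dropped) is the same reason the VLAN advice earlier in the thread works. The script below is an added example, not code from this thread or from Blue Iris; it simulates that decision for a small constructed camera inventory and flags any camera whose settings would still let it reach the Internet. The addresses, camera names and the `BI_SERVER` value are assumptions for the demonstration.

```python
import ipaddress

# Constructed inventory for this example: a Blue Iris host and three cameras with
# the static settings a person would type into each camera's network page.
# "0.0.0.0" stands for "no gateway configured".
BI_SERVER = "192.168.1.10"
CAMERAS = {
    "front-door": {"ip": "192.168.1.21", "mask": "255.255.255.0", "gateway": "0.0.0.0"},
    "driveway":   {"ip": "192.168.1.22", "mask": "255.255.255.0", "gateway": "192.168.1.1"},
    "garage":     {"ip": "192.168.1.23", "mask": "255.255.255.0", "gateway": BI_SERVER},
}

# Any public address will do as a stand-in for "the Internet" (documentation range).
INTERNET_PROBE = "203.0.113.1"


def next_hop(cam: dict, dest: str, bi_routes: bool = False) -> str:
    """Decide what a camera's IP stack does with a packet addressed to `dest`.

    Returns one of:
      'direct'  - dest is on the camera's own subnet: delivered by ARP, no gateway involved
      'dropped' - dest is off-subnet and there is no usable gateway
      'router'  - dest is off-subnet and a real gateway forwards it (Internet reachable)
      'bi-host' - gateway is the BI host, which only forwards if routing was enabled there
    """
    net = ipaddress.ip_network(f"{cam['ip']}/{cam['mask']}", strict=False)
    gw = ipaddress.ip_address(cam["gateway"])
    if ipaddress.ip_address(dest) in net:
        return "direct"
    # 0.0.0.0 (or any gateway not on the local subnet) can never be reached by ARP,
    # so the packet never leaves the LAN.
    if gw not in net:
        return "dropped"
    if gw == ipaddress.ip_address(BI_SERVER):
        return "router" if bi_routes else "bi-host"
    return "router"


def audit(cameras: dict, bi_routes: bool = False) -> list:
    """Return the names of cameras whose settings still give them a path to the Internet."""
    return [name for name, cam in cameras.items()
            if next_hop(cam, INTERNET_PROBE, bi_routes) == "router"]


if __name__ == "__main__":
    for name, cam in CAMERAS.items():
        print(f"{name:11s} -> BI: {next_hop(cam, BI_SERVER):7s} | Internet: {next_hop(cam, INTERNET_PROBE)}")
    print("cameras that can still reach the Internet:", audit(CAMERAS))
```

The "garage" entry shows the fallback suggested in the reply: pointing the gateway at the BI host keeps the camera quiet only as long as that host is not configured to route, which is why the audit takes a `bi_routes` flag.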
Excuse my basic understanding, so if I change the default router and DNS in the camera settings to, say, 0.0.0.0 but leave the static IP and subnet?

I'm still looking into getting a new, bigger switch as I have no ports left on my basic 8-port unmanaged one with VLAN capabilities.

Yes - just change the gateway. If the camera has no gateway, it has no path out to the Internet.
 
Yes, but you only have to do the gateway. If an IP is outside of the subnet it is sent to the gateway; if the gateway is invalid the traffic will not be routed and is just dropped (so you could set the gateway to the BI server if the device does not like being 0.0.0.0 and BI has not been set up to do routing).

You could also use two NICs in the BI server, one for cameras and one for local/remote access :)

Another thought: you could add the cameras' MAC addresses to the router to block internet access, if your router supports MAC address filtering.

Sadly it's an older Alienware laptop running BI, so only 1 network as standard.

This is weird though: I change DHCP to static in the camera and save settings, and on reboot it's back to DHCP? Admittedly these are old D-Link DCS-2332 cameras (waiting on some new 5442 turrets from Andy).
 
Sadly it's an older Alienware laptop running BI, so only 1 network as standard.

This is weird though: I change DHCP to static in the camera and save settings, and on reboot it's back to DHCP? Admittedly these are old D-Link DCS-2332 cameras (waiting on some new 5442 turrets from Andy).
You can purchase a USB to ethernet adapter and boom, instant 2nd network.
 
OK, I'm an enthusiastic amateur!

Recently had Mirai malware pop up on one of my D-Link cams, so got that removed and am logically looking to improve network security.

Things I have done so far:

removed UPnP from the router and everything else
made sure the latest firmware is on everything, plus more complex passwords etc.
using VPN for remote viewing (built into the Orbi router) and then OpenVPN on my phone
added stunnel to the Blue Iris computer for HTTPS on LAN and WAN
removed all port forwarding EXCEPT forwarding 8080 to 81 for the BI machine's stunnel

What else would you do?

Dual LAN/NIC is harder as BI is on a laptop (and two old cams are WiFi, so can't block all access).
It's a pain to block cameras accessing the internet totally and calling home, as the Orbi router blocks keywords, not IP addresses.

So any other tips?

airgap what you can...
 
Yes - just change the gateway. If the camera has no gateway, it has no path out to the Internet.

OMG, this is literally the easiest and best thing so far!!

BI still works as expected
cameras can't be seen by the manufacturer's app (D-Link Lite), which was one thing I wanted!
I'm no longer getting alerts from the Orbi router about outgoing connections to suspect IP numbers

And as a bonus, FedEx just emailed to say my Andy/Empire delivery is due tomorrow.
 
Very cool. I would still consider the time on the cameras next, now that they are probably not going out to some host on the Internet for their time. The NetTime software can be run on your BI laptop. I have mine running on a virtual machine and all the computers on my network reference it.


Sent from my iPhone using Tapatalk
 
Very cool. I would still consider the time on the cameras next, now that they are probably not going out to some host on the Internet for their time. The NetTime software can be run on your BI laptop. I have mine running on a virtual machine and all the computers on my network reference it.


For now I just unticked the sync time check box and set time manually.
 
For now I just unticked the sync time check box and set time manually.

Keep in mind that clocks drift. That's why having an NTP server to keep everything in sync is important. You'll end up logging into cameras to update the time when you notice they are out of sync. If you don't have a bunch of cameras, not too big a deal, but if you have a bunch it becomes a pain. I have 16 cams in sync all the time within 1 second of each other using NetTime as my local NTP server.


 
There's a good primer here on setting up an NTP server on the BI machine and then pointing the cams to that NTP server and is easy enough to do so I'd get that done. This would also take care of clocks going forward/back as they do in the UK where I am.
 
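The last few replies recommend running a local NTP server (NetTime) and pointing the cameras at it so the clocks stay within a second of each other. The script below is an added example, not code from this thread or from the NetTime project; it builds an NTP client request, parses the server's reply and works out the clock offset and round-trip delay the way an NTP client does (RFC 5905 on-wire arithmetic), so you can check from the BI machine that the local server answers and how far a clock is off. The reply is constructed inline so the calculation runs offline; `query()` is the live version and the server address passed to it is an assumption.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
# 48-byte NTP packet: LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference / origin / receive / transmit timestamps (64-bit each).
NTP_FORMAT = "!BBBbIIIQQQQ"


def to_ntp(unix_ts: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32 bits seconds, 32 bits fraction)."""
    whole = int(unix_ts)
    frac = int((unix_ts - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3, with our send time in the transmit field."""
    return struct.pack(NTP_FORMAT, 0x23, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def build_response(request: bytes, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed server reply (Mode=4) for offline testing: echoes the client's transmit
    time as the origin timestamp and fills in the server's receive (t2) and transmit (t3) times."""
    origin = struct.unpack(NTP_FORMAT, request)[10]
    return struct.pack(NTP_FORMAT, 0x24, stratum, 0, 0, 0, 0, 0,
                       to_ntp(t2), origin, to_ntp(t2), to_ntp(t3))


def measure(request: bytes, response: bytes, t4: float):
    """Return (offset, delay) in seconds from a request/response pair and our receive time t4.
    offset > 0 means the server clock is ahead of ours."""
    fields = struct.unpack(NTP_FORMAT, response)
    if fields[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if fields[8] != struct.unpack(NTP_FORMAT, request)[10]:
        raise ValueError("origin timestamp does not match our request")  # stale or spoofed reply
    t1, t2, t3 = from_ntp(fields[8]), from_ntp(fields[9]), from_ntp(fields[10])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def query(server: str, port: int = 123, timeout: float = 2.0):
    """Live query against a local NTP server (for example the NetTime host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        request = build_request(t1)
        sock.sendto(request, (server, port))
        response, _ = sock.recvfrom(48)
        return measure(request, response, time.time())


if __name__ == "__main__":
    # Constructed exchange: our clock reads 1000.0 when we send; the server's clock is
    # 60 s ahead and answers 0.1 s later; the reply lands 0.3 s after we sent.
    req = build_request(1000.0)
    resp = build_response(req, 1060.1, 1060.2)
    offset, delay = measure(req, resp, 1000.3)
    print(f"offset {offset:+.3f} s, round-trip delay {delay:.3f} s")
    # Live check against a local server (address is an assumption):
    # print(query("192.168.1.10"))
```

Running `query()` from each machine against the NetTime host gives the offset that machine would correct; an offset near zero on the BI box and the cameras is the "within 1 second" state described above.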
There's a good primer here on setting up an NTP server on the BI machine and then pointing the cams to that NTP server and is easy enough to do so I'd get that done. This would also take care of clocks going forward/back as they do in the UK where I am.

That's great, I set up the NetTime service, working for most cameras. The two really old cameras are acting weird with it, guessing because the date range (in the camera GUI) doesn't go past 2019.... lol

I really must thank everyone for all the great advice on this forum, you are all amazing. I feel much more secure now: stunnel, VPN, removing the gateway from cameras etc. Also got spotter cams moving my PTZ, following other threads.
 
Excuse my ignorance, but why the use of stunnel if you can VPN into the system remotely? Couldn't you drop stunnel and use the more secure VPN connection as your sole means of accessing the network?