How to Secure Your Network
Many camera networks are unsecure, even those installed by professionals. This guide gives basic instructions on how to secure a camera network against the most common types of attacks.
No Port Forwarding
Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services. I can put it no better than forum member nayr did in his "VPN Primer for Noobs" post:
The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces. NEVER FORWARD PORTS to your NVR or cameras; doing such things not only exposes you to severe security problems, but everyone else on the internet too. Hackers don't want your video feeds, they want an always-on Linux box with decent internet connectivity that can be used to attack targets on the internet. They want to turn your camera into a weapon of mass destruction.
I know it is often the most convenient way to facilitate remote access, but it is a bad idea. Don't forward ports.
Turn off UPnP
UPnP (Universal Plug and Play) is a "feature" found in routers that enables any device on your network to forward ports to itself without your explicit consent or knowledge.
Find it and turn it off. Turn it off in your router. Turn it off in your modem. Turn it off in your NVR and in your IP cameras. Turn off UPnP wherever you find it.
Use a VPN
When you need to remotely access your NVR or cameras, use a VPN (Virtual Private Network). A VPN provides secure access control and encrypts all the network traffic it carries, making it ideal for accessing unsecure services like video surveillance systems.
I'm NOT talking about a VPN subscription service that you pay for to hide your identity online. I'm talking about a VPN server that you run yourself on your router or on another machine on your network. You connect to that VPN in order to access your network from the outside.
Many routers have VPN server functionality built-in.
Asus routers, for example, are well-known for having built-in VPN servers.
Again, I refer you to the VPN Primer for Noobs.
The VPN Primer for Noobs is still a great resource, but it was written in 2016 and is a little out of date on some points.
- The Primer does not mention WireGuard, which is a popular newer alternative to OpenVPN and is generally the fastest available VPN option.
- The Primer also does not mention IPv6. In case your ISP (internet service provider) uses CGNAT and you are therefore unable to connect to your VPN server using IPv4, you may be able to enable IPv6 in your router and use that to connect to your VPN. Most major internet providers (including cellular carriers) support IPv6, so give it a try.
- Tailscale and ZeroTier are security-focused cloud-based VPN providers which also work in situations where your ISP uses CGNAT and IPv6 is unavailable or otherwise not desirable for your inbound VPN connection. Both have free versions. Tailscale and ZeroTier do not have as widespread router support (OPNsense is a good choice if you're nerdy), so you may need to use another computer to act as a gateway on your network. It can be a bit complicated to set up in some situations, but it is another way to get a secure remote connection to your home network without a monthly fee.
Don't allow untrusted devices to have internet access
Above I have only mentioned blocking internet access TO your devices. For the best security it is also a good idea to block internet access FROM your devices whenever internet access is not required for the product's basic functionality.
Some NVRs and cameras create outgoing internet connections to their manufacturer's servers even if you disabled UPnP and have not forwarded a port. It is not well known what these connections are actually used for, but the fact is that any such connection could be used to spy on you, to provide others with a backdoor into your devices, and to perform other malicious deeds. As such, it is increasingly common practice for users to block their untrusted devices from the internet, either through parental controls in their router or by simply keeping the devices on a separate network that has no internet access capability.
Here is an example where a computer running Blue Iris software is used as the NVR, and through the use of a second network interface adapter in the computer, the IP cameras are isolated from the internet. In this example, the IP cameras have no direct line of communication to the internet, making it largely irrelevant what cybersecurity vulnerabilities the cameras may have. The computer running Blue Iris can still communicate with the cameras to configure them and pull their video feeds, and Blue Iris can be remotely accessed through a VPN server running in the user's router. In this example, the computer running Blue Iris is given some amount of trust, as it is still allowed to access the internet.
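One way to confirm that the isolation described above is actually holding is to audit your firewall or router connection logs for camera traffic that leaves the camera network. The script below is an added example, not part of the original guide or of any product; it assumes a constructed, generic log line format (src=, dst=, proto=, dport=, action=) and an assumed camera subnet of 192.168.10.0/24 with the NVR's camera-facing NIC inside it.

```python
"""Audit connection logs for untrusted devices (cameras) reaching beyond their network.

Assumptions (not from the original guide): the log format is a constructed
"timestamp key=value ..." style, the camera network is 192.168.10.0/24 and the
NVR's second NIC lives inside it, so anything else is off-policy.
"""
import ipaddress

# Assumed camera/NVR network (change to match your own layout).
CAMERA_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Destinations an isolated camera may legitimately talk to: its own network
# (which includes the NVR's camera-side NIC) and multicast (ONVIF/SSDP discovery).
ALLOWED_DEST_NETS = [
    ipaddress.ip_network("192.168.10.0/24"),
    ipaddress.ip_network("224.0.0.0/4"),
]

# Constructed sample log: a mix of normal camera<->NVR traffic, one blocked
# phone-home attempt, and two connections that escaped to the internet.
SAMPLE_LOG = """\
# constructed sample, not captured traffic
2024-05-01T12:00:00 src=192.168.10.1 dst=192.168.10.21 proto=tcp dport=554 action=pass
2024-05-01T12:00:01 src=192.168.10.21 dst=192.168.10.1 proto=tcp dport=37777 action=pass
2024-05-01T12:00:02 src=192.168.10.21 dst=203.0.113.10 proto=tcp dport=443 action=pass
2024-05-01T12:00:03 src=192.168.10.22 dst=203.0.113.10 proto=udp dport=8000 action=block
2024-05-01T12:00:04 src=192.168.10.22 dst=239.255.255.250 proto=udp dport=1900 action=pass
2024-05-01T12:00:05 src=192.168.10.23 dst=8.8.8.8 proto=udp dport=53 action=pass
"""


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict of the key=value fields."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def audit(lines):
    """Return (escaped, blocked): camera flows to off-policy destinations, split
    by whether the firewall let them through (escaped) or stopped them (blocked)."""
    escaped, blocked = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_line(line)
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if not any(src in n for n in CAMERA_NETS):
            continue  # not an untrusted device; out of scope
        if any(dst in n for n in ALLOWED_DEST_NETS):
            continue  # stayed inside the isolated network
        flow = (str(src), str(dst), f["proto"], int(f["dport"]))
        (blocked if f.get("action") == "block" else escaped).append(flow)
    return escaped, blocked
```

Any entry in the escaped list means a camera found a path out of its network, which in the two-NIC layout above should be impossible; the blocked list shows which devices are still trying to phone home.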