How to Secure Your Network
Many camera networks are insecure, even those installed by professionals. This guide gives basic instructions for securing a camera network against the most common types of attacks.
No Port Forwarding
Perhaps the most important rule of securing a computer network is to not forward ports to insecure services. I can put it no better than forum member nayr did in his "VPN Primer for Noobs" post:
The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or Cameras, doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers don't want your video feeds, they want an always on Linux box with decent internet connectivity that can be used to attack targets on the internet.. they want to turn your camera into a weapon of mass destruction.
I know it is often the most convenient way to facilitate remote access, but it is a bad idea. Don't forward ports.
Turn off UPnP
UPnP (Universal Plug and Play) is a "feature" found in routers which enables any device on your network to forward ports to itself without your explicit consent or knowledge.
Find it and turn it off. Turn it off in your router. Turn it off in your modem. Turn it off in your NVR and in your IP cameras. Turn off UPnP wherever you find it.
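One way to confirm that no UPnP port mappings are left on your router, as an added example that is not part of the original guide: it assumes you captured the router's mapping list with miniupnpc's `upnpc -l`. The sample listing, the 192.168.1.64/26 camera subnet and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, laid out like the listing printed by miniupnpc's `upnpc -l`.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8000->192.168.1.108:8000 'NVR web' '' 0
 1 TCP 37777->192.168.1.108:37777 'NVR media' '' 0
 2 TCP  8081->192.168.1.64:80 'cam-driveway' '' 0
 3 UDP  6881->192.168.1.50:6881 'laptop p2p' '' 3600
"""

# Assumed addressing for this example: cameras and NVR live in 192.168.1.64/26.
SURVEILLANCE_NET = ipaddress.ip_network("192.168.1.64/26")

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

def parse_mappings(listing):
    """Yield (proto, external_port, internal_ip, internal_port, description)."""
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue  # header line or unrelated output
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            continue  # malformed address, e.g. an octet above 255
        yield m.group(1), int(m.group(2)), ip, int(m.group(4)), m.group(5)

def audit(listing, protected_net=SURVEILLANCE_NET):
    """Classify every active mapping.

    CRITICAL: an internet-facing port lands on a camera or NVR.
    WARNING:  any other mapping; its presence shows UPnP is still enabled.
    """
    findings = []
    for proto, ext, ip, port, desc in parse_mappings(listing):
        severity = "CRITICAL" if ip in protected_net else "WARNING"
        findings.append((severity, f"{proto} {ext} -> {ip}:{port} ({desc})"))
    return sorted(findings)  # "CRITICAL" sorts before "WARNING"

if __name__ == "__main__":
    for severity, detail in audit(SAMPLE_LISTING):
        print(f"{severity:8} {detail}")
```

An empty result is the goal: with UPnP turned off everywhere, the router should report no mappings at all.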
Use a VPN
When you need to remotely access your NVR or cameras, use a VPN (Virtual Private Network). A VPN provides secure access control and encrypts all the network traffic it carries, making it ideal for accessing insecure services like video surveillance systems.
I'm NOT talking about a VPN subscription service that you pay for to hide your identity online. I'm talking about a VPN server that you run yourself on your router or on another machine on your network. You connect to that VPN in order to access your network from the outside.
Many routers have VPN server functionality built-in. Asus routers, for example, are well-known for having built-in OpenVPN servers.
Again, I refer to the "VPN Primer for Noobs" thread.
Don't allow untrusted devices to have internet access
Above I have only mentioned blocking internet access TO your devices. For best cybersecurity it is also a good idea to block internet access FROM your devices whenever internet access is not required for the product's basic functionality.
Some NVRs and cameras create outgoing internet connections to their manufacturer's servers even if you have disabled UPnP and have not forwarded a port. It is not well known what these connections are actually used for, but the fact is that any such connection could be used to spy on you, to provide others with a backdoor into your devices, and to perform other malicious deeds. As such, it is increasingly common practice for users to block their untrusted devices from the internet, either through parental controls in their router or by simply keeping the devices on a separate network that has no internet access capability.
Here is an example where a computer running Blue Iris software is used as the NVR, and through the use of a second network interface adapter in the computer, the IP cameras are isolated from the internet. In this example, the IP cameras have no direct line of communication to the internet, making it largely irrelevant what cybersecurity vulnerabilities the cameras may have. The computer running Blue Iris can still communicate with the cameras to configure them and pull their video feeds, and Blue Iris can be remotely accessed through a VPN server running in the user's router. In this example, the computer running Blue Iris is given some amount of trust, as it is still allowed to access the internet.