Subscriber Discussion

2nd Router Or Modem To Maintain Network Security?

Undisclosed Integrator #1
Jun 10, 2017

I was setting up cameras to port forward the other day and the IT guy for this restaurant said something about there being either 2 routers or 2 modems (I think?), and put the cameras on the system in such a way that they maintained a certain level of security. He had a name for it. I believe the cameras were segregated from the rest of the network.

I was reading a little bit but wasn't sure exactly what he did. Does this sound like a DMZ?

Would something like this solve the security issues surrounding port forwarding? If so, I would like some more information to read up on, and down the road offer this.

Undisclosed #2
Jun 10, 2017
What type of network equipment are they using? Perhaps you are talking about virtual LAN (VLAN).

Undisclosed Integrator #1
Jun 11, 2017

Pretty sure there were multiple devices. They had me unplug from one device into a different one. VLAN would be done from one device right?

Josh Hendricks
Jun 10, 2017
Milestone Systems

We'd need to know for sure what topology he was mentioning but I'm guessing he was talking about DMZ like you mentioned.

From the sounds of it, he's talking about having the video surveillance equipment in the DMZ with the rest of the network behind a second firewall. This would indicate to me that the surveillance is not important to them to secure, and they're more concerned about what would be behind the second firewall.

The video surveillance equipment/cameras would be just as at risk (or more) sitting in the DMZ.

The benefit to the customer is that if a vulnerability in the NVR/VMS/cameras is exploited to gain "root access" to the equipment, the attacker has access only to what was exposed to the internet through the first firewall. If nothing is forwarded through the second firewall, they can still mess with the surveillance system/cameras, disable it, delete video etc. But they cannot access any of the business systems behind door number 2.

There are business grade routers/firewalls with the ability to implement a DMZ easily and securely. It can be done with just about any router, including consumer models, but TBH I don't really trust consumer routers to implement DMZ in a smart and secure way. In my experience, all it means is that any connection request from outside the local network gets forwarded to the designated IP. The PC receiving that traffic can actually still communicate with any other node on the network, so it defeats the purpose and results in an even more exposed network than before.

My experience with consumer routers DMZ settings is that they're used by teenagers who don't understand port forwarding and use DMZ as a "catchall". They might have improved a lot since I was one of those teens, but if the customer is not using good business grade equipment, you can "stack" a couple of cheap routers and accomplish more or less the same thing.

(1)
Undisclosed #3
Jun 10, 2017

Or maybe the "IT guy for this restaurant" is talking about 2 routers as double NAT.

I have seen a lot of that type of BS lately.

(1)
Josh Hendricks
Jun 11, 2017
Milestone Systems

Two firewalls are better than one, right? More fire and all? /s

Undisclosed #3
Jun 11, 2017

I know you are joking (hope you are).

I refuse to answer your question :)

(1)
Undisclosed Integrator #1
Jun 11, 2017

I am not really sure of the topology but I will try to find out if I run into him again. 

My question now would be: if this is a viable method to increase the security of the customer's network, or at least protect everything but the cameras, shouldn't that be mentioned more? There are constant arguments on here about how to set up the cameras for remote viewing. I would consider a restaurant a low security situation, but too risky to expose a bunch of network cameras to. Shouldn't we have more options than just port forwarding, P2P, or DDNS through the same network? Would a DMZ or double NAT be a step up?

Josh Hendricks
Jun 11, 2017
Milestone Systems

In a perfect world your DMZ would service web requests and have zero connection to your LAN. If the DMZ hosts some kind of service that LAN users need to access, it would only allow LAN -> DMZ initiated connections. If your DMZ hosts are connected to both the DMZ and the LAN, there is zero benefit.

Since putting surveillance equipment in a DMZ does nothing for the security of the surveillance equipment and is just as safe as port forwarding, your only options for improved remote access of the surveillance system are...

- P2P when possible. Note that this eliminates the need for port forwarding and simplifies remote access, but you're giving up some of the control of your network security to the P2P host. Though, unless the customer has a big IT department with folks dedicated to intrusion prevention/detection, this is still safer than port forwarding.

- VPN. Instead of punching holes in the firewall for remote access of the surveillance system, punch a hole for VPN. It is almost guaranteed to be more secure than any camera, NVR or VMS for remote access. This adds hassle for users as they have to "dial in" before they can access video. But it's probably the safest way to go.

- Cloud. If your vendor choice provides an option for cloud, then you punch zero holes in your firewall and you don't even login to any equipment in the restaurant. The user logs into the cloud service and if done correctly, there is no inbound connection being made to the restaurant. The cameras would directly make a secure connection to the cloud, or a local appliance would connect to the cameras and it would connect to the cloud service itself.

Brian Karas
Jun 11, 2017
IPVM

> My question now would be, if this is a viable method to increase the security of the customer's network, or at least protect everything but the cameras, shouldn't that be mentioned more?

It increases network security for the existing equipment by placing devices that have a high exploit potential on their own network so that if they are hacked they cannot impact other equipment. In particular, POS equipment, which would likely have some amount of access to credit card data, would be less at risk.

However, this does not make those devices themselves any more secure, it is still leaving them open to remote attacks, so from that perspective, it does nothing for 'security'.

A VPN, or at the very least a very narrow IP whitelist, would make them more secure from the sense of reducing chance of attack/exploit.


(1)
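The two posts above describe the same policy from different angles: a DMZ that only admits LAN-initiated connections (plus return traffic), no route from the camera segment into the POS/LAN, and a narrow source whitelist on whatever is exposed. The block below is an added example, not code from the thread or from any vendor firewall; it models a stateful, zone-based ruleset in plain Python and evaluates a handful of constructed flows against it, contrasting a correctly built two-zone DMZ with a consumer-router "DMZ host" setting where the exposed host still sits on the flat LAN. The subnets, the NVR address, the admin source range and the flow endpoints are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing for the example (hypothetical, not from the thread).
LAN = ipaddress.ip_network("192.168.10.0/24")            # POS and office PCs
DMZ = ipaddress.ip_network("192.168.20.0/24")            # cameras and NVR
NVR = "192.168.20.5"                                     # the only host exposed inbound
ADMIN_SOURCES = (ipaddress.ip_network("203.0.113.0/28"),)  # hypothetical remote-admin range


def zone_of(ip: str) -> str:
    """Classify an address into wan / dmz / lan by subnet (hypothetical layout)."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr in DMZ:
        return "dmz"
    return "wan"


@dataclass(frozen=True)
class Flow:
    """A connection 5-tuple; frozen so it can live in the conntrack set."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        """The return direction of this flow (what a reply packet looks like)."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class Rule:
    """Permit rule for NEW connections from src_zone to dst_zone, optionally narrowed."""
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None          # None = any destination port
    dst_ip: Optional[str] = None         # None = any host in dst_zone
    src_nets: Tuple[ipaddress.IPv4Network, ...] = ()  # () = any source address

    def matches(self, flow: Flow) -> bool:
        if (zone_of(flow.src), zone_of(flow.dst)) != (self.src_zone, self.dst_zone):
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.dst_ip is not None and flow.dst != self.dst_ip:
            return False
        if self.src_nets and not any(ipaddress.ip_address(flow.src) in n for n in self.src_nets):
            return False
        return True


# Proper two-firewall DMZ: default deny, stateful, one narrow inbound hole,
# LAN may initiate into the DMZ, and there is deliberately NO dmz->lan rule.
PROPER_DMZ = [
    Rule("wan", "dmz", dport=443, dst_ip=NVR, src_nets=ADMIN_SOURCES),
    Rule("lan", "dmz"),
]

# Consumer-router "DMZ host": every unsolicited WAN packet is forwarded to one
# host, from any source on any port, and that host shares the flat LAN, which
# we model here as an unrestricted dmz->lan permit.
DMZ_HOST_MODE = [
    Rule("wan", "dmz", dst_ip=NVR),
    Rule("lan", "dmz"),
    Rule("dmz", "lan"),
]


class Firewall:
    """Minimal stateful policy engine: established return traffic, then rules, then deny."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()

    def allow(self, flow: Flow) -> bool:
        if flow.reverse() in self.conntrack:      # reply to a connection we permitted
            return True
        if any(r.matches(flow) for r in self.rules):
            self.conntrack.add(flow)              # remember it so replies get through
            return True
        return False                              # default deny


# Constructed traffic to evaluate (hypothetical endpoints).
ADMIN_TO_NVR = Flow("203.0.113.10", 51000, NVR, 443)
STRANGER_TO_NVR = Flow("198.51.100.7", 51001, NVR, 443)
ADMIN_TO_CAMERA = Flow("203.0.113.10", 51002, "192.168.20.11", 80)
STAFF_TO_CAMERA = Flow("192.168.10.20", 51003, "192.168.20.11", 554)
CAMERA_TO_POS = Flow("192.168.20.11", 40000, "192.168.10.50", 445)


def evaluate(rules) -> dict:
    """Run the constructed flows through a fresh firewall; order matters for conntrack."""
    fw = Firewall(rules)
    return {
        "admin_https_to_nvr": fw.allow(ADMIN_TO_NVR),
        "stranger_https_to_nvr": fw.allow(STRANGER_TO_NVR),
        "admin_http_to_camera": fw.allow(ADMIN_TO_CAMERA),
        "staff_rtsp_to_camera": fw.allow(STAFF_TO_CAMERA),
        "camera_reply_to_staff": fw.allow(STAFF_TO_CAMERA.reverse()),
        "camera_smb_to_pos": fw.allow(CAMERA_TO_POS),
    }


if __name__ == "__main__":
    for name, rules in (("proper DMZ", PROPER_DMZ), ("consumer DMZ host", DMZ_HOST_MODE)):
        print(name)
        for flow_name, decision in evaluate(rules).items():
            print(f"  {flow_name:24s} {'ALLOW' if decision else 'DENY'}")
```

The only rows that differ between the two policies are the ones the thread cares about: under the proper ruleset a non-whitelisted source cannot reach the NVR at all, and a compromised camera cannot open a connection to the POS host, while the camera's reply to a staff-initiated RTSP session still passes because of the conntrack entry. Under the "DMZ host" setting the whole internet can reach the NVR on every port and the camera segment talks freely to the POS network, which is exactly the "more exposed than before" outcome described above.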
Jon Dillabaugh
Jun 11, 2017
Pro Focus LLC

The type of network segmentation you are discussing here has been mentioned many times in various discussions here over the years. 

The reason why your restaurant IT tech was so adamant about sequestering the video network was likely for compliance reasons. Usually POS systems are highly protected for credit card security reasons. No other network traffic should reside on that same network. 

All of this can be done with VLANs. It can also be done with separate physical networks. Both ways have their benefits. You just need to know which suits your clients needs best. 

(1)
Shannon Davis
Jun 12, 2017
IPVMU Certified

Some restaurants will use two different routers: one which is designed for PCI compliance and another for general web traffic. If they purchase a good SonicWall router designed for this, then that will accomplish the same thing.

Corey Nelson
Jun 12, 2017
IPVMU Certified

Is this as simple as 2 separate WAN IPs? On almost all of our installations we will have a separate modem and router for our security equipment. It makes diagnostics and configuration much easier. If we need to make a change or reset equipment, there is no effect on the customer's LAN. On the other side of things, when a customer messes something up on their side it doesn't cause issues for our equipment. This helps remedy some of the "your people were working here last week and now our printer doesn't work" problems.
