Handling The Nervous IT Consultant (For Hikvision Remote Access)

We installed 2 Hikvision systems for a corporate client selling him on a feature of using his phone to view both offices. The dreaded IT consultant has dragged his feet for a long time. Today I received this email...

To be honest we were hoping that we were not going to have to poke a bunch of holes in to the firewall. We’ve seen several of our clients get in to trouble with their Credit Card processing companies because of PCI compliance testing. I know that CW does not do card processing. The PCI testing of the firewall typically reports and complains about any open holes or services and although we have not tested for these exact holes I have a strong suspicion they would cause a problem.

So I would not want to start with port forwarding. The Firewall they have does support VPN to Android and iPhone. We have nearly the same DVR system and Firewall and have tested it with ours so I think there is good chance of success. What I would like to do is to have a phone setup to work inside the building. Then see if we can get it to work though the VPN – if not we have a plan ‘B’.

I recommend that you and David setup a time together to meet and test it out. We can perhaps coordinate it one of CW people so we can use one of the CW phones.

I have mentioned to this person that maybe he could setup a DMZ just for the NVR but he wouldn't dare do such a thing.

Does anyone have any silver bullets to make this guy roll over?

What do you have against the VPN setup?

he should simply ask the IT guy to set it up... no need to do anything :)

I see nothing wrong with what the IT consultant wants and I would recommend it.

Does anyone have any silver bullets to make this guy roll over?

Yes, but remember it may take three or more, depending on the formula (weight in kg / age + years in biz).

One of our customers CC processing companies said if we use just the Server and RTSP ports that would be fine. He said there was a problem with the HTTP port being opened.

I am not a network security professional or by any means know much about PCI compliance. But one of our customers CC processing companies told us that would be fine and they passed.

This is common and a real issue. You absolutely can NOT have open ports in the firewall on the IP of the POS network.

Easy fix, have two public IP addresses; one for the POS network and one for the other network.

Now, when they scan the public IP of the POS LAN, it shows everything closed and secure. You can open any ports on the second public IP only.

Now, if the ISP won't support multiple IP addresses per connection, buy a second connection.

Would a VLAN be considered as a separate network for the PCI compliance?

Not unless you had a second public IP associated with that VLAN. Basically, when they run the PCI compliance software on the POS LAN, it runs a port scan for open ports on its own public IP. It doesn't check neighboring public IPs. So, as long as all ports are closed on the public IP the POS LAN resides on, you are OK. One open port is a fail.

Having worked in IT and still being the liaison with IT departments, the biggest mistake security professionals still make is disregarding the customer's IT department's concern for and the responsibility they have for protecting the security of their network. The fact you installed Hikvision already shows not much of a regard for this and you better hope they don't do more homework on the product.

You need to approach it like a partner with a common goal. Even if the suggestions presented here work, and Jon's is one of the better informed ones, how you approach is it also important. Otherwise, more IT departments will be tackling more CCTV projects on their own because they don't feel the security integrators take them seriously.

"The fact you installed Hikvision already shows not much of a regard for this and you better hope they don't do more homework on the product."

Seems like a loaded comment considering all of the different manufacturers can be hacked / exploited in one way or another. Maybe the IT department and the company should be shamed because users are VPNing in on Android devices and those are hackable.