Subscriber Discussion

Hikvision Is Being Responsible Continuing To Recommend Port Forwarding

Undisclosed #1
Feb 25, 2018

"#3, do you think Hikvision is being responsible continuing to recommend port forwarding?"

Yes

NOTICE: This comment was moved from an existing discussion: "Fear Mongering": Hikvision USA Cybersecurity Director Dismisses Chinese Government Ownership Concerns

John Honovich
Feb 25, 2018
IPVM

#1, thank you for your honesty.

It's not responsible. Unfortunately for you, Hikvision and Hikvision customers, Hikvision continues to recommend port forwarding regularly, even in Hikvision's hardening guide.

Related: Remote Network Access for Video Surveillance Guide

Interestingly, this month Hikvision's cybersecurity PR director came out against this saying:

Now, let's see if he has the power to stop Hikvision from doing this.

#1, evidently you disagree with Chuck Davis here?

Undisclosed #1
Feb 25, 2018

Hold it!

I never said open ports for cameras on the Internet.

John Honovich
Feb 25, 2018
IPVM

Port forwarding opens port(s) for a camera on the Internet. That's the fundamental reason to port forward. Your response?

Undisclosed #1
Feb 25, 2018

"Port forwarding opens port(s) for a camera on the Internet. That's the fundamental reason to port forward. Your response?"

Port forwarding opens port(s) for an NVR on the Internet. That's my reason to port forward. Your response? :)

P.S.

Lately we are using HIK Connect

John Honovich
Feb 25, 2018
IPVM

Once you open a port on the Internet, it's open to any device on the Internet. It's open to an NVR, it's open to you, to me, to any hacker who wants to attack it, etc.

You can have whatever reason you want to port forward it, the problem is, in doing so, you have now exposed the port to anyone on the Internet. Your response?

Undisclosed #1
Feb 25, 2018

"Once you open a port on the Internet, it's open to any device on the Internet. It's open to an NVR, it's open to you, to me, to any hacker who wants to attack it, etc."

Yes, of course

John Honovich
Feb 25, 2018
IPVM

So is your opinion then that port forwarding cameras is bad but port forwarding NVRs is OK/secure?

Undisclosed #1
Feb 25, 2018

So far so good with older HIK and port forwarding.

All new ones are using HIK Connect.

Tell me, what do you think half of the world does to connect to their PC-based recorders using Client?

I can assure you, they open ports :)

John Honovich
Feb 25, 2018
IPVM

We are not debating what people do, we are debating what is responsible to do.

It's as if we are debating whether drinking Coca-Cola is healthy and your response is "hey, but lots of people drink Coca-Cola."

Related: Surveillance Systems Remote Access Usage Statistics

Look at Dahua dealers. They learned the hard way last year the damage port forwarding does. The Dahua backdoor impacted their recorders, combine that with port forwarding and the result is mass hacks.

The same risk exists for Hikvision or any other recorders port forwarded.

Undisclosed #1
Feb 25, 2018

"The same risk exists for Hikvision or any other recorders port forwarded."

wow, agree with you 2 times in one day/hour :)

Undisclosed Integrator #2
Feb 25, 2018

UD#1, I'm confused as to what you're saying here.  Port forwarding is bad, but you're doing it anyway because... Hik Connect?

Undisclosed #1
Feb 25, 2018

older models port forwarding

new ones HIK Connect

Undisclosed Integrator #2
Feb 28, 2018

Is Hik Connect not supported on older models?

Undisclosed #1
Feb 28, 2018

Yes

Undisclosed #3
Mar 01, 2018

This is asinine.  Your client depends on you to keep them and their data safe, and they may not even know what you're doing to put them at risk.  Port forwarding is so completely and utterly risky that nobody should ever do it at all for any purpose or device, period.

If somebody requires remote access, the responsible path is to provide network equipment that allows a secure VPN connection from a portable device to the home or business.  If you're unqualified to do this you should get help or get out of the business.

Undisclosed End User #4
Mar 01, 2018

UC#3 I could not agree more, too many folks out there who just don't get it.

I am amazed at some of the lackadaisical security "best" practices by some of my peers on this forum.  My primary role is Cyber Security, everything else comes second.  I hope you read the contracts with your customer very closely, you may be leaving your company open to some potential serious legal issues.

Any smart and reputable integrator will NOT do anything that would allow remote access of any kind, this includes on-demand remote support tools like TV or LogMeIn etc.  Let the end user provide you a VPN so they own the security and liability, if it's a web-based remote tool let the end user initiate all sessions.   This is why the network folks do the network stuff, it's their domain.  I get it that there are more than qualified integrators who are network savvy and maybe that works at those smaller customers but in my world the integrator does not touch the network....period!

Here is some food for thought to chew on...

1. Integrator 'A' pulls the network infrastructure for the Security Devices, do you know what type of cable they are using, does it meet your Enterprise IT Specs?  Are they "Certified" to do structured network cabling, do they have the right testing tools, can they produce a Pass/Fail Certification Report to ANSI/TIA-568 Standards?

2. Integrator 'B' provides the network switches for the project, do they meet the Enterprise IT Requirements?  Can you meet the SLA for patching of the switch OS if there is a problem, do you really want to manage the switch?  What pen testing has been done on that inferior switch?

3. Joe installer/service guy brings his non-whitelisted laptop to program the IP Cameras, maybe he plugs directly into the core switch to find and discover all the cameras on the subnet, maybe he plugs directly into the secondary NIC of the NVR to fire up his client......

I can go on and on.......any employee, vendor or supplier (myself included) who does stuff like this would be terminated and banned.  End of Story!
