What Are The Best Way To Secure IP Cameras And NVR Over The Network?

Don't port forward. Use VPNs. At a high level, that is the two most fundamental recommendations.

See: Cybersecurity for IP Video Surveillance Guide and VPNs for Video Surveillance Guide.

Arecont and Exacq do not have a track record of significant vulnerabilities.

on other hand, the Arecont Vision & Exacq Vision have a back door or not?

Arecont and Exacq are more than three letters.

Change all the default passwords and use a VPN.

Turn off any unused protocols.

Here is what our IT person uses when training security integrators on camera cyber issues...hope it helps

How secure do you really want to make things?  Let me share with you some of the recommendations that are used in large deployments where I dabble a bit, they can get pretty complex but in my world Regulatory Compliance is the name the game.

Network Segmentation is key to security period.

First its highly recommended that you deploy a flat network so it is easier to manage the devices connected to it.  When you have a closed secondary network for IP Camera traffic its typically on a unmanaged switch.  Then direct access to the devices is challenging to say the least unless you are physically at the switch.  You may often rely on the VMS software to push camera updates if they even have that capability, if not then its do truck rolls to update camera firmware etc which is very costly with 8K+ recorders and 150K+ cameras.  Average cost per site is about $300 which is pretty pricy to push a required firmware update (abut $2.5mil per update). 

Second, create a separate VLAN for the IP Cameras and the recording devices, be sure to designate a create a small MAC ACL and or JumpBox for IP Camera Administration so the device can be managed remotely within its VLAN by only by authorized connections.   Limit the amount of folks that can have direct access to the devices, really no need to access the camera web page unless you are doing configuration or troubleshooting IMO.

Third is use 801.x EAP-TLS Certificate Based Authentication.  Yes its a bit of work but it locks things down pretty tight.  As a failback you can use MAB (MAC Authentication Bypass) to keep it secure assume the switches you are using support these features.

Once you get things talking to each other then you move on to how to manage it w/o loosing control, you must have a robust Policy to manage the following using the either NIST or ICS-CERT Cyber Security Guidelines (links below).  Compliance and Reporting is the name of the game in my world.

- Password Management

- Patch Management

- Configuration/Drift Management

You should have a solid Baseline Configuration that is deployed with all devices and the ability to measure drift from it to correct, this will help ensure if followed properly that all of the devise are deployed ready to go out of the gate.  That being said most VMS platforms which I consider to be the ecosystems of a surveillance system are very weak at the three examples above. 

Unfortunately the VMS manufactures don't thinks its their responsibility to provide these functions and often push it back on the camera manufacturer, think of yourself like a very large enterprise like I assist with and all of the devices to manage, you need one tool in the toolbox to manage it all not five or six tools (one form each camera supplier).  From what I can see the VMS platforms still don't get it and there appears to only be one solution now that can help bridge the gap, shameless plug for Viakoo suggest you check them out.

You want to learn a bit more about cyber security standards check these links out, there is a ton of stuff I did not call out that is employed to enhance security I chose not to dive into.

https://ics-cert.us-cert.gov/Standards-and-References

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Use Hardware Firewall to secure your network. Netgate / pfSense are fantastic open source solutiouns!

Don't connect your cameras to an internet uplink have them on an offline poe switch connected to a proper vms server.

Easy and inexpensive ways to secure your cameras;

1) Keep the cameras on a network segment that does not have internet and/or corporate network access

2) Give VMS servers two NICs minimum; one NIC in corporate, internet facing LAN, and the second NIC in camera (sequestered) LAN.

This can be done with either separate switches, or with properly implemented VLANs using managed switches. We generally like to use managed switches with VLANs as it saves money on hardware. If done correctly, it is as safe as separate switches.

3) Keep firmwares up to date.

4) Use complex passwords.

5) Create non-admin accounts for VMS server access. Create a new user with only the minimum rights needed to pull camera streams. This can limit VMS users having the ability to change zoom or focus.