Subscriber Discussion

Layer One LAN For Ip-Based VMS?

UE
Undisclosed End User #1
Sep 19, 2017

On a VMS that uses MAC addresses, like Milestone or old Ocularis, you can run a system on a LAN. 

 

However, with an upgrade to new Ocularis like 5.x, that bases everything on IP instead of MAC, can you still run everything on your same LAN without routing? 

U
Undisclosed #2
Sep 19, 2017
IPVMU Certified

Short answer: Yes.

Longer answer: Milestone and Ocularis, old and new, have always been IP based.

Are you referring to the MAC licensing scheme?

Btw, MAC addresses are a component of Layer 2, Layer 1 is the transmission medium, might be copper or fiber optic.

 

(1)
UM
Undisclosed Manufacturer #3
Sep 19, 2017

Sorry, I do not understand your question.

A VMS is using UDP and TCP (Layer 3) connections to communicate with cameras and clients. For API access often HTTP/HTTPS (Layer 4) is used.

TCP and UDP require IP addresses to establish a connection.

I'm not aware of a Milestone version that requires you to configure MAC addresses. 

Could you please explain your question in more detail?

 

Josh Hendricks
Sep 20, 2017
Milestone Systems

There is no network based software in the industry which does not use the TCP/IP stack. Though if anyone uses IPX/SPX that would be interesting to know.

Milestone licensing is based on the camera MAC address, but that doesn't mean the camera has to be on the same LAN as the server. We discover the MAC by "asking" the camera directly, utilizing the API typically provided by the manufacturer. As such, we are definitely not limited to devices within the local network broadcast domain.

One special caveat is that we used to rely on being able to receive an ARP reply from a device using the universal driver (a generic RTP/RTSP driver). This was changed some years ago in order to support routing like every other device driver.

In summary, I don't think you will find any VMS which requires all cameras to be on the same LAN as the server.

U
Undisclosed #2
Sep 20, 2017
IPVMU Certified

There is no network based software in the industry which does not use the TCP/IP stack.

Unfortunately, there's Lonworks ;)

(1)
(1)
Josh Hendricks
Sep 20, 2017
Milestone Systems

This is great, I fully expected to be proven wrong and you did not disappoint :)

UE
Undisclosed End User #1
Sep 20, 2017

Can it be set up on layer 2 switches without a router in the mix? That's my ultimate question. 

Example, one 48 port switch attached to server(s), cameras, and local monitoring station. 

No router in the mix, and only a layer 2 switch. Will this still work? Because I know layer 2 switches only forward frames based on MAC address.

I know a router would be needed for any remote viewing outside of the LAN. 

Maybe I'm overthinking this.... 

John Scanlan
Sep 20, 2017
IPVM • IPVMU Certified

U1 - Yes that will work.  It's called a flat network.  It is easier / quicker to set up, but sacrifices scalability and security.  Hope that helps.

(2)
(1)
U
Undisclosed #2
Sep 20, 2017
IPVMU Certified

Will this still work? Because I know layer 2 switches only forward frames based on MAC address.

Yes, because anything running IP on Ethernet will always have both a MAC address and IP address.

The Ethernet frame actually contains the IP packet:
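To make the encapsulation point concrete, here is an added example (not part of the original post or any vendor's code) that builds an Ethernet II frame around an IPv4 packet and then parses it back apart. The MAC addresses, IP addresses and the three-byte payload are constructed sample values standing in for a camera-to-VMS packet on one subnet; the payload takes the place of a real UDP/TCP segment. Both the Layer 2 addresses and the Layer 3 addresses come out of the same bytes, which is exactly why a MAC-forwarding switch carries IP traffic without any routing.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPV4_HEADER = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum. Over a header whose checksum field is
    already correct it returns 0, which is how the receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload: bytes, proto=17) -> bytes:
    """Encapsulate: Ethernet II header + IPv4 header + transport data.
    The payload stands in for the UDP/TCP segment (e.g. RTP video); it is
    constructed sample data, not captured camera traffic."""
    total_len = 20 + len(payload)
    ip_hdr = struct.pack(IPV4_HEADER, 0x45, 0, total_len, 1, 0x4000, 64, proto, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    # fill in the checksum field (bytes 10-11) now that the rest is known
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the layers apart: Layer 2 addresses first, then the IP packet inside."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": mac_str(dst_mac), "src_mac": mac_str(src_mac), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info                       # ARP, IPv6 etc. are not handled here
    packet = frame[14:]
    ver_ihl, _tos, total_len, _id, _flags, ttl, proto, _csum, src, dst = struct.unpack(
        IPV4_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (options included)
    info.update({
        "ip_version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,
        "src_ip": str(IPv4Address(src)),
        "dst_ip": str(IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    })
    return info


if __name__ == "__main__":
    # Constructed sample: camera NIC aa:bb:... sending to the VMS NIC 00:11:... on 192.168.10.0/24
    frame = build_frame("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55",
                        "192.168.10.50", "192.168.10.10", b"RTP")
    for key, value in parse_frame(frame).items():
        print(key, value)
```

The switch only ever reads the first 14 bytes (the two MACs and the EtherType); everything after that, including both IP addresses, is opaque payload to it.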

CM
Corey McCormick
Oct 02, 2017

If the cameras do not need to stream directly to a remote network client (in a different IP subnet), but always are viewed through the VMS you can do some things to reduce the exposure introduced by cameras (or printers, or other "dumb" devices who are not really so "dumb"...). 

One of the options when designing a flat network that is able to slightly increase the security is to intentionally misconfigure the DHCP scope for those MAC addresses which are cameras (called reservations), or to statically configure them by not providing a default gateway (or providing the wrong one).

If you provide one that is currently off-line you can bring the router IP online if the camera needed to directly download firmware or something and then turn it off again after use.  If you always manage them from the VMS or at least locally, they will likely not ever need a default gateway and that tends to prevent them from communicating via the Internet.

Filtering by MAC and/or IP at the firewall is also helpful.  There are no perfect security options, but if they are on the same IP subnet as everything else, then even a little helps.

There are lots of ways around simple fixes like this, but if several layers of these simple things are implemented, it is MUCH more difficult for malware/bad actors to tackle each and every one of these in one exploit.  For a person it is not so tough to beat, but currently most of the malware generally assumes the machine is configured correctly for the environment.  (Not all, however, but all the camera exploits I know about so far assume the TCP/IP stack is configured correctly.)  

I am not a camera expert though and someone else here might have better information.
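The "no default gateway" idea above can be checked without touching real hardware. The following is an added example, not code from the poster or any VMS vendor: a small model of the forwarding decision an IP host makes (deliver directly on the subnet, hand the packet to its default gateway, or report "network unreachable"), plus an audit function that lists which cameras in a flat network could still reach an off-subnet address. The VMS, router and camera addresses are constructed sample values on 192.168.10.0/24, and 203.0.113.5 (a documentation address) stands in for "somewhere on the Internet". The model also covers the "gateway pointed at an off-line address" variant: the camera will ARP for that address, get no reply, and its traffic goes nowhere.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Optional


@dataclass
class HostConfig:
    """Minimal IP configuration of one LAN host (constructed for this example)."""
    name: str
    interface: IPv4Interface                        # address plus prefix, e.g. 192.168.10.50/24
    default_gateway: Optional[IPv4Address] = None   # None = no route off the subnet at all


def next_hop(host: HostConfig, dst: str):
    """Mimic a host's forwarding decision for a destination address:
    ('direct', dst) if it is on the same subnet, ('gateway', gw) if a default
    gateway is configured, otherwise ('unreachable', None), i.e. the stack
    reports 'network unreachable' and never puts a frame on the wire."""
    dst_ip = IPv4Address(dst)
    if dst_ip in host.interface.network:
        return ("direct", str(dst_ip))
    if host.default_gateway is None:
        return ("unreachable", None)
    return ("gateway", str(host.default_gateway))


def deliverable(host: HostConfig, dst: str, online_lan_hosts) -> bool:
    """A frame only leaves the host if the next hop answers ARP, i.e. is a live
    host on the LAN. A wrong or off-line gateway therefore silently black-holes
    all off-subnet traffic while on-subnet traffic (to the VMS) still works."""
    kind, hop = next_hop(host, dst)
    if kind == "unreachable":
        return False
    return hop in online_lan_hosts


def internet_capable(hosts, online_lan_hosts, probe="203.0.113.5"):
    """Defender's audit: names of hosts that could reach an off-subnet address.
    Anything listed here still needs firewall filtering by MAC/IP as a backstop."""
    return [h.name for h in hosts if deliverable(h, probe, online_lan_hosts)]


# Constructed flat-network sample: VMS, router and three cameras on 192.168.10.0/24.
VMS_IP, ROUTER_IP = "192.168.10.10", "192.168.10.1"
ONLINE_LAN_HOSTS = {VMS_IP, ROUTER_IP, "192.168.10.50", "192.168.10.51", "192.168.10.52"}
CAMERAS = [
    # reservation with no gateway option at all
    HostConfig("cam-lobby", IPv4Interface("192.168.10.50/24")),
    # gateway deliberately pointed at an address nobody answers on
    HostConfig("cam-dock", IPv4Interface("192.168.10.51/24"), IPv4Address("192.168.10.254")),
    # ordinary configuration with the real router as gateway
    HostConfig("cam-lot", IPv4Interface("192.168.10.52/24"), IPv4Address(ROUTER_IP)),
]

if __name__ == "__main__":
    for cam in CAMERAS:
        print(cam.name,
              "-> VMS:", deliverable(cam, VMS_IP, ONLINE_LAN_HOSTS),
              "| -> off-subnet:", deliverable(cam, "203.0.113.5", ONLINE_LAN_HOSTS))
    print("Internet-capable cameras:", internet_capable(CAMERAS, ONLINE_LAN_HOSTS))
```

In the sample only cam-lot can reach off-subnet addresses; the other two still reach the VMS because that delivery never involves a gateway. The "bring the gateway online only when needed" trick from the post corresponds to temporarily adding the gateway address to the set of live hosts and removing it afterwards.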

 
