I'm not sure I'm tracking here.
It seems like we are suggesting that port forwarding is bad. Is that the consensus, or is the thought that port-forward-only configurations are bad?
Everything requires port forwarding, even VPNs. Can't access a VPN without configuring ports. Unless you set up a remote shell in the manner that P2P/UPnP does, then you HAVE to, right?
Nothing wrong with port forwarding at all. Outside of a VPN, followed by SSH (if available), an SSL connection to the admin page is the next best way to go. The only problem with this is that security companies SUCK at software. The HTTPD software (likely Apache?) that runs the admin page is out of date before you install the device. The whole world operates this way. When you connect to google.com or what-have-you, you are accessing it via TCP, not P2P, so I'm not sure where all the concerns come from, and I'll explain in a bit more detail why I feel there is less of a concern regarding port-forward-only configurations.
The problem isn't port forwarding in the first place. The problem, again, is that security companies SUCK at software. If you need a GUI, we are stuck with Apache for now. With that said, we are susceptible to browser attacks. However, if we all had trust that these security vendors keep their hardware up to date, then why would you consider it different than running any other web page? Accessing a web page over SSL is one of the best ways to go.
Because the admin page is accessible in a browser does not mean it raises the attack surface. Just because "Kevin" can access https://ipadminpage.com in Chrome means relatively nothing, considering you have to authenticate somehow. How else do you expect to authenticate? SSH? Telnet? In the browser it's over SSL, which we have trust in, right?
These are what I fear the real concerns are regarding using port forward only configurations:
1) Security companies SUCK at providing updates, essentially making us question the integrity of the front facing admin page.
2) Because these companies are not adding "noindex" or "robots.txt" files to their configuration, some pages get indexed by search engines and are dorkable, leading to a moderate risk of large-scale enumeration. If IPVM wants to make a quick and effective impact on security across the board, it could recommend to all the vendors to add these options so reputable search engines don't index them. They would easily be able to do this, and I'm sure they'd all like to add a nice bullet point in their future release notes. It should be noted that enumeration is potentially much worse with P2P systems and, in one effort, could reveal all devices from all clients connecting to a company's P2P servers. Please read up on P2P vulnerabilities. I try to do my own research, but you can read up on Krebs' thoughts regarding P2P.
With all of this said, what do you guys recommend?
I have about 10 years of direct experience administering government IT systems, and I'm not sure exactly what we are advocating here, if anything. In government or commercial (when they have an actual IT department), VPN and port forwarding are likely the only "remote access" you get. There is likely a security policy in place where they monitor all traffic coming in and out, and they can't do that if you do shit like NAT traversal via P2P. With that said, you may face some tough questions from the IT Architect/Admin, and if you can't answer them, they'll likely have you building your own network.
To be clear, all IP camera hardware is a threat to the integrity of IT systems. Every camera you put up is potentially a trojan horse. We all fear HikHua etc but you are installing devices that "Kevin" the neighbors kid can hack into and if they can't now, they can when an 0day becomes available as vendors suck at software.
For those wondering, no, P2P is infinitely worse than any port forwarding configuration. You are trusting third parties and hackers named "Kevin" to stay out of your system. The use of it lowers the expectation of integrity, and its use should elicit a warning to your clients.
Please consider speaking with Network Engineers about this stuff. They have a different take on this that is likely very valuable from the IT security standpoint.
Thanks John for moving this to its own topic. I think it merits further discussion. It would be nice to contact vendors about adding noindex and robots.txt to their config and request them to explain their P2P implementations a bit more in detail. (If you are still out there listening, lol)
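As an added example (not part of the thread above and not vendor code), here is a small offline self-check that models the two controls the post asks vendors for: a robots.txt Disallow rule and a noindex signal (an X-Robots-Tag header or a meta robots tag). It parses constructed robots.txt text and constructed HTTP responses only; the device URL, headers and HTML are assumed sample values, and the script makes no network requests. Note that both controls only ask cooperative crawlers to stay away, so they shrink the search-engine footprint of an admin page; they are not access control.

```python
"""Offline check: would a crawler index this admin page?

Added example, not from the forum post. Inputs are constructed strings
(a robots.txt body, response headers, an HTML body) so it runs with no
device on the network.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser


class _MetaRobots(HTMLParser):
    """Collect the directives of every <meta name="robots" content="..."> tag."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots":
            self.directives.extend(
                d.strip().lower() for d in a.get("content", "").split(","))


def robots_allows(robots_txt: str, url: str, agent: str = "*") -> bool:
    """True if the given robots.txt text permits `agent` to fetch `url`.

    An empty robots.txt (the usual vendor default) allows everything.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def has_noindex(headers: dict, body: str) -> bool:
    """True if the response carries a noindex directive in a header or meta tag."""
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            if "noindex" in {d.strip().lower() for d in value.split(",")}:
                return True
    parser = _MetaRobots()
    parser.feed(body)
    return "noindex" in parser.directives


def crawler_exposure(robots_txt: str, url: str, headers: dict, body: str) -> str:
    """Classify a page as 'blocked' (robots.txt), 'noindex-only', or 'indexable'."""
    if not robots_allows(robots_txt, url):
        return "blocked"
    if has_noindex(headers, body):
        return "noindex-only"
    return "indexable"


# Constructed sample inputs (hypothetical device, not a real product).
ADMIN_URL = "https://device.example/admin"
LOGIN_HTML = "<html><head><title>Login</title></head><body>Login</body></html>"
VENDOR_DEFAULT_ROBOTS = ""                       # no robots.txt shipped at all
HARDENED_ROBOTS = "User-agent: *\nDisallow: /"   # what the post asks vendors to add
HARDENED_HEADERS = {"X-Robots-Tag": "noindex, nofollow"}


def demo() -> dict:
    """Run the classifier over the default and hardened configurations."""
    return {
        "default": crawler_exposure(VENDOR_DEFAULT_ROBOTS, ADMIN_URL, {}, LOGIN_HTML),
        "header_only": crawler_exposure(VENDOR_DEFAULT_ROBOTS, ADMIN_URL,
                                        HARDENED_HEADERS, LOGIN_HTML),
        "robots_txt": crawler_exposure(HARDENED_ROBOTS, ADMIN_URL, {}, LOGIN_HTML),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The robots.txt half relies on the standard library's `urllib.robotparser`, so the Disallow handling is the same one a Python crawler would apply; the header/meta half is a plain directive scan. Running it against your own device's saved responses tells you which of the two signals, if any, the firmware actually ships.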