Subscriber Discussion

Best Practices For Remotely Access VMS Systems

UI
Undisclosed Integrator #1
Apr 02, 2015

Dear fellow IPVM Members --

What are some of the best practices in satisfying remote VMS viewing client requirements when there isn't a network administrator to perform port forwarding on a client's router?

Remote VMS access is expected by majority of end-users buying new systems. Most VMS systems require port forwarding to be performed on pre-existing client routers/firewalls in order to enable remote viewing. Customers without in-house network administrators or dedicated 3rd party IT consultants often expect remote access to be enabled at the time of installation by an integrator. And while technically port forwarding procedure is usually straight forward, it can pose risk due to external threats to the network or misconfiguration affecting end-user IT environment.

Providing necessary legal disclosures? Partnering with 3rd party IT consultants? Establishing a VPN or other hardware/software solutions?

Thank you in advance for your comments and feedback.

JH
John Honovich
Apr 06, 2015
IPVM

A VPN set up and approved by the company's in-house IT organization would typically be best.

However, in your situation, there is no network administrator which I guess implies that they don't have a VPN.

I'd put your concerns in writing to the client and explain (a) port forwarding and (b) VPNs.

SM
Steve Mitchell
Apr 07, 2015

There's some discussion on this here: Remote Network Access for Video Surveillance

(1)
GR
Graham Reid
Apr 07, 2015
IPVMU Certified

As an IT Service provider, we insist on VPN access for all incoming access requirements, except some aspects of email (if an email server is running inhouse). Open ports on a firewall are just an invitation to anyone scanning ports to see what is on those ports. But open ports coupled with weak passwords often means "Hacked"

Small Business is generally not security conscious: That's how I do it at home so why can't I do it with my business?? Often it is not until they are hacked that they start to understand.

Push for VPN either through their IT contacts or recommend a provider. If they want port forward, then suggest they use an IT service provider. Legal discloures are a backside covering process. If something untoward happens, they can still sue & you still need to defend: Either way it costs both time & money.

I have had a small business client blame me for a dead power supply on a 7 year old machine after working on it remotely. "The computer was working until YOU did something to it!!!"

Cheers

Graham

(2)
LM
Luke Maslen
Apr 07, 2015
IPVMU Certified

Steve Mitchell referred you to the article Remote Network Access for Video Surveillance. If a VPN is too tricky or expensive to set up for a small client, then I recommend you review the section of that article named Cloud / 'Phone Home' for the most painless and inexpensive option which also avoids port forwarding. Choosing this option assumes that such as service is available with the chosen VMS or NVR so you would need to check that.

(1)
SP
Sean Patton
Apr 08, 2015

Just to chip in what everyone else is saying, if youre talking large enterprise, and a VPN connection, I would definitely recommend that they disable split-tunnelling. This will only allow traffic from your PC to go through their VPN/firewall. What this means is if someone has a remote link/view of your computer through your company's Internet Connection, as soon as you connect to the customers VPN it segregates you from that outside traffic, thus partially preventing your from being the (wo)man in the middle of a man-in-the-middle attack.

(1)
New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions