Subscriber Discussion

High Risk With Dahua & Milestone Behind Firewall?

JH
Jay Hobdy
Jan 09, 2018
IPVMU Certified

What is the risk factor of using Dahua cameras on an enterprise network behind a secure firewall, using Milestone as the VMS, and no ports open to the cameras?

UE
Undisclosed End User #1
Jan 09, 2018

In addition to ports, make sure to give them static IPs without gateways, provided they are on the same subnet as the Milestone.

(1)
JH
Jay Hobdy
Jan 09, 2018
IPVMU Certified

That brings up another question we have been looking at. The last few Dahuas we staged, the only option to update the time was via an NTP server. There was no "sync with server"

NTP won't work without a gateway, so how do we keep the cameras time correct?

UI
Undisclosed Integrator #2
Jan 09, 2018

Set up your Milestone server as an NTP server.

(1)
(1)
UI
Undisclosed Integrator #2
Jan 09, 2018

I take that back, I’m not sure I understand the need for time sync on the cameras with Milestone.  Milestone isn’t sensitive to time sync with the cameras as long as time sync between servers and workstations is spot on.  Are you using time overlays at the camera?

(1)
JH
Jay Hobdy
Jan 10, 2018
IPVMU Certified

99% of our installs use Dahua NVR's and our experience with Milestone is limited.

Yes we use the overlays on the camera. I guess you are suggesting disabling that and just allowing Milestone to put the time overlay on? That is probably a very good idea.

UI
Undisclosed Integrator #2
Jan 10, 2018

It will definitely save you some time.  We used to ensure time sync and turn on the camera side overlay as a gut check.  Over time we stopped as there may be a minimal amount of latency (particularly if you use RTSP over TCP vs UDP on an error-prone network) but it was almost unnoticeable.  It also brought up more questions than it was worth in one casino environment.

(1)
UI
Undisclosed Integrator #2
Jan 11, 2018

Just realized I flipped TCP and UDP around in my comment and do not want anyone to default to TCP thinking it has lowest latency.  TCP could add a lot more latency.  At least one VMS I know of does not even allow the option without a lot of workarounds that are intentionally obscured.  Milestone, as always, has a ton of options that others lack which is useful for troubleshooting.

Jared Tarter
Jan 10, 2018
Milestone Systems

One thing to note about time sync is that if the camera is using the ONVIF driver (a lot of the Dahua cameras use ONVIF instead of a dedicated driver with Milestone), then having the cameras time synchronized to the Recording Server may be necessary.

Generally speaking it is a requirement of the ONVIF spec and having the cameras not synchronized can prevent them from being added or cause other strange issues (I've seen some not display video).  Not all camera manufacturers seem to follow that part of the spec though so some don't have issues if they are not time synchronized.

There are free NTP programs out there but you can make any Windows machine a NTP server with a few registry tweaks.  Here are instructions for doing that:

1. Press the Windows key or click the Start button and type regedit and open the Registry editor.
2. Locate and then click the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\

3. In the right pane, right-click AnnounceFlags, and then click Modify.
4. In the "Edit DWORD Value" dialog box, type 5 under "Value data" and click OK.
5. Locate and then click the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer

6. In the right pane, right-click Enabled and then click Modify.
7. In the "Edit DWORD Value" dialog box, type 1 under "Value data" and click OK.
8. Exit Registry Editor
9. Press the Windows key or click the Start button and type services.msc and open Windows Services.
10. Right-click on Windows Time and choose Properties.  Set Startup type to Automatic and then restart (or start) the service.
11. When looking at Windows Time in the services list, if "(Trigger Start)" appears after "Automatic", open an elevated command prompt and type the following command and press Enter:

sc triggerinfo w32time delete

Note: If there is a firewall running, make sure UDP port 123 is allowed through.

(1)
(5)
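The same registry-and-service procedure as a script, added here as an example rather than code from the post or from Milestone. It assumes the Recording Server is Windows 10/Server 2016 or later with the NetSecurity module available, that it runs from an elevated PowerShell, and that the camera VLAN is 10.10.50.0/24 (an assumed value; the firewall rule name is also made up). It scopes the UDP 123 firewall opening to that subnet instead of allowing it from anywhere, and finishes with two checks a practitioner would want: that w32time is running and that the server actually answers NTP queries.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the post or Milestone): make a Windows Milestone
# Recording Server serve NTP to an isolated camera subnet.
# ASSUMPTIONS: camera VLAN is 10.10.50.0/24; the firewall rule name is invented.

$CameraSubnet = '10.10.50.0/24'      # assumed camera VLAN; change to match the site
$RuleName     = 'NTP server for camera VLAN'
$w32          = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Steps 3-4 of the post: AnnounceFlags = 5 advertises this host as a reliable
# time source. This is unconditional, so keep the server itself synced to a
# trusted upstream (domain controller or a hardware NTP appliance) or every
# camera will inherit its drift.
Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 5 -Type DWord

# Steps 5-7: enable the NtpServer provider so w32time listens on UDP 123.
Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord

# Steps 9-11: Automatic start, remove the trigger-start so the service does not
# stop when it thinks nobody needs it, reload the configuration, restart.
Set-Service -Name w32time -StartupType Automatic
sc.exe triggerinfo w32time delete | Out-Null
w32tm.exe /config /update | Out-Null
Restart-Service -Name w32time

# Note at the end of the post: allow UDP 123 inbound, but only from the
# camera subnet so the NTP service is not reachable from the rest of the LAN.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol UDP `
        -LocalPort 123 -RemoteAddress $CameraSubnet -Action Allow | Out-Null
}

# Checks: service state, current sync source, and a live query against the
# local NTP server. /stripchart errors out if the NtpServer provider is not
# actually answering, which is what the cameras would see.
Get-Service -Name w32time | Select-Object Name, Status, StartType
w32tm.exe /query /status
w32tm.exe /stripchart /computer:localhost /samples:3 /dataonly
```

On the cameras, point the NTP setting at the Recording Server's address on the camera subnet; because they have no gateway, that is the only NTP source they can reach, which is the intended result. If `w32tm /query /status` shows the server's own source as "Local CMOS Clock", fix upstream sync first, otherwise the cameras will be consistently wrong together.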
UI
Undisclosed Integrator #2
Jan 10, 2018

Good point Jared.  I rarely used cameras that did not have direct drivers in Milestone (usually Axis).  I do not know whether there will or will not be issues with ONVIF based cameras.  In the handful of times I had to rely on ONVIF I never noticed an issue but would not take that anecdote as evidence.

UM
Undisclosed Manufacturer #3
Jan 10, 2018

Over the years, I have also seen this (time sync preventing ONVIF drivers from connecting).  I specify NTP time sync on all cameras as a best practice for this reason, even if the OSD is turned off.

JH
Jay Hobdy
Jan 10, 2018
IPVMU Certified

So is there any more risk with putting a Dahua camera on this type of system versus an Axis or Arecont camera?

UI
Undisclosed Integrator #2
Jan 11, 2018

From the internet?  Not that I can foresee if those cameras are on their own VLAN.  In theory, the only ingress point from the internet/rest of the corporate network is through your Milestone server.  Obviously, harden the server.  A whole lot of damage can be done to the corporate network since you're not in the DMZ if the server is compromised.

Regarding Arecont it may be worthwhile to do a search on IPVM for other risks that do not pertain to cybersecurity...

Jon Dillabaugh
Jan 11, 2018
Pro Focus LLC

Of course there is more risk. Unless you have them on their own LAN/VLAN entirely, even an inside attack is possible. That’s not even mentioning severe flaws in their firmware that prevent them from working properly, exploits aside. 
