Should You Use Port Forwarding?

I disagree. As the hacker, it merely slows me down by a minute or so. If you are willing to port-forward to a video device, it's highly unlikely you have any logging or intrusion prevention, so I don't really care if I go in fast and noisy.

These are my exact sentiments as well.

I was largely responding to this:

If there's an upside to P2P other than it being "easy" I'd love to hear it.

Port-forwarding should die. There is no way normal people can run servers on their networks and be safe.

This ignores the risk from targeted attack.

No, I didn't ignore it, I said it was vulnerable in that case.

Most attempts are not targeted.

They simply are not secure enough to be exposed to the Internet.

I didn't say they were secure enough. i just said more secure using obscure ports.

Just to be clear for everyone. A paying DDNS service does NOT provide any type of security. It's just as insecure as any portforwarding and so are all of the vendor provided dynamic ip services.

If you want to have security you need centralised authentication and encryption of your communication.

Both of which are totally absent with these "DDNS", "P2P" kinds of services.

Lots of routers options for VPN access including VPN access from your mobile phones.

There are literally hundreds of inexpensive options here. Any router that can run DD-WRT, Tomato, or PFsense can run OpenVPN.

But that isn't the difficult part. These types of inexpensive (read CPU poor) devices don't scale well when you have multiple simultaneous clients pulling video streams.

Add in the complexity of client configuration and it becomes more than just choosing a router capable of VPN.

One last note, just like any other set of credentials or managed access, VPN creds can also be stolen and used to access your networks.

Bottom line, there is no absolute here. There are layers of risk everywhere. Choosing your best efforts based on potential vs cost will be an individual effort. Layers of security are best. None alone are enough.

The Box itself is $129 MSRP (typically sold around $99 - Amazon is $96 right now). You can also run its software free on existing servers as a Virtual Machine (https://www.camio.com/box/vm/).

Only the live streaming is free. The 30-day storage, search & alerts are $9.90/cam/month. But per your feedback on wanting simple callbacks based on important motion events like car/person, we will likely add an even lower cost plan that has no cloud video storage and only serves as secure gateway for alerts, callbacks and secure viewing.

It may be helpful to describe how P2P and proxys work, as this may help to clarify why you experience different performance at different times. This is my understanding of the technology as of a few years ago, when we implemented it at a VMS I used to work for.

P2P, or Peer To Peer, includes a cloud service that maintains a constant connection with a device, like a camera (the device behind the firewall has to initiate the connection), and when a client connects to the cloud service that wants to view a video stream, the cloud service makes the introduction, essentially telling the client to go talk directly the the camera or the NVR (TCP Hole Puchhing is a common technique). If the connection is successful, then this is true P2P. Lots of different things can stop this from working successfully, including extra security on firewalls (depending on the service used, more than the standard 80 and 443 outbound ports are needed) and things like double NAT (think 2 firewalls before the camera or NVR can get out to the internet).

If a true P2P connection can't be established, the cloud service will usually 'fall back' to what amounts to a proxy, whereby video is sent up to the cloud service, which then forwards it on to the client.

Thus, you may experience different quality of P2P connections that are related to how successful each P2P session is. I'll caveat this all by saying i don't know the details of how HIK or others implement their P2P services or even if they are true P2P services, but that's the P2P world as I understand it. Hope that helps.

And what point is that? That security device manufacturers are incapable of writing bullet-proof code but VPN software engineers always do?

I think it's fair to say that VPN software engineers have a better focus on data/network security then most security device manufacturers, which in many (not all, but many) cases are happy if the firmware just enables the primary function of the device.

The fact that many device firmwares are hardly ever updated after release combined with the flagrant security blunders that oftenly are discovered in these firmwares proves this.

Another point is that a centrally managed security-focused application undoubtedly will have a far better chance of preventing, discovering and resolving datasecurity problems then a wide spread network of randomly (= as good as non-) managed devices with bad firmwares.

This approach best practice when it comes to data security in all IT-related fields. It has become best practice because there are millions of examples that prove it's the way to go.

Then what? They get in to the camera on the isolated VLAN, so they are going to figure out where I live from my IP and the camera views and come rob me by bricking the camera in case I'm watching the live feed?

You are absolutely right when you say that the likeliness of getting hacked at this point in time is very low. However, in my previous post I already mentioned that these automated hacking methods are constantly evolving, so every day this likeliness increases. Again, just get some factual information about this and the only services and devices that have been used as DDOS machines in the past, and you'll see that this is a fact.

Apart from that, as your customer i'd be shocked if you told me someone having access to the stream of the camera is "the worst that can happen".To me it seems that you have enough technical knowledge to set up a real secure solution but the attitude that comes with it is totally wrong.

Also i think it's fair to say that the bulk of integrators do not have this network knowledge and that the solution you provide here with managed switches, VLAN's and routers is much more complicated then a straight forward separate network with a firewall and VPN access.

So this solution is much more complicated, often also more expensive (depending on the situation) and not as effective....

That security device manufacturers are incapable of writing bullet-proof code but VPN software engineers always do?

Historically, yes, it has been the case that it is very rare that a VPN endpoint can be rooted compared to a DVR or camera.

So lets quantify this, the risk is that a zero-day vulnerability will be discovered in my Hik camera before a patch is released?

High. In fact, I can't recall a camera or DVR manufacturer patching a serious vulnerability because of internal testing. Would be happy to be shown an example where they have though.

Even so how do they know that get my camera is vulnerable since its running on port 31313, which in my routers log has never been SYN in the last 3 years, despite thousands of well-known port probes?

Strongly suspect this is a logging issue, as none of the 50+ honeypots I have run have not been fully portscanned in the last 8 months.

Then what? They get in to the camera on the isolated VLAN, so they are going to figure out where I live from my IP and the camera views and come rob me by bricking the camera in case I'm watching the live feed?

1. They brick it because it's fun. A vast proportion of attacks against IoT gear serve no purpose, it's just amusing.

2. They infect it with malware so anything that connects could be compromised

3. They watch the footage

4. The crappy consumer router you have has a vulnerability that means that VLAN is worthless...

5. It hasn't been configured right and you get bitten.

IfyourVPN was rooted how would you know?

Not one of those is a remotely exploitable vulnerability that results in RCE. The first two have no exploit code (and patches were notified to owners by email) and the last requires someone edits the config file.

And how would I know it isn't rooted? The HIDS would likely alert me immediately, and the NIDS and SIEM I run would tell me fairly quickly as well.

But then the VPN is on an isolated VLAN... so now we are back to your argument.

Hey,

Thanks for the reply.

I'm speaking from the experience with integrators and advising towards integrators. You don't seem to be one so that explains the different point of view.

I do remain convinced of my statements about complexity and the fact that the setup you proposed is more complicated whilst being less safe, and I do have experience to do so, but let's agree to disagree on that matter.

Yes, good integrators do these things. Whether there is a VPN or not.

Then i'm afraid the vast majority of integrators (and I'm not only talking about the ones on this website) are bad integrators from your perspective.

What do mean the odds are not in my favor? Even if I get hacked, the odds of it being 'disastrous', (whatever the hell that means), are pretty low. Perhaps you can point to some disastrous real-world examples of zero-day exploits via port-forwarding of cameras. No hypotheticals please.

I'm not a Routerboard or Ubiquiti expert, but I've looked at UBNT's routers enough to know that setting up a VPN is a command line affair if you want to do it without a RADIUS server. Even if you know how to do it (most don't), it's still a non-trivial amount of work in addition to the cost.

pfSense is interesting, also, but again, the installers and target market for these systems have no clue how to operate it.

I'm not saying that the industry shouldn't evolve and that these things are a bad idea. I just don't think it's realistic to expect that every install is going to get them.

I don't know for sure what the solution is, but clearly there are things short of expecting every install to get a VPN that can be done right now, and I'd rather see something instead of nothing.

I have pfSense running at a restaurant where the owner didn't want to spend a lot and he had been fine running on a cheap Linksys router, but I was tired of supporting it so I used an old Dell Dimension he had and put an extra Intel NIC card in and aside from replacing a hard drive, it has been flawless. It's running the latest version without issue. I understand and he fully understand what we did and understood the risk of used hardware. However, I believe it's been up and running for at least three years. I've also used the latest pfSense hardware that is sold by them and it's worked well.

It's worth noting that pfSense offers commercial support now and they assisted in hardware selection to make sure I had the right unit for the amount of network clients.

True, but at least firewall device manufacturers are constantly working to keep their devices as safe as possible with new firmware releases (as opposed to NVR / camera manufacturers which don't have a strong pedigree in network security). The Ubiquiti vulnerability you referenced was targeted at outdated firmware.

true, but in a setup with a VPN concentrator you only have the risk in one place, which is very easy and cost-effective to maintain and takes away the risk from your customer.

To be fair, I don't mean to call out just hardware here either. VMS, PSIM, analytics, and other software are in the same boat. Compared to a VPN application/appliance, any other software/appliance is less secure.

If "cloud" is not an option and you have the option to use VPN, that will always be the most secure choice.

As U4 mentioned, you can put access control in place on the VPN network to limit access to specific addresses and/or ports, so if it's compromised, it's not an all or nothing thing.

Hi Jon,

Not true

When using a VPN setup for multilple site, there's only 1 host that has to be exposed to the internet, and that's the VPN concentrator. All sites can connect to that single host et voila, everything is reachable and secure.

I'll prefer a VPN concentrator to be exposed to the internet over an NVR anytime. Ok in your example the NVR can't be used as a bot, but the entire internet has access to the recordings. Big problem if you ask me, and with current NVR security states also very likely to happen.

Your VLAN setup is much more complicated, whilst being less secure.

Also as a plus: this allows your CCTV network to be entirely separated, even physically whilst you can do whatever you want with the rest of the network. Change your IP range? No problem. Change your ISP? No problem. As long as your VPN router is online and can reach the concentrator it'll work and it'll be secure and easy.

It also allows you to use reverse proxy to reach the NVR from the internet, through that same single concentrator IP, which is super secure.

Also this solution is much cleaner then setups like blablabla.no-ip.com:47463. To me this looks very amateuristic.