Also I think it's fair to say that the bulk of integrators do not have this network knowledge and that the solution you provide here with managed switches, VLANs and routers is much more complicated than a straightforward separate network with a firewall and VPN access.
No, I think that it's unfair. The 'bulk' of integrators, at least the ones on this site, certainly know about VLANs and managed switches. And this is about as simple as it gets in VLANing. Also, regardless of VPN or not, the cameras should be separated from the rest of the network. IMHO, there would be more of a learning curve with VPNs as there are multiple protocols and software elements involved.
So this solution is much more complicated, often also more expensive (depending on the situation) and not as effective....
Not to be insulting, but it's not more complicated. It's less equipment, less software, fewer recurring fees, fewer dependencies.
Now, P2P is a different story altogether, that is easy, though it has its own concerns.
I presume an integrator rolls out at least 100 devices each year. And he uses various devices, different brands of cameras, NVRs, routers,...
You are presuming I'm an integrator? I am not.
An integrator who says he's truly managing this for all these devices (monitoring firmware releases and upgrading when necessary, adjusting configuration when security breaches have been found,...) has very nice service contracts and a well-built tech ops dept or is lying :-)
Yes, good integrators do these things. Whether there is a VPN or not.
And yes, getting hacked can take years...even in this situation...
Thanks for clarifying. When you originally said "You will be hacked", I didn't realize you meant "After several years at 100 devices per year".
but it only has to happen once to be disastrous and the odds are not in your favor with the approach you are taking.
What do you mean the odds are not in my favor? Even if I get hacked, the odds of it being 'disastrous' (whatever the hell that means) are pretty low. Perhaps you can point to some disastrous real-world examples of zero-day exploits via port-forwarding of cameras. No hypotheticals please.