Subscriber Discussion

Startup Idea - Remote Recorder Access - Is There A Market For This?

Hi everyone, I'm seeking feedback to hopefully determine whether there is a wider market for a system I've developed for my own use. Do you agree that there is a problem? Do you think my solution is something you (or your clients) would pay for? Thanks for your help.

Problem: I design/sell/install CCTV systems for small/medium businesses (and I also teach IT networking). I needed remote access to my DVR/NVR but the client didn't want me to be able to see the rest of their internal network. They didn't have a network admin to set up VLANs etc. (My market is limited to small/medium enterprise, I don't think this problem would be relevant in larger organisations where they have a network administrator).

Solution: I installed a router between the DVR/NVR and the client's network and configured the firewall to only allow access to the client's default gateway. Firewall administration from NVR/DVR side of the network has been disabled (so rules can't be changed). This alone lets me use without having any access to the client's internal network.

I also set up a VPN client on the router that connects to a remote VPN server. Now I can connect through the VPN server directly to my NVR/DVR via open ports for direct access to the streaming server, internal web server etc.

Other benefits: If I happen to get a virus on my system it won't infect the client's network. If my DVR/NVR is hacked the hacker won't have access to the rest of the client's network.

Opportunity? This was a reasonably large pain to set up, but I can easily repeat the process now I know how to do it. Is this a problem other people are facing? Would you spend ~$200 on a hardware device to fix it. Would you (or your client) pay a monthly/yearly subscription charge to use the hosted VPN server? How much? What would help motivate you to set up your clients behind one of these devices? Margin on the initial sale of the device? Ongoing commissions on monthly subscription?

While my main motivation here was better security for my customers I can also see some benefits from an ease of install/management point of view - primarily in not having to go near client's routers to set up port forwarding. If I was going to take a service like this to market I'd set up a web interface that would allow consolidated mangement of your devices such as easily opening/closing ports. This would mean the install process for this device could be as easy as:

1) plug DVR/NVR into port 1 of device

2) plug client network into port 2 of device

You can now use / gotomypc etc + your client's network is isolated from your network

3) if you also need open ports, log into and set which ports need to be opened on your device

You can now remotely access your device directly from

Before I go to the effort of building a web site, thinking of an awesome name or leasing a yacht I thought it would be sensible to determine whether there was any market for this kind of product. I'd appreciate any feedback or suggestions for improvements. I know this isn't the next Facebook, and it's probably way to specialised for kickstarter, but if there are enough people in this community who like the idea that would be enough proof for me to have a go at launching this idea as a side project.

Additionally, if this has already been done (I couldn't find it but the web's a big place) or if you think the idea won't work for any reason please let me know so I can stop wasting my time and move on to a different project! Thanks again.


Dan -

There *is* a market for this (IMO). You're solving a fairly common problem in a practical manner.

In the early 2000's another company patented this basic idea for a similar use case. I think that company is essentially dead, but just in case, I'm not going to mention their name here to make sure a Google alert doesn't wake up some patent troll that bought the IP/patent. I'll send the info to John to send to you.

The biggest headache you'll face is that now you are essentially an ISP of sorts for every one of your customers. Any issues they have, they'll want to call you up and tell you "I can't see my cameras, your service is down", even when a hurricane has leveled their building... So, make sure you hire plenty of support people :)

A practical approach would be to sell this as a convienience+security offering with an RMR kickback to the dealer. At least in the beginning you probably want it to be a no-brainer purchase option, so something like $25/mo (USD) with a $5 kickback to the dealer should work. You'll need some language in your contract about bandwidth usage I think, because if people leave a live view of their cameras up 24/7, all that data is streaming through whereever your VPN is hosted and it will start to add up quick.

Thanks for the feedback. I hadn't considered the bandwidth issue but you are absolutely correct, I'd need to time it out or restrict bandwidth in some way or this could cost a fortune. I mostly just use it for remote admin and my customers use it for checking cameras occasionally, but if someone wanted a permanent remote connection streaming this would increase costs substantially.

Why not just sell them a router/firewall with the ability to do VLANS? Just sell them a Sonicwall and a managed switch and call it a day. I don't get why people try to get too fancy when dealing with simple issues. You can also charge them for the install/config of the Sonicwall and switch.

If a small biz doesn't want you to TOUCH their LAN period, why would they trust you at all?

Why not just sell them a router/firewall with the ability to do VLANS...and call it a day.

Cuz we sell milk, not cows...

Cuz we sell milk, not cows...

Ain't that a bit of Texas wisdom!

That's a clever way of summing up the case for RMR! On the other hand, sometimes it is better for customers to just buy the networking applaince cow.

What are your thoughts in this case John? Cow or milk?

I think it depends ultimately on what are your recurring costs for providing this. If the recurring costs are sizeable, then it's 'milk'. If they are very low or nonexistent, most people will want to buy the 'cow' realizing that it's less expensive for them that way.

While there are recurrent costs (of a few dollars a month for me), I'm hoping that the reduction in up front costs and hassle compared to installing a firewall/VLAN and the improved security compared to logmein or port forwarding into the client's network with will make my idea viable.

I've approached a few of my customers and they are willing to pay $20 a month for the extra security provided by isolating my DVR from their LAN. However, I am wondering whether they are willing to pay because they see the value in the idea or if its just because they trust my advise - I suspect it is a bit of both, but can't imagine them buying the solution without a recommendation from me.

As such, I'm leaning towards still trying to charge end users $20 a month but giving a 40% commission to the reseller as I suspect that sales will occur mostly because end user's trust their reseller/integrator.

So I guess my next step is building a complete solution that reputable integrators trust enough to recommend.

The way burglar alarm central station monitoring works is the alarm integrator contracts with a monitoring service. The service bills the integrator a low price, usually $5 to $7 or so (All-American charges $2.50 for example), depending on features, and the integrator bills the customer, usually $250 to $350 a year. This is the bread and butter of most alarm installers, who charge about enough to break even or make a small profit on the equipment installation, and rely on the "monthlies" coming in to actually survive. And when it comes time to admit that it's too hard to make money in this business and being a hobo is probably a more dignified life, you can sell off your contracts to another company, usually for three or four years worth of monitoring (so if the customer is paying $300 a year, that account is worth $900 to $1,200).

A similiar model is probably a good idea. $10 a month or $99 a year direct to the end user, or $5 to a dealer and let them charge the customer whatever they want.

Yes, the customer can go directly to WinsonSoft and buy the product direct, but you can get alarm monitoring yourself, too, if you know how.

I like this idea Ari, by copying a model that dealers already understand from their experience with alarms it seems like it would be easier to get them on board.

It would also give dealers an easy way to start charging a monthly price if they aren't already "You have to have this if you want me to offer any remote support and it isolates my equipment from yours to make sure that your DVR which doesn't have antivirus isn't putting the rest of your network at risk, it's only $10 a month" seems like a clear enough sales pitch. From there the dealer could easily on sell extra services "For $30 a month I'll proactively monitor your system's health, for $50 a month I'll do a test restore to confirm footage is working... "

A team of MBAs couldn't come up with a clearer explanation of RMR if they worked for a year. I owe you a beer next time you come up to Yankeetown.

Thank you kindly sir, though if its all the same I'll just take a snort of Jim Beam Black, cuz I'm on a diet.

Thanks for the feedback Jon, you are correct that a firewall/switch would do everything my solution does. In my experience though many CCTV consultants either can't or don't want to become their customer's computer/network support person. I'm hoping there are enough of these people out there to make this idea viable.

If they can't install a simple Sonicwall and managed switch, then they shouldn't be touching a network in ANY way. We aren't talking a complicated Cisco CLI-only device that needs a certified engineer. This is pretty basic networking stuff here. It seems to me that your solution doesn't really fix any issues with complexity or security. All it does is create a revenue stream for you, and IMO just for the short term.

But, all that said, you know why *I* would never sell your solution? I wouldn't trust that you are going to stay in business to provide that VPN access. As a startup, you are either going to have to charge way too much to cover start up costs, or you will drown in debt. Either way, I can't live with either option.

Another big issue for me is that you are taking a very simple issue and compounding it with a very complex "solution". Instead of accepting sub-standard integrators, why wouldn't you instead insist they get with the times and learn the skillset needed for today's markets. I know, I know, it's the milk.

I know that if I locked my clients into this proprietary, closed loop solution that died soon after install because the dev couldn't afford the servers and bandwith, I would never get future business from them. However, if I offered the correct solution, which was cheaper, more robust, and the right way to do things, I will not only earn their future business, but hopefully also referrals for other new clients.

I would rather sell cows. Lots of cows.

Instead of accepting sub-standard integrators, why wouldn't you instead insist they get with the times and learn the skillset needed for today's markets.

Because you have no control over that? There are hundreds of trunkslammers for whom this product would be a godsend. And 'half-assed' is better than 'completely wrong' or 'non-functional'.

I would rather sell cows. Lots of cows...

And farms, big farms...

Thanks again for the detailed feedback, you've given me plenty to think about - I'm trying hard to stay completely objective so I can decide whether this idea is worth pursuing, as a natural optimist it's difficult - I tend to see the opportunities which can make me blind to the problems. So I definitely owe you a beer whether or not I go ahead with this project.

Whether or not people should be installing network devices without required knowledge of networking is probably not relevant though, all that matters is whether they are.

While this solution doesn't reduce overall system complexity, it does move responsibility for the complexity from the integrator to me as a service provider.

From a security point of view what I'm providing is similar to installing a seperate Internet connection for 3rd party equipment without having to pay as much. While it will only protect the 3rd party equipment if the installer chooses to connect via the VPN rather than a simple port forward it will always provide isolation from the customers other equipment which I'm sure would stop a lot of opportunities for hackers.

Yes the idea is that this creates a revenue stream - not a bad thing IMO if I'm delivering a service that the customer wants.

If you accept that there are integrators out there that don't want to worry about networking (and I definitely think there are) the question moves to whether anyone will pay a monthly charge for easy install / better security rather than paying an external consultant to install a firewall/VLAN.

I take your point that buying an ongoing service from any startup comes with risk and this will stop some people buying, so if I'm going to proceed I'd need to rely on early adopters who see enough value in the offer to accept that risk.

If I'm understanding you correctly, what you're proposing here is an idiotproof (well, idiot resistant) way of getting any NVR or DVR online, regardless of DVR model, router model, or ISP? For $200? I'll take a pallet.

I've been dreaming of just such a product since I put my very first DVR online. It was 2002 or 2003, and it took me most of a day to figure it out. The DVR was an Everfocus, an EDR series I think. I remember thinking that I wished the customer had just gotten a VCR like normal people.

Edit: I'd pay $10/month forever, if you threw in a DDNS service.

Thanks Ari, you are understanding the idea correctly, I'd be making it as close to idiotproof as possible. It sounds like you are my key demographic. When the time comes would you be interested in doing some beta testing?

How about $25/year for 30 hosts?

A Leading Dynamic DNS Provider | Dyn

I love dyndns, I've been a pro subscriber for years. But, it doesn't change the routing requirements for remote access, it just redirects a name to an IP (which is very useful if the client has a dynamic IP address that changes each time they connect to the Internet).

You still need to set up port forwarding on the client's router/firewall (either directly to your device or to a VPN server) and if your device isn't in its own VLAN you risk your device being used as a launching point for further network intrusions.

My biggest concern with this is that IT from a customer does not have control over this firewall. After the Target problem, many should be concerned that Logmein is a security vulnerability for customers, and many allow this that are not knowledgeable to the fact that you have the keys to their network (you have access to NVR, which can change router settings, which does not show audit trail to customer on their network). Most of our IT fluent customers require VPN access (they setup) and frown on logmein. The reason is that this gives them logs and audit trails for any vendor that accesses an internal network. They must have full control and monitoring of "doors" (routers, firewalls) that interact with their systems. If you do have a small business with the Linksys router protecting their network, Logmein may sound great to them for remote support, but make sure you have them sign something stating what is in place and what you can do, with the process you will follow to alert them that you are entering their network.

Other better method is to upsell a Sonicwall TZ100/200, put it outside of their business network and before the public connection, and then put the DVR/NVR in this zone. Portforward client and web access for mobile devices, and allow all out and none inbound. With business ISP services from the provider (usually pool of a couple of public addresses and a gateway address), instead of NAT, can just assign IP public address to their WAN port. Firewall your NVR to another public address assigned. Now you can Logmein at will with no risk. Customer can access NVR easily from their outbound rules.

Hi Jeffery, thanks for taking the time to comment. I completely agree with your concerns. 3rd party remote access can be a massive security vulnerability and the Target problem was in the back of my mind when I was thinking about how I was going to fix this problem for my customers.

Enhanced logging is a great idea, I'll look to incorporate this into the design. I also agree that the customer's IT department should be award of everything on their network. I don't see any technical barriers to this, it would even be possible to allow them to administer the device from the client side of the LAN while still restricting the DVR side.

As you say, lots of people use Logmein or other similar services. If their accounts were compromised an attacker would have access not only to their systems but the system's of their clients too.

What I'm proposing is a solution that solves part of this problem by greatly reducing the opportunity for an attacker to use 3rd party equipment to compromise the remainder of the network.

If all customers required VPN access at the network perimiter there wouldn't be an opportunity here, but they don't so I suspect there is. I've spoken with the IT departments of the customers where I've deployed this solution and after I explained the conept they were all OK with it, they were happy that they didn't have to change their router / firewall configs!

As you have the skills to set up a firewall / VPN at the network perimeter and your clients are OK with you doing this you wouldn't be part of my target market, but think of how many sites you have seen where the installer didn't have this option so instead installed logmein/gotomypc, set up port forwarding or put the DVR straight into the DMZ. Would you agree that isolating these machines behind the untrusted side of a firewall would be preferable?

I saw the whole point of this was to limit access to the customer network from the remote access to the box ( rules to only allow access to gateway) but I assume allow customer to the box. This whole thing is based on also gaining remote desktop or ultravnc or logmein to box? DMZ is a horrible idea, where isolated port forwarding is preferred. (with trusted root certificate for secured web access). Many times you will not have credentials to router and do not want liability for setting anyway. Also the day and age of all windows computers in you line of boxes is coming to an end. (hikvision 64 channel our cost 2000 bucks) so single port access to administration functions of cameras and boxes may be all you need. I am building some microcomputers to put within customers networks for VPN or logmein because of appliance box applications. (see Foxconn). Not sure of last question and meaning of untrusted side of firewall.

The whole point is easily limit access to the customer network while still allowing remote access to your own equipment via whatever remote access protocol / program you like.

Agree that DMZ is horrible but I've seen it used before in particular when the customer was using an ISP provided router that didn't give them full control over port forwarding... of course the first thing I've done in these instances is sell them a firewall/router/managed switch. But instead, I could have used this solution, if it existed.

Agree that you don't always have creds for the router or want to go near it, in particular if they have a regular IT contractor but no internal staff responsible for IT.

It sounds like this solution could replace the need for your microcomputers in some cases.You would just install the control software locally and use my box to establish a VPN with your equipment.

By untrusted side of firewall I mean the zone that has been configured to only allow access to the Internet so that it is isolated from the rest of the client's network.

Hi, Dan. I do something much like this - using a router to isolate NVR network from client's side of network, at least.

Most of my customers are small enterprises, or remote facilities with minimal LAN infrastructure. Usually, just a local WAN router/modem and maybe a switch, and a few cable 'homeruns' to local appliances.

Almost every surveillance network I deploy is 'insulated' with a gateway router - including cameras (which, if IP, are just another computer host, with similar security risks). I run dedicated Cat5/6 cable for these networks, and almost never use/resuse any local LAN - I trust it less than they trust me.

I use a very powerful but inexpensive router as the gateway, as you describe. The NVR and all cameras are NAT'ed behind it. I use 'typical' firewall rules to help protect the router from attack, tarpitting what falls through. To 'slow down' potential hacking via administrative login (either local or remote), I use double port knocking rules and, of course, a strong password.

If the customer is unsophisticated, I'll get on thier local WAN router/modem (usually a common brand, with default user names and passwords still intact!), and set appropriate port forwarding to my gateway router. I used to 'zone' traffic from the private surveillance network, but realized that the WAN router itself was a far greater security risk to the local LAN than any attack from 'within' the private surveillance network, via a 'hack' of the remote access to either my gateway router or the NVR host itself. The principal exception, of course, is local, physical access to the NVR host box itself, and what might be done from a keyboard directly.

If they have an IT admin, then he/she puts the port forwarding rules on thier WAN router, and may create firewall rules to limit (zone) all traffic from my gateway router to the WAN. Sometimes we'll use a VPN for another layer of 'insulation,' but not usually.

Some, very anal, IT folks will put a completely separate WAN access point in place, so there is absolutely no interconnection with the surveillance network and the company's private network. Ironclad, but comes with addtional cost.

All customers have a public URL (DynDns) that I provide them, with specifc ports set for access to the NVR VMS service(s) running.

For NVR host remote administration, I used to use LogMeIn, but have recently gone to TeamViewer. I find it quicker and easier for me to use - not sure if either is more 'secure' than the other, Target notwithstanding. Again, strong passwords for TeamViewer connection and NVR host user login. No Windows Remote enabled, of course.

By the way, as you're an IT instructor, you know all the potential benefits of having a fully-featured router on your 'private' surveillance network, with regards to performance monitoring and tuning, and remote maintenance and administration. I could not be doing this without this type of architecture. Way too many truck rolls and attempts to resolve issues with the end customer at the keyboard, over the phone...

I thought everyone did something like this - at least when existing LAN infrastructure is minimal. The VPN would make it stronger, if you're not confident that the remote access method you use, combined with the private surveillance network isolation you employ, are adequate. If you're using the existing LAN, then the VPN would certainly be recommended - especially if PoS or other high-security exposures are present on it.

Sorry about the anonymous post - but I recently got my mail server hacked (by Russians), and don't want anyone trying to figure out where these installations might be in place... now, am I paranoid, or what?