Subscriber Discussion
Startup Idea - Remote Recorder Access - Is There A Market For This?
Hi everyone, I'm seeking feedback to hopefully determine whether there is a wider market for a system I've developed for my own use. Do you agree that there is a problem? Do you think my solution is something you (or your clients) would pay for? Thanks for your help.
Problem: I design/sell/install CCTV systems for small/medium businesses (and I also teach IT networking). I needed remote access to my DVR/NVR but the client didn't want me to be able to see the rest of their internal network. They didn't have a network admin to set up VLANs etc. (My market is limited to small/medium enterprise, I don't think this problem would be relevant in larger organisations where they have a network administrator).
Solution: I installed a router between the DVR/NVR and the client's network and configured the firewall to only allow access to the client's default gateway. Firewall administration from NVR/DVR side of the network has been disabled (so rules can't be changed). This alone lets me use logmein.com without having any access to the client's internal network.
I also set up a VPN client on the router that connects to a remote VPN server. Now I can connect through the VPN server directly to my NVR/DVR via open ports for direct access to the streaming server, internal web server etc.
Other benefits: If I happen to get a virus on my system it won't infect the client's network. If my DVR/NVR is hacked the hacker won't have access to the rest of the client's network.
Opportunity? This was a reasonably large pain to set up, but I can easily repeat the process now I know how to do it. Is this a problem other people are facing? Would you spend ~$200 on a hardware device to fix it. Would you (or your client) pay a monthly/yearly subscription charge to use the hosted VPN server? How much? What would help motivate you to set up your clients behind one of these devices? Margin on the initial sale of the device? Ongoing commissions on monthly subscription?
While my main motivation here was better security for my customers I can also see some benefits from an ease of install/management point of view - primarily in not having to go near clients' routers to set up port forwarding. If I was going to take a service like this to market I'd set up a web interface that would allow consolidated management of your devices such as easily opening/closing ports. This would mean the install process for this device could be as easy as:
1) plug DVR/NVR into port 1 of device
2) plug client network into port 2 of device
You can now use logmein.com / gotomypc etc + your client's network is isolated from your network
3) if you also need open ports, log into www.danswebsite.com and set which ports need to be opened on your device
You can now remotely access your device directly from yourdevice.danswebsite.com:portnumber
Before I go to the effort of building a web site, thinking of an awesome name or leasing a yacht I thought it would be sensible to determine whether there was any market for this kind of product. I'd appreciate any feedback or suggestions for improvements. I know this isn't the next Facebook, and it's probably way too specialised for Kickstarter, but if there are enough people in this community who like the idea that would be enough proof for me to have a go at launching this idea as a side project.
Additionally, if this has already been done (I couldn't find it but the web's a big place) or if you think the idea won't work for any reason please let me know so I can stop wasting my time and move on to a different project! Thanks again.
Dan
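The isolation policy Dan describes (DVR side may reach only the client's default gateway and the public Internet, router administration locked from the DVR side, installer access only over the VPN on explicitly opened ports) as an added first-match policy model; this is example code, not part of the original post or any product, and every address, subnet and port in it is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumptions for illustration, not values from the thread).
CLIENT_LAN = ipaddress.ip_network("192.168.1.0/24")    # client's internal network
CLIENT_GATEWAY = ipaddress.ip_address("192.168.1.1")   # their default gateway: the only LAN host the DVR may reach
DVR_NET = ipaddress.ip_network("10.99.0.0/24")         # isolated side behind the installer's router
ROUTER_ADMIN = ipaddress.ip_address("10.99.0.1")       # router's DVR-side address (admin disabled from this side)
DVR = ipaddress.ip_address("10.99.0.10")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")          # tunnel from the hosted VPN server
OPENED_PORTS = {80, 554, 8000}                          # web UI / RTSP / streaming ports "opened" for the device
ADMIN_PORTS = {22, 80, 443}                             # router's own management ports
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def policy(flow: Flow) -> str:
    """First-match evaluation of the isolation router's policy; returns 'accept' or 'drop'."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in DVR_NET:
        if dst == ROUTER_ADMIN and flow.dport in ADMIN_PORTS:
            return "drop"            # firewall administration disabled from the DVR side
        if dst in CLIENT_LAN:
            return "accept" if dst == CLIENT_GATEWAY else "drop"  # gateway only, no other LAN hosts
        if any(dst in net for net in RFC1918) and dst not in DVR_NET:
            return "drop"            # no reach into any other private range either
        return "accept"              # public Internet: outbound LogMeIn-style access still works
    if src in VPN_NET and dst == DVR and flow.dport in OPENED_PORTS:
        return "accept"              # installer over the VPN, only on the ports opened for the device
    if src in CLIENT_LAN and dst == DVR and flow.dport in OPENED_PORTS:
        return "accept"              # customer on their own LAN still views the cameras
    return "drop"                    # everything else, including VPN -> client LAN
```

Running the same flows through the policy before and after a rule change is a quick way to confirm that opening a port for the installer never also opens a path from the DVR side into the client LAN.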
Dan -
There *is* a market for this (IMO). You're solving a fairly common problem in a practical manner.
In the early 2000s another company patented this basic idea for a similar use case. I think that company is essentially dead, but just in case, I'm not going to mention their name here to make sure a Google alert doesn't wake up some patent troll that bought the IP/patent. I'll send the info to John to send to you.
The biggest headache you'll face is that now you are essentially an ISP of sorts for every one of your customers. Any issues they have, they'll want to call you up and tell you "I can't see my cameras, your service is down", even when a hurricane has leveled their building... So, make sure you hire plenty of support people :)
A practical approach would be to sell this as a convenience+security offering with an RMR kickback to the dealer. At least in the beginning you probably want it to be a no-brainer purchase option, so something like $25/mo (USD) with a $5 kickback to the dealer should work. You'll need some language in your contract about bandwidth usage I think, because if people leave a live view of their cameras up 24/7, all that data is streaming through wherever your VPN is hosted and it will start to add up quick.

03/18/14 07:42pm
Why not just sell them a router/firewall with the ability to do VLANS? Just sell them a Sonicwall and a managed switch and call it a day. I don't get why people try to get too fancy when dealing with simple issues. You can also charge them for the install/config of the Sonicwall and switch.
If a small biz doesn't want you to TOUCH their LAN period, why would they trust you at all?

03/18/14 10:54pm
If I'm understanding you correctly, what you're proposing here is an idiotproof (well, idiot resistant) way of getting any NVR or DVR online, regardless of DVR model, router model, or ISP? For $200? I'll take a pallet.
I've been dreaming of just such a product since I put my very first DVR online. It was 2002 or 2003, and it took me most of a day to figure it out. The DVR was an Everfocus, an EDR series I think. I remember thinking that I wished the customer had just gotten a VCR like normal people.
My biggest concern with this is that IT from a customer does not have control over this firewall. After the Target problem, many should be concerned that Logmein is a security vulnerability for customers, and many allow this that are not knowledgeable to the fact that you have the keys to their network (you have access to NVR, which can change router settings, which does not show audit trail to customer on their network). Most of our IT fluent customers require VPN access (they setup) and frown on logmein. The reason is that this gives them logs and audit trails for any vendor that accesses an internal network. They must have full control and monitoring of "doors" (routers, firewalls) that interact with their systems. If you do have a small business with the Linksys router protecting their network, Logmein may sound great to them for remote support, but make sure you have them sign something stating what is in place and what you can do, with the process you will follow to alert them that you are entering their network.
Other better method is to upsell a Sonicwall TZ100/200, put it outside of their business network and before the public connection, and then put the DVR/NVR in this zone. Portforward client and web access for mobile devices, and allow all out and none inbound. With business ISP services from the provider (usually pool of a couple of public addresses and a gateway address), instead of NAT, can just assign IP public address to their WAN port. Firewall your NVR to another public address assigned. Now you can Logmein at will with no risk. Customer can access NVR easily from their outbound rules.
Hi Jeffery, thanks for taking the time to comment. I completely agree with your concerns. 3rd party remote access can be a massive security vulnerability and the Target problem was in the back of my mind when I was thinking about how I was going to fix this problem for my customers.
Enhanced logging is a great idea, I'll look to incorporate this into the design. I also agree that the customer's IT department should be aware of everything on their network. I don't see any technical barriers to this, it would even be possible to allow them to administer the device from the client side of the LAN while still restricting the DVR side.
As you say, lots of people use Logmein or other similar services. If their accounts were compromised an attacker would have access not only to their systems but the systems of their clients too.
What I'm proposing is a solution that solves part of this problem by greatly reducing the opportunity for an attacker to use 3rd party equipment to compromise the remainder of the network.
If all customers required VPN access at the network perimeter there wouldn't be an opportunity here, but they don't so I suspect there is. I've spoken with the IT departments of the customers where I've deployed this solution and after I explained the concept they were all OK with it, they were happy that they didn't have to change their router / firewall configs!
As you have the skills to set up a firewall / VPN at the network perimeter and your clients are OK with you doing this you wouldn't be part of my target market, but think of how many sites you have seen where the installer didn't have this option so instead installed logmein/gotomypc, set up port forwarding or put the DVR straight into the DMZ. Would you agree that isolating these machines behind the untrusted side of a firewall would be preferable?
I saw the whole point of this was to limit access to the customer network from the remote access to the box (rules to only allow access to gateway) but I assume allow customer to the box. This whole thing is based on also gaining remote desktop or ultravnc or logmein to box? DMZ is a horrible idea, where isolated port forwarding is preferred (with trusted root certificate for secured web access). Many times you will not have credentials to router and do not want liability for setting anyway. Also the day and age of all windows computers in your line of boxes is coming to an end (hikvision 64 channel our cost 2000 bucks) so single port access to administration functions of cameras and boxes may be all you need. I am building some microcomputers to put within customers networks for VPN or logmein because of appliance box applications (see Foxconn). Not sure of last question and meaning of untrusted side of firewall.
The whole point is easily limit access to the customer network while still allowing remote access to your own equipment via whatever remote access protocol / program you like.
Agree that DMZ is horrible but I've seen it used before in particular when the customer was using an ISP provided router that didn't give them full control over port forwarding... of course the first thing I've done in these instances is sell them a firewall/router/managed switch. But instead, I could have used this solution, if it existed.
Agree that you don't always have creds for the router or want to go near it, in particular if they have a regular IT contractor but no internal staff responsible for IT.
It sounds like this solution could replace the need for your microcomputers in some cases. You would just install the control software locally and use my box to establish a VPN with your equipment.
By untrusted side of firewall I mean the zone that has been configured to only allow access to the Internet so that it is isolated from the rest of the client's network.
Hi, Dan. I do something much like this - using a router to isolate NVR network from client's side of network, at least.
Most of my customers are small enterprises, or remote facilities with minimal LAN infrastructure. Usually, just a local WAN router/modem and maybe a switch, and a few cable 'homeruns' to local appliances.
Almost every surveillance network I deploy is 'insulated' with a gateway router - including cameras (which, if IP, are just another computer host, with similar security risks). I run dedicated Cat5/6 cable for these networks, and almost never use/reuse any local LAN - I trust it less than they trust me.
I use a very powerful but inexpensive router as the gateway, as you describe. The NVR and all cameras are NAT'ed behind it. I use 'typical' firewall rules to help protect the router from attack, tarpitting what falls through. To 'slow down' potential hacking via administrative login (either local or remote), I use double port knocking rules and, of course, a strong password.
If the customer is unsophisticated, I'll get on their local WAN router/modem (usually a common brand, with default user names and passwords still intact!), and set appropriate port forwarding to my gateway router. I used to 'zone' traffic from the private surveillance network, but realized that the WAN router itself was a far greater security risk to the local LAN than any attack from 'within' the private surveillance network, via a 'hack' of the remote access to either my gateway router or the NVR host itself. The principal exception, of course, is local, physical access to the NVR host box itself, and what might be done from a keyboard directly.
If they have an IT admin, then he/she puts the port forwarding rules on their WAN router, and may create firewall rules to limit (zone) all traffic from my gateway router to the WAN. Sometimes we'll use a VPN for another layer of 'insulation,' but not usually.
Some, very anal, IT folks will put a completely separate WAN access point in place, so there is absolutely no interconnection with the surveillance network and the company's private network. Ironclad, but comes with additional cost.
All customers have a public URL (DynDns) that I provide them, with specific ports set for access to the NVR VMS service(s) running.
For NVR host remote administration, I used to use LogMeIn, but have recently gone to TeamViewer. I find it quicker and easier for me to use - not sure if either is more 'secure' than the other, Target notwithstanding. Again, strong passwords for TeamViewer connection and NVR host user login. No Windows Remote enabled, of course.
By the way, as you're an IT instructor, you know all the potential benefits of having a fully-featured router on your 'private' surveillance network, with regards to performance monitoring and tuning, and remote maintenance and administration. I could not be doing this without this type of architecture. Way too many truck rolls and attempts to resolve issues with the end customer at the keyboard, over the phone...
I thought everyone did something like this - at least when existing LAN infrastructure is minimal. The VPN would make it stronger, if you're not confident that the remote access method you use, combined with the private surveillance network isolation you employ, are adequate. If you're using the existing LAN, then the VPN would certainly be recommended - especially if PoS or other high-security exposures are present on it.
Sorry about the anonymous post - but I recently got my mail server hacked (by Russians), and don't want anyone trying to figure out where these installations might be in place... now, am I paranoid, or what?