VPNs And Remote Access For Surveillance?

I assume most professional surveillance systems use VPNs to facilitate remote access to viewing video. Is that correct? Does anyone have any specifics to share in how they do it or what they do?

This question arose from a thread about fears of being hacked and the use of port forwarding. I commented that most professional systems would avoid port forwarding, opening holes in firewalls, etc.

It would be useful to share experiences.


Disclosure - I am an employee of Genetec. I have used Cisco PIX and ASA devices for years to create secure VPN-based connections into closed systems for the purposes of support, never to view video. You could encrypt a tunnel for video viewing, but I would suggest a VPN concentrator over a low-end ASA device and a higher-throughput connection to the unit. You could also check out MPLS from your LEC to see if it is available, if viewing rather than just a support link is what you are after.

Used several different vendors' mobile VPN solutions. Currently using Cisco AnyConnect Client w/ ASAs. These same systems are used to support several things, not just VPN to the VS system. They can have good performance (buy according to need) and support for a variety of end devices. Used for support and viewing. There are several good names out there for this kind of service. Of course the performance needs to be there both in the VPN concentrator (IIRC Cisco doesn't have separate/standalone VPN concentrators anymore, it's ASA based) and in the underlying BW, which can already be limited for remote connections.

We use Cisco Client Version 5.0.07.0440. Have used this in a university setting for 3+ years with no problems.

Most integrators I deal with have no clue about VPNs. They leave ports wide open. They install back doors on the VMS server without telling local IT staff. They set all systems, including remote access systems, to simple/guessable/common/shared passwords.

All of the solutions mentioned in the comment stream sound reasonable to a networking person.

Note that the vendors are terrible about providing reasonable authentication mechanisms for remote access, too. Try configuring smartcard login for Remote Desktop to a VMS.

Port forwarding, done soundly, is perfectly reasonable. An actual VPN appliance (like a Cisco ASA 5510) is also reasonable. A bastion host is a good idea because then you can control access.

I very, very rarely see VPNs used.

In order of commonality:

1) Simple port-forwarding on non-standard ports

2) Above, but with a short whitelist of allowed IPs

3) VPN

The current version of AxxonNext allows clients to connect only using VPN. We tried to promote this as the most reliable way and included the process of installing a VPN in the installation process of our product, but we have had a lot of complaints, especially from the US and Canada. Integrators don't want to do it. They ask for a limited port range to open in the router. So, from the next version, we decided to offer a limited port range.

Seems to me that the common thought here is that it's really not based on the VMS but rather the capabilities of the end user and integrator within the IT security scope of work. The capability of security integrators to operate within the IT space will determine who does and who does not move to the next step in security. The world "we" know is becoming IT driven and those willing to learn and adopt will not only survive, but will thrive as their security know-how is needed desperately by the IT professionals slowly taking over the responsibility for evaluation and deployment of security systems. Matt Golueke

Let's be honest, security dealers of the past 10-15 years are now in unfamiliar IT territory. These are the guys requesting open ports and not installing to best practice. Firewall appliances should be installed by IT personnel or security personnel with a strong background in IT. I honestly feel the new physical security integrators are going to need to be data contractors first and security guys second. You can teach an IT guy security but you cannot teach a security guy IT.

"You can teach an IT guy security but you cannot teach a security guy IT."

That is a very broad brush that you are painting with, Undisclosed..... Why can't a security guy learn IT skills? Does IT use some form of magical wizardry that is unfathomable to all security-trained people? Are IT people somehow possessed with exceptional learning capabilities that security people can not even hope to imagine?

While I completely agree that 'modern' integrators need IT-skilled employees, your last statement is more than a wee bit condescending. And if I were to bet, I'd say your perspective comes directly from being an IT person yourself, Undisclosed.

No, not at all. But I am tired of seeing 'experienced' security dealers using TPlink and Netgear layer 1 devices to run enterprise surveillance installations, and using port forwarding as the proper solution to offsite viewing. It's negligence on the security dealer to skip best practice. There's a proper way to implement security with IT, and many dealers claim to offer it, when really they're just doing what they have always done - plug in cameras and hit record. If this doesn't apply to you, then I don't understand why it struck a bad chord...

The 'bad chord' you struck has to do with the over-generalized nature of your last, throw-off sentence. It diminishes your comments preceding it.

The sentence itself is dismissive, generalist - and simply not true. Your statement paints ALL security integrators with the broad brush of incompetence because we sometimes see what you refer to from some 'old-school' integrators.

Anyone with the right aptitude, desire and intellect can learn anything. IT skills are not an indicator of higher intellect, nor does possessing such skills reflect a greater capacity to learn new stuff.

If we want to debate IT vs Security people, in general, let's open a new discussion. Please keep this to the VPN / firewall / remote access / security aspect.

I'm curious why some people above maintain that port forwarding is an unacceptably risky practice, while others are fine with it?

Can anyone provide a breakdown of the 'pros vs cons' of port forwarding vs VPN access as they see it?

Thanks! :)

In my opinion it goes much deeper than a black and white / good and bad topic and is environment (and detail) specific. Example: Port forwarding with firewalling to allow only select access, possibly folks at the facility or maybe even a smaller subset, and VPN for anything else... probably OK where applicable. Port forwarding so the whole world can bang against it with junk traffic (brute force, vulnerability probes, script kiddie junk, etc.) is probably not a good idea, especially knowing how a lot of such boxes are set up and not maintained from an InfoSec perspective (patches, etc.).
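As an added illustration of the distinction drawn in this thread between forwards open to the whole Internet and forwards restricted to a short whitelist (this is not code from any poster; it assumes the router's NAT rules can be exported in `iptables-save` format, and the sample rules, addresses and ports are constructed), a small audit that flags every port forward lacking an effective source filter:

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format; addresses are documentation ranges.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.1.50:8000
-A PREROUTING -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.1.60:443
-A PREROUTING -s 0.0.0.0/0 -i eth0 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.50:554
-A PREROUTING -s 198.51.100.0/24 -i eth0 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.1.2:1194
COMMIT
"""

def _opt(tokens, *names):
    """Return (value, negated) for the first matching option, else (None, False)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1], i > 0 and tokens[i - 1] == "!"
    return None, False

def audit_forwards(ruleset):
    """List every DNAT (port-forward) rule and how wide its source filter is."""
    findings = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] != ["-A"] or "DNAT" not in tokens:
            continue
        src, negated = _opt(tokens, "-s", "--source")
        net = ipaddress.ip_network(src, strict=False) if src else None
        # No -s, a negated -s, or a /0 source all mean "anyone can connect".
        open_to_world = net is None or negated or net.prefixlen == 0
        findings.append({
            "proto": _opt(tokens, "-p", "--protocol")[0],
            "dport": _opt(tokens, "--dport")[0],
            "target": _opt(tokens, "--to-destination")[0],
            "source": "any" if open_to_world else str(net),
            "allowed_addresses": None if open_to_world else net.num_addresses,
            "open_to_world": open_to_world,
        })
    return findings

def exposed_ports(ruleset):
    """Destination ports forwarded with no effective source whitelist."""
    return [f["dport"] for f in audit_forwards(ruleset) if f["open_to_world"]]

if __name__ == "__main__":
    for f in audit_forwards(SAMPLE_RULES):
        label = "OPEN TO WORLD" if f["open_to_world"] else f"{f['allowed_addresses']} source address(es)"
        print(f"{f['proto']}/{f['dport']} -> {f['target']}: {label}")
```

The `allowed_addresses` count makes it easy to spot a "whitelist" that is really a large network block rather than a handful of known hosts.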

We rarely tunnel video over VPN, but I always set up a VPN for remote support. OpenVPN TAP connector is my preference, as it allows the use of camera discovery utilities that rely on non-routable protocols (It would be a terrible choice for streaming video, however - use TUN).

If the VMS streams video via TCP (most do), this further complicates life as that should push you towards a UDP based VPN transport. A UDP VPN requires quite a bit more work, as you are then required to set up port forwarding at both server and all client locations (or use UPnP). I have broken the no-tcp-over-tcp rule before with success, but I have also had it fail miserably (almost always when something really important is happening and you NEED to see the video).

I think the risk of port forwarding is being overstated. Has anyone ever heard of a network compromise that occurred because ports were forwarded for VMS access? (And no - I am not saying that it CAN'T happen).

I'd say the appropriateness of port forwarding vs. VPN depends entirely upon the risks associated with a breach (no port forwarding into the local nuclear power plant, OK?), vs the opportunity costs associated with the added complexity a VPN brings.

I much prefer direct access without the hassle of a VPN. Cisco VPN is some of the worst to deal with. Fortinet and Sonicwall are much better, but I still prefer direct access. I'm an IT person who [thinks] I know what I'm doing, but I well understand other people's concerns about it and agree I've seen old timers who think of passwords in too "generic" of terms. I also in my experience have yet to see or hear of problems created by port forwarding.

Here's an interesting story for you, though. One day a few years ago I was accessing a customer's DVR over the Internet and doing some maintenance on it. We change the default passwords. I disconnected from the DVR and went to connect again a few minutes later, but I didn't get a login prompt. I thought "that's strange". Then I see it's totally different cameras on the system! What happened was I mistyped the IP address by 1 number and got connected to some other customer's (not ours) same make and model of DVR. What are the statistical probabilities of that!? So I got the sales person to look at the cameras and see if he recognized the area, figuring it was probably close by to our customer's place, and told him to go look for the place and see if we could take over some business, first by telling them someone should change his DVR's passwords.

- Undisclosed 2

Undisclosed 2, interesting story! So both had port forwarding set up then?

Either port forwarding or direct connections, I do not remember the details of how they were connected. And yes, a VPN would have mitigated that situation to where at least someone on the public Internet would not have been able to access the system with default password. But no small HOA community would have paid for a VPN for their DVR system at that time. 5 years ago a quality VPN system was still pretty expensive. And HOA members probably would have found it too cumbersome to deal with when a direct connection via port forwarding or direct access (public IP address right on the DVR) with unique passwords was an option. And probably still so today.

Most VPNs are going to be at businesses making maybe $10 million or more a year, and in those cases it's the customer's existing VPN. The integrator doesn't have to worry about providing or setting it up, and you use it whether you like it or not.

Undisclosed 2