Subscriber Discussion

Outdoor IP Cameras - How To Protect Against Intrusion?


I was wondering how to protect an IP camera that is mounted outdoors against being used to get access to the customer's network.

We have some customers that don't want to have IP cameras outside of the building, to be sure that there are no ways to get on the customer's network.

Of course we can think of MAC filtering, firewalls, routing, password setting on servers, using separate networks, etc. Of course routers that are doing MAC filtering or firewalling can also be attacked.

But when the customer's network is to be used, this should be protected as well as possible.

But maybe there are others that have best practices for this or are there devices that are designed for this purpose?

Well the first question is, who is this customer (you can answer that one internally), and what are the realistic chances that someone will even want to access their network?

If your customer is a national defense contractor, then sure, I could see a spy a week trying to find a way in and investigating every avenue, even climbing up to an outdoor camera and plugging into the cable.

If it's a retail shop and the biggest issue is local crackheads looking for a quick merchandise score... it's probably not so much of a concern.

So assuming that nefarious interests are even going to consider that this might be an IP camera rather than analog and so get the idea to attempt accessing it, the first line of defense should be physical, as in simply making that cable as inaccessible as possible: I'd start with a good, solid vandal dome that's not easy to get into using readily-available "tamperproof" screws... look at the old Extreme domes where the bubble is held in by a large thread-in ring that's then secured with very tiny hex-head set screws.

Then I'd make sure that camera is REALLY well anchored directly to the wall, not on an arm or pendant. Put a bead of urethane sealant/adhesive around the edge before attaching it to the wall as well, to further thwart attempts to remove it. Naturally, it should also be as high as possible, and ideally mounted somewhere that would hamper ladder access.

If at all possible, mount the camera somewhere that won't require the cable to be run in a conduit, somewhere that the cable can come straight into it through the wall. Also, try for a camera that has a "tail" for the wiring, rather than one where the UTP run enters the housing and plugs directly into the camera body - that way, if they do access the inside of the camera, they won't have anything to plug into.

If you do need to use conduit, maybe change up the pairs used in the run - for example, wire it so orange is RX instead of TX, and blue is TX rather than green. Then if someone cuts the conduit to access the run, cutting the wire and re-terminating with their own keystone, they won't be able to get a link, as they'll assume it's using standard T568 pairings.

After that, I'd look at having the cameras on their own separate/routed network, their own MAC-based VLAN within that, MAC filtering on the switch/router, firewalls, and so on.

In the end, anything you do COULD be defeated by someone with enough knowledge and skill... but that also requires them to know WHAT measures you've used, and HOW you've implemented them. For example, say they know the company uses a network... if you put the cameras behind their own router, you could give their network addresses as well, so should someone access it via that camera, they'll think they're on the whole network when they're not. Then set the router up to route only specific MAC addresses through.

Yes, they can spoof a MAC, but if the cameras are powered by PoE, then cutting or disconnecting the line will mean the camera loses power, so they won't be able to get a MAC address or any other info off of it (unless they're packing a PointSource or something up the ladder with them). Make sure to remove any stickers with that info from the camera itself, too.

The more levels of security you use, the longer it will take someone to get through all of them, but it starts with preventing that physical access in the first place. Ultimately, ANY attempts to access the network via this run would require disconnecting the camera... meaning you should have signal-loss alerts configured on your VMS, set to email, text, or push to the appropriate security personnel. As long as there's no dropout in the video feed (even inserting a PinPoint would cause a brief drop), everyone can rest assured that nobody is tampering with the line.

And again, all this assumes that anyone with any level of skill REALLY cares about getting into this network... I'd bet 99% of the people who are worried about this, are people with networks nobody really wants to access anyway, unless maybe they're really REALLY jonesing for a Candy Crush fix and just need an internet connection.

802.1x is a common port authentication protocol that's been around network systems for years. In short, you have to log into the network port to use it. A few camera manufacturers support this.

IEEE 802.1X - Wikipedia

It's not foolproof, but supplement it with MAC address whitelisting and VLANs, and maybe even layer 3 switches with protocol and/or port filtering, and you should have a pretty strong barrier to intrusion.

The answers above are really good, but the only surefire solution is self-destructing cable.

Really, anyone can come up with reasons not to install cameras externally. If you are forced to use the customer's network and port security or other network security solutions won't work, then better start looking for some windows to point the camera out!

You could also use tamper detection to notify in real time when there is an issue such as tampering or cam offline, etc... if it is high security then there should be someone manning the system 24/7 or at least that is responsible for such things.
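The link-loss alerting and MAC whitelisting suggested in the replies above can be combined into one monitoring check. The following is an added example, not code from any poster in this thread: the port names, MAC addresses, time window and the key=value event format are all constructed assumptions, standing in for whatever your switch or VMS actually logs.

```python
"""Flag tampering on camera switch ports: any link loss, plus any
non-whitelisted MAC that shows up on a camera port."""
from datetime import datetime, timedelta

# Hypothetical inventory: switch port -> the single camera MAC allowed on it.
CAMERA_PORTS = {
    "Gi0/12": "00:11:22:aa:bb:01",
    "Gi0/13": "00:11:22:aa:bb:02",
}
FLAP_WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample events in a made-up format (not a real vendor's syslog).
SAMPLE_LOG = """\
2024-05-01T02:14:07 port=Gi0/12 event=link_down
2024-05-01T02:15:41 port=Gi0/12 event=link_up
2024-05-01T02:15:44 port=Gi0/12 event=mac_learned mac=DE:AD:BE:EF:00:01
2024-05-01T03:00:00 port=Gi0/13 event=link_down
2024-05-01T03:00:09 port=Gi0/13 event=link_up
2024-05-01T03:00:12 port=Gi0/13 event=mac_learned mac=00:11:22:AA:BB:02
2024-05-01T03:05:00 port=Gi0/20 event=link_down
"""

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def detect(log_text):
    """Return (port, alert_kind, detail) tuples for camera ports only."""
    alerts, last_down = [], {}
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        port = ev["port"]
        if port not in CAMERA_PORTS:
            continue  # not a camera run; out of scope for this check
        if ev["event"] == "link_down":
            # Always alert: a spoofed MAC still requires unplugging the camera.
            last_down[port] = ev["ts"]
            alerts.append((port, "LINK_LOSS", ev["ts"].isoformat()))
        elif ev["event"] == "mac_learned":
            mac = ev["mac"].lower()
            if mac != CAMERA_PORTS[port]:
                down = last_down.get(port)
                flapped = down is not None and ev["ts"] - down <= FLAP_WINDOW
                kind = "UNKNOWN_MAC_AFTER_FLAP" if flapped else "UNKNOWN_MAC"
                alerts.append((port, kind, mac))
    return alerts
```

The Gi0/13 case shows why link loss is alerted on its own: the MAC that returns matches the whitelist, which is exactly what a spoofed device would look like.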