This is a critical choice in designing video surveillance systems. Though 'convergence' was a big theme of the past decade, deciding what to do has been much harder in practice.
** **** *****, ** ***** **** the *** ******* ** **** ********, pro *** ****, *********:
I like this report in that it reminds all our colleagues of the pros/cons of network design. At the end of the day an integrator has the responsibility to inform the customer of the options. It's the customer who will chose which path to take based on their involvement in the design, implementation and maintenance of the system.
Once you have to apply multicast to a medium+ size network and firewall segments for security reasons/standards the tendency is to separate (dedicate) networks.
The "political" aspect is indeed a primary factor (all over the world...) - sometimes you have other involved parties like the electronics maintenance entity.
The best results we have achieved were in cases which included an SLA between the security and maintenance entities.
With IP Cameras being a hot target for hackers and bots, basic cybersecurity best practices state a dedicated network is definitely the way to go. Restrict services, VLAN IOT devices, enforce password complexity and whitelisting traffic all combine to create a much more resilient IOT network outside the main network, boosting overall network security for the enterprise.
A dedicated vlan is the recommendation on the cyber side. That does not mean dedicated hardware :-) Those things can all be accomplished on the same hardware.
That is true, but when it comes to a layered approach, a network engineer once said to me regarding a VLAN, "..you mean the velvet rope of network security?"
The extra layer of hardware, including a VLAN, is like adding another layer of armor to a tank. Sure a VLAN itself works, but you don't see bomb disposal guys wearing only a helmet and bulletproof vest.
Ha! That gave me a good chuckle but it is fairly overblown. There is a limited set of known ways to compromise vlan security and all are relatively complex. This comes back to the fact that a highly motivated attacker will get in one way or another at some point. Of possible methods, vlan based attacks are generally far from the easiest and we all know that bad actors take the least path of resistance. Unless there is a glaring misconfig (certainly always possible), these attacks are very uncommon. Someone is going to compromise something via phishing or social engineering far before these types of attacks play out unless someone "leaves the door open".
Calling vlans a "velvet rope of security" is more a function of poor network engineering than technological failing. We use vlans extensively across our 120 building, 5 campus enterprise to maintain and monitor a highly secure network. Separate physical networks would be impossible to maintain, support AND secure. For a single building a physically separate net may be workable if not optimal but secure vlans in the larger enterprise are not only possible and desirable but preferable.
How can you deal with the IT department when you have constant packet losses between your IP cameras and the recording iSCSI storages, the network is multicast enabled, ICMP pings show packet losses, and they do not admint that the issue is with their switches ?
Run Wireshark to find where the packets are being dropped and prove to them it is a QoS setting on their end. Obviously, you would need permission to run that on their network and they will probably do it themselves. Hopefully they can admit they are wrong.
Fantastic info! All about the dedicated networks in my mind.
Agree
Disagree
Informative
Unhelpful
Funny
Create New Topic
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Comments (11)
Jacob Hengel
Strong vote for converged networks.
Create New Topic
Vasiles Kiosses
I like this report in that it reminds all our colleagues of the pros/cons of network design. At the end of the day an integrator has the responsibility to inform the customer of the options. It's the customer who will chose which path to take based on their involvement in the design, implementation and maintenance of the system.
Create New Topic
Undisclosed #1
Once you have to apply multicast to a medium+ size network and firewall segments for security reasons/standards the tendency is to separate (dedicate) networks.
The "political" aspect is indeed a primary factor (all over the world...) - sometimes you have other involved parties like the electronics maintenance entity.
The best results we have achieved were in cases which included an SLA between the security and maintenance entities.
Create New Topic
Kyle Smith
With IP Cameras being a hot target for hackers and bots, basic cybersecurity best practices state a dedicated network is definitely the way to go. Restrict services, VLAN IOT devices, enforce password complexity and whitelisting traffic all combine to create a much more resilient IOT network outside the main network, boosting overall network security for the enterprise.
Create New Topic
Undisclosed Integrator #2
How can you deal with the IT department when you have constant packet losses between your IP cameras and the recording iSCSI storages, the network is multicast enabled, ICMP pings show packet losses, and they do not admint that the issue is with their switches ?
Create New Topic
Steve Burman
Fantastic info! All about the dedicated networks in my mind.
Create New Topic