I like this report in that it reminds all our colleagues of the pros/cons of network design. At the end of the day an integrator has the responsibility to inform the customer of the options. It's the customer who will choose which path to take based on their involvement in the design, implementation and maintenance of the system.
With IP cameras being a hot target for hackers and bots, basic cybersecurity best practices state a dedicated network is definitely the way to go. Restricting services, putting IoT devices on their own VLAN, enforcing password complexity and whitelisting traffic all combine to create a much more resilient IoT network outside the main network, boosting overall network security for the enterprise.
That is true, but when it comes to a layered approach, a network engineer once said to me regarding a VLAN, "...you mean the velvet rope of network security?"
The extra layer of hardware, including a VLAN, is like adding another layer of armor to a tank. Sure, a VLAN itself works, but you don't see bomb disposal guys wearing only a helmet and bulletproof vest.
Ha! That gave me a good chuckle, but it is fairly overblown. There is a limited set of known ways to compromise VLAN security and all are relatively complex. This comes back to the fact that a highly motivated attacker will get in one way or another at some point. Of possible methods, VLAN-based attacks are generally far from the easiest, and we all know that bad actors take the path of least resistance. Unless there is a glaring misconfig (certainly always possible), these attacks are very uncommon. Someone is going to compromise something via phishing or social engineering far before these types of attacks play out, unless someone "leaves the door open".
Calling VLANs a "velvet rope of security" is more a function of poor network engineering than technological failing. We use VLANs extensively across our 120-building, 5-campus enterprise to maintain and monitor a highly secure network. Separate physical networks would be impossible to maintain, support AND secure. For a single building a physically separate net may be workable if not optimal, but secure VLANs in the larger enterprise are not only possible and desirable but preferable.
How can you deal with the IT department when you have constant packet loss between your IP cameras and the recording iSCSI storage, the network is multicast enabled, ICMP pings show packet loss, and they do not admit that the issue is with their switches?
Run Wireshark to find where the packets are being dropped and prove to them it is a QoS setting on their end. Obviously, you would need permission to run that on their network and they will probably do it themselves. Hopefully they can admit they are wrong.
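As an added illustration of the approach suggested in the reply above (this is example code, not something posted by any participant in the thread), the script below takes ICMP echo records captured at two points on the path, the switch port facing the camera and the port facing the iSCSI storage, and works out on which segment each lost sequence number disappeared. The capture point names, the record format (modelled on `tshark -T fields -e icmp.type -e icmp.seq` output with a capture-point label prepended) and the sequence numbers are all constructed for the example.

```python
"""Localise ICMP echo packet loss between two capture points.

Added example, not part of the original discussion. Instead of reading a
pcap it embeds a few constructed records in the shape one might get from
`tshark -T fields -e icmp.type -e icmp.seq`, each prefixed with the name
of the capture point. Capture-point names, sequence numbers and the loss
pattern are all made up for illustration.
"""
from collections import defaultdict

ECHO_REQUEST = 8  # ICMP type 8
ECHO_REPLY = 0    # ICMP type 0

# Constructed sample: "<capture_point> <icmp_type> <seq>" per line.
# "cam_side" is the switch port facing the camera (ping source),
# "storage_side" the port facing the iSCSI target; both names are hypothetical.
SAMPLE_RECORDS = """\
cam_side 8 1
storage_side 8 1
storage_side 0 1
cam_side 0 1
cam_side 8 2
storage_side 8 2
storage_side 0 2
cam_side 0 2
cam_side 8 3
cam_side 8 4
storage_side 8 4
storage_side 0 4
cam_side 0 4
cam_side 8 5
storage_side 8 5
storage_side 0 5
"""


def parse_records(text):
    """Return {(capture_point, icmp_type): set(seq)} from the text records."""
    seen = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        point, icmp_type, seq = line.split()
        seen[(point, int(icmp_type))].add(int(seq))
    return seen


def localise_loss(seen, src_point, dst_point):
    """Classify each lost sequence number by the segment where it vanished.

    A request captured at src_point but not at dst_point was dropped on the
    path between the two capture points. A request that reached dst_point
    without a matching reply there was dropped by (or beyond) the target.
    A reply captured at dst_point but never at src_point was dropped on the
    way back. Each bucket is a sorted list of sequence numbers.
    """
    req_src = seen[(src_point, ECHO_REQUEST)]
    req_dst = seen[(dst_point, ECHO_REQUEST)]
    rep_dst = seen[(dst_point, ECHO_REPLY)]
    rep_src = seen[(src_point, ECHO_REPLY)]
    return {
        "request_lost_in_transit": sorted(req_src - req_dst),
        "no_reply_from_target": sorted(req_dst - rep_dst),
        "reply_lost_in_transit": sorted(rep_dst - rep_src),
    }


def loss_rate(seen, src_point):
    """Fraction of echo requests sent from src_point that never got a reply back there."""
    sent = seen[(src_point, ECHO_REQUEST)]
    answered = seen[(src_point, ECHO_REPLY)]
    return len(sent - answered) / len(sent) if sent else 0.0


if __name__ == "__main__":
    records = parse_records(SAMPLE_RECORDS)
    for bucket, seqs in localise_loss(records, "cam_side", "storage_side").items():
        print(f"{bucket}: {seqs}")
    print(f"end-to-end loss from cam_side: {loss_rate(records, 'cam_side'):.0%}")
```

With the constructed sample, sequence 3 is seen leaving the camera side but never arrives at the storage side, and the reply to sequence 5 leaves the storage side but never makes it back, so both losses land on the switching path between the two capture points rather than on the storage target. That is the kind of evidence that turns "your switches drop packets" from an opinion into something the IT department can check against its own port counters and QoS policy.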