Hikvision Hardening Guide Recommends Port Forwarding

I must have missed the memo where Cisco sold Linksys to Belkin?

Note to others: Cisco sold Linksys to Belkin 4 years ago, March 2013.

So, I guess if you are trusting Hikvision for your network hardening, you probably wouldn't know better than to use a Linksys router anyways.

That's funny because it's true but presumably Hikvision is releasing a network hardening guide because it wants to build trust with larger / enterprise buyers who care about cybersecurity. Featuring a Linksys router with port forwarding instructions is unlikely to do that.

That's strange, out of the hundreds of Hikvision products we have installed, none have been hacked to my knowledge and have only ever had a few RMAs. 

However, I have had quite a few Dahua devices get hacked, so I can sympathize somewhat.

But, neither brand has been unreliable. We've had maybe 20 RMAs in the history of using Dahua and Hikvision products since 2010.

To stay on topic though, if you followed this "hardening guide", you should expect a "knock at the door" very soon. 

now I guess they see the inevitable hacks and distrust for them as a reason to go away from it

I do not know if that was the case. We raised our concerns about the hardening guide to Hikvision prior to publication but no response.

Btw, Hikvision did update the guide yesterday, June 8th, after we contacted them but the port forwarding section still remains.

Here's the 1.1 April 2017 version and the 1.2 June 2017 version for those looking to compare.

One thing that clearly is new, post IPVM's notification to Hikvision, is a warning section about using port forwarding that follows the Linksys screencap / instructions that remains:

As the excerpt shows, they are still clearly recommending port forwarding for Internet access generally and in their 'hardening' guide.

People want to see their cameras remotely. So from a practical standpoint, are you alluding that, Hikvision, the #1 manufacturer in the world, should recommend setting up a VPN to anyone installing a Hik device?

Sean, it's a hardening guide. A hardening guide is, by definition, for people who prioritize cyber security. So, yes, in a guide that is about maximizing cyber security, a VPN or, to throw out another option, a DMZ is better than punching holes in one's firewall to their internal LAN.

Regardless of the manufacturer, I would think port forwarding is a more secure setup than any P2P setup?? Or nay?

That depends what you think of the security / precautions / readiness / proficiency of your P2P / cloud provider.

There is one clear benefit. When a vulnerability is found in a P2P or cloud service, it is fixed once and patched for all users. When a vulnerability is found in a remote unmanaged device that uses port forwarding, the vulnerability will, as a matter of practice exist for many years in most devices since firmware upgrades of individual users lag, to say the least.

in with your instructions to your customer and I think telling the millions of Hikvision customers, whether they are advanced or not, to setup a VPN is not at all practical.

Sure, so if someone does not care about cybersecurity and just wants to see video remotely, letting them know it's possible to use port forwarding is perfectly reasonable (with appropriate warning about risks).

But it's strange to put port forwarding as 'standard configuration' inside of a hardening guide. Many people who are serious about cyber security are going to see and conclude negatively about Hikvision (i.e., a company with that many past problems who then goes and recommends port forwarding Linksys routers in a hardening guide either lacks skill or seriousness in cyber security).