Hikvision Hardening Guide Recommends Port Forwarding

Author: John Honovich, Published on Jun 09, 2017

Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below:

In this note, we examine the risks in this approach and Hikvision's commitment to network security.

Hardening **********

********* **** ** ****** *************** *** ******** *** ******** ** systems. ********* ****** *** ******* ** ** *** ******* ** video ************ ** ***** **** ***** ** ******* ******** ** the ******* **** ******. *** *******, **** *******'* ***** ** ****** ***** *** ************** ************** ********* *****.

Port ********** *****

**** ********** ***** ***** ***** ********* ** *** ****** ********. While **** ***** ** **** *** *** **** ** *** remote ****** ** ***** *******, ** **** ****** ********* / hackers ** ***** / ****** ***** *******. ** ***** *** vulnerabilities *** *** ****** (*.*.,*********'* ****** ********, *** **** ***** ** ******* *********, ***., ******** *** vulnerability ** ******* ***** **** ****, **** ****, ***.), **** forwarding ***** ** **** ** ******* ****. ******, ********* ******* this,******* ************* ***** **** *********** **** **** *********** ******* ** **** **********.

**** ********** ** * ******* / ****** *********** ** ***** a *** (*.*., ******* ** *** ** *** ***** **********) *** **** ********** ** *** * *** ** '******' a ****** ** * *******. ** ** *** ***** *** a ************ ** ******* *** ** *** **** ********** *** another ** ********* ** ** ** * ******** ************* ** hardening.

HikConnect ***?

*************, *********'* ********* ***** *** *** **********-*******, ***** *** / ***** *******, ***** ********** *** **** *** **** ********** *** ** a ******* **** *** ********* ** * *********** ** ***** DDNS ********.

*******, ***-******* ******** ****** ********* ****** ** * ****'* ******** network / ***, ***** ****** *** *** *** ** **** given *********'* ************* ***** ****** *** ******* ********** *********.

Cisco *** ****** ****?

********* ********* ** **** ***** ************* ***********, ********* ****** ****** and ************** *****. *******, ***** *** ****** *** ****** *** ************ **** forwarding ** * '******** *************' ** '*********'.

** *** ***** ****, ** ** **** ** ***** ***** and ****** ***** **** ** *** ******* **** **** **** clear **** **** *** ********* ** ********* ****** ***** ********.

Featuring ******* *******?

*******, *** ****** ** ******* ******* ** *********'* ********* ******* is ********.

******* ******* ***, ** ***** *** ******, ******** ** **** and *** *****. *** ******* *******, **** *********,**** *** ***** *** ******* ******** ******.

******* ** ***, ** ********* ** ********* ***** *** ******* about ********* ***** ******* / ********, **** ********** ******* ******* is *** * **** *** ** ** ****.

Comments (17)

* **** **** ****** *** **** ***** ***** **** ******* to ******? * *** ***** ** ******* **** **** ******* gear *** *** ******* *****, ***** *** ********* ********** (* reach, * ****), *** **** **** ** *** ******.

** **** ***** ** *** ******* ** **** ** * de ***** ******** *** **** *******, ***** ** *** **** their ****** *** **** **********, *** ****** ****'* ******* * Sonicwall, *******, ** ******** ********* ***** ***** *** *******.

**, * ***** ** *** *** ******** ********* *** **** network *********, *** ******** ******'* **** ****** **** ** *** a ******* ****** *******.

* **** **** ****** *** **** ***** ***** **** ******* to ******?

**** ** ******:***** **** ******* ** ****** * ***** ***, ***** ****.

**, * ***** ** *** *** ******** ********* *** **** network *********, *** ******** ******'* **** ****** **** ** *** a ******* ****** *******.

****'* ***** ******* **'* **** *** ********** ********* ** ********* a ******* ********* ***** ******* ** ***** ** ***** ***** with ****** / ********** ****** *** **** ***** *************. ********* a ******* ****** **** **** ********** ************ ** ******** ** do ****.

* **** **** ****** *** **** ***** ***** **** ******* to ******?

***'* *****, ***, * ****** **** *** ***. *** ***** because * ***'* ****** *** **** ****** **** *******.

********* ** ***** *********, * ******* ******* ****** ******* ***** attempts ** *** ***** ** *** *** *** ***** ** the ***** ****! *** **** *** ******* ******* *******. ***, why *** * ******.

****'* *******, *** ** *** ******** ** ********* ******** ** have *********, **** **** **** ****** ** ** ********* *** have **** **** *** * *** ****.

*******, * **** *** ***** * *** ***** ******* *** hacked, ** * *** ********** ********.

***, ******* ***** *** **** **********. **'** *** ***** ** RMAs ** *** ******* ** ***** ***** *** ********* ******** since ****.

** **** ** ***** ******, ** *** ******** **** "********* guide", *** ****** ****** * "***** ** *** ****" **** soon.

* ******* ******* ****** ******* ***** ******** ** *** ***** of *** *** *** ***** ** *** ***** ****

*** *** **** ******* ** **? ********* **** ******* ***** attempts **** **** ******* ***** ******* ** *** ****** ********, which ***** ******** **** *** ******* ************ ******* / ********* devices.

*******, * ******* ******* **** **** ****: "*** ************* ** ***** ******. ** ***** * **** *** toaster, *** ** *** *********** ** ** ****."

* **** ** ******** ****** ** *** *** **** * public **. ******** *** *** **** ***, *** **'* *** only ****** ***** *** ** * *** ***** ** **** up *** *** ***** ****** ******, * ****'* *** * need *** * ******. ***** *'** **** ** *** ** behind *** *** *** ** ** *****. *** **** ** I'm ******* ************ ** ***** ****** **** ***** ***** **** kind ** ******** ***** **** *** ****** ** *********** * failed ***** *******.

* ****** *** *** ******** *** ***** ** *** **** port ******** *** *** ****** ** *** **** *** **** authentication ********, ** ** * **** *** ** **** ** the ********* ****. ***** * ****** ***** **** ** ** the ** *** *** ********** ** ********** ******** ******* **** from * ********* ****** **, *** ******** ***** ** ******* to *** ****** (**** ** ***) ** **** * ***** source **.

* *** ***** ** ******* ** *** **** *******, **** my ***** ** **** *** ** ************ ** *** **** forwarding **. ****** ******* *** ****** ****** *** ***** **** all ***** ****. *******, **** ** * **** **** ****, as ******* ***** *** ***** ******* ** *** ******* ********* the *** ** * ******. ** **** ****, *** * would ********* * ****** ** ******** ******** ********. **** **** will ******* * *****/****** *****, ***** **** * **** *** would ****** *** * ****** ** ******* *** ***.

*** ******* ** ***** **** ********** **. ****** ******* *** device *** *** ***** ** **** *** "************" ****, **** as *********, *****, ******, ***, ***., ** **** *** ********** if *** ****'* ******* *** ****. ** ** ** ** the *****, **** ********** ** ********** **** *** ********.

* ********* ********* ***** **** ********** ** *** ** ***** technologies *** *** ** ****, *** **** ** ******* **** the ******* ***** *** *******. **** ******* *** *** *** not **** ******. ***** *** ***'* **** *** ****** ******, don't *******.

*** ******* ***** ** **** ******* **** ***** *** ** me ** **** **** *** *** ************ ***. *** *** going ** ** *** ***-***, **-*** ****** ** *** **** setup ******* *** *** * ***** **** *** *** ********** hacks *** ******** *** **** ** * ****** ** ** away **** **. ******, **** *** ** **** ** **. And ** ****, ***** ** ***** **** ****** *** **** funny, **** **** **** ******* ** **** * ********* ***** with *** ***** ** ***** **** ** *** ********.

*** * ***** **** *** *** ********** ***** *** ******** for **** ** * ****** ** ** **** **** **

* ** *** **** ** **** *** *** ****. ** raised *** ******** ***** *** ********* ***** ** ********* ***** to *********** *** ** ********.

***, ********* *** ****** *** ***** *********, **** ***, ***** we ********* **** *** *** **** ********** ******* ***** *******.

****'* ****.* ***** **** ********** ****.* **** **** ********** ***** ******* ** *******.

*** ***** **** ******* ** ***, **** ****'* ************ ** Hikvision, ** * ******* ******* ***** ***** **** ********** **** follows *** ******* ********* / ************ **** *******:

** *** ******* *****, **** *** ***** ******* ************ **** forwarding *** ******** ****** ********* *** ** ***** '*********' *****.

* **** * ***** **** ** ***** ****** ********* ***** and * ***** ** *** *** ***** ****** **** ** their ** ***** ** ****** ******. * ***** **** ***** that *** ****** ****** **** ** ** ********* **** *** should **** *** **** ** ** ******** ** **** ******* the ***** ****** *** *** *** (** ***** *** **** of ******* ***'***)

****** **** ** *** ***** ******* ********. ** **** * practical **********, *** *** ******** ****, *********, *** #* ************ in *** *****, ****** ********* ******* ** * *** ** anyone ********** * *** ******? ** ***/**** **** ****** **** they ********* *******. ********** ** *** ************, * ***** ***** port ********** ** * **** ****** ***** **** *** *** setup?? ** ***?

"I ***** ***** **** ********** ** * **** ****** ***** **** *** *** *****?? ** ***?"

*** ** *** ***** **** ********** **** ******?

****** **** ** *** ***** ******* ********. ** **** * practical **********, *** *** ******** ****, *********, *** #* ************ in *** *****, ****** ********* ******* ** * *** ** anyone ********** * *** ******?

****, **'* * ********* *****. * ********* ***** **, ** definition, *** ****** *** ********** ***** ********. **, ***, ** a ***** **** ** ***** ********** ***** ********, * *** or, ** ***** *** ******* ******, ****** ****** **** ******** ***** ** ***'* ******** ** ***** internal ***.

********** ** *** ************, * ***** ***** **** ********** ** a **** ****** ***** **** *** *** *****?? ** ***?

**** ******* **** *** ***** ** *** ******** / *********** / ********* / *********** ** **** *** / ***** ********.

***** ** *** ***** *******. **** * ************* ** ***** in * *** ** ***** *******, ** ** ***** **** and ******* *** *** *****. **** * ************* ** ***** in * ****** ********* ****** **** **** **** **********, *** vulnerability ****, ** * ****** ** ******** ***** *** **** years ** **** ******* ***** ******** ******** ** ********** ***** lag, ** *** *** *****.

***** ** *** *** ** **** ***** ******** *****.

****, **'* * ********* *****. * ********* ***** **, ** definition, *** ****** *** ********** ***** ********. **, ***, ** a ***** **** ** ***** ********** ***** ********, * *** or, ** ***** *** ******* ******, ****** ****** **** ******** ***** ** ***'* ******** ** ***** internal ***.

**********, * **** ***** *** **** ** ***** ************ ** with **** ************ ** **** ******** *** * ***** ******* the ******** ** ********* *********, ******* **** *** ******** ** not, ** ***** * *** ** *** ** *** *********. I **** ** *** ****** **** ** ****** ****** **** system *** *** ******* ***** ************ "*** *** **** ******* cable **** ** ********* ** *** **** ** **** ******, unplug **!"

* *** ** * ****** ******** *** **** ****'* ******* P2P ******. ** ** **** ***** ** *** **** ********* situation. ** ***** ******* ** *** *** *** **** ****** management ******** ******* *** **** ** ** **** ****** **** forwarding. *** **** "******" **** **** **********.

** **** **** ************ ** **** ******** *** * ***** telling *** ******** ** ********* *********, ******* **** *** ******** or ***, ** ***** * *** ** *** ** *** practical.

****, ** ** ******* **** *** **** ***** ************* *** just ***** ** *** ***** ********, ******* **** **** **'*********** *** **** ********** ** ********* ********** (**** *********** ******* about *****).

*** **'* ******* ** *** **** ********** ** '******** *************' inside ** * ********* *****. **** ****** *** *** ******* about ***** ******** *** ***** ** *** *** ******** ********** about ********* (*.*., * ******* **** **** **** **** ******** who **** **** *** ********** **** ********** ******* ******* ** a ********* ***** ****** ***** ***** ** *********** ** ***** security).
