Hikvision Hardening Guide Recommends Port Forwarding

Author: John Honovich, Published on Jun 09, 2017

Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below:

In this note, we examine the risks in this approach and Hikvision's commitment to network security.

*********'* ******* ******** ********* *************** **** ********** ** * '******** *************', *********** *****:

** **** ****, ** ******* *** ***** ** **** ******** and *********'* ********** ** ******* ********.

[***************]

Hardening **********

********* **** ** ****** *************** *** ******** *** ******** ** systems. ********* ****** *** ******* ** ** *** ******* ** video ************ ** ***** **** ***** ** ******* ******** ** the ******* **** ******. *** *******, **** *******'* ***** ** ****** ***** *** ************** ************** ********* *****.

Port ********** *****

**** ********** ***** ***** ***** ********* ** *** ****** ********. While **** ***** ** **** *** *** **** ** *** remote ****** ** ***** *******, ** **** ****** ********* / hackers ** ***** / ****** ***** *******. ** ***** *** vulnerabilities *** *** ****** (*.*.,*********'* ****** ********, *** **** ***** ** ******* *********, ***., ******** *** vulnerability ** ******* ***** **** ****, **** ****, ***.), **** forwarding ***** ** **** ** ******* ****. ******, ********* ******* this,******* ************* ***** **** *********** **** **** *********** ******* ** **** **********.

**** ********** ** * ******* / ****** *********** ** ***** a *** (*.*., ******* ** *** ** *** ***** **********) *** **** ********** ** *** * *** ** '******' a ****** ** * *******. ** ** *** ***** *** a ************ ** ******* *** ** *** **** ********** *** another ** ********* ** ** ** * ******** ************* ** hardening.

HikConnect ***?

*************, *********'* ********* ***** *** *** **********-*******, ***** *** / ***** *******, ***** ********** *** **** *** **** ********** *** ** a ******* **** *** ********* ** * *********** ** ***** DDNS ********.

*******, ***-******* ******** ****** ********* ****** ** * ****'* ******** network / ***, ***** ****** *** *** *** ** **** given *********'* ************* ***** ****** *** ******* ********** *********.

Cisco *** ****** ****?

********* ********* ** **** ***** ************* ***********, ********* ****** ****** and ************** *****. *******, ***** *** ****** *** ****** *** ************ **** forwarding ** * '******** *************' ** '*********'.

** *** ***** ****, ** ** **** ** ***** ***** and ****** ***** **** ** *** ******* **** **** **** clear **** **** *** ********* ** ********* ****** ***** ********.

Featuring ******* *******?

*******, *** ****** ** ******* ******* ** *********'* ********* ******* is ********.

******* ******* ***, ** ***** *** ******, ******** ** **** and *** *****. *** ******* *******, **** *********,**** *** ***** *** ******* ******** ******.

******* ** ***, ** ********* ** ********* ***** *** ******* about ********* ***** ******* / ********, **** ********** ******* ******* is *** * **** *** ** ** ****.

Comments (17)

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | 06/09/17 12:29pm

* **** **** ****** *** **** ***** ***** **** ******* to ******? * *** ***** ** ******* **** **** ******* gear *** *** ******* *****, ***** *** ********* ********** (* reach, * ****), *** **** **** ** *** ******.

** **** ***** ** *** ******* ** **** ** * de ***** ******** *** **** *******, ***** ** *** **** their ****** *** **** **********, *** ****** ****'* ******* * Sonicwall, *******, ** ******** ********* ***** ***** *** *******.

**, * ***** ** *** *** ******** ********* *** **** network *********, *** ******** ******'* **** ****** **** ** *** a ******* ****** *******.

John Honovich

IPVM | In reply to Jon Dillabaugh | 06/09/17 12:34pm

* **** **** ****** *** **** ***** ***** **** ******* to ******?

**** ** ******:***** **** ******* ** ****** * ***** ***, ***** ****.

**, * ***** ** *** *** ******** ********* *** **** network *********, *** ******** ******'* **** ****** **** ** *** a ******* ****** *******.

****'* ***** ******* **'* **** *** ********** ********* ** ********* a ******* ********* ***** ******* ** ***** ** ***** ***** with ****** / ********** ****** *** **** ***** *************. ********* a ******* ****** **** **** ********** ************ ** ******** ** do ****.

Thumbnail usa shield

Luis Carmona

IPVMU Certified | In reply to Jon Dillabaugh | 06/09/17 12:01pm

* **** **** ****** *** **** ***** ***** **** ******* to ******?

***'* *****, ***, * ****** **** *** ***. *** ***** because * ***'* ****** *** **** ****** **** *******.

Undisclosed Integrator #1

06/09/17 12:42pm

********* ** ***** *********, * ******* ******* ****** ******* ***** attempts ** *** ***** ** *** *** *** ***** ** the ***** ****! *** **** *** ******* ******* *******. ***, why *** * ******.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Undisclosed Integrator #1 | 06/09/17 12:47pm

****'* *******, *** ** *** ******** ** ********* ******** ** have *********, **** **** **** ****** ** ** ********* *** have **** **** *** * *** ****.

*******, * **** *** ***** * *** ***** ******* *** hacked, ** * *** ********** ********.

***, ******* ***** *** **** **********. **'** *** ***** ** RMAs ** *** ******* ** ***** ***** *** ********* ******** since ****.

** **** ** ***** ******, ** *** ******** **** "********* guide", *** ****** ****** * "***** ** *** ****" **** soon.

John Honovich

IPVM | In reply to Undisclosed Integrator #1 | 06/09/17 11:48am

* ******* ******* ****** ******* ***** ******** ** *** ***** of *** *** *** ***** ** *** ***** ****

*** *** **** ******* ** **? ********* **** ******* ***** attempts **** **** ******* ***** ******* ** *** ****** ********, which ***** ******** **** *** ******* ************ ******* / ********* devices.

*******, * ******* ******* **** **** ****: "*** ************* ** ***** ******. ** ***** * **** *** toaster, *** ** *** *********** ** ** ****."

Undisclosed Integrator #1

In reply to John Honovich | 06/09/17 03:09pm

* **** ** ******** ****** ** *** *** **** * public **. ******** *** *** **** ***, *** **'* *** only ****** ***** *** ** * *** ***** ** **** up *** *** ***** ****** ******, * ****'* *** * need *** * ******. ***** *'** **** ** *** ** behind *** *** *** ** ** *****. *** **** ** I'm ******* ************ ** ***** ****** **** ***** ***** **** kind ** ******** ***** **** *** ****** ** *********** * failed ***** *******.

Thumbnail usa shield

Luis Carmona

IPVMU Certified | In reply to Undisclosed Integrator #1 | 06/09/17 12:23pm

* ****** *** *** ******** *** ***** ** *** **** port ******** *** *** ****** ** *** **** *** **** authentication ********, ** ** * **** *** ** **** ** the ********* ****. ***** * ****** ***** **** ** ** the ** *** *** ********** ** ********** ******** ******* **** from * ********* ****** **, *** ******** ***** ** ******* to *** ****** (**** ** ***) ** **** * ***** source **.

Undisclosed Manufacturer #2

In reply to Undisclosed Integrator #1 | 06/09/17 02:31pm

* *** ***** ** ******* ** *** **** *******, **** my ***** ** **** *** ** ************ ** *** **** forwarding **. ****** ******* *** ****** ****** *** ***** **** all ***** ****. *******, **** ** * **** **** ****, as ******* ***** *** ***** ******* ** *** ******* ********* the *** ** * ******. ** **** ****, *** * would ********* * ****** ** ******** ******** ********. **** **** will ******* * *****/****** *****, ***** **** * **** *** would ****** *** * ****** ** ******* *** ***.

*** ******* ** ***** **** ********** **. ****** ******* *** device *** *** ***** ** **** *** "************" ****, **** as *********, *****, ******, ***, ***., ** **** *** ********** if *** ****'* ******* *** ****. ** ** ** ** the *****, **** ********** ** ********** **** *** ********.

* ********* ********* ***** **** ********** ** *** ** ***** technologies *** *** ** ****, *** **** ** ******* **** the ******* ***** *** *******. **** ******* *** *** *** not **** ******. ***** *** ***'* **** *** ****** ******, don't *******.

Undisclosed Distributor #3

06/09/17 08:04am

*** ******* ***** ** **** ******* **** ***** *** ** me ** **** **** *** *** ************ ***. *** *** going ** ** *** ***-***, **-*** ****** ** *** **** setup ******* *** *** * ***** **** *** *** ********** hacks *** ******** *** **** ** * ****** ** ** away **** **. ******, **** *** ** **** ** **. And ** ****, ***** ** ***** **** ****** *** **** funny, **** **** **** ******* ** **** * ********* ***** with *** ***** ** ***** **** ** *** ********.

John Honovich

IPVM | In reply to Undisclosed Distributor #3 | 06/09/17 06:55pm

*** * ***** **** *** *** ********** ***** *** ******** for **** ** * ****** ** ** **** **** **

* ** *** **** ** **** *** *** ****. ** raised *** ******** ***** *** ********* ***** ** ********* ***** to *********** *** ** ********.

***, ********* *** ****** *** ***** *********, **** ***, ***** we ********* **** *** *** **** ********** ******* ***** *******.

****'* ****.* ***** **** ********** ****.* **** **** ********** ***** ******* ** *******.

*** ***** **** ******* ** ***, **** ****'* ************ ** Hikvision, ** * ******* ******* ***** ***** **** ********** **** follows *** ******* ********* / ************ **** *******:

** *** ******* *****, **** *** ***** ******* ************ **** forwarding *** ******** ****** ********* *** ** ***** '*********' *****.

Thumbnail newheadshot

Sean Nelson

Nelly Security | 06/09/17 06:22pm

* **** * ***** **** ** ***** ****** ********* ***** and * ***** ** *** *** ***** ****** **** ** their ** ***** ** ****** ******. * ***** **** ***** that *** ****** ****** **** ** ** ********* **** *** should **** *** **** ** ** ******** ** **** ******* the ***** ****** *** *** *** (** ***** *** **** of ******* ***'***)

****** **** ** *** ***** ******* ********. ** **** * practical **********, *** *** ******** ****, *********, *** #* ************ in *** *****, ****** ********* ******* ** * *** ** anyone ********** * *** ******? ** ***/**** **** ****** **** they ********* *******. ********** ** *** ************, * ***** ***** port ********** ** * **** ****** ***** **** *** *** setup?? ** ***?

Undisclosed #4

In reply to Sean Nelson | 06/09/17 08:00pm

"I ***** ***** **** ********** ** * **** ****** ***** **** *** *** *****?? ** ***?"

*** ** *** ***** **** ********** **** ******?

John Honovich

IPVM | In reply to Sean Nelson | 06/09/17 01:37pm

****** **** ** *** ***** ******* ********. ** **** * practical **********, *** *** ******** ****, *********, *** #* ************ in *** *****, ****** ********* ******* ** * *** ** anyone ********** * *** ******?

****, **'* * ********* *****. * ********* ***** **, ** definition, *** ****** *** ********** ***** ********. **, ***, ** a ***** **** ** ***** ********** ***** ********, * *** or, ** ***** *** ******* ******, ****** ****** **** ******** ***** ** ***'* ******** ** ***** internal ***.

********** ** *** ************, * ***** ***** **** ********** ** a **** ****** ***** **** *** *** *****?? ** ***?

**** ******* **** *** ***** ** *** ******** / *********** / ********* / *********** ** **** *** / ***** ********.

***** ** *** ***** *******. **** * ************* ** ***** in * *** ** ***** *******, ** ** ***** **** and ******* *** *** *****. **** * ************* ** ***** in * ****** ********* ****** **** **** **** **********, *** vulnerability ****, ** * ****** ** ******** ***** *** **** years ** **** ******* ***** ******** ******** ** ********** ***** lag, ** *** *** *****.

Thumbnail profile

Michael Gonzalez

06/09/17 11:24pm

***** ** *** *** ** **** ***** ******** *****.

Thumbnail newheadshot

Sean Nelson

Nelly Security | 06/09/17 10:00pm

****, **'* * ********* *****. * ********* ***** **, ** definition, *** ****** *** ********** ***** ********. **, ***, ** a ***** **** ** ***** ********** ***** ********, * *** or, ** ***** *** ******* ******, ****** ****** **** ******** ***** ** ***'* ******** ** ***** internal ***.

**********, * **** ***** *** **** ** ***** ************ ** with **** ************ ** **** ******** *** * ***** ******* the ******** ** ********* *********, ******* **** *** ******** ** not, ** ***** * *** ** *** ** *** *********. I **** ** *** ****** **** ** ****** ****** **** system *** *** ******* ***** ************ "*** *** **** ******* cable **** ** ********* ** *** **** ** **** ******, unplug **!"

* *** ** * ****** ******** *** **** ****'* ******* P2P ******. ** ** **** ***** ** *** **** ********* situation. ** ***** ******* ** *** *** *** **** ****** management ******** ******* *** **** ** ** **** ****** **** forwarding. *** **** "******" **** **** **********.

John Honovich

IPVM | In reply to Sean Nelson | 06/10/17 08:19am

** **** **** ************ ** **** ******** *** * ***** telling *** ******** ** ********* *********, ******* **** *** ******** or ***, ** ***** * *** ** *** ** *** practical.

****, ** ** ******* **** *** **** ***** ************* *** just ***** ** *** ***** ********, ******* **** **** **'*********** *** **** ********** ** ********* ********** (**** *********** ******* about *****).

*** **'* ******* ** *** **** ********** ** '******** *************' inside ** * ********* *****. **** ****** *** *** ******* about ***** ******** *** ***** ** *** *** ******** ********** about ********* (*.*., * ******* **** **** **** **** ******** who **** **** *** ********** **** ********** ******* ******* ** a ********* ***** ****** ***** ***** ** *********** ** ***** security).

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Guide

French Government Threatens School with $1.7M Fine For “Excessive Video Surveillance” on Nov 14, 2018
The French government has notified a high-profile Paris coding academy that it risks a fine of up to 1.5 million euros (about $1.7m) if it...
Winter 2019 IP Networking Course on Nov 05, 2018
This is the only networking course designed specifically for video surveillance professionals.  Lots of network training exists but none of it...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on...
Video Surveillance Hard Drive Failure Statistics 2018 on Nov 02, 2018
Hard drive failures can be significant service problems but how common of an issue are they in video surveillance? How long do drives last when...
Contactless Access Credentials Guide on Oct 29, 2018
Contactless credentials are the most common component used in an access control system and while many look alike externally, important differences...
Security Fence Guide on Oct 24, 2018
Fences, while a low tech barricade, are a cornerstone of good security. Few physical security elements are as effective at keeping threats away as...
Video Quality / Compression Tutorial on Oct 17, 2018
While CODECs, like H.264, H.265, and MJPEG, get a lot of attention, a camera's 'quality' or compression setting has a big impact on overall...
Integrator Laptop Guide on Oct 16, 2018
This 18-page guide provides guidance and statistics about integrator laptop use. 150 integrators explained to IPVM in detail about their laptops,...
Higher Power PoE 802.3bt Ratified, Impact on Security Products Examined on Oct 12, 2018
Power over Ethernet has become one of the most popular features of many video, access, and other security products. See our PoE for IP Video...
Door Hinges Guide on Oct 10, 2018
Some of the trickiest access control problems are caused by bad door hinges. From doors not closing right, to locks not locking, worn or warped...

Most Recent Industry Reports

Milestone Disrupts Milestone With Arcules on Nov 19, 2018
Milestone is now competing against... Milestone's own spinout Arcules New IPVM testing shows that Arcules has incorporated a substantial amount of...
Pressure Mounts Against Dahua and Hikvision Xinjiang Business on Nov 19, 2018
Pressure is mounting against Hikvision, Dahua, and other companies operating in Xinjiang as an international outcry brews against the Chinese...
Arcules Cloud VMS Tested on Nov 19, 2018
Arcules is a big bet, or as they describe themselves a 'bold company', spun out and backed by Milestone and Canon.  But how good is Arcules cloud...
'Sticker' Surveillance Camera Developed (CSEM Witness) on Nov 16, 2018
The Swiss Center for Electronics and Microtechnology (CSEM) has announced what it calls the: world’s first fully autonomous camera that can be...
ISC East 2018 Mini-Show Final Report on Nov 16, 2018
This is our second (updated) and final show report from ISC East. ISC East, by its own admission, is not a national or international show, billed...
Facial Detection Tested on Nov 16, 2018
Facial detection and recognition are increasingly offered by video surveillance manufacturers. Facial detection detects faces in an image/video...
Throughtek P2P/Cloud Solution Profile on Nov 15, 2018
Many IoT manufacturers either do not have the capabilities or the interest to develop their own cloud management software for their devices....
ASIS Offering Custom Research For Manufacturers on Nov 15, 2018
Manufacturers often want to know what industry people think about trends and, in particular, the segments and product they offer.  ASIS and its...
Hikvision Silent on "Bad Architectural Practices" Cybersecurity Report on Nov 14, 2018
A 'significant vulnerability was found in Hikvision cameras' by VDOO, a startup cybersecurity specialist. Hikvision has fixed the specific...
French Government Threatens School with $1.7M Fine For “Excessive Video Surveillance” on Nov 14, 2018
The French government has notified a high-profile Paris coding academy that it risks a fine of up to 1.5 million euros (about $1.7m) if it...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact