Following criticism of Hikvision's ongoing port forwarding recommendation (e.g., Hikvision Hardening Guide Recommends Port Forwarding and Hikvision HQ Contradicts Cybersecurity Director), Hikvision has issued a new document entitled About "Port Forwarding" defending the use of the practice. Hikvision's defense is:

This is a fascinating defense considering Hikvision has been actively promoting their own P2P service, HikConnect, for more than a year. On the other hand, it is understandable since Hikvision has ongoing customer complaints about slow and unreliable HikConnect access (e.g., Broken Hikvision App Exposes Hypocrisy).
In this new document, Hikvision does acknowledge the dangers of port forwarding and advises against exposing devices directly to the internet, with one exception:

*** *** '******* ****** purposes' ********* ** ********* that (*) ********* ****** make ***** *** ******* provide ***** *** ****** access *** (*) *** many ** ***** ******* *** too ***** ** *********** improficient ** *** ** VPNs.
**** *** *** **** option *** ********. **** a *** *******, *** are ********* ** *** security *** *************** ** the *** ********.
Defense ********* ********* **********
********* ******************* ** *** *** priority:

** **** ***** *** true, ********* ***** *** recommend **** ********** ** all *******, ** **** ********** explain ** *** *** document's ***** ****:

*******, *** ********** ** selling **** ******** ** unsophisticated ******* *** ***** is, *************, * ****** priority than *************.
Comments (44)
Ethan Ace
Hikvision now recommends IP address filtering as a security measure for using port forwarding, but it is not practical.
Allowing ranges for entire ISPs or mobile providers is hardly secure, as they may literally contain millions of IP addresses.
Second, if you're attempting to reach your home or business system remotely from a hotel, a coffee shop, a friend's house, etc., you'll be unable to connect. And that will require a service call to the integrator each time this happens, etc.
IP address filtering is great in a closed, local network where devices are static addressed. But for remote access, except in very well defined circumstances, it's likely to be unusable.
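To make the trade-off in the comment above concrete, here is an added example (not from IPVM, the commenter, or Hikvision) that applies a source-IP allowlist of the kind Hikvision recommends to a few constructed connection attempts. The two CIDRs are assumptions: 198.51.100.0/24 stands in for an integrator's static office block, and the private range 10.0.0.0/12 stands in for a mobile carrier's public allocation, which is what you would have to list for the owner's phone to get through.

```python
import ipaddress

# Constructed allowlist: an integrator office block plus one ISP-sized allocation.
# 10.0.0.0/12 is a stand-in for a real carrier range (which you would look up in WHOIS).
ALLOWLIST_CIDRS = ["198.51.100.0/24", "10.0.0.0/12"]

# Constructed connection attempts against a forwarded DVR port: (source IP, who it is).
ATTEMPTS = [
    ("198.51.100.7", "integrator office, static IP"),
    ("10.3.44.9", "owner's phone on the carrier's pool"),
    ("10.9.200.1", "stranger on the same carrier"),
    ("192.0.2.55", "owner on hotel wifi"),
]


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects once, rather than per connection."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(src_ip, allowlist):
    """True if the source address falls inside any allowlisted range."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowlist)


def exposed_addresses(allowlist):
    """How many distinct source addresses the allowlist still lets reach the port."""
    return sum(net.num_addresses for net in allowlist)


def filter_attempts(attempts, allowlist):
    """Apply the allowlist; returns (who, source IP, 'allow'|'deny') per attempt."""
    return [
        (who, src, "allow" if is_allowed(src, allowlist) else "deny")
        for src, who in attempts
    ]


if __name__ == "__main__":
    acl = build_allowlist(ALLOWLIST_CIDRS)
    for who, src, decision in filter_attempts(ATTEMPTS, acl):
        print(f"{decision:5}  {src:15}  {who}")
    print("addresses still able to reach the port:", exposed_addresses(acl))
```

Run it and the two failure modes in the comment fall out directly: the stranger on the carrier's range is allowed (the /12 admits over a million addresses), while the legitimate owner is denied the moment they connect from an address the integrator did not pre-register.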
Sean Nelson
04/02/18 09:42pm
Thanks for the "Fair and Balanced" reporting on Hikvision....... (Late) April Fools!
Undisclosed #3
yes, but Hikcentral streamlines surveillance management...
Alex Gonzalez
I always use the port forwarding procedure; I never felt that I could trust any of those P2P services, and I don't even use Hikvision products. Is there any way to set up a private P2P server? Again, I don't trust any of the manufacturers' P2P. What are your recommendations?
Thanks
Jon Dillabaugh
04/04/18 12:40pm
I'm not sure if you are aware of this (or maybe we were misinformed), but HikConnect is limited to a five-to-ten-minute timeout. It's not intended for extended usage or access.
We were told this at a recent Hikvision Roadshow event. While we don't generally use HikConnect, I did think it was similar to the P2P offering in that you could use it continuously. Knowing that it's really just to pop in and take a peek once in a while severely limits its usefulness.
It would also explain why port forwarding is still required. The Hik technician that assisted in the Roadshow explained that we should never use standard ports and that security through obscurity was the best option. He had a nice story about a 40-year-old script kiddie in his mom's basement that was itching to hack you just for the lulz. At which point, the sales guy insinuated that the Hikvision tech was said person in the basement. Laughter ensued.
Rob Kilpatrick
I looked into this today and couldn't find anything in their documentation about a timeout. I even called tech support to ask about this, and the tech told me that it is a viable way to view cameras and he was clear that there is no timeout after a certain amount of time, although there are better options (iVMS).
To test this I have a phone with Hik-Connect on in live view of a camera that has been running for ~1 hour now and it still hasn't timed out.
Jon Dillabaugh
04/04/18 07:19pm
Here is another nugget I found. Solution #3 is my all time fav!
How to deal with error ‘receiving data from device timed out’ appearing in iVMS-4500?
May 26, 2016 Views:1346
Answer
[Possible reasons]
1. Poor network condition
2. Incorrect port forwarding
3. Firewall blockage
[Solutions]
1. Try changing to wifi or other mobile telecom operator
2. Make sure the port forwarding is correctly configured and that the server port is active. Sometimes the port might be blocked or occupied. Users can try changing to other ports, for example, HTTP port changing to 81, server port changing to 8001, RTSP port changing to 1554, etc.
3. Turning off the firewall of the modem/router
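The Roadshow advice quoted above (never use standard ports) and solution #2 of the Hikvision FAQ (move HTTP to 81, the server port to 8001, RTSP to 1554) both rest on the idea that an unusual port is hard to find. The following added example, which is not from IPVM, the commenter, or Hikvision, shows why that does not hold: it opens two listeners on OS-chosen ports on loopback (standing in for a DVR moved to "non-standard" ports) and then finds them with a plain TCP connect scan of the surrounding port window, which is what any internet-wide scanner does against every forwarded port on every address.

```python
import socket
import threading


def _serve(srv):
    # Accept and immediately close connections, standing in for an exposed device.
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:  # listener closed by the caller
            return
        conn.close()


def start_listener(host="127.0.0.1"):
    """Listen on an OS-chosen port (as 'non-standard' as it gets); returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    threading.Thread(target=_serve, args=(srv,), daemon=True).start()
    return srv, port


def connect_scan(host, ports, timeout=0.2):
    """TCP connect scan: return the ports on host that complete a three-way handshake."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found


def demo(window=2000):
    """Hide two listeners on random ports, then scan a window around each; returns (hidden, found)."""
    listeners = [start_listener() for _ in range(2)]
    hidden = sorted(port for _, port in listeners)
    # A real scanner sweeps all 65535 ports; a window around each listener keeps the demo quick.
    targets = sorted(
        {p for h in hidden for p in range(max(1, h - window), min(65535, h + window) + 1)}
    )
    try:
        found = connect_scan("127.0.0.1", targets)
    finally:
        for srv, _ in listeners:
            srv.close()
    return hidden, found


if __name__ == "__main__":
    hidden, found = demo()
    print("listeners hidden on ports:", hidden)
    print("connect scan recovered:   ", [p for p in found if p in hidden])
    print("other open ports seen in the window:", [p for p in found if p not in hidden])
```

The scan on loopback takes a few seconds for several thousand ports; against a forwarded WAN address a scanner such as masscan or nmap covers all 65535 in about the same time, so moving the service to 8001 or 1554 changes nothing about who can reach it. What actually limits exposure is not exposing the port at all (VPN, or a P2P/relay service whose security can be assessed), which is the point the article makes.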
Undisclosed End User #4
This post/scenario reminds me of a discussion I had over on the Plex forums (Plex is a media server, not CCTV related, but its server requires port forwarding, and to even use Plex, you need a server, ergo open ports).
Granted, these users may not be knowledgeable users or security focused, but I was surprised at the amount of backlash I got in pushing for a cloud/P2P (or firewall hole punching) alternative or option to the mandatory port forwarding. Legit Plex clients that would be using the port forwarding usually come from random IP addresses (thus just about ruling out IP ACLs on those ports that you must forward).
Anyway, here is the link if anyone's interested (the short of it is users were citing the risk of Plex, or a nefarious actor after getting control of the Plex cloud/P2P system, then having the ability to access or direct the millions of servers that were using this system, vs. port forwarding, where users maintain control. Horrible, almost invalid points in my opinion.)
Allow firewall hole punching to increase security
Also, a closely related link is the technique of firewall hole punching that I've seen used in various scenarios (I found this during my discussion above):
TCP hole punching