P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding

By: IPVM Team, Published on Apr 02, 2018

Following criticism of Hikvision's ongoing port forwarding recommendation (e.g., Hikvision Hardening Guide Recommends Port Forwarding and Hikvision HQ Contradicts Cybersecurity Director), Hikvision has issued a new document entitled About "Port Forwarding" defending the use of the practice. Hikvision's defense is:

This is a fascinating defense considering Hikvision has been actively promoting their own P2P service, HikConnect, for more than a year. On the other hand, it is understandable since Hikvision has ongoing customer complaints about slow and unreliable HikConnect access (e.g., Broken Hikvision App Exposes Hypocrisy).

In this new document, Hikvision does acknowledge the dangers of port forwarding and not to directly connect, with an exception:

*** *** '******* ****** purposes' ********* ** ********* that (*) ********* ****** make ***** *** ******* provide ***** *** ****** access *** (*) *** many ** ***** ******* *** too ***** ** *********** improficient ** *** ** VPNs.

**** *** *** **** option *** ********. **** a *** *******, *** are ********* ** *** security *** *************** ** the *** ********.

Defense ********* ********* **********

********* ******************* ** *** *** priority:

** **** ***** *** true, ********* ***** *** recommend **** ********** ** all *******, ** **** ********** explain ** *** *** document's ***** ****:

*******, *** ********** ** selling **** ******** ** unsophisticated ******* *** ***** is, *************, * ****** priority than *************.

Comments (44)

Hikvision now recommends IP address filtering as a security measure for using port forwarding but it is not practical.

Allowing ranges for entire ISPs or mobile providers is hardly secure, as they may literally contain millions of IP addresses.

Second, if you're attempting to reach your home or business system remotely from a hotel, a coffee shop, a friend's house, etc., you'll be unable to connect. And that will require a service call to the integrator each time this happens, etc.

IP address filtering is great in a closed, local network where devices are static addressed. But for remote access, except in very well defined circumstances, it's likely to be unusable.

Is there no possible way that a network can be setup to minimize risks of using port forwarding for remote access to NVR and or camera?

 

Using a DMZ is a good approach. Here's a diagram from a Google search and for our purposes let's pretend DMZ 2 is actually just the main home or business network.

DMZ

 

In this case, between the Internet and the "Web Servers" which could be cameras, NVR's, or a VMS for example, you would forward only the ports needed by those services.

Then the firewall between DMZ 1 and the rest of the network wouldn't have any ports forwarded. You should still be able to access the devices in the DMZ from the main network because you're making an "outbound" connection through the second firewall into the DMZ network.

If the services in the DMZ are compromised, they could still lose access to cameras/video, be spied on by anonymous internet goers, etc. And those systems could still be used in a botnet that you may never be aware of. But in theory the main network remains a lot more secure than without a DMZ.

Unfortunately DMZ isn't a magic bullet. If a service in the DMZ is compromised, an attacker could then intercept communication between the client on the network and whatever service is in the DMZ. That means they could grab passwords, or take advantage of exploits in whatever protocols are used to potentially get through the second firewall into a vulnerable client PC.

Thanks for the "Fair and Balanced" reporting on Hikvision....... (Late) April Fools!

Sean, do you have a counterargument or are you just defending your ride of the Hikvision money train to obscene profits?

I would genuinely like to hear if you could mount a coherent counterargument defending Hikvision's position here.

I'm just a lowly  passenger of the train, you are the lead engineer driving the train at the caboose.

I'm still waiting on your reporting on the positive press release news on the transparency center. Understandably, you are are still "evaluating" it. 

Given your excellence in fairness, how long did it take you to evaluate this press release before you reported on it? 

press release news on the transparency center

The appointment-only one in CA that is limited to government employees?

That is about as "transparent" as this headlight:

I'm still waiting on your reporting on the positive press release news on the transparency center. 

You've asked about this, we debated this at length here. I think there are a number of important unopen questions - e.g., what the NDA does or does not include? how can the evaluator verify it is the same source code that is in production? how much time do they really get? how can Hikvision make it more conducive to doing the review without being holed in a hotel room in City of Industry, CA for weeks, etc.?

ISC West is next week. Hikvision has hired a new global PR head. I am trying to talk to them to see if anyone will answer questions. 

Sean, my commitment to you is this, the week after ISC West we will either publish a report on it or I'll let you know that Hikvision has agreed to answer questions and I'll give a date for publication, with their response (which is what I prefer - it could be positive but they do need to answer some questions to maximize how positive it might be).

Hey Sean,

Why do you think Hikvision opened a 'transparency center' to begin with?

Nobody else feels the need to do so....

I wonder why that is?

Ok i will answer your question coherently as well.

I totally agree with you, they should have said this:

Press Release
Title: Top 3 ways to get remote viewing

#1) Use VPN, if that don't work...
#2) Use P2P, if that don't work....
#3) There is no #3, you are totally screwed if you can't figure the other 2 out. I mean sure, there is another way, but it would be totally stupid of us to mention it. So no, really there is no other way, you are screwed.

I think that satisfy your requirements yes?

Why does a VPN 'not work'? It's not like it's deep learning NVR... VPNs are a mature technology. The only issues are technical competence in setting it up and the willingness to spend the extra few hundred to do it.

If P2P does 'not work' that is on Hikvision. Seriously, Hikvision should proudly stand behind HikConnect and say "no, we only recommend using VPN or HikConnect." Agree/disagree?

What customers use for remote connection with Genetec,Milestone,Avigilon and etc..?

 

 

#2, good question. Let's clarify what manufacturers, including Hikvision, are and are not responsible for.

The sheer act of port forwarding is not necessarily the manufacturer's responsibility.

The manufacturer's responsibility is what they direct their customers to do. And Hikvision, for years and until today, continue to tell their customers that port forwarding is acceptable, both in writing and when you call support (we have tested this repeatedly over the last 6 months).

A good contrast is what an integrator said about Axis today when he called and asked for support port forwarding:

Support said port forwarding is a security issue

That's reasonable for Hikvision to do the same, yes/no?

 

"The sheer act of port forwarding is not necessarily the manufacturer's responsibility"

In any manufacture's VMS manuals you can find info about ports for remote connection

Yes/No?

#2, 'any'? I am sure there are some out there as there are many VMSes in the world.

I don't know of any hardening guide where a VMS or IP camera manufacturer recommends port forwarding. Hikvision is so far unique there.

I applaud you for attempting to defend Hikvision but wouldn't it better for Hikvision to simply stop recommending it? Then you would have even a stronger case to go after companies that 1/100th Hikvision's size.

I am sure you know how to "Google":)

Yes, any manufactures in their manual provide info about which ports to be open for remote communication

Do you want me to help you? :)

Yes, please help. I am sure you have some manufacturers in mind so please share. In the future, you can post immediately. The drama of the setup is appreciated but unnecessary.

Ok,

after googling for few sec

Digital Watchdog!

 LAN SETUP: • Connect the DVR to the router • Enter the NETWORK menu • Change the Network Type to DYNAMIC and press IP DETECT This will pull the IP information from the router: IP address, Subnet, Gateway • After the progress bar reaches 100 percent, change the Network Type back to STATIC • You can now change the IP to be outside the Router’s DHCP range If you wish to keep the same IP you will have to reserve the IP to the DVR’s MAC ADDRESS on the router • Change DNS SERVER1 to: 168.126.63.1 • Change DNS SERVER 2 to: 168.126.63.2 You can find these DNS servers in the HELP MENU of the DVR. • Enable UPNP and AUTO Private IP , then SAVE AUTO Private IP will open the PORTS if the unit is connected to a basic router going to a basic modem. • After the progress bar reaches 100 percent, go to the DDNS tab. • Check the box to Use DDNS • Select the DDNS server Note: dwddns.net and dwddns2.net are hosted by Digital Watchdog. Dyndns.com is a third party service used only if you are unable to successfully register with DW. • Create a DVR NAME (no caps, no spaces) then click START to register the name with our DDNS service (Do not enter a User and Password on this tab. These options are only used when dyndns.com is selected) • Once you get “SUCCESS” for the registration, click on SAVE. (if it shows “FAILED” or no message at all, reboot the unit and try again.) ***Test the remote connection to see if the Auto Private IP function work*** Note: If you fail to connect then you must open the ports on the Router or Firewall. ROUTER SETUP: • Now you will have to open the ports on the router. The ports to be opened are under the NETWORK tab of the DVR. You may have to change the web port to 8245 as it is often blocked by the provider. TCP port 9010 needs to be opened as TCP /UDP • You can get port forwarding assistance by going to www.portforward.com , contacting the Router manufacturer’s tech support or you may call our technical support line at 1-866-446-595 • Once the ports have been opened you will then be able to connect remotely using the new DDNS address, which is the name you created plus the DDNS server. EX: johndoe.dwddns.net If you changed the web port, you must add it to the address when connecting in Internet 

More may be later:)

By the way I expect my Acc to be extended for few thousand years:)

Security Center Installation and Upgrade
Guide
5.4 SR2

page 43

Default ports used by Security Center
After installing Security Center, you must ensure that all the correct ports are open and redirected
for firewall and network address translation purposes, so all the Security Center components can
communicate properly.
During the Security Center installation, you are given the option of allowing Security Center to create
firewall rules for its applications. If you select this option, all Security Center applications are added as
exceptions to the internal Windows firewall. However, you still must make sure that all the ports used
by Security Center are open.
You can configure different port numbers than the ones that are used by default.
Common communication ports
The following table lists the default network ports used by Security Center applications:
Computer Inbound Outbound Port usage
Main server TCP 5500 Directory connection requests
Client workstations
(Security Desk and Config
Tool)
TCP 5500 Directory connection requests
Client workstations
(Config Tool)
TCP 443 Communication with GTAP for SMA validation/
sending feedback
TCP 5500 TCP 5500 Communication between servers
TCP 4502 TCP 4502 Backward and Silverlight communication
All servers
HTTP 80 Connection via Server Admin
Servers upgraded from an
earlier version
TCP 4503 TCP 4503 Communication with servers of an earlier
version
Intrusion Manager TCP 3001 TCP 3001 Bosch intrusion panels
REST service TCP 4592 TCP 4592 Communication between System Availability
Monitor Agent (SAMA) and Directory server

 

 

In 60 min I will check my Acc!

expect to see chage:)

Good work, you will surely receive your rewards at Tao next week ;)

I've reached out to both vendors to ask for a response (the same as we did with Hikvision until they refused to speak to us). By end of tomorrow, we will update appropriately including criticism as warranted by their response.

Here is idea for you!

if you really willing to help integrator's

find some really easy VPN setup

and create course

instead lots of Bla Bla:) 

We have a VPNs for Video Surveillance Guide that explains how to find a low-cost VPN, set it up, etc. I just made it public to help more integrators.

And if we can add to that, happy to do so. Thanks #2.

Update: I have preliminary responses from both as they are both reviewing their documentation. They and I are checking on some things with further follow up tomorrow.

holy crap!  this may the worst-written technical documentation I've read in a while.

I always use port forwarding procedure, I never felt that I can trust any of those P2P services and I don’t even use Hikvision products. Is there anyway to setup a private P2P server? Again I don’t trust any of the manufacturers p2p. What are your recommendations?

thanks

I’m not sure if you are aware of this (or maybe we were misinformed), but HikConnect is limited to a five to ten minute timeout. It’s not intended for extended usage or access. 

We were told this at a recent Hikvision Roadshow event. While we don’t generally use HikConnect, I did think it was similar to the P2P offering in that you could use it continuously. Knowing that it’s really just to pop in and take a peek once in a while severely limits it’s usefullness. 

It would also explain why port forwarding is still required. The Hik technician that assisted in the Roadshow explained that we should never use standard ports and that security thru obscurity was the best option. He had a nice story about a 40 year old script kiddie in his moms basement that was itching to hack you just for the lulz. At which point, the sales guy insinuated that the Hikvision tech was said person in the basement. Laughter ensued.

I’m not sure if you are aware of this (or maybe we were misinformed), but HikConnect is limited to a five to ten minute timeout. It’s not intended for extended usage or access.

We were told this at a recent Hikvision Roadshow event. While we don’t generally use HikConnect, I did think it was similar to the P2P offering in that you could use it continuously. Knowing that it’s really just to pop in and take a peek once in a while severely limits it’s usefullness.

I looked into this today and couldn't find aything in their documentation about a timeout. I even called tech support to ask about this and the tech told me that it is a viable way to view cameras and he was clear that there is no timeout after a certain amount of time, although there are better options (iVMS). 

To test this I have a phone with Hik-Connect on in live view of a camera that has been running for ~1 hour now and it still hasn't timed out. 

 

I will reach back out to the Hikvision reps that held the Roadshow for clarification and follow up with their response. 

I found another site where people were complaining about the 5 min timeout

Here is a link to the Hik-Connect datasheet where you can find the 5 min timeout. So, if you are NOT using port forwarding, meaning using their P2P service, there is a 5 min timeout for live viewing. If you are using port forwarding, NOT using P2P, it is unlimited.

I will reach back out to the Hikvision reps that held the Roadshow for clarification and follow up with their response.

Thanks, curious to hear what he has to say since tech support told me otherwise.

I found another site where people were complaining about the 5 min timeout

Looks like people are saying that it happens randomly? I have never seen this happen before. Currently added 4 cameras to live view through p2p service running for ~30 minutes with no timeouts.

Here is a link to the Hik-Connect datasheet where you can find the 5 min timeout. So, if you are NOT using port forwarding, meaning using their P2P service, there is a 5 min timeout for live viewing. If you are using port forwarding, NOT using P2P, it is unlimited.

I am using the P2P service to view these cameras and I have yet to see a timeout happen.

Here is his response:

When you connect through the cloud portion of hik connect, there is a 10-minute timeout. This is for people that leave their phones connected inadvertently.
 
If you connect through the hik connect ddns there is no time out

To clarify, HikConnect DDNS = port forwarding? I am curious then how many are using the 'full' HikConnect P2P vs HikConnect DDNS / port forwarding?

>HikConnect DDNS = port forwarding

 

no, HikConnect DDNS  is simply a service for keeping track of a DVR’s public IP address (which may change  depending upon their Internet provider ).  DDNS= Dynamic domain name system .   

 You don’t have to use Hikvision ddns, but with or without it you do still need to use port forwarding.

 ( Port forwarding is how your local router knows that a request to 63.32.2.4:80 should be “forwarded” to local device 192.168.1.7:80 , as an example ) .   Without port forwarding, your local router does not know where a public ip request to port 80 should be directed to locally.

 With a P2P or cloud-based service, you don’t have to use either (assuming hik’s p2p / cloud is online/working)

That's my point, that using HikConnect DDNS, like other DDNS services, effectively requires using port forwarding. I apologize for the unclarity.

I can confirm I've been looking at a camera in iVMS and on my iPhone via Hik-Connect, no port forwarding, for about 20 minutes now.

Here is another nugget I found. Solution #3 is my all time fav!

 

How to deal with error ‘receiving data from device timed out’ appearing in iVMS-4500?

May 26, 2016 Views:1346

 

Answer

[Possible reasons]

1. Poor network condition

2. Incorrect port forwarding

3. Firewall blockage

 

[Solutions]

1. Try changing to wifi or other mobile telecom operator

2. Make sure the port forwarding is correctly configured and that the server port is active. Sometimes the port might be blocked or occupied. Users can try changing to other ports, for example, HTTP port changing to 81, server port changing to 8001, RTSP port changing to 1554, etc.

3. Turning off the firewall of the modem/router

 This post/scenario reminds me of a discussion I had over on the Plex forms (Plex is a media server , not cctv related ,  but its server requires port forwarding,  and to even use  Plex , you need a server - ergo open ports. ) 

 Granted these users may not be knowledgeable users or not security focused, but I was surprised at the amount of backlash I got in pushing for a cloud/P2P (or using a firewall hole punching technique) alternative or option to the mandatory port forwarding.     Legit Plex clients that would be using the port forwarding , usually come from random IPs addresses (thus just about ruling out ip ACL‘s  on those ports that you must forward ) .

 Anyway here is the link if anyone’s interested (the short of it is users were citing the risk of Plex or a nefarious after getting control of the Plex cloud/P2P system and then having the ability to access or direct the millions of servers that were using this system , vs  Port forwarding using port forwarding where users maintain control -   Horrible, almost invalid, points in my opinion.)

Allow firewall hole punching to increase security

 Also a much related link is the technique of firewall hole punching that I’ve seen used in various scenarios ( I found this during my discussion above) :

TCP hole punching

I've never thought the value exceeded the risk with Plex's cloud based authentication and remote access. It doesn't seem wise to trust a closed-source third party with the keys to the network when most of their users are hosting large volumes of illegally acquired copyrighted material.

My preference would still be VPN or perhaps an nginx reverse proxy if I'm feeling daring.

 

 

Good points.

 It’s worth noting, that you don’t have to use their cloud authentication (at all) + you can set your server up to white list local IP ranges (Ie only the subnet of  your local network, and/or the IP range/subnet of your VPN clients).   Of course you may then deal with performance issues, but it’s nice they give you that option. 

 Also imo, the value in their product ( your local plex server) is its ability to transcode video in real time depending on what the streaming device *can* support.   (Ie store your videos in any format ,  The server will organize them and deal with the client devices format/streaming needs.   EXample: playing a .avi stored video in Safari browser on an iOS device , which only supports mp4 video ,  plex server will transcode in real time into that MP4 format ) 

 

(btw  for those unfamiliar with plex and  wondering what does any of this have to do with CCTV- very little to nil: it was mainly in regards to the similarity of their open ports versus P2P/cloud accessibility and (lackof)security as it relates to the exact same issue with ip cameras) 

Read this IPVM report for free.

This article is part of IPVM's 6,533 reports, 880 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Hikvision Chairman Targeted For Sanctions As Federal Watchdog Calls Out Hikvision "Serious Religious Freedom Violations" on May 21, 2020
The US government's religious freedom watchdog has criticized Hikvision for...
Hikvision And Dahua Now Blocked From Conforming ONVIF Products on Apr 03, 2020
Dahua and Hikvision, sanctioned for human rights abuses, are now blocked from...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all...
Hikvision Fever Screening Thermal Solutions Examined on Apr 13, 2020
Hikvision is marketing "safer, faster, smarter" with their Fever Screening...
Uniview H1 2020 Financials Examined on Sep 08, 2020
While Dahua and Hikvision, helped by fever camera sales, are recovering from...
The SIA Board Strongly Supports ISC West October 2020 on Apr 23, 2020
The SIA Board strongly supports the upcoming October 2020 ISC West, amidst...
Dahua USA Admits Thermal Solutions "Qualify As Medical Devices" on Jul 02, 2020
Dahua USA has issued a press release admitting a controversial point in the...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations at an all-time low, optimism about relations...
U.S. Government Accountability Office Urges Facial Recognition Regulation on Aug 27, 2020
The US Government Accountability Office (GAO) is urging facial recognition...
US Passes Uyghur Human Rights Law Condemning Mass Surveillance on Jun 18, 2020
The US government has passed the Uyghur Human Rights Policy Act of 2020,...
Trade Groups Request NDAA Blacklist Delay Citing Coronavirus on Apr 06, 2020
Two trade groups representing government contractors have asked Congress to...
Hikvision Admits Sanctions Harming Its Financial Performance on Mar 27, 2020
While Hikvision initially downplayed being sanctioned for human rights...
FDA Gives Guidance on 'Coronavirus' Thermal Fever Detection Systems on Mar 30, 2020
The US FDA has given IPVM guidance on the use of thermal fever detection...
Temperature Screening Is Ineffective, Says US, UK, Canada, Israel, And Ireland Health Leaders on Aug 25, 2020
Health leaders around the world are increasingly speaking out about the...
Panasonic i-PRO Hid Huawei, Does Damage Control on Aug 21, 2020
Panasonic i-PRO hid their usage of Huawei from the public, continues to...

Recent Reports

Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
Today is your last chance to save $50 on registration for the Fall 2020 Video...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...
China Bems Temperature Measurement Terminal Tested on Sep 22, 2020
Guangzhou Bems (brand Benshi) is the manufacturer behind temperature...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Milestone XProtect on AWS Tested on Sep 21, 2020
Milestone finally launched multiple cloud solutions in 2020, taking a...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...