P2P 'Fail To' 'Quick And Steady Access' - Hikvision Defends Port Forwarding

Hikvision now recommends IP address filtering as a security measure for using port forwarding but it is not practical.

Allowing ranges for entire ISPs or mobile providers is hardly secure, as they may literally contain millions of IP addresses.

Second, if you're attempting to reach your home or business system remotely from a hotel, a coffee shop, a friend's house, etc., you'll be unable to connect. And that will require a service call to the integrator each time this happens, etc.

IP address filtering is great in a closed, local network where devices are static addressed. But for remote access, except in very well defined circumstances, it's likely to be unusable.

I always use port forwarding procedure, I never felt that I can trust any of those P2P services and I don’t even use Hikvision products. Is there anyway to setup a private P2P server? Again I don’t trust any of the manufacturers p2p. What are your recommendations?

thanks

I’m not sure if you are aware of this (or maybe we were misinformed), but HikConnect is limited to a five to ten minute timeout. It’s not intended for extended usage or access.

We were told this at a recent Hikvision Roadshow event. While we don’t generally use HikConnect, I did think it was similar to the P2P offering in that you could use it continuously. Knowing that it’s really just to pop in and take a peek once in a while severely limits it’s usefullness.

I looked into this today and couldn't find aything in their documentation about a timeout. I even called tech support to ask about this and the tech told me that it is a viable way to view cameras and he was clear that there is no timeout after a certain amount of time, although there are better options (iVMS). 

To test this I have a phone with Hik-Connect on in live view of a camera that has been running for ~1 hour now and it still hasn't timed out. 

Here is another nugget I found. Solution #3 is my all time fav!

How to deal with error ‘receiving data from device timed out’ appearing in iVMS-4500?

May 26, 2016 Views:1346

Answer

[Possible reasons]

1. Poor network condition

2. Incorrect port forwarding

3. Firewall blockage

[Solutions]

1. Try changing to wifi or other mobile telecom operator

2. Make sure the port forwarding is correctly configured and that the server port is active. Sometimes the port might be blocked or occupied. Users can try changing to other ports, for example, HTTP port changing to 81, server port changing to 8001, RTSP port changing to 1554, etc.

3. Turning off the firewall of the modem/router

 This post/scenario reminds me of a discussion I had over on the Plex forms (Plex is a media server , not cctv related ,  but its server requires port forwarding,  and to even use  Plex , you need a server - ergo open ports. ) 

 Granted these users may not be knowledgeable users or not security focused, but I was surprised at the amount of backlash I got in pushing for a cloud/P2P (or using a firewall hole punching technique) alternative or option to the mandatory port forwarding.     Legit Plex clients that would be using the port forwarding , usually come from random IPs addresses (thus just about ruling out ip ACL‘s  on those ports that you must forward ) .

 Anyway here is the link if anyone’s interested (the short of it is users were citing the risk of Plex or a nefarious after getting control of the Plex cloud/P2P system and then having the ability to access or direct the millions of servers that were using this system , vs  Port forwarding using port forwarding where users maintain control -   Horrible, almost invalid, points in my opinion.)

Allow firewall hole punching to increase security

 Also a much related link is the technique of firewall hole punching that I’ve seen used in various scenarios ( I found this during my discussion above) :

TCP hole punching