Network Security for IP Video Surveillance Guide 2016

Author: Ethan Ace, Published on Feb 03, 2016

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in conjunction with each other.

In this guide, we look at several security techniques, both physical and logical, used to secure surveillance networks, including:

  • Network Hardening Guides
  • Passwords
  • LDAP / Active Directory Integration
  • VLANs
  • 802.1X Authentication
  • Disabling Switch Ports
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Locking Plugs
  • Physical Access Control
  • Managing Network Security For Video Surveillance Systems

******* ************ ******** ****** *** ** * ******** ****, *** there *** ******* ******* **** *** ******* ****** ****, ********** when **** ** *********** **** **** *****.

** **** *****, ** **** ** ******* ******** **********, **** physical *** *******, **** ** ****** ************ ********, *********:

  • ******* ********* ******
  • *********
  • **** / ****** ********* ***********
  • *****
  • ***.** **************
  • ********* ****** *****
  • ********* ******* *****
  • ********* ****** ********
  • *** ******* *********
  • ******* *****
  • ******** ****** *******
  • ******** ******* ******** *** ***** ************ *******

[***************]

Network ******** ******** ** ****

**** **** ****, ** ****/** ******* ******** *** ****** * key *****, **** ********* ***************, *****, *** ******* ** *** rise.

** ******** *****, ********* **** *** *** *** *******, **** Hikvision *** **** ******* ****** (***:********* ******* *** ******* ******** *******,*** ********* ******* *******,*** ********* ******* ******* *******, ******* ********* ** *****"**** *******" ********).

*******, ** ****, ***** *************** (*** ***** *******) **** ******** in ***** ***** *************, *********:

*** *********** ** ***** ************ ************* *************** *** *********** **** *********** ** ***** *** ***** ******, ********* *** ones ** **** *****.

******* ** *** ******** ** ***** ********* *** ***** ********** frequency, ** ** ******** **** ***** ********** *** ****** ** cyber ******** *** ************ *******, *** *** ** ******* ******* simple ******* ** *** **** *****.

Network ********* ******

** *** ** ******** ** *****, ******* ********* ****** *** common, ********* *************** (** ** *******, *** ********* ********* *****) ** **** *** ******* **** ******. ****/**** ** ***** recommendations ***** ** ************ ********, ** ****, ********* *********** ******** and ***** *******, ******** *********, ********* *****, ***.

*******, **** *************** *** ** ***** *** ****** **** **** IP ***** *********** *** ******* **, ** **** ** ********* for * ***** ******. ******* ************** ******* **** ** ***.**, LDAP ***********, **** **********, ***., *** ****** *** ***** *** time/cost ** ********* *** **** *******, ***** *** ******* ****.

************ ********* ****** ****

****** **, ************ ******** ********* ****** *** ****, ******** * ******* ** *************** **** *************.

*** ***** *************** ** **** ** ***** ****** ****, *** most *** ******* **** ***** *** ******** ******, ********* ** the *********** ** *** ************.

*** **** *****, *** ********, ****** **** **** **** (*** production ***) ** ****** ****** ********** ********, *** ******* ***** best *********, **** ** ****** *********, ******** ********, *** ********* anonymous ******, ******* **** ******* *********, **** ** ***.** **************, SNMP **********, *** ****** *******.

***** *** ***** ****** *** ************-********, ********* ************ ********* ** the ****** ** ***, **** *************** *** ****** ****** *** manufacturers, *** **** ** **** **** ** ******** **** *********, and *** ********* ********* *****.

Strong *********

****** ********* *** *** **** ***** ******** *******, *** *************, ignored ** **** *****. **** ************ ******* *** ******** ** the ***** **** ******* ********* ** *** *********, ********* *******, switches, *********, *** **** (*** ***** ******* ******* ********* ****). ***** ** *** **** ** ****** *** ***** ** access ******* *** **** **** ** ****** *** ****** ** log **** ***'* ******* (***:****** ****** *** ******* ** *******).

** *** **** *****, *** ************ ******* *******, ****************, *******, *** *******, ****** ** ******* **** *** ******** with ****** *********, ********** ** * ****** ********. **** ******** access ** *** ******* ***** ****** ******** ********, ********* * more ******* ******** *** **** ******* *******.

**** ************* ******* ******** *** ******* ******** **** ********** *** the ***** **** (*** *********** ** *** ****, ***** *** ******* *** *********). ******, ** ************* ******* (*)***** **** ******** ******* ********* *********, ****** *** **** **** is ******* ******* ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) ***********, *** *********** *** ******** ** network ***** ******* ** * ******* ****** (**** ****** ****** sign-on). ***** ***** **** ******** ***** ********* ******** ******** *** expiration *****, **** *********** *** ******* ******** **** ***** *** accounts ***** ** *** **** ***** ************. **** ******* ************** overhead, ***** ********** ******** ** *** ** ** ******* *** maintained.

*********, **** *** ** ********** ** ******, ********** *******, ***** many ***** ************* ** *** **** ** **** ****** ***********. Some ***** ** ******* ******* ***** *** ********* ** ****** entities, ********** ********* *** ********* **********, *** *** **** ** these ************* *** ****** ** *** ** *** ***** ******* access *******.

**** / ** ***** ************* ** **** *** ** *******, but, ** ******** ** ***. ***************, ** * ********* ********, is *** ********* ** ****** *** ** ******, ***** ********* run ** *****. ********** ** ****** ******* ** ** **, *** ** *** *** ****** *** ********** ****** *****.

Firewalls/Remote ******

** ******* ************ ****** ******, **** ************ ******* *** *** connected ** *** ******** ** ***, ******* ** * ******* separate ***. **** ******* ****, *** *** **** ******* **** difficult, ** ******* ** ******** *** ********, ******* ****** **********, must ** ****** **** *** ** ***** *****.

***** ******* ***** *** ********* *** ********* ****** * ********, which ****** *******/******** ******* ** **** ******** ** ********* *** ports ***** **** **** **********. ***** ******* ** ********. ******** implemented, **** *** ******* *** **** ******** ** *******.

****** ****** *****

*** ******* ***** ******* ****** ******, ***** *** ******* *** require *** ** **** ***** ** ** ****. *******, **** open **** ******** * ******** *********** *** ** ********. ******* how **** *** ***** ****** ** *** ***. ***** ****** refer ** ************ ************* *** ***** ***** **** ** **** if ****** ****** ** ******** (*** *********** ** ****** *******), and ** **** **** ******** ** ********** ***** *** ** ***** ************ ********.

***/***** ******

*************, **** ************* ***** *** "***** ****" ****** ******, ***** sets ** * ****** ****** *** ** ******** ********** ******* requiring **** *****, ******** *****. **** ******* *** ********* *** cloud *********** *** ****** ******, **** *********** *****,***** *** ***** ***, ********** *****. ************, **** ****** ******* ******** *** ******* **********, **** as *******, **********, *********, ***.

** ******* ***** ******* ** ********* ******* ****** *** ***** ********************.

*****

******* **** (********* ** *****)******* ******** ** ********** ******* **** ******** ******* ********. ** while ***** ********, **** ** ** ***** ************ ********* ** general ****** *** *******, *** ***** ** *** **** ******** switch, *** ********* ******** *** ******** *** ********* ** **** other, *** ***********.

*** *******, ** *** ***** *****, *** ****** *** *** on **** * *** *** ** ******* ** *** ****** PC ** * ******** ****, *** ***** * **** ** the *** (**** *)"***" ******* ** *** ** **** (**** 2).

***** *** **** ******** *** ** ********.** *******, ***** **** * ****** ** **** ***** ********** **** information. **** ****** ** *********** ** *** ****** *** ******* forwarded **** ** ***** ******* ** *** **** ****.

**** **** ***** ******* *** *** ** *********** ****** *****, bandwidth *********** ***** *****. ******** ***** ***** ******* *** ********** impact **** *** ****** *********** ***********, ***** ***** **** ********* may ****** *** ************ *******. ******* ** ****, ***** *** also **** ***** ******** ** *********** *********** ** ******* (***), ***** *********** ******* *******, ******* ***** ******* ***** ** file *********, *** *******, ** ***** ******* ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* ********** ****** ** ******* ************ ******* from ********* * ****** ** ** ******* *** ****** *****. This **** ********* *** **** ** ******* ****** ** ****** a ******** ****** ** ******** * ***** ***** **** * switch ** ****** ******* ****. *** ****** ** ******* ******** ports ** * ****** ****** ** ******* ********, **** *** cost *** **********:

***** ********* ** ********* *** ****** ** ********* ****** ******, this **** **** *** *********** ******* ************ ****** ** * network, ** ******* ***** *********** ****** * ****** (******, ***********, printer) **** * ********** ********** **** ** **** *** ****** its ****, ****** ******** **** ** *** ********* ** ***.** are ** *****.

Disabling ****** ******* *****

**** ******* **** **** ******** ******* ***** ****** **, **** as ******, ***, ***, ***., ** ** ***** ** ********** ** ******* ****. ***** ***** *** ******** ******* ** ******* (** *********** by ******* ****** *** ****** *************** ***** *********** *******).

* ***** ** ****** **** ** * ******* ** ****** reveals ******** **** ***** ***** **** ***** ******** *** *** access *** ***** ********* (**/***):

***** ***** ****** ** ******** ******** ******** ** ******* ********* attacks.

Disabling ****** ********

*********** ******** ** ******* ************ *** ******* ****** ** ****** off. ***** *** ******* ************-******** ****** *********, ******* ********* ****** services, *** ********, ***. ***** ******** ******** *** *** ** a ******** *** ******* ** *******, ******* ********** ********* *** memory, *** ******** ******* ****.

***** ******** ****** ** ******** ** *** ** ******* **** when ******** *******, ** **** **** ** *******:

OS *** ******** *******

** *********** ********** * ****** ** **** ******, **** **** ***** ********** ***** ********* ******* ******, *** example, ***** ****** ****** **** ***** ******* *** ***** *** software ** ****** ************.

*******, ***** ******* (********** ******* ******) ***** ******* ******* ** newly ********** ******** ***************, **** ** ************* *** *************, ***** ******** ******** ** ********* *********. ******* *** ***** significant ****** ****** ** *********.

*****, **** *******, ******* *** ** ********. ***** ********** ********* about ************* ****** ****** ******* ***** ******/********/*** ************* ** *** their *************** *** ******** ******* ** ***.

MAC ******* *********

*** ******* ********* ****** **** * ******** **** ** ******* to ******* ** *** ******. ***** ******* ******* **** *** switch *** *******, **** ** *** **** ********** *** **** by * ***** ******. *** ********* ** ******** **** ***** managed ********.

** ************ ********, *** ********* ** ********* **** ** **********. Once *** *******, *******, *** ******* *** *********, ** ** enabled, *** ********* *******' **** ***** ** *** *********. ***** these ******* ** * ************ ******* *** ****** ******* ***, little ***** *********** ** ********. ** ***** ******** ***** ******* may ********** ** ***** ** *******, ************** *** **** ********* more ********** ** **********.

**** ***** ***** *** ********* ******* ** * ******* ******* switch *********:

*** ********** ********** *** ***** ************ ******** **** ********** *** * ***** ******** ** *** *********.

***.**

***.** ******** ******* ****** ** ******* ** *** ******* ** have ****** *********** ** ** ******* **. **** ****** ****** devices ** ********* **** **** ******* ** * *******.

***** ***.**, * "**********" (****** **** * ******, **, ***.) attempts ** ******* ** ******* *** * ****** ** *** (called *** "*************"). *** ************* **** ****** *** *********** ** the ********** **** * ******, **** *** ************** ****** (********* using * ******** ************, *** ****** ** ****** ****** ***********.

***** ***.** ******** ****** ********, ******* ** * ******* ** support ** *** ** ********** *** ********. *** **** **** connected ******* (*******, ****, ****** ***, ****, ***.) ******* ***.** integration, *** ******** ****, ** ****. **** ** ***** ******* must ** ************ ********** *** ***.**, ****** ********** ************* **** to *** *******.

******* ** ***** *******, ***** ******** **** *** ************** ********, 802.1X ** ****** **** ** *** *** *** **** ******* enterprise ************ ********, **** ***** ****** *** ******* ******** ******** instead.

Locking *****

******* ***** ** ******** **** ********** ******** ********** ** ********* with ******* ******* ** ************ ******* *** **** ***** *** cable *****. ***** ******* ************ **** * ***** **** * switch, ***** *****, ** **** ****, ** **** ****** ****** ports, *** *** **** ** ******* **** * *********** ****.

***** ***** ***** ** ***** *** ********* ** ******** ****** tampering, **** *** *** ********** ** **************, *** * ********** intruder *** ****** ** **** ** ***** **** *** ** pry **** ***** ***** ****** ****. ** ****, ******* ***** should ** ********** **** ** * **** ******* ******** *******, but *** *** **** *******.

*** * ****** ****, **** ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** *** *********** ****** ** *** **** vulnerable ***** ** * *******, *** *****, *******, ** ***** where ************ ******* *** ******** *** ********* *******. ** ******** the ********* ************ ** ***** *****, **** ***** **** ********** or **** *********** ******* *** ** *******. ** ***** ****** be *******, ********** **** ***** ** ****** ********** ****** **. Most ****** ** ********* ******** ******** ********* ** ******** *******:

** * ******, **** ********** ****** ********** ****** ******* ** server ** ******* ********* *****. *******, **** ***-****** ********** **** and ***** *** ** * ***** *** ** ********** ********* areas **** ******** *******.

Managing ******* ******** *** ***** ************ *******

***** *** *** ***** ***** *** ******* ******** ** ***** own, **** *** **** ********* **** ********** ** **** ** a ******* (*** ********) ******** ******.

** ************, **** ****** ** ** ** *** ********** *******, but ********* ** ***** **** *** ** *** ******:

  • *** ****:**** *** ************ ******* ** **** ** * ****** *********/********** LAN (******* ******* ******** ** *********), *** ***** **** ****** control *** ******** ****** *** *** ******* *******, *** *** force ***** ************ **** *********** (*** ****** ** *****).
  • **********:** ** *** **** **** *** **** * ******** ****** in *****, *** ********** ********** *** ****** ** ****** *** as **** ** ***** *************, ********* ** ** ** ******** in ***** *** *** ******** ** ** ******** *** ***** liability ** **** ** * ******.

Test **** *********

**** ****** ******** *******.

Comments (16)

"** * ******, **** ********** ****** ********** ****** ******* ** server ** ******* ********* *****. *******, **** ***-****** ********** **** and ***** *** ** * ***** *** ** ********** ********* areas **** ******** *******."

** ****** *** ********* ** ****** ******* ** ********** ****** within *** ****** **** ** *** *** *****, ****, *** perhaps ***** ***** ** ***** *** ***!

*** ***** **** *********** ********* ******** **'* * *********** (**** the ******* ***** **** ** ****** ** **********).

*****, ***** ********. *'* *** **** *** *** ***'* ******* software ******** ******* ** *******/*******. **** *********, **'* ** **** that ***** ** **** ****** *** *******'* **** ************ **** the *** ****** ******* *** *** ******* **** ******* **** day ******* *************. ******** ***** ** ******* *** ****** ** security *******, **** *** **** *** ******* **** *** ************* to *** ****'** ******* ** ** ******* *****.

****, **'* **** ** * ***** *******, *** ******** ****** wants ** **** ***** ********** *** ******* ***** ******* **** that **** ** **** ****** *** *** ***** ** *** your ******, *****'* ******-*****.

*** *** ****? * *** ********* ** ******** ****** ** one **** ***** *****:

*** *** * ****** ** *** **** ** ***, *** psw * ****'* ****. ***** *** ** *** ****** ** reset **. **, * ****** ** *********** ** ** *******, told **** ****** ****** ** ***, *** ***** *** ** problem - **** **** ** *** ** *************!

** ***** ***, **** *** '****' ******* ************* ***, ***** every *** ** ********* (****, * *** ***** **** *** list *** *** **** :)).

*** ****'* ********* ** ********.

********.*** **** **** ***** ***** *** ** **** ******?! ********** in ** *****...

*******, ***:***** *** ********* ****** ******** ********.

*********, **** ******* **** *********. * ****** ******* ** *** password ** *** ***. ***** ** ** ********* ***** *** input *** ****** ****** *** *** ******* **** *** ** generates * ********. **** **** ********* **** ** *** ******** and ****** / ******* **** ******** ** ** ** *** same **** / ****** ******.

***** ***, *** ***********.

**,

******* (**** *********) ******** ** * ******* *********** ********.

* ** *** ********** **** **** ** *** ***. **** create * ****** *** *** **** ********** *** ******** ** the ******* ****. **** **** ***** **** ******* **** ***** this ******** ** **** *******.

** ****** **** *** * *** ***** *** *** ******** works *****. *** **** ******* ** **** ** **** ***** its **** ********* **** *** ******** ****** ******.

"*** **** ******* ** **** ** **** ***** *** **** expensive **** *** ******** ****** ******."

*****...

* ******** **** ***** ** ******** ****** **** ** ******** to ****** ******** ** *** ****** (******* ***** ******** **** are *** ****** ** *** ********* *** ***** *****). ** is **** ** * ******* ***********-****, *** ******* ****** *** ******** ** ***** ******** ******* about * ***** ***.

* ***'* **** *** ***** **** ********** **** *** *******, it **** ** ** * ****** ******** * ***.

***.** ** * *** ****. **'* *** ***********, ** ******** expensive ********, **'* ********** ** ********* **** ** *** **** a ***** ***** ******. ** ******** ******* ** **** ***, and ** **** ******* *** ***** **** *** ****** ** the ******, *** *** ** ***.

** ****** ** ***** ** ******* ** ************** ** **** subject, *'** ***** *** **** ** *********. :)

** ***** *** ************* '***-**-***' ******** *** *********?

** ******** **********, *** *** *** ************, * *****-***** ******** enforcement **** **** *** ******** **** ********** ** *** ******. This ******** ** ******* ** ******** ** ******* ** *** edge ** *** ******* ** *********** ******** *** ******* *********. Senstar’s ******** – ***** ******** ******** ****** – *** ************ designed ** *****-****** ******** ******** ********, ***** ***** ******* *** safe-city ************.

** *************:

  • ******* *** ********** ***** ******* *** ******** ** *** *******
  • ****** ****-**** ****** *** *** ******* ** ***** *** ******* to ******* ** ************ ****** ** *** *******
  • ******** ******** *** ******** *******, ** **** *****, ** **** sure **** **** *****, ****, *** ********** *******, **** ********** entities, ** *******
  • ******* ****** *** ****** *****-*******: *** ********, *** ******** ** poisoning, ** ******* ********, ********* *** ***** *********, ********-**** ******** manipulation *** ****** ** ********

*******, *** *************, ** ** ** ********** ******** **** ******** no ********** ******* ** ******* ** *** ************* ****** ** a ******** ****** . ***** ** *******://***.************.***/

**** ******* ******** ***** ******* ******** * **** *** ****** find **** ** ** *******.

**** **** ***** ******* *** *** ** *********** ****** *****, bandwidth *********** ***** *****. ******** ***** ***** ******* *** ********** impact **** *** ****** *********** ***********, ***** ***** **** ********* may ****** *** ************ *******.

**** ** ***-******** ********? ***-******** ******* **** *** ***** *** operate ** **** ********* ******* ********* **** *****.

*****, **** ******** **** ***** **** *** ***-********.

******, **** *** ***-********. **** * ***** ** **** ********* switch ********* ***** * ** **** *********.

** ****-**-****, *.*., * ****** ** * *** ****** ** the **** ******, ** ******** ** ** ** *****. *******, across ***** *****, ***** ***'** ********** ** *** ****** ** the ***, **** ******** ***** ** *****, *** *** (*** probably ****) ***** *** **********. **'** ******* *** ****.

**** * ***** *** ** *** ******* *********. **** **** indeed ******* **** ************** *** *** ******* *****, **'* *** fool ***** ******. *** *** ****** ****** *** *** ******* of **** ** ** ***** *** *** ** * ******* camera *** ******** ***** * **** **** ****

****. ***** *** *** *** ************* *********** ** ******* ******** which ****** **** ******** (********..) ** ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Reseting IP Cameras - 30 Manufacturer Directory on Sep 22, 2017
Every camera has a reset button (well, almost) but it is not always clear what these buttons do, how long they need to be held, what settings they...
Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...
Cloud Guy Prints Book, Misses Irony on Sep 15, 2017
On-premise security systems are dead. But $75 print books are alive and well. Such are the lessons from Brivo's CEO new book "The Five...
September IP Networking Course on Sep 14, 2017
LAST Chance - Registration is ending. Register now. This is the only networking course designed specifically for video surveillance professionals...
Genetec Launches Community Connect Examined on Sep 14, 2017
Genetec has done best in large-scale, enterprise systems and relatively worse in smaller systems such as SMB. Now, Genetec is launching...
Master Keying Tutorial on Sep 14, 2017
Mechanical keys are the most fundamental, albeit unsophisticated, form of access control. Like access control, Master Keying allows large scale use...

Most Recent Industry Reports

Reseting IP Cameras - 30 Manufacturer Directory on Sep 22, 2017
Every camera has a reset button (well, almost) but it is not always clear what these buttons do, how long they need to be held, what settings they...
Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Genetec CEO Warns Against Insider Threats on Sep 21, 2017
With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged. Just put them behind a firewall, buy cheap...
New IPVM Calculator V3 Released on Sep 20, 2017
The New IPVM Calculator V3 is released. An entirely new architecture delivers the following benefits: Turbo The calculator is now ~50% faster in...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
'Clowns' Allege Ubiquiti 'Completely Fraudulent' on Sep 20, 2017
A short seller has alleged Ubiquiti is 'completely fraudulent'. Ubiquiti's CEO has responded calling them 'clowns'. Here is the short...
Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact