Cybersecurity for IP Video Surveillance Guide

By: IPVM Team, Published on May 18, 2018

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in conjunction with each other.

IPVM Image

In this guide, we look at several security techniques, both physical and logical, used to secure surveillance networks, including:

  • Network Hardening Guides
  • Password Security
  • LDAP / Active Directory Integration
  • VLANs (Virtual LANs)
  • 802.1X Authentication
  • Disabling Switch Ports
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Locking Plugs
  • Physical Access Control
  • Managing Network Security For Video Surveillance Systems

******* ************ ******** ****** can ** * ******** task, *** ***** *** several ******* **** *** greatly ****** ****, ********** when **** ** *********** with **** *****.

IPVM Image

** **** *****, ** look ** ******* ******** techniques, **** ******** *** logical, **** ** ****** surveillance ********, *********:

  • ******* ********* ******
  • ******** ********
  • **** / ****** ********* Integration
  • ***** (******* ****)
  • ***.** **************
  • ********* ****** *****
  • ********* ******* *****
  • ********* ****** ********
  • *** ******* *********
  • ******* *****
  • ******** ****** *******
  • ******** ******* ******** *** Video ************ *******

[***************]

Cybersecurity ********

**** **** ****, ************* has ****** * *** issue, **** ********* ***************, hacks, *** ******* ** the ****.

** **** *** **** 2 *****, ***** *************** (and ***** *******) **** reported ** ******** *************, including:

******* ** *** ******** of ***** ********* *** their ********** *********, ** is ******** **** ***** understand *** ****** ** cyber ******** *** ************ systems, *** *** ** protect ******* ****** ******* at *** **** *****.

Network ********* ******

** *** ** ******** at *****, ******* ********* guides *** ******, ********* recommendations (** ** *******, see ********* ********* *****) ** **** *** network **** ******. ****/**** of ***** *************** ***** to ************ ********, ** well, ********* *********** ******** and ***** *******, ******** passwords, ********* *****, ***.

*******, **** *************** *** be ***** *** ****** what **** ** ***** integrators *** ******* **, or **** ** ********* for * ***** ******. Complex ************** ******* **** as ***.**, **** ***********, SNMP **********, ***., *** simply *** ***** *** time/cost ** ********* *** many *******, ***** *** limited ****.

Surveillance ********* ****** ************ ******

****** **, ************ ******** hardening ****** **** ************ been ****. *******, **** number *** ******* ** the **** * *****

*** ***** *************** ** each ** ***** ****** vary, *** **** *** divided **** ***** *** advanced ******, ********* ** the *********** ** *** installation.

*** **** *****, *** instance, ****** **** **** only (*** ********** ***) to ****** ****** ********** networks, *** ******* ***** best *********, **** ** strong *********, ******** ********, and ********* ********* ******, through **** ******* *********, such ** ***.** **************, SNMP **********, *** ****** servers.

***** ***** ****** *** manufacturer-specific, ********* ************ ********* to *** ****** ** VMS, **** *************** *** useful ****** *** *************, and **** ** **** with ** ******** **** practices, *** *** ********* discussed *****.

Strong *********

****** ********* *** *** most ***** ******** *******, but *************, ******* ** many *****. **** ************ systems *** ******** ** the ***** **** ******* passwords ** *** *********, including *******, ********, *********, and **** (*** ***** ******* ******* ********* List). ***** ** *** make ** ****** *** techs ** ****** ******* but **** **** ** simple *** ****** ** log **** ***'* ******* (see:****** ****** *** ******* IP *******).

** *** **** *****, all ************ ******* *******, including *******, *******, *** servers, ****** ** ******* from *** ******** **** strong *********, ********** ** a ****** ********. **** prevents ****** ** *** network ***** ****** ******** guessing, ********* * **** skilled ******** *** **** complex *******.

**** ************* ******* ******** the ******* ******** **** connecting *** *** ***** time (*** *********** ** *** ****, Dahua *** ******* *** passwords). ******, ** ************* ******* (*)***** **** ******** ******* passwords *********, ****** *** well **** ** ******* remains ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) integration, *** *********** *** assigned ** ******* ***** managed ** * ******* server (**** ****** ****** sign-on). ***** ***** **** accounts ***** ********* ******** strength *** ********** *****, this *********** *** ******* security **** ***** *** accounts ***** ** *** have ***** ************. **** reduces ************** ********, ***** individual ******** ** *** to ** ******* *** maintained.

*********, **** *** ** restricted ** ******, ********** systems, ***** **** ***** installations ** *** **** an **** ****** ***********. Some ***** ** ******* systems ***** *** ********* in ****** ********, ********** education *** ********* **********, may *** **** ** these ************* *** ****** to *** ** *** their ******* ****** *******.

**** / ** ***** theoretically ** **** *** IP *******, ***, ** practice ** ***. ***************, as * ********* ********, is *** ********* ** almost *** ** ******, which ********* *** ** Linux. ********** ** ****** ******* to ** **, *** ** *** not ****** *** ********** market *****.

Firewalls/Remote ******

** ******* ************ ****** access, **** ************ ******* are *** ********* ** the ******** ** ***, instead ** * ******* separate ***. **** ******* risk, *** *** **** service **** *********, ** updates ** ************ ******** and ********, ******* ****** downloaded, **** ** ****** from *** ** ***** means.

***** ******* ***** *** connected *** ********* ****** a ********, ***** ****** inbound/outbound ******* ** **** specific ** ********* *** ports ***** **** **** authorized. ***** ******* ** rejected. ******** ***********, **** may ******* *** **** majority ** *******. **** cameras *** ***** ************ equipment ** ** ********* to **** ******* ******** up ** ****. ***** have **** *** ***** security *************** ******* ** insecure *******. *** ***** is ************** ** ***** ********, *** *** ***** is ********** ********** ********* **************** **** ** ********* insecure **** / *** routers.

Remote ****** *****

*** ******* ***** ************* ******, ***** *** ******* may ******* *** ** more ***** ** ** open. *******, **** **** port ******** * ******** opportunity *** ** ********. Exactly *** **** *** which ****** ** *** VMS. ***** ****** ***** to ************ ************* *** which ***** **** ** open ** ****** ****** is ******** (*** *********** or ****** *******), *** we **** **** ******** in ********** ***** *** ** Video ************ ********.

P2P/Cloud ******

*************, **** ************* ***** for "***** ****" ****** access, ***** **** ** a ****** ****** *** an ******** ********** ******* requiring **** *****, ******** risks. **** ******* *** recorders *** ***** *********** for ****** ******, **** as********* *****,***** *** ***** ***, ********** *****. ************, **** ****** desktop ******** *** ******* technology, **** ** *******, TeamViewer, *********, ***.

** ******* ***** ******* in ********* ******* ****** *** Video ********************.

*****

******* **** (********* ** VLANs)******* ******** ** ********** traffic **** ******** ******* networks. ** ***** ***** services, **** ** ** based ************ ********* ** general ****** *** *******, may ***** ** *** same ******** ******, *** practical ******** *** ******** are ********* ** **** other, *** ***********.

*** *******, ** *** image *****, *** ************ equipment ** **** * may *** ** ******* by *** ****** ** on **** *, *** could * **** ** the ****** (**** *)"***" traffic ** *** **** VLAN (**** *).

***** *** **** ******** set ** ********.** *******, ***** **** * header ** **** ***** containing **** ***********. **** header ** *********** ** the ****** *** ******* forwarded **** ** ***** devices ** *** **** VLAN.

**** **** ***** ******* may *** ** *********** across *****, ********* *********** still *****. ******** ***** video ******* *** ********** impact **** *** ****** application ***********, ***** ***** file ********* *** ****** the ************ *******. ******* of ****, ***** *** also **** ***** ******** in *********** *********** ** ******* (***), ***** *********** ******* traffic, ******* ***** ******* ahead ** **** *********, for *******, ** ***** quality ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* overlooked ****** ** ******* unauthorized ******* **** ********* a ****** ** ** disable *** ****** *****. This **** ********* *** risk ** ******* ****** to ****** * ******** subnet ** ******** * patch ***** **** * switch ** ****** ******* jack. *** ****** ** disable ******** ***** ** a ****** ****** ** managed ********, **** *** cost *** **********:

IPVM Image

***** ********* ** ********* the ****** ** ********* access ******, **** **** does *** *********** ******* unauthorized ****** ** * network, ** ******* ***** potentially ****** * ****** (camera, ***********, *******) **** a ********** ********** **** or **** *** ****** its ****, ****** ******** such ** *** ********* or ***.** *** ** place.

Disabling ****** ******* *****

**** ******* **** **** unneeded ******* ***** ****** on, **** ** ******, SSH, ***, ***., ** we ***** ** ********** ** ******* ****. ***** ***** *** favorite ******* ** ******* (as *********** ** ******* miners *** ****** *************** found *********** *******).

* ***** ** ****** scan ** * ******* IP ****** ******* ******** open ***** ***** **** those ******** *** *** access *** ***** ********* (80/554):

IPVM Image

***** ***** ****** ** disabled ******** ******** ** prevent ********* *******.

Disabling ****** ********

*********** ******** ** ******* workstations *** ******* ****** be ****** ***. ***** may ******* ************-******** ****** utilities, ******* ********* ****** services, *** ********, ***. These ******** ******** *** act ** * ******** for ******* ** *******, consume ********** ********* *** memory, *** ******** ******* time.

***** ******** ****** ** disabled ** *** ** operate **** **** ******** started, ** **** **** in *******:

IPVM Image

OS *** ******** *******

** *********** ********** * ****** ** some ******, **** **** ***** installing ***** ********* ******* Update, *** *******, ***** others ****** **** ***** updates *** ***** *** software ** ****** ************.

*******, ***** ******* (********** Windows ******) ***** ******* patches ** ***** ********** security ***************, **** ** the********** *** *************, ***** ******** ******** of ********* *********. ******* for ***** *********** ****** should ** *********.

*****, **** *******, ******* may ** ********. ***** especially ********* ***** ************* issues ****** ******* ***** camera/recorder/VMS ************* ** *** their *************** *** ******** updates ** ***.

MAC ******* *********

*** ******* ********* ****** only * ******** **** of ******* ** ******* to *** ******. ***** devices ******* **** *** switch *** *******, **** if *** **** ********** was **** ** * valid ******. *** ********* is ******** **** ***** managed ********.

** ************ ********, *** filtering ** ********* **** to **********. **** *** cameras, *******, *** ******* are *********, ** ** enabled, *** ********* *******' MACs ***** ** *** whitelist. ***** ***** ******* in * ************ ******* are ****** ******* ***, little ***** *********** ** required. ** ***** ******** where ******* *** ********** be ***** ** *******, administrators *** **** ********* more ********** ** **********.

**** ***** ***** *** filtering ******* ** * typical ******* ****** *********:

IPVM Image

*** ********** ********** *** ***** Surveillance ******** **** ********** *** a ***** ******** ** MAC *********.

***.**

***.** ******** ******* ****** to ******* ** *** network ** **** ****** credentials ** ** ******* on. **** ****** ****** devices ** ********* **** just ******* ** * network.

***** ***.**, * "**********" (client **** * ******, PC, ***.) ******** ** connect ** ******* *** a ****** ** *** (called *** "*************"). *** authenticator **** ****** *** credentials ** *** ********** with * ******, **** the ************** ****** (********* using * ******** ************, *** ****** ** denies ****** ***********.

***** ***.** ******** ****** security, ******* ** * network ** ******* ** can ** ********** *** involved. *** **** **** connected ******* (*******, ****, client ***, ****, ***.) support ***.** ***********, *** switches ****, ** ****. Each ** ***** ******* must ** ************ ********** for ***.**, ****** ********** configuration **** ** *** install.

******* ** ***** *******, which ******** **** *** administration ********, ***.** ** rarely **** ** *** but *** **** ******* enterprise ************ ********, **** users ****** *** ******* security ******** *******.

Locking *****

******* ***** ** ******** that ********** ******** ********** or ********* **** ******* cabling ** ************ ******* are **** ***** *** cable *****. ***** ******* mechanically **** * ***** into * ******, ***** panel, ** **** ****, or **** ****** ****** ports, *** *** **** be ******* **** * proprietary ****.

IPVM Image

***** ***** ***** ** locks *** ********* ** stopping ****** *********, **** are *** ********** ** indestructible, *** * ********** intruder *** ****** ** able ** ***** **** out ** *** **** loose ***** ****** ****. As ****, ******* ***** should ** ********** **** of * **** ******* security *******, *** *** the **** *******.

*** * ****** ****, read ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** for *********** ****** ** the **** ********** ***** of * *******, *** rooms, *******, ** ***** where ************ ******* *** switches *** ********* *******. By ******** *** ********* availability ** ***** *****, many ***** **** ********** or **** *********** ******* can ** *******. ** doors ****** ** *******, individual **** ***** ** switch ********** ****** **. Most ****** ** ********* includes ******** ********* ** standard *******:

IPVM Image

** * ******, **** facilities ****** ********** ****** control ** ****** ** network ********* *****. *******, even ***-****** ********** **** and ***** *** ** a ***** *** ** protecting ********* ***** **** properly *******.

Managing ************* *** ***** ************ *******

***** *** *** ***** below *** ******* ******** on ***** ***, **** are **** ********* **** documented ** **** ** a ******* (*** ********) security ******.

** ************, **** ****** is ** ** *** individual *******, *** ********* it ***** **** *** of *** ******:

  • *** ****:**** *** ************ ******* is **** ** * larger *********/********** *** (******* sharing ******** ** *********), end ***** **** ****** control *** ******** ****** for *** ******* *******, and *** ***** ***** requirements **** *********** (*** better ** *****).
  • **********:** ** *** **** does *** **** * security ****** ** *****, the ********** ********** *** choose ** ****** *** as **** ** ***** documentation, ********* ** ** be ******** ** ***** for *** ******** ** be ******** *** ***** liability ** **** ** a ******.

Test **** *********

**** ****** ******** *******.

[****: **** ***** *** originally ********* ** **** but ************* ******* ** 2018 **** ********** ******* exploit/vulnerability ***********, ********* ******, image ********, *** ****]

Comments (12)

Excellent overview. Thank you.

Vivotek Security Hardening guide is listed twice, once under the Hanwha hyper link and also under the Vivotek Security Hardening guide. Great subject matter however thank you for the information.

U2 - Thank you, this has been updated.

(Milestone employee posting)

The current Milestone link looks like it's from 2016.

Milestone does update their Hardening Guide for each one of their three releases per year - search for "hardening guide" at their Content Portal at https://content.milestonesys.com

bit.ly link for current one: https://bit.ly/2Li7BXq

This is why I pay money to IPVM. Very well done. Do you think there will ever be a Cybersecurity for Access Control Guide? We're actually working a lot of these things into our security specifications.

 

Hello Brian:

We are not opposed to doing an access guide at all, but releasing one is not imminent.

However, the good news is that many of the recommendations here apply to IP access as well.  Disabling unused switch ports, turning off Telnet/ SSH/ FTP, using VLANs, and using strong (non-default!) passwords is good practice for access too.

Excellent, thanks!

I am surprised to see UPnP and Bonjour comes on by default even on non-consumer cameras.  

Wow..mind blown..

A lot of useful information, great job putting this together, guys. 

In hardening a new network what is your priority of work?

FYI:

The "Dahua Best Practices" link returns a 404 error, "Page Not Found" message. Go To Homepage>Support>Cybersecurity will get one to the desired destination. I do highly recommend those who want a decent chuckle to click the link above in this article as Dahua's typed message above the search box should do the trick. Enjoy!

Thanks for the heads up U5. I have updated the report their new link.

Login to read this IPVM report.

Related Reports

Vehicle Gate Access Control Guide on Mar 19, 2020
Vehicle gate access control demands integrating various systems to keep...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Access Control ADA and Disability Laws Tutorial on Feb 17, 2020
Safe access control is paramount, especially for those with...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Help Security End Users Facing Coronavirus Improve Remote Access on Mar 24, 2020
Many end-users and integrators are struggling with the impact of coronavirus...
Converged vs Dedicated Networks For Surveillance Tutorial on Feb 12, 2020
Use the existing network or deploy a new one? This is a critical choice in...
Hazardous & Explosion Proof Access Control Tutorial on Feb 27, 2020
Controlling access to hazardous environments requires equipment meeting...
Facial Recognition 101 on Mar 18, 2020
Facial recognition interest, use and fear is increasing. This guide aims to...
Dynamic vs Static IP Addresses Tutorial on Apr 16, 2020
While many cameras default to DHCP out of the box, that does not mean you...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Add Door Operators To Fight Coronavirus on Mar 31, 2020
IPVM recommends that integrators advocate and end-users consider adding door...
Surveillance Storage 101 on Mar 23, 2020
This guide teaches the fundamentals of video surveillance...
How Mobile Access Control Can and Cannot Help With Coronavirus on Mar 23, 2020
With coronavirus concerns continuing to rise, many access control companies...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...