Network Security for IP Video Surveillance Guide

Author: Ethan Ace, Published on Feb 03, 2016

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in conjunction with each other.

In this guide, we look at several security techniques, both physical and logical, used to secure surveillance networks, including:

  • Network Hardening Guides
  • Passwords
  • LDAP / Active Directory Integration
  • VLANs
  • 802.1X Authentication
  • Disabling Switch Ports
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Locking Plugs
  • Physical Access Control
  • Managing Network Security For Video Surveillance Systems

******* ************ ******** ****** *** ** * ******** ****, *** there *** ******* ******* **** *** ******* ****** ****, ********** when **** ** *********** **** **** *****.

** **** *****, ** **** ** ******* ******** **********, **** physical *** *******, **** ** ****** ************ ********, *********:

  • ******* ********* ******
  • *********
  • **** / ****** ********* ***********
  • *****
  • ***.** **************
  • ********* ****** *****
  • ********* ******* *****
  • ********* ****** ********
  • *** ******* *********
  • ******* *****
  • ******** ****** *******
  • ******** ******* ******** *** ***** ************ *******

[***************]

Network ******** ********

**** **** ****, ******* ******** *** ****** * *** *****, with ********* ***************, *****, *** ******* ** *** ****.

** **** *** **** *-* *****, ***** *************** (*** ***** effects) **** ******** ** ******** *************, *********:

** ******** *****, ********* **** *** *** *** *******, **** Hikvision *** **** ******* ****** (***:********* ******* *** ******* ******** *******,*** ********* ******* *******,*** ********* ******* ******* *******, ******* ********* ** *****"**** *******" ********).

******* ** *** ******** ** ***** ********* *** ***** ********** frequency, ** ** ******** **** ***** ********** *** ****** ** cyber ******** *** ************ *******, *** *** ** ******* ******* simple ******* ** *** **** *****.

Network ********* ******

** *** ** ******** ** *****, ******* ********* ****** *** common, ********* *************** (** ** *******, *** ********* ********* *****) ** **** *** ******* **** ******. ****/**** ** ***** recommendations ***** ** ************ ********, ** ****, ********* *********** ******** and ***** *******, ******** *********, ********* *****, ***.

*******, **** *************** *** ** ***** *** ****** **** **** IP ***** *********** *** ******* **, ** **** ** ********* for * ***** ******. ******* ************** ******* **** ** ***.**, LDAP ***********, **** **********, ***., *** ****** *** ***** *** time/cost ** ********* *** **** *******, ***** *** ******* ****.

************ ********* ****** ****

****** **, ************ ******** ********* ****** *** ****, ******** * ******* ** *************** **** *************.

*** ***** *************** ** **** ** ***** ****** ****, *** most *** ******* **** ***** *** ******** ******, ********* ** the *********** ** *** ************.

*** **** *****, *** ********, ****** **** **** **** (*** production ***) ** ****** ****** ********** ********, *** ******* ***** best *********, **** ** ****** *********, ******** ********, *** ********* anonymous ******, ******* **** ******* *********, **** ** ***.** **************, SNMP **********, *** ****** *******.

***** *** ***** ****** *** ************-********, ********* ************ ********* ** the ****** ** ***, **** *************** *** ****** ****** *** manufacturers, *** **** ** **** **** ** ******** **** *********, and *** ********* ********* *****.

Strong *********

****** ********* *** *** **** ***** ******** *******, *** *************, ignored ** **** *****. **** ************ ******* *** ******** ** the ***** **** ******* ********* ** *** *********, ********* *******, switches, *********, *** **** (*** ***** ******* ******* ********* ****). ***** ** *** **** ** ****** *** ***** ** access ******* *** **** **** ** ****** *** ****** ** log **** ***'* ******* (***:****** ****** *** ******* ** *******).

** *** **** *****, *** ************ ******* *******, ****************, *******, *** *******, ****** ** ******* **** *** ******** with ****** *********, ********** ** * ****** ********. **** ******** access ** *** ******* ***** ****** ******** ********, ********* * more ******* ******** *** **** ******* *******.

**** ************* ******* ******** *** ******* ******** **** ********** *** the ***** **** (*** *********** ** *** ****, ***** *** ******* *** *********). ******, ** ************* ******* (*)***** **** ******** ******* ********* *********, ****** *** **** **** is ******* ******* ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) ***********, *** *********** *** ******** ** network ***** ******* ** * ******* ****** (**** ****** ****** sign-on). ***** ***** **** ******** ***** ********* ******** ******** *** expiration *****, **** *********** *** ******* ******** **** ***** *** accounts ***** ** *** **** ***** ************. **** ******* ************** overhead, ***** ********** ******** ** *** ** ** ******* *** maintained.

*********, **** *** ** ********** ** ******, ********** *******, ***** many ***** ************* ** *** **** ** **** ****** ***********. Some ***** ** ******* ******* ***** *** ********* ** ****** entities, ********** ********* *** ********* **********, *** *** **** ** these ************* *** ****** ** *** ** *** ***** ******* access *******.

**** / ** ***** ************* ** **** *** ** *******, but, ** ******** ** ***. ***************, ** * ********* ********, is *** ********* ** ****** *** ** ******, ***** ********* run ** *****. ********** ** ****** ******* ** ** **, *** ** *** *** ****** *** ********** ****** *****.

Firewalls/Remote ******

** ******* ************ ****** ******, **** ************ ******* *** *** connected ** *** ******** ** ***, ******* ** * ******* separate ***. **** ******* ****, *** *** **** ******* **** difficult, ** ******* ** ******** *** ********, ******* ****** **********, must ** ****** **** *** ** ***** *****.

***** ******* ***** *** ********* *** ********* ****** * ********, which ****** *******/******** ******* ** **** ******** ** ********* *** ports ***** **** **** **********. ***** ******* ** ********. ******** implemented, **** *** ******* *** **** ******** ** *******.

****** ****** *****

*** ******* ***** ******* ****** ******, ***** *** ******* *** require *** ** **** ***** ** ** ****. *******, **** open **** ******** * ******** *********** *** ** ********. ******* how **** *** ***** ****** ** *** ***. ***** ****** refer ** ************ ************* *** ***** ***** **** ** **** if ****** ****** ** ******** (*** *********** ** ****** *******), and ** **** **** ******** ** ********** ***** *** ** ***** ************ ********.

***/***** ******

*************, **** ************* ***** *** "***** ****" ****** ******, ***** sets ** * ****** ****** *** ** ******** ********** ******* requiring **** *****, ******** *****. **** ******* *** ********* *** cloud *********** *** ****** ******, **** *********** *****,***** *** ***** ***, ********** *****. ************, **** ****** ******* ******** *** ******* **********, **** as *******, **********, *********, ***.

** ******* ***** ******* ** ********* ******* ****** *** ***** ********************.

*****

******* **** (********* ** *****)******* ******** ** ********** ******* **** ******** ******* ********. ** while ***** ********, **** ** ** ***** ************ ********* ** general ****** *** *******, *** ***** ** *** **** ******** switch, *** ********* ******** *** ******** *** ********* ** **** other, *** ***********.

*** *******, ** *** ***** *****, *** ****** *** *** on **** * *** *** ** ******* ** *** ****** PC ** * ******** ****, *** ***** * **** ** the *** (**** *)"***" ******* ** *** ** **** (**** 2).

***** *** **** ******** *** ** ********.** *******, ***** **** * ****** ** **** ***** ********** **** information. **** ****** ** *********** ** *** ****** *** ******* forwarded **** ** ***** ******* ** *** **** ****.

**** **** ***** ******* *** *** ** *********** ****** *****, bandwidth *********** ***** *****. ******** ***** ***** ******* *** ********** impact **** *** ****** *********** ***********, ***** ***** **** ********* may ****** *** ************ *******. ******* ** ****, ***** *** also **** ***** ******** ** *********** *********** ** ******* (***), ***** *********** ******* *******, ******* ***** ******* ***** ** file *********, *** *******, ** ***** ******* ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* ********** ****** ** ******* ************ ******* from ********* * ****** ** ** ******* *** ****** *****. This **** ********* *** **** ** ******* ****** ** ****** a ******** ****** ** ******** * ***** ***** **** * switch ** ****** ******* ****. *** ****** ** ******* ******** ports ** * ****** ****** ** ******* ********, **** *** cost *** **********:

***** ********* ** ********* *** ****** ** ********* ****** ******, this **** **** *** *********** ******* ************ ****** ** * network, ** ******* ***** *********** ****** * ****** (******, ***********, printer) **** * ********** ********** **** ** **** *** ****** its ****, ****** ******** **** ** *** ********* ** ***.** are ** *****.

Disabling ****** ******* *****

**** ******* **** **** ******** ******* ***** ****** **, **** as ******, ***, ***, ***., ** ** ***** ** ********** ** ******* ****. ***** ***** *** ******** ******* ** ******* (** *********** by ******* ****** *** ****** *************** ***** *********** *******).

* ***** ** ****** **** ** * ******* ** ****** reveals ******** **** ***** ***** **** ***** ******** *** *** access *** ***** ********* (**/***):

***** ***** ****** ** ******** ******** ******** ** ******* ********* attacks.

Disabling ****** ********

*********** ******** ** ******* ************ *** ******* ****** ** ****** off. ***** *** ******* ************-******** ****** *********, ******* ********* ****** services, *** ********, ***. ***** ******** ******** *** *** ** a ******** *** ******* ** *******, ******* ********** ********* *** memory, *** ******** ******* ****.

***** ******** ****** ** ******** ** *** ** ******* **** when ******** *******, ** **** **** ** *******:

OS *** ******** *******

** *********** ********** * ****** ** **** ******, **** **** ***** ********** ***** ********* ******* ******, *** example, ***** ****** ****** **** ***** ******* *** ***** *** software ** ****** ************.

*******, ***** ******* (********** ******* ******) ***** ******* ******* ** newly ********** ******** ***************, **** ** ************* *** *************, ***** ******** ******** ** ********* *********. ******* *** ***** significant ****** ****** ** *********.

*****, **** *******, ******* *** ** ********. ***** ********** ********* about ************* ****** ****** ******* ***** ******/********/*** ************* ** *** their *************** *** ******** ******* ** ***.

MAC ******* *********

*** ******* ********* ****** **** * ******** **** ** ******* to ******* ** *** ******. ***** ******* ******* **** *** switch *** *******, **** ** *** **** ********** *** **** by * ***** ******. *** ********* ** ******** **** ***** managed ********.

** ************ ********, *** ********* ** ********* **** ** **********. Once *** *******, *******, *** ******* *** *********, ** ** enabled, *** ********* *******' **** ***** ** *** *********. ***** these ******* ** * ************ ******* *** ****** ******* ***, little ***** *********** ** ********. ** ***** ******** ***** ******* may ********** ** ***** ** *******, ************** *** **** ********* more ********** ** **********.

**** ***** ***** *** ********* ******* ** * ******* ******* switch *********:

*** ********** ********** *** ***** ************ ******** **** ********** *** * ***** ******** ** *** *********.

***.**

***.** ******** ******* ****** ** ******* ** *** ******* ** have ****** *********** ** ** ******* **. **** ****** ****** devices ** ********* **** **** ******* ** * *******.

***** ***.**, * "**********" (****** **** * ******, **, ***.) attempts ** ******* ** ******* *** * ****** ** *** (called *** "*************"). *** ************* **** ****** *** *********** ** the ********** **** * ******, **** *** ************** ****** (********* using * ******** ************, *** ****** ** ****** ****** ***********.

***** ***.** ******** ****** ********, ******* ** * ******* ** support ** *** ** ********** *** ********. *** **** **** connected ******* (*******, ****, ****** ***, ****, ***.) ******* ***.** integration, *** ******** ****, ** ****. **** ** ***** ******* must ** ************ ********** *** ***.**, ****** ********** ************* **** to *** *******.

******* ** ***** *******, ***** ******** **** *** ************** ********, 802.1X ** ****** **** ** *** *** *** **** ******* enterprise ************ ********, **** ***** ****** *** ******* ******** ******** instead.

Locking *****

******* ***** ** ******** **** ********** ******** ********** ** ********* with ******* ******* ** ************ ******* *** **** ***** *** cable *****. ***** ******* ************ **** * ***** **** * switch, ***** *****, ** **** ****, ** **** ****** ****** ports, *** *** **** ** ******* **** * *********** ****.

***** ***** ***** ** ***** *** ********* ** ******** ****** tampering, **** *** *** ********** ** **************, *** * ********** intruder *** ****** ** **** ** ***** **** *** ** pry **** ***** ***** ****** ****. ** ****, ******* ***** should ** ********** **** ** * **** ******* ******** *******, but *** *** **** *******.

*** * ****** ****, **** ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** *** *********** ****** ** *** **** vulnerable ***** ** * *******, *** *****, *******, ** ***** where ************ ******* *** ******** *** ********* *******. ** ******** the ********* ************ ** ***** *****, **** ***** **** ********** or **** *********** ******* *** ** *******. ** ***** ****** be *******, ********** **** ***** ** ****** ********** ****** **. Most ****** ** ********* ******** ******** ********* ** ******** *******:

** * ******, **** ********** ****** ********** ****** ******* ** server ** ******* ********* *****. *******, **** ***-****** ********** **** and ***** *** ** * ***** *** ** ********** ********* areas **** ******** *******.

Managing ******* ******** *** ***** ************ *******

***** *** *** ***** ***** *** ******* ******** ** ***** own, **** *** **** ********* **** ********** ** **** ** a ******* (*** ********) ******** ******.

** ************, **** ****** ** ** ** *** ********** *******, but ********* ** ***** **** *** ** *** ******:

  • *** ****:**** *** ************ ******* ** **** ** * ****** *********/********** LAN (******* ******* ******** ** *********), *** ***** **** ****** control *** ******** ****** *** *** ******* *******, *** *** force ***** ************ **** *********** (*** ****** ** *****).
  • **********:** ** *** **** **** *** **** * ******** ****** in *****, *** ********** ********** *** ****** ** ****** *** as **** ** ***** *************, ********* ** ** ** ******** in ***** *** *** ******** ** ** ******** *** ***** liability ** **** ** * ******.

Test **** *********

**** ****** ******** *******.

Comments (16)

"** * ******, **** ********** ****** ********** ****** ******* ** server ** ******* ********* *****. *******, **** ***-****** ********** **** and ***** *** ** * ***** *** ** ********** ********* areas **** ******** *******."

** ****** *** ********* ** ****** ******* ** ********** ****** within *** ****** **** ** *** *** *****, ****, *** perhaps ***** ***** ** ***** *** ***!

*** ***** **** *********** ********* ******** **'* * *********** (**** the ******* ***** **** ** ****** ** **********).

*****, ***** ********. *'* *** **** *** *** ***'* ******* software ******** ******* ** *******/*******. **** *********, **'* ** **** that ***** ** **** ****** *** *******'* **** ************ **** the *** ****** ******* *** *** ******* **** ******* **** day ******* *************. ******** ***** ** ******* *** ****** ** security *******, **** *** **** *** ******* **** *** ************* to *** ****'** ******* ** ** ******* *****.

****, **'* **** ** * ***** *******, *** ******** ****** wants ** **** ***** ********** *** ******* ***** ******* **** that **** ** **** ****** *** *** ***** ** *** your ******, *****'* ******-*****.

*** *** ****? * *** ********* ** ******** ****** ** one **** ***** *****:

*** *** * ****** ** *** **** ** ***, *** psw * ****'* ****. ***** *** ** *** ****** ** reset **. **, * ****** ** *********** ** ** *******, told **** ****** ****** ** ***, *** ***** *** ** problem - **** **** ** *** ** *************!

** ***** ***, **** *** '****' ******* ************* ***, ***** every *** ** ********* (****, * *** ***** **** *** list *** *** **** :)).

*** ****'* ********* ** ********.

********.*** **** **** ***** ***** *** ** **** ******?! ********** in ** *****...

*******, ***:***** *** ********* ****** ******** ********.

*********, **** ******* **** *********. * ****** ******* ** *** password ** *** ***. ***** ** ** ********* ***** *** input *** ****** ****** *** *** ******* **** *** ** generates * ********. **** **** ********* **** ** *** ******** and ****** / ******* **** ******** ** ** ** *** same **** / ****** ******.

***** ***, *** ***********.

**,

******* (**** *********) ******** ** * ******* *********** ********.

* ** *** ********** **** **** ** *** ***. **** create * ****** *** *** **** ********** *** ******** ** the ******* ****. **** **** ***** **** ******* **** ***** this ******** ** **** *******.

** ****** **** *** * *** ***** *** *** ******** works *****. *** **** ******* ** **** ** **** ***** its **** ********* **** *** ******** ****** ******.

"*** **** ******* ** **** ** **** ***** *** **** expensive **** *** ******** ****** ******."

*****...

* ******** **** ***** ** ******** ****** **** ** ******** to ****** ******** ** *** ****** (******* ***** ******** **** are *** ****** ** *** ********* *** ***** *****). ** is **** ** * ******* ***********-****, *** ******* ****** *** ******** ** ***** ******** ******* about * ***** ***.

* ***'* **** *** ***** **** ********** **** *** *******, it **** ** ** * ****** ******** * ***.

***.** ** * *** ****. **'* *** ***********, ** ******** expensive ********, **'* ********** ** ********* **** ** *** **** a ***** ***** ******. ** ******** ******* ** **** ***, and ** **** ******* *** ***** **** *** ****** ** the ******, *** *** ** ***.

** ****** ** ***** ** ******* ** ************** ** **** subject, *'** ***** *** **** ** *********. :)

** ***** *** ************* '***-**-***' ******** *** *********?

** ******** **********, *** *** *** ************, * *****-***** ******** enforcement **** **** *** ******** **** ********** ** *** ******. This ******** ** ******* ** ******** ** ******* ** *** edge ** *** ******* ** *********** ******** *** ******* *********. Senstar’s ******** – ***** ******** ******** ****** – *** ************ designed ** *****-****** ******** ******** ********, ***** ***** ******* *** safe-city ************.

** *************:

  • ******* *** ********** ***** ******* *** ******** ** *** *******
  • ****** ****-**** ****** *** *** ******* ** ***** *** ******* to ******* ** ************ ****** ** *** *******
  • ******** ******** *** ******** *******, ** **** *****, ** **** sure **** **** *****, ****, *** ********** *******, **** ********** entities, ** *******
  • ******* ****** *** ****** *****-*******: *** ********, *** ******** ** poisoning, ** ******* ********, ********* *** ***** *********, ********-**** ******** manipulation *** ****** ** ********

*******, *** *************, ** ** ** ********** ******** **** ******** no ********** ******* ** ******* ** *** ************* ****** ** a ******** ****** . ***** ** *******://***.************.***/

**** ******* ******** ***** ******* ******** * **** *** ****** find **** ** ** *******.

**** **** ***** ******* *** *** ** *********** ****** *****, bandwidth *********** ***** *****. ******** ***** ***** ******* *** ********** impact **** *** ****** *********** ***********, ***** ***** **** ********* may ****** *** ************ *******.

**** ** ***-******** ********? ***-******** ******* **** *** ***** *** operate ** **** ********* ******* ********* **** *****.

*****, **** ******** **** ***** **** *** ***-********.

******, **** *** ***-********. **** * ***** ** **** ********* switch ********* ***** * ** **** *********.

** ****-**-****, *.*., * ****** ** * *** ****** ** the **** ******, ** ******** ** ** ** *****. *******, across ***** *****, ***** ***'** ********** ** *** ****** ** the ***, **** ******** ***** ** *****, *** *** (*** probably ****) ***** *** **********. **'** ******* *** ****.

**** * ***** *** ** *** ******* *********. **** **** indeed ******* **** ************** *** *** ******* *****, **'* *** fool ***** ******. *** *** ****** ****** *** *** ******* of **** ** ** ***** *** *** ** * ******* camera *** ******** ***** * **** **** ****

****. ***** *** *** *** ************* *********** ** ******* ******** which ****** **** ******** (********..) ** ********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Directory of 30+ LPR / ANPR Providers on Feb 21, 2018
License Plate Recognition / Automatic Number Plate Recognition are a type of video analytics software that can identify and match license / number...
New Whole Foods Installs Hackable Access Control on Feb 21, 2018
Whole Foods has built a reputation for high quality. And their 2017 Amazon acquisition has increased that, plus added deep pockets for buying...
Remote Network Access for Video Surveillance Guide on Feb 21, 2018
Remotely accessing surveillance systems is key in 2018, with more and more users relying on mobile apps as their main way of operating the system....
Bosch Merges Video, Intrusion and Access Businesses on Feb 19, 2018
Bosch is merging their "video systems, intrusion detection, as well as its access control and management software business units to form a single...
Why 3VR Failed on Feb 16, 2018
3VR destroyed transformed ~$65 million in VC funding into a $6.9 million exit. The reason they failed is simple. They bet on analytics. They...
Mercury Releases New Series 3 Redboard Access Panels on Feb 15, 2018
Mercury Security has their first major product release post-HID buyout, and things literally look different. The Series 3 SIO boards now are red...
Assa's Lowest Power Draw Maglock: Securitron M680E Examined on Feb 14, 2018
Securitron produces some of the most extreme maglocks on the market, including massively strong maglocks and even ones with integrated CCTV cams...
Hanwha Wisenet X 5MP Camera Tested (XNV-8080R) on Feb 13, 2018
Wisenet X is Hanwha's high-end camera line. We tested their Wisenet X 1080p camera last year. Now Hanwha is offering 5MP cameras listing super low...
Favorite NVR / VMS Manufacturers 2018 on Feb 12, 2018
There is a new integrator favorite VMS. In 2016, 2 VMSes were effectively tied for top choice. One of those VMSes favorability was stable while...
IP Cameras Default Passwords Directory on Feb 09, 2018
Below is a directory of 50+ manufacturer's default passwords. Note: Change Default Passwords Leaving default passwords is dangerous and makes it...

Most Recent Industry Reports

Directory of 30+ LPR / ANPR Providers on Feb 21, 2018
License Plate Recognition / Automatic Number Plate Recognition are a type of video analytics software that can identify and match license / number...
New Whole Foods Installs Hackable Access Control on Feb 21, 2018
Whole Foods has built a reputation for high quality. And their 2017 Amazon acquisition has increased that, plus added deep pockets for buying...
Remote Network Access for Video Surveillance Guide on Feb 21, 2018
Remotely accessing surveillance systems is key in 2018, with more and more users relying on mobile apps as their main way of operating the system....
Visio For Video Surveillance Design on Feb 20, 2018
Many integrators have standardized on AutoCAD for camera layouts but new users may be overwhelmed by its learning curve. Microsoft's Visio...
Health Care Insurance Integrator Benefits Statistics on Feb 20, 2018
How common and how much healthcare coverage is typically provided by security companies? 150+ integrators explained how their companies provide the...
Hikvision Deletes Genetec Support on Feb 20, 2018
There will be no peace between Hikvision and Genetec. A year after Genetec expelled Hikvision (and Huawei, citing Chinese government control...
Change Orders - Sometimes Necessary, Sometimes Unethical on Feb 19, 2018
Change orders are a common element in project sales. Sometimes they are a necessity and appropriate ways to deal with arising issues, but sometimes...
Bosch Merges Video, Intrusion and Access Businesses on Feb 19, 2018
Bosch is merging their "video systems, intrusion detection, as well as its access control and management software business units to form a single...
Why 3VR Failed on Feb 16, 2018
3VR destroyed transformed ~$65 million in VC funding into a $6.9 million exit. The reason they failed is simple. They bet on analytics. They...
"Fear Mongering": Hikvision USA Cybersecurity Director Dismisses Chinese Government Ownership Concerns on Feb 16, 2018
The facts are: The Chinese government created Hikvision and is Hikvision's controlling shareholder. Hikvision's Chairman, a Communist Party...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact