Network Security for IP Video Surveillance Guide 2016

Author: Ethan Ace, Published on Feb 03, 2016

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in conjunction with each other.

In this guide, we look at several security techniques, both physical and logical, used to secure surveillance networks, including:

  • Network Hardening Guides
  • Passwords
  • LDAP / Active Directory Integration
  • VLANs
  • 802.1X Authentication
  • Disabling Switch Ports
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Locking Plugs
  • Physical Access Control
  • Managing Network Security For Video Surveillance Systems

Network ******** ******** ** ****

**** **** ****, ** ****/** ******* ******** *** ****** * key *****, **** ********* ***************, *****, *** ******* ** *** rise.

** ******** *****, ********* **** *** *** *** *******, **** Hikvision *** **** ******* ****** (***:********* ******* *** ******* ******** *******,*** ********* ******* *******,*** ********* ******* ******* *******, ******* ********* ** *****"**** *******" ********).

*******, ** ****, ***** *************** (*** ***** *******) **** ******** in ***** ***** *************, *********:

*** *********** ** ***** ************ ************* *************** *** *********** **** *********** ** ***** *** ***** ******, ********* *** ones ** **** *****.

******* ** *** ******** ** ***** ********* *** ***** ********** frequency, ** ** ******** **** ***** ********** *** ****** ** cyber ******** *** ************ *******, *** *** ** ******* ******* simple ******* ** *** **** *****.

Network ********* ******

** *** ** ******** ** *****, ******* ********* ****** *** common, ********* *************** (** ** *******, *** ********* ********* *****) ** **** *** ******* **** ******. ****/**** ** ***** recommendations ***** ** ************ ********, ** ****, ********* *********** ******** and ***** *******, ******** *********, ********* *****, ***.

*******, **** *************** *** ** ***** *** ****** **** **** IP ***** *********** *** ******* **, ** **** ** ********* for * ***** ******. ******* ************** ******* **** ** ***.**, LDAP ***********, **** **********, ***., *** ****** *** ***** *** time/cost ** ********* *** **** *******, ***** *** ******* ****.

************ ********* ****** ****

****** **, ************ ******** ********* ****** *** ****, ******** * ******* ** *************** **** *************.

*** ***** *************** ** **** ** ***** ****** ****, *** most *** ******* **** ***** *** ******** ******, ********* ** the *********** ** *** ************.

*** **** *****, *** ********, ****** **** **** **** (*** production ***) ** ****** ****** ********** ********, *** ******* ***** best *********, **** ** ****** *********, ******** ********, *** ********* anonymous ******, ******* **** ******* *********, **** ** ***.** **************, SNMP **********, *** ****** *******.

***** *** ***** ****** *** ************-********, ********* ************ ********* ** the ****** ** ***, **** *************** *** ****** ****** *** manufacturers, *** **** ** **** **** ** ******** **** *********, and *** ********* ********* *****.

Strong *********

****** ********* *** *** **** ***** ******** *******, *** *************, ignored ** **** *****. **** ************ ******* *** ******** ** the ***** **** ******* ********* ** *** *********, ********* *******, switches, *********, *** **** (*** ***** ******* ******* ********* ****). ***** ** *** **** ** ****** *** ***** ** access ******* *** **** **** ** ****** *** ****** ** log **** ***'* ******* (***:****** ****** *** ******* ** *******).

** *** **** *****, *** ************ ******* *******, ****************, *******, *** *******, ****** ** ******* **** *** ******** with ****** *********, ********** ** * ****** ********. **** ******** access ** *** ******* ***** ****** ******** ********, ********* * more ******* ******** *** **** ******* *******.

**** ************* ******* ******** *** ******* ******** **** ********** *** the ***** **** (*** *********** ** *** ****, ***** *** ******* *** *********). ******, ** ************* ******* (*)***** **** ******** ******* ********* *********, ****** *** **** **** is ******* ******* ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) ***********, *** *********** *** ******** ** network ***** ******* ** * ******* ****** (**** ****** ****** sign-on). ***** ***** **** ******** ***** ********* ******** ******** *** expiration *****, **** *********** *** ******* ******** **** ***** *** accounts ***** ** *** **** ***** ************. **** ******* ************** overhead, ***** ********** ******** ** *** ** ** ******* *** maintained.

*********, **** *** ** ********** ** ******, ********** *******, ***** many ***** ************* ** *** **** ** **** ****** ***********. Some ***** ** ******* ******* ***** *** ********* ** ****** entities, ********** ********* *** ********* **********, *** *** **** ** these ************* *** ****** ** *** ** *** ***** ******* access *******.

**** / ** ***** ************* ** **** *** ** *******, but, ** ******** ** ***. ***************, ** * ********* ********, is *** ********* ** ****** *** ** ******, ***** ********* run ** *****. ********** ** ****** ******* ** ** **, *** ** *** *** ****** *** ********** ****** *****.

Firewalls/Remote ******

** ******* ************ ****** ******, **** ************ ******* *** *** connected ** *** ******** ** ***, ******* ** * ******* separate ***. **** ******* ****, *** *** **** ******* **** difficult, ** ******* ** ******** *** ********, ******* ****** **********, must ** ****** **** *** ** ***** *****.

***** ******* ***** *** ********* *** ********* ****** * ********, which ****** *******/******** ******* ** **** ******** ** ********* *** ports ***** **** **** **********. ***** ******* ** ********. ******** implemented, **** *** ******* *** **** ******** ** *******.

****** ****** *****

*** ******* ***** ******* ****** ******, ***** *** ******* *** require *** ** **** ***** ** ** ****. *******, **** open **** ******** * ******** *********** *** ** ********. ******* how **** *** ***** ****** ** *** ***. ***** ****** refer ** ************ ************* *** ***** ***** **** ** **** if ****** ****** ** ******** (*** *********** ** ****** *******), and ** **** **** ******** ** ********** ***** *** ** ***** ************ ********.

***/***** ******

*************, **** ************* ***** *** "***** ****" ****** ******, ***** sets ** * ****** ****** *** ** ******** ********** ******* requiring **** *****, ******** *****. **** ******* *** ********* *** cloud *********** *** ****** ******, **** *********** *****,***** *** ***** ***, ********** *****. ************, **** ****** ******* ******** *** ******* **********, **** as *******, **********, *********, ***.

** ******* ***** ******* ** ********* ******* ****** *** ***** ********************.

*****

******* **** (********* ** *****)******* ******** ** ********** ******* **** ******** ******* ********. ** while ***** ********, **** ** ** ***** ************ ********* ** general ****** *** *******, *** ***** ** *** **** ******** switch, *** ********* ******** *** ******** *** ********* ** **** other, *** ***********.

*** *******, ** *** ***** *****, *** ****** *** *** on **** * *** *** ** ******* ** *** ****** PC ** * ******** ****, *** ***** * **** ** the *** (**** *)"***" ******* ** *** ** **** (**** 2).

***** *** **** ******** *** ** ********.** *******, ***** **** * ****** ** **** ***** ********** **** information. **** ****** ** *********** ** *** ****** *** ******* forwarded **** ** ***** ******* ** *** **** ****.

**** **** ***** ******* *** *** ** *********** ****** *****, bandwidth *********** ***** *****. ******** ***** ***** ******* *** ********** impact **** *** ****** *********** ***********, ***** ***** **** ********* may ****** *** ************ *******. ******* ** ****, ***** *** also **** ***** ******** ** *********** *********** ** ******* (***), ***** *********** ******* *******, ******* ***** ******* ***** ** file *********, *** *******, ** ***** ******* ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* ********** ****** ** ******* ************ ******* from ********* * ****** ** ** ******* *** ****** *****. This **** ********* *** **** ** ******* ****** ** ****** a ******** ****** ** ******** * ***** ***** **** * switch ** ****** ******* ****. *** ****** ** ******* ******** ports ** * ****** ****** ** ******* ********, **** *** cost *** **********:

***** ********* ** ********* *** ****** ** ********* ****** ******, this **** **** *** *********** ******* ************ ****** ** * network, ** ******* ***** *********** ****** * ****** (******, ***********, printer) **** * ********** ********** **** ** **** *** ****** its ****, ****** ******** **** ** *** ********* ** ***.** are ** *****.

Disabling ****** ******* *****

**** ******* **** **** ******** ******* ***** ****** **, **** as ******, ***, ***, ***., ** ** ***** ** ********** ** ******* ****. ***** ***** *** ******** ******* ** ******* (** *********** by ******* ****** *** ****** *************** ***** *********** *******).

* ***** ** ****** **** ** * ******* ** ****** reveals ******** **** ***** ***** **** ***** ******** *** *** access *** ***** ********* (**/***):

***** ***** ****** ** ******** ******** ******** ** ******* ********* attacks.

Disabling ****** ********

*********** ******** ** ******* ************ *** ******* ****** ** ****** off. ***** *** ******* ************-******** ****** *********, ******* ********* ****** services, *** ********, ***. ***** ******** ******** *** *** ** a ******** *** ******* ** *******, ******* ********** ********* *** memory, *** ******** ******* ****.

***** ******** ****** ** ******** ** *** ** ******* **** when ******** *******, ** **** **** ** *******:

OS *** ******** *******

** *********** ********** * ****** ** **** ******, **** **** ***** ********** ***** ********* ******* ******, *** example, ***** ****** ****** **** ***** ******* *** ***** *** software ** ****** ************.

*******, ***** ******* (********** ******* ******) ***** ******* ******* ** newly ********** ******** ***************, **** ** ************* *** *************, ***** ******** ******** ** ********* *********. ******* *** ***** significant ****** ****** ** *********.

*****, **** *******, ******* *** ** ********. ***** ********** ********* about ************* ****** ****** ******* ***** ******/********/*** ************* ** *** their *************** *** ******** ******* ** ***.

MAC ******* *********

*** ******* ********* ****** **** * ******** **** ** ******* to ******* ** *** ******. ***** ******* ******* **** *** switch *** *******, **** ** *** **** ********** *** **** by * ***** ******. *** ********* ** ******** **** ***** managed ********.

** ************ ********, *** ********* ** ********* **** ** **********. Once *** *******, *******, *** ******* *** *********, ** ** enabled, *** ********* *******' **** ***** ** *** *********. ***** these ******* ** * ************ ******* *** ****** ******* ***, little ***** *********** ** ********. ** ***** ******** ***** ******* may ********** ** ***** ** *******, ************** *** **** ********* more ********** ** **********.

**** ***** ***** *** ********* ******* ** * ******* ******* switch *********:

*** ********** ********** *** ***** ************ ******** **** ********** *** * ***** ******** ** *** *********.

***.**

***.** ******** ******* ****** ** ******* ** *** ******* ** have ****** *********** ** ** ******* **. **** ****** ****** devices ** ********* **** **** ******* ** * *******.

***** ***.**, * "**********" (****** **** * ******, **, ***.) attempts ** ******* ** ******* *** * ****** ** *** (called *** "*************"). *** ************* **** ****** *** *********** ** the ********** **** * ******, **** *** ************** ****** (********* using * ******** ************, *** ****** ** ****** ****** ***********.

***** ***.** ******** ****** ********, ******* ** * ******* ** support ** *** ** ********** *** ********. *** **** **** connected ******* (*******, ****, ****** ***, ****, ***.) ******* ***.** integration, *** ******** ****, ** ****. **** ** ***** ******* must ** ************ ********** *** ***.**, ****** ********** ************* **** to *** *******.

******* ** ***** *******, ***** ******** **** *** ************** ********, 802.1X ** ****** **** ** *** *** *** **** ******* enterprise ************ ********, **** ***** ****** *** ******* ******** ******** instead.

Locking *****

******* ***** ** ******** **** ********** ******** ********** ** ********* with ******* ******* ** ************ ******* *** **** ***** *** cable *****. ***** ******* ************ **** * ***** **** * switch, ***** *****, ** **** ****, ** **** ****** ****** ports, *** *** **** ** ******* **** * *********** ****.

***** ***** ***** ** ***** *** ********* ** ******** ****** tampering, **** *** *** ********** ** **************, *** * ********** intruder *** ****** ** **** ** ***** **** *** ** pry **** ***** ***** ****** ****. ** ****, ******* ***** should ** ********** **** ** * **** ******* ******** *******, but *** *** **** *******.

*** * ****** ****, **** ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** *** *********** ****** ** *** **** vulnerable ***** ** * *******, *** *****, *******, ** ***** where ************ ******* *** ******** *** ********* *******. ** ******** the ********* ************ ** ***** *****, **** ***** **** ********** or **** *********** ******* *** ** *******. ** ***** ****** be *******, ********** **** ***** ** ****** ********** ****** **. Most ****** ** ********* ******** ******** ********* ** ******** *******:

** * ******, **** ********** ****** ********** ****** ******* ** server ** ******* ********* *****. *******, **** ***-****** ********** **** and ***** *** ** * ***** *** ** ********** ********* areas **** ******** *******.

Managing ******* ******** *** ***** ************ *******

***** *** *** ***** ***** *** ******* ******** ** ***** own, **** *** **** ********* **** ********** ** **** ** a ******* (*** ********) ******** ******.

** ************, **** ****** ** ** ** *** ********** *******, but ********* ** ***** **** *** ** *** ******:

  • *** ****:**** *** ************ ******* ** **** ** * ****** *********/********** LAN (******* ******* ******** ** *********), *** ***** **** ****** control *** ******** ****** *** *** ******* *******, *** *** force ***** ************ **** *********** (*** ****** ** *****).
  • **********:** ** *** **** **** *** **** * ******** ****** in *****, *** ********** ********** *** ****** ** ****** *** as **** ** ***** *************, ********* ** ** ** ******** in ***** *** *** ******** ** ** ******** *** ***** liability ** **** ** * ******.

Test **** *********

**** ****** ******** *******.

Comments (16)

"** * ******, **** ********** ****** ********** ****** ******* ** server ** ******* ********* *****. *******, **** ***-****** ********** **** and ***** *** ** * ***** *** ** ********** ********* areas **** ******** *******."

** ****** *** ********* ** ****** ******* ** ********** ****** within *** ****** **** ** *** *** *****, ****, *** perhaps ***** ***** ** ***** *** ***!

*** ***** **** *********** ********* ******** **'* * *********** (**** the ******* ***** **** ** ****** ** **********).

*****, ***** ********. *'* *** **** *** *** ***'* ******* software ******** ******* ** *******/*******. **** *********, **'* ** **** that ***** ** **** ****** *** *******'* **** ************ **** the *** ****** ******* *** *** ******* **** ******* **** day ******* *************. ******** ***** ** ******* *** ****** ** security *******, **** *** **** *** ******* **** *** ************* to *** ****'** ******* ** ** ******* *****.

****, **'* **** ** * ***** *******, *** ******** ****** wants ** **** ***** ********** *** ******* ***** ******* **** that **** ** **** ****** *** *** ***** ** *** your ******, *****'* ******-*****.

*** *** ****? * *** ********* ** ******** ****** ** one **** ***** *****:

*** *** * ****** ** *** **** ** ***, *** psw * ****'* ****. ***** *** ** *** ****** ** reset **. **, * ****** ** *********** ** ** *******, told **** ****** ****** ** ***, *** ***** *** ** problem - **** **** ** *** ** *************!

** ***** ***, **** *** '****' ******* ************* ***, ***** every *** ** ********* (****, * *** ***** **** *** list *** *** **** :)).

*** ****'* ********* ** ********.

********.*** **** **** ***** ***** *** ** **** ******?! ********** in ** *****...

*******, ***:***** *** ********* ****** ******** ********.

*********, **** ******* **** *********. * ****** ******* ** *** password ** *** ***. ***** ** ** ********* ***** *** input *** ****** ****** *** *** ******* **** *** ** generates * ********. **** **** ********* **** ** *** ******** and ****** / ******* **** ******** ** ** ** *** same **** / ****** ******.

***** ***, *** ***********.

**,

******* (**** *********) ******** ** * ******* *********** ********.

* ** *** ********** **** **** ** *** ***. **** create * ****** *** *** **** ********** *** ******** ** the ******* ****. **** **** ***** **** ******* **** ***** this ******** ** **** *******.

** ****** **** *** * *** ***** *** *** ******** works *****. *** **** ******* ** **** ** **** ***** its **** ********* **** *** ******** ****** ******.

"*** **** ******* ** **** ** **** ***** *** **** expensive **** *** ******** ****** ******."

*****...

* ******** **** ***** ** ******** ****** **** ** ******** to ****** ******** ** *** ****** (******* ***** ******** **** are *** ****** ** *** ********* *** ***** *****). ** is **** ** * ******* ***********-****, *** ******* ****** *** ******** ** ***** ******** ******* about * ***** ***.

* ***'* **** *** ***** **** ********** **** *** *******, it **** ** ** * ****** ******** * ***.

***.** ** * *** ****. **'* *** ***********, ** ******** expensive ********, **'* ********** ** ********* **** ** *** **** a ***** ***** ******. ** ******** ******* ** **** ***, and ** **** ******* *** ***** **** *** ****** ** the ******, *** *** ** ***.

** ****** ** ***** ** ******* ** ************** ** **** subject, *'** ***** *** **** ** *********. :)

** ***** *** ************* '***-**-***' ******** *** *********?

** ******** **********, *** *** *** ************, * *****-***** ******** enforcement **** **** *** ******** **** ********** ** *** ******. This ******** ** ******* ** ******** ** ******* ** *** edge ** *** ******* ** *********** ******** *** ******* *********. Senstar’s ******** – ***** ******** ******** ****** – *** ************ designed ** *****-****** ******** ******** ********, ***** ***** ******* *** safe-city ************.

** *************:

  • ******* *** ********** ***** ******* *** ******** ** *** *******
  • ****** ****-**** ****** *** *** ******* ** ***** *** ******* to ******* ** ************ ****** ** *** *******
  • ******** ******** *** ******** *******, ** **** *****, ** **** sure **** **** *****, ****, *** ********** *******, **** ********** entities, ** *******
  • ******* ****** *** ****** *****-*******: *** ********, *** ******** ** poisoning, ** ******* ********, ********* *** ***** *********, ********-**** ******** manipulation *** ****** ** ********

*******, *** *************, ** ** ** ********** ******** **** ******** no ********** ******* ** ******* ** *** ************* ****** ** a ******** ****** . ***** ** *******://***.************.***/

**** ******* ******** ***** ******* ******** * **** *** ****** find **** ** ** *******.

**** **** ***** ******* *** *** ** *********** ****** *****, bandwidth *********** ***** *****. ******** ***** ***** ******* *** ********** impact **** *** ****** *********** ***********, ***** ***** **** ********* may ****** *** ************ *******.

**** ** ***-******** ********? ***-******** ******* **** *** ***** *** operate ** **** ********* ******* ********* **** *****.

*****, **** ******** **** ***** **** *** ***-********.

******, **** *** ***-********. **** * ***** ** **** ********* switch ********* ***** * ** **** *********.

** ****-**-****, *.*., * ****** ** * *** ****** ** the **** ******, ** ******** ** ** ** *****. *******, across ***** *****, ***** ***'** ********** ** *** ****** ** the ***, **** ******** ***** ** *****, *** *** (*** probably ****) ***** *** **********. **'** ******* *** ****.

**** * ***** *** ** *** ******* *********. **** **** indeed ******* **** ************** *** *** ******* *****, **'* *** fool ***** ******. *** *** ****** ****** *** *** ******* of **** ** ** ***** *** *** ** * ******* camera *** ******** ***** * **** **** ****

****. ***** *** *** *** ************* *********** ** ******* ******** which ****** **** ******** (********..) ** ********.
