Cybersecurity for IP Video Surveillance Guide

By IPVM Team, Published on May 18, 2018

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in conjunction with each other.

IPVM Image

In this guide, we look at several security techniques, both physical and logical, used to secure surveillance networks, including:

  • Network Hardening Guides
  • Password Security
  • LDAP / Active Directory Integration
  • VLANs (Virtual LANs)
  • 802.1X Authentication
  • Disabling Switch Ports
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Locking Plugs
  • Physical Access Control
  • Managing Network Security For Video Surveillance Systems

Cybersecurity ********

**** **** ****, ************* has ****** * *** issue, **** ********* ***************, hacks, *** ******* ** the ****.

** **** *** **** 2 *****, ***** *************** (and ***** *******) **** reported ** ******** *************, including:

******* ** *** ******** of ***** ********* *** their ********** *********, ** is ******** **** ***** understand *** ****** ** cyber ******** *** ************ systems, *** *** ** protect ******* ****** ******* at *** **** *****.

Network ********* ******

** *** ** ******** at *****, ******* ********* guides *** ******, ********* recommendations (** ** *******, see ********* ********* *****) ** **** *** network **** ******. ****/**** of ***** *************** ***** to ************ ********, ** well, ********* *********** ******** and ***** *******, ******** passwords, ********* *****, ***.

*******, **** *************** *** be ***** *** ****** what **** ** ***** integrators *** ******* **, or **** ** ********* for * ***** ******. Complex ************** ******* **** as ***.**, **** ***********, SNMP **********, ***., *** simply *** ***** *** time/cost ** ********* *** many *******, ***** *** limited ****.

Surveillance ********* ****** ************ ******

****** **, ************ ******** hardening ****** **** ************ been ****. *******, **** number *** ******* ** the **** * *****

*** ***** *************** ** each ** ***** ****** vary, *** **** *** divided **** ***** *** advanced ******, ********* ** the *********** ** *** installation.

*** **** *****, *** instance, ****** **** **** only (*** ********** ***) to ****** ****** ********** networks, *** ******* ***** best *********, **** ** strong *********, ******** ********, and ********* ********* ******, through **** ******* *********, such ** ***.** **************, SNMP **********, *** ****** servers.

***** ***** ****** *** manufacturer-specific, ********* ************ ********* to *** ****** ** VMS, **** *************** *** useful ****** *** *************, and **** ** **** with ** ******** **** practices, *** *** ********* discussed *****.

Strong *********

****** ********* *** *** most ***** ******** *******, but *************, ******* ** many *****. **** ************ systems *** ******** ** the ***** **** ******* passwords ** *** *********, including *******, ********, *********, and **** (*** ***** ******* ******* ********* List). ***** ** *** make ** ****** *** techs ** ****** ******* but **** **** ** simple *** ****** ** log **** ***'* ******* (see:****** ****** *** ******* IP *******).

** *** **** *****, all ************ ******* *******, including *******, *******, *** servers, ****** ** ******* from *** ******** **** strong *********, ********** ** a ****** ********. **** prevents ****** ** *** network ***** ****** ******** guessing, ********* * **** skilled ******** *** **** complex *******.

**** ************* ******* ******** the ******* ******** **** connecting *** *** ***** time (*** *********** ** *** ****, Dahua *** ******* *** passwords). ******, ** ************* ******* (*)***** **** ******** ******* passwords *********, ****** *** well **** ** ******* remains ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) integration, *** *********** *** assigned ** ******* ***** managed ** * ******* server (**** ****** ****** sign-on). ***** ***** **** accounts ***** ********* ******** strength *** ********** *****, this *********** *** ******* security **** ***** *** accounts ***** ** *** have ***** ************. **** reduces ************** ********, ***** individual ******** ** *** to ** ******* *** maintained.

*********, **** *** ** restricted ** ******, ********** systems, ***** **** ***** installations ** *** **** an **** ****** ***********. Some ***** ** ******* systems ***** *** ********* in ****** ********, ********** education *** ********* **********, may *** **** ** these ************* *** ****** to *** ** *** their ******* ****** *******.

**** / ** ***** theoretically ** **** *** IP *******, ***, ** practice ** ***. ***************, as * ********* ********, is *** ********* ** almost *** ** ******, which ********* *** ** Linux. ********** ** ****** ******* to ** **, *** ** *** not ****** *** ********** market *****.

Firewalls/Remote ******

** ******* ************ ****** access, **** ************ ******* are *** ********* ** the ******** ** ***, instead ** * ******* separate ***. **** ******* risk, *** *** **** service **** *********, ** updates ** ************ ******** and ********, ******* ****** downloaded, **** ** ****** from *** ** ***** means.

***** ******* ***** *** connected *** ********* ****** a ********, ***** ****** inbound/outbound ******* ** **** specific ** ********* *** ports ***** **** **** authorized. ***** ******* ** rejected. ******** ***********, **** may ******* *** **** majority ** *******. **** cameras *** ***** ************ equipment ** ** ********* to **** ******* ******** up ** ****. ***** have **** *** ***** security *************** ******* ** insecure *******. *** ***** is ************** ** ***** ********, *** *** ***** is ********** ********** ********* **************** **** ** ********* insecure **** / *** routers.

Remote ****** *****

*** ******* ***** ************* ******, ***** *** ******* may ******* *** ** more ***** ** ** open. *******, **** **** port ******** * ******** opportunity *** ** ********. Exactly *** **** *** which ****** ** *** VMS. ***** ****** ***** to ************ ************* *** which ***** **** ** open ** ****** ****** is ******** (*** *********** or ****** *******), *** we **** **** ******** in ********** ***** *** ** Video ************ ********.

P2P/Cloud ******

*************, **** ************* ***** for "***** ****" ****** access, ***** **** ** a ****** ****** *** an ******** ********** ******* requiring **** *****, ******** risks. **** ******* *** recorders *** ***** *********** for ****** ******, **** as********* *****,***** *** ***** ***, ********** *****. ************, **** ****** desktop ******** *** ******* technology, **** ** *******, TeamViewer, *********, ***.

** ******* ***** ******* in ********* ******* ****** *** Video ********************.

*****

******* **** (********* ** VLANs)******* ******** ** ********** traffic **** ******** ******* networks. ** ***** ***** services, **** ** ** based ************ ********* ** general ****** *** *******, may ***** ** *** same ******** ******, *** practical ******** *** ******** are ********* ** **** other, *** ***********.

*** *******, ** *** image *****, *** ************ equipment ** **** * may *** ** ******* by *** ****** ** on **** *, *** could * **** ** the ****** (**** *)"***" traffic ** *** **** VLAN (**** *).

***** *** **** ******** set ** ********.** *******, ***** **** * header ** **** ***** containing **** ***********. **** header ** *********** ** the ****** *** ******* forwarded **** ** ***** devices ** *** **** VLAN.

**** **** ***** ******* may *** ** *********** across *****, ********* *********** still *****. ******** ***** video ******* *** ********** impact **** *** ****** application ***********, ***** ***** file ********* *** ****** the ************ *******. ******* of ****, ***** *** also **** ***** ******** in *********** *********** ** ******* (***), ***** *********** ******* traffic, ******* ***** ******* ahead ** **** *********, for *******, ** ***** quality ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* overlooked ****** ** ******* unauthorized ******* **** ********* a ****** ** ** disable *** ****** *****. This **** ********* *** risk ** ******* ****** to ****** * ******** subnet ** ******** * patch ***** **** * switch ** ****** ******* jack. *** ****** ** disable ******** ***** ** a ****** ****** ** managed ********, **** *** cost *** **********:

IPVM Image

***** ********* ** ********* the ****** ** ********* access ******, **** **** does *** *********** ******* unauthorized ****** ** * network, ** ******* ***** potentially ****** * ****** (camera, ***********, *******) **** a ********** ********** **** or **** *** ****** its ****, ****** ******** such ** *** ********* or ***.** *** ** place.

Disabling ****** ******* *****

**** ******* **** **** unneeded ******* ***** ****** on, **** ** ******, SSH, ***, ***., ** we ***** ** ********** ** ******* ****. ***** ***** *** favorite ******* ** ******* (as *********** ** ******* miners *** ****** *************** found *********** *******).

* ***** ** ****** scan ** * ******* IP ****** ******* ******** open ***** ***** **** those ******** *** *** access *** ***** ********* (80/554):

IPVM Image

***** ***** ****** ** disabled ******** ******** ** prevent ********* *******.

Disabling ****** ********

*********** ******** ** ******* workstations *** ******* ****** be ****** ***. ***** may ******* ************-******** ****** utilities, ******* ********* ****** services, *** ********, ***. These ******** ******** *** act ** * ******** for ******* ** *******, consume ********** ********* *** memory, *** ******** ******* time.

***** ******** ****** ** disabled ** *** ** operate **** **** ******** started, ** **** **** in *******:

IPVM Image

OS *** ******** *******

** *********** ********** * ****** ** some ******, **** **** ***** installing ***** ********* ******* Update, *** *******, ***** others ****** **** ***** updates *** ***** *** software ** ****** ************.

*******, ***** ******* (********** Windows ******) ***** ******* patches ** ***** ********** security ***************, **** ** the********** *** *************, ***** ******** ******** of ********* *********. ******* for ***** *********** ****** should ** *********.

*****, **** *******, ******* may ** ********. ***** especially ********* ***** ************* issues ****** ******* ***** camera/recorder/VMS ************* ** *** their *************** *** ******** updates ** ***.

MAC ******* *********

*** ******* ********* ****** only * ******** **** of ******* ** ******* to *** ******. ***** devices ******* **** *** switch *** *******, **** if *** **** ********** was **** ** * valid ******. *** ********* is ******** **** ***** managed ********.

** ************ ********, *** filtering ** ********* **** to **********. **** *** cameras, *******, *** ******* are *********, ** ** enabled, *** ********* *******' MACs ***** ** *** whitelist. ***** ***** ******* in * ************ ******* are ****** ******* ***, little ***** *********** ** required. ** ***** ******** where ******* *** ********** be ***** ** *******, administrators *** **** ********* more ********** ** **********.

**** ***** ***** *** filtering ******* ** * typical ******* ****** *********:

IPVM Image

*** ********** ********** *** ***** Surveillance ******** **** ********** *** a ***** ******** ** MAC *********.

***.**

***.** ******** ******* ****** to ******* ** *** network ** **** ****** credentials ** ** ******* on. **** ****** ****** devices ** ********* **** just ******* ** * network.

***** ***.**, * "**********" (client **** * ******, PC, ***.) ******** ** connect ** ******* *** a ****** ** *** (called *** "*************"). *** authenticator **** ****** *** credentials ** *** ********** with * ******, **** the ************** ****** (********* using * ******** ************, *** ****** ** denies ****** ***********.

***** ***.** ******** ****** security, ******* ** * network ** ******* ** can ** ********** *** involved. *** **** **** connected ******* (*******, ****, client ***, ****, ***.) support ***.** ***********, *** switches ****, ** ****. Each ** ***** ******* must ** ************ ********** for ***.**, ****** ********** configuration **** ** *** install.

******* ** ***** *******, which ******** **** *** administration ********, ***.** ** rarely **** ** *** but *** **** ******* enterprise ************ ********, **** users ****** *** ******* security ******** *******.

Locking *****

******* ***** ** ******** that ********** ******** ********** or ********* **** ******* cabling ** ************ ******* are **** ***** *** cable *****. ***** ******* mechanically **** * ***** into * ******, ***** panel, ** **** ****, or **** ****** ****** ports, *** *** **** be ******* **** * proprietary ****.

IPVM Image

***** ***** ***** ** locks *** ********* ** stopping ****** *********, **** are *** ********** ** indestructible, *** * ********** intruder *** ****** ** able ** ***** **** out ** *** **** loose ***** ****** ****. As ****, ******* ***** should ** ********** **** of * **** ******* security *******, *** *** the **** *******.

*** * ****** ****, read ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** for *********** ****** ** the **** ********** ***** of * *******, *** rooms, *******, ** ***** where ************ ******* *** switches *** ********* *******. By ******** *** ********* availability ** ***** *****, many ***** **** ********** or **** *********** ******* can ** *******. ** doors ****** ** *******, individual **** ***** ** switch ********** ****** **. Most ****** ** ********* includes ******** ********* ** standard *******:

IPVM Image

** * ******, **** facilities ****** ********** ****** control ** ****** ** network ********* *****. *******, even ***-****** ********** **** and ***** *** ** a ***** *** ** protecting ********* ***** **** properly *******.

Managing ************* *** ***** ************ *******

***** *** *** ***** below *** ******* ******** on ***** ***, **** are **** ********* **** documented ** **** ** a ******* (*** ********) security ******.

** ************, **** ****** is ** ** *** individual *******, *** ********* it ***** **** *** of *** ******:

  • *** ****:**** *** ************ ******* is **** ** * larger *********/********** *** (******* sharing ******** ** *********), end ***** **** ****** control *** ******** ****** for *** ******* *******, and *** ***** ***** requirements **** *********** (*** better ** *****).
  • **********:** ** *** **** does *** **** * security ****** ** *****, the ********** ********** *** choose ** ****** *** as **** ** ***** documentation, ********* ** ** be ******** ** ***** for *** ******** ** be ******** *** ***** liability ** **** ** a ******.

Test **** *********

**** ****** ******** *******.

[****: **** ***** *** originally ********* ** **** but ************* ******* ** 2018 **** ********** ******* exploit/vulnerability ***********, ********* ******, image ********, *** ****]

Comments (14)

Excellent overview. Thank you.

Vivotek Security Hardening guide is listed twice, once under the Hanwha hyper link and also under the Vivotek Security Hardening guide. Great subject matter however thank you for the information.

U2 - Thank you, this has been updated.

(Milestone employee posting)

The current Milestone link looks like it's from 2016.

Milestone does update their Hardening Guide for each one of their three releases per year - search for "hardening guide" at their Content Portal at https://content.milestonesys.com

bit.ly link for current one: https://bit.ly/2Li7BXq

This is why I pay money to IPVM. Very well done. Do you think there will ever be a Cybersecurity for Access Control Guide? We're actually working a lot of these things into our security specifications.

 

Hello Brian:

We are not opposed to doing an access guide at all, but releasing one is not imminent.

However, the good news is that many of the recommendations here apply to IP access as well.  Disabling unused switch ports, turning off Telnet/ SSH/ FTP, using VLANs, and using strong (non-default!) passwords is good practice for access too.

Excellent, thanks!

I am surprised to see UPnP and Bonjour comes on by default even on non-consumer cameras.  

Wow..mind blown..

A lot of useful information, great job putting this together, guys. 

In hardening a new network what is your priority of work?

FYI:

The "Dahua Best Practices" link returns a 404 error, "Page Not Found" message. Go To Homepage>Support>Cybersecurity will get one to the desired destination. I do highly recommend those who want a decent chuckle to click the link above in this article as Dahua's typed message above the search box should do the trick. Enjoy!

Thanks for the heads up U5. I have updated the report their new link.

i like the idea of locking network plugs, how might i go about finding them?

Read this IPVM report for free.

This article is part of IPVM's 6,596 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Free Online NFPA, IBC, and ADA Codes and Standards 2020 on Sep 03, 2020
Finding applicable codes for security work can be a costly task, with printed...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all...
The Future of H.266 For Video Surveillance Examined on Aug 17, 2020
First H.264, now H.265, is H.266 next? H.266 was recently announced amid...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Access Control Levels and Schedules Tutorial on Sep 29, 2020
Configuring access levels and setting up schedules is central to maintaining...
Dedicated Vs Converged IP Video Networks Statistics 2020 on Sep 10, 2020
Running one's video system on a converged network with other devices can save...
Door Fundamentals For Access Control Guide on Aug 24, 2020
Doors vary greatly in how difficult and costly it is to add electronic access...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Exit Devices For Access Control Tutorial on Aug 25, 2020
Exit Devices, also called 'Panic Bars' or 'Crash Bars' are required by safety...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Monitoring Alarm Systems From Home - Innovation or Danger? on Oct 13, 2020
Remote monitoring by alarm companies since COVID-19 is bringing cost savings...
China's SMIC Hit By US Trade Restrictions, Impact On Video Surveillance on Oct 13, 2020
US trade restrictions have hit Semiconductor Manufacturing International...

Recent Reports

VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...