Network Security for IP Video Surveillance Guide

Author: Ethan Ace, Published on Feb 03, 2016

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in conjunction with each other.

In this guide, we look at several security techniques, both physical and logical, used to secure surveillance networks, including:

  • Network Hardening Guides
  • Passwords
  • LDAP / Active Directory Integration
  • VLANs
  • 802.1X Authentication
  • Disabling Switch Ports
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Locking Plugs
  • Physical Access Control
  • Managing Network Security For Video Surveillance Systems

******* ************ ******** ****** *** ** * ******** ****, *** there *** ******* ******* **** *** ******* ****** ****, ********** when **** ** *********** **** **** *****.

** **** *****, ** **** ** ******* ******** **********, **** physical *** *******, **** ** ****** ************ ********, *********:

  • ******* ********* ******
  • *********
  • **** / ****** ********* ***********
  • *****
  • ***.** **************
  • ********* ****** *****
  • ********* ******* *****
  • ********* ****** ********
  • *** ******* *********
  • ******* *****
  • ******** ****** *******
  • ******** ******* ******** *** ***** ************ *******

[***************]

Network ******** ********

**** **** ****, ******* ******** *** ****** * *** *****, with ********* ***************, *****, *** ******* ** *** ****.

** **** *** **** *-* *****, ***** *************** (*** ***** effects) **** ******** ** ******** *************, *********:

** ******** *****, ********* **** *** *** *** *******, **** Hikvision *** **** ******* ****** (***:********* ******* *** ******* ******** *******,*** ********* ******* *******,*** ********* ******* ******* *******, ******* ********* ** *****"**** *******" ********).

******* ** *** ******** ** ***** ********* *** ***** ********** frequency, ** ** ******** **** ***** ********** *** ****** ** cyber ******** *** ************ *******, *** *** ** ******* ******* simple ******* ** *** **** *****.

Network ********* ******

** *** ** ******** ** *****, ******* ********* ****** *** common, ********* *************** (** ** *******, *** ********* ********* *****) ** **** *** ******* **** ******. ****/**** ** ***** recommendations ***** ** ************ ********, ** ****, ********* *********** ******** and ***** *******, ******** *********, ********* *****, ***.

*******, **** *************** *** ** ***** *** ****** **** **** IP ***** *********** *** ******* **, ** **** ** ********* for * ***** ******. ******* ************** ******* **** ** ***.**, LDAP ***********, **** **********, ***., *** ****** *** ***** *** time/cost ** ********* *** **** *******, ***** *** ******* ****.

************ ********* ****** ****

****** **, ************ ******** ********* ****** *** ****, ******** * ******* ** *************** **** *************.

*** ***** *************** ** **** ** ***** ****** ****, *** most *** ******* **** ***** *** ******** ******, ********* ** the *********** ** *** ************.

*** **** *****, *** ********, ****** **** **** **** (*** production ***) ** ****** ****** ********** ********, *** ******* ***** best *********, **** ** ****** *********, ******** ********, *** ********* anonymous ******, ******* **** ******* *********, **** ** ***.** **************, SNMP **********, *** ****** *******.

***** *** ***** ****** *** ************-********, ********* ************ ********* ** the ****** ** ***, **** *************** *** ****** ****** *** manufacturers, *** **** ** **** **** ** ******** **** *********, and *** ********* ********* *****.

Strong *********

****** ********* *** *** **** ***** ******** *******, *** *************, ignored ** **** *****. **** ************ ******* *** ******** ** the ***** **** ******* ********* ** *** *********, ********* *******, switches, *********, *** **** (*** ***** ******* ******* ********* ****). ***** ** *** **** ** ****** *** ***** ** access ******* *** **** **** ** ****** *** ****** ** log **** ***'* ******* (***:****** ****** *** ******* ** *******).

** *** **** *****, *** ************ ******* *******, ****************, *******, *** *******, ****** ** ******* **** *** ******** with ****** *********, ********** ** * ****** ********. **** ******** access ** *** ******* ***** ****** ******** ********, ********* * more ******* ******** *** **** ******* *******.

**** ************* ******* ******** *** ******* ******** **** ********** *** the ***** **** (*** *********** ** *** ****, ***** *** ******* *** *********). ******, ** ************* ******* (*)***** **** ******** ******* ********* *********, ****** *** **** **** is ******* ******* ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) ***********, *** *********** *** ******** ** network ***** ******* ** * ******* ****** (**** ****** ****** sign-on). ***** ***** **** ******** ***** ********* ******** ******** *** expiration *****, **** *********** *** ******* ******** **** ***** *** accounts ***** ** *** **** ***** ************. **** ******* ************** overhead, ***** ********** ******** ** *** ** ** ******* *** maintained.

*********, **** *** ** ********** ** ******, ********** *******, ***** many ***** ************* ** *** **** ** **** ****** ***********. Some ***** ** ******* ******* ***** *** ********* ** ****** entities, ********** ********* *** ********* **********, *** *** **** ** these ************* *** ****** ** *** ** *** ***** ******* access *******.

**** / ** ***** ************* ** **** *** ** *******, but, ** ******** ** ***. ***************, ** * ********* ********, is *** ********* ** ****** *** ** ******, ***** ********* run ** *****. ********** ** ****** ******* ** ** **, *** ** *** *** ****** *** ********** ****** *****.

Firewalls/Remote ******

** ******* ************ ****** ******, **** ************ ******* *** *** connected ** *** ******** ** ***, ******* ** * ******* separate ***. **** ******* ****, *** *** **** ******* **** difficult, ** ******* ** ******** *** ********, ******* ****** **********, must ** ****** **** *** ** ***** *****.

***** ******* ***** *** ********* *** ********* ****** * ********, which ****** *******/******** ******* ** **** ******** ** ********* *** ports ***** **** **** **********. ***** ******* ** ********. ******** implemented, **** *** ******* *** **** ******** ** *******.

****** ****** *****

*** ******* ***** ******* ****** ******, ***** *** ******* *** require *** ** **** ***** ** ** ****. *******, **** open **** ******** * ******** *********** *** ** ********. ******* how **** *** ***** ****** ** *** ***. ***** ****** refer ** ************ ************* *** ***** ***** **** ** **** if ****** ****** ** ******** (*** *********** ** ****** *******), and ** **** **** ******** ** ********** ***** *** ** ***** ************ ********.

***/***** ******

*************, **** ************* ***** *** "***** ****" ****** ******, ***** sets ** * ****** ****** *** ** ******** ********** ******* requiring **** *****, ******** *****. **** ******* *** ********* *** cloud *********** *** ****** ******, **** *********** *****,***** *** ***** ***, ********** *****. ************, **** ****** ******* ******** *** ******* **********, **** as *******, **********, *********, ***.

** ******* ***** ******* ** ********* ******* ****** *** ***** ********************.

*****

******* **** (********* ** *****)******* ******** ** ********** ******* **** ******** ******* ********. ** while ***** ********, **** ** ** ***** ************ ********* ** general ****** *** *******, *** ***** ** *** **** ******** switch, *** ********* ******** *** ******** *** ********* ** **** other, *** ***********.

*** *******, ** *** ***** *****, *** ****** *** *** on **** * *** *** ** ******* ** *** ****** PC ** * ******** ****, *** ***** * **** ** the *** (**** *)"***" ******* ** *** ** **** (**** 2).

***** *** **** ******** *** ** ********.** *******, ***** **** * ****** ** **** ***** ********** **** information. **** ****** ** *********** ** *** ****** *** ******* forwarded **** ** ***** ******* ** *** **** ****.

**** **** ***** ******* *** *** ** *********** ****** *****, bandwidth *********** ***** *****. ******** ***** ***** ******* *** ********** impact **** *** ****** *********** ***********, ***** ***** **** ********* may ****** *** ************ *******. ******* ** ****, ***** *** also **** ***** ******** ** *********** *********** ** ******* (***), ***** *********** ******* *******, ******* ***** ******* ***** ** file *********, *** *******, ** ***** ******* ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* ********** ****** ** ******* ************ ******* from ********* * ****** ** ** ******* *** ****** *****. This **** ********* *** **** ** ******* ****** ** ****** a ******** ****** ** ******** * ***** ***** **** * switch ** ****** ******* ****. *** ****** ** ******* ******** ports ** * ****** ****** ** ******* ********, **** *** cost *** **********:

***** ********* ** ********* *** ****** ** ********* ****** ******, this **** **** *** *********** ******* ************ ****** ** * network, ** ******* ***** *********** ****** * ****** (******, ***********, printer) **** * ********** ********** **** ** **** *** ****** its ****, ****** ******** **** ** *** ********* ** ***.** are ** *****.

Disabling ****** ******* *****

**** ******* **** **** ******** ******* ***** ****** **, **** as ******, ***, ***, ***., ** ** ***** ** ********** ** ******* ****. ***** ***** *** ******** ******* ** ******* (** *********** by ******* ****** *** ****** *************** ***** *********** *******).

* ***** ** ****** **** ** * ******* ** ****** reveals ******** **** ***** ***** **** ***** ******** *** *** access *** ***** ********* (**/***):

***** ***** ****** ** ******** ******** ******** ** ******* ********* attacks.

Disabling ****** ********

*********** ******** ** ******* ************ *** ******* ****** ** ****** off. ***** *** ******* ************-******** ****** *********, ******* ********* ****** services, *** ********, ***. ***** ******** ******** *** *** ** a ******** *** ******* ** *******, ******* ********** ********* *** memory, *** ******** ******* ****.

***** ******** ****** ** ******** ** *** ** ******* **** when ******** *******, ** **** **** ** *******:

OS *** ******** *******

** *********** ********** * ****** ** **** ******, **** **** ***** ********** ***** ********* ******* ******, *** example, ***** ****** ****** **** ***** ******* *** ***** *** software ** ****** ************.

*******, ***** ******* (********** ******* ******) ***** ******* ******* ** newly ********** ******** ***************, **** ** ************* *** *************, ***** ******** ******** ** ********* *********. ******* *** ***** significant ****** ****** ** *********.

*****, **** *******, ******* *** ** ********. ***** ********** ********* about ************* ****** ****** ******* ***** ******/********/*** ************* ** *** their *************** *** ******** ******* ** ***.

MAC ******* *********

*** ******* ********* ****** **** * ******** **** ** ******* to ******* ** *** ******. ***** ******* ******* **** *** switch *** *******, **** ** *** **** ********** *** **** by * ***** ******. *** ********* ** ******** **** ***** managed ********.

** ************ ********, *** ********* ** ********* **** ** **********. Once *** *******, *******, *** ******* *** *********, ** ** enabled, *** ********* *******' **** ***** ** *** *********. ***** these ******* ** * ************ ******* *** ****** ******* ***, little ***** *********** ** ********. ** ***** ******** ***** ******* may ********** ** ***** ** *******, ************** *** **** ********* more ********** ** **********.

**** ***** ***** *** ********* ******* ** * ******* ******* switch *********:

*** ********** ********** *** ***** ************ ******** **** ********** *** * ***** ******** ** *** *********.

***.**

***.** ******** ******* ****** ** ******* ** *** ******* ** have ****** *********** ** ** ******* **. **** ****** ****** devices ** ********* **** **** ******* ** * *******.

***** ***.**, * "**********" (****** **** * ******, **, ***.) attempts ** ******* ** ******* *** * ****** ** *** (called *** "*************"). *** ************* **** ****** *** *********** ** the ********** **** * ******, **** *** ************** ****** (********* using * ******** ************, *** ****** ** ****** ****** ***********.

***** ***.** ******** ****** ********, ******* ** * ******* ** support ** *** ** ********** *** ********. *** **** **** connected ******* (*******, ****, ****** ***, ****, ***.) ******* ***.** integration, *** ******** ****, ** ****. **** ** ***** ******* must ** ************ ********** *** ***.**, ****** ********** ************* **** to *** *******.

******* ** ***** *******, ***** ******** **** *** ************** ********, 802.1X ** ****** **** ** *** *** *** **** ******* enterprise ************ ********, **** ***** ****** *** ******* ******** ******** instead.

Locking *****

******* ***** ** ******** **** ********** ******** ********** ** ********* with ******* ******* ** ************ ******* *** **** ***** *** cable *****. ***** ******* ************ **** * ***** **** * switch, ***** *****, ** **** ****, ** **** ****** ****** ports, *** *** **** ** ******* **** * *********** ****.

***** ***** ***** ** ***** *** ********* ** ******** ****** tampering, **** *** *** ********** ** **************, *** * ********** intruder *** ****** ** **** ** ***** **** *** ** pry **** ***** ***** ****** ****. ** ****, ******* ***** should ** ********** **** ** * **** ******* ******** *******, but *** *** **** *******.

*** * ****** ****, **** ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** *** *********** ****** ** *** **** vulnerable ***** ** * *******, *** *****, *******, ** ***** where ************ ******* *** ******** *** ********* *******. ** ******** the ********* ************ ** ***** *****, **** ***** **** ********** or **** *********** ******* *** ** *******. ** ***** ****** be *******, ********** **** ***** ** ****** ********** ****** **. Most ****** ** ********* ******** ******** ********* ** ******** *******:

** * ******, **** ********** ****** ********** ****** ******* ** server ** ******* ********* *****. *******, **** ***-****** ********** **** and ***** *** ** * ***** *** ** ********** ********* areas **** ******** *******.

Managing ******* ******** *** ***** ************ *******

***** *** *** ***** ***** *** ******* ******** ** ***** own, **** *** **** ********* **** ********** ** **** ** a ******* (*** ********) ******** ******.

** ************, **** ****** ** ** ** *** ********** *******, but ********* ** ***** **** *** ** *** ******:

  • *** ****:**** *** ************ ******* ** **** ** * ****** *********/********** LAN (******* ******* ******** ** *********), *** ***** **** ****** control *** ******** ****** *** *** ******* *******, *** *** force ***** ************ **** *********** (*** ****** ** *****).
  • **********:** ** *** **** **** *** **** * ******** ****** in *****, *** ********** ********** *** ****** ** ****** *** as **** ** ***** *************, ********* ** ** ** ******** in ***** *** *** ******** ** ** ******** *** ***** liability ** **** ** * ******.

Test **** *********

**** ****** ******** *******.

Comments (16)

"As a result, many facilities employ electronic access control on server or network equipment rooms. However, even non-exotic mechanical keys and locks can do a great job of protecting sensitive areas when properly managed."

We advise our customers to always install an inexpesive camera within the server room to see who comes, goes, and perhaps takes stuff on their way out!

And under many information assurance programs it's a requirement (that the systems where data is stored be surveilled).

Ethan, great overview. I'm not sure why you don't mention software security updates to cameras/servers. Like passwords, it's an area that tends to fall behind and nothing's more embarrassing than the VMS system hanging off the network with glaring zero day exploit vulnerability. Somebody needs to address the policy of security patches, from how they are aquired from the manufaucturer to how they're applied on an ongoing basis.

Also, it's kind of a tired subject, but somebody always wants to know about protecting the digital video streams from that gang of uber celebs who are going to rob your casino, Ocean's Twelve-style.

Did you know? I was surprised by password policy of one very known brand:

One day I needed to log into my DVR, and psw I didn't have. There was no any chance to reset it. So, I called to distributor in my country, told them serial number of DVR, and there was no problem - they send me psw of administrator!

It turns out, that DVR 'knew' special administrator psw, which every day is different (then, I get email with psw list for two week :)).

DVR wasn't connected to internet.

Question.How many very known brand can do such tricks?! Especially in IP world...

Donatas, see: Dahua And Hikvision Master Password Backdoor.

Basically, many systems have backdoors. A common variant is the password of the day. There is an algorithm where you input the serial number and the current date and it generates a password. That same algorithm runs on the recorder and checks / accepts that password if it is the same date / serial number.

Thank you, for information.

Hi,

Another (very expensive) solution is a product by waterfall security.

I am not affiliated with them in any way. They create a switch for you that replicates the protocol of the cameras used. They will allow only packets that match this protocol to pass through.

We worked with hem a few times and the solution works great. The only problem is that in most cases its more expensive than the security system itself.

"The only problem is that in most cases its more expensive than the security system itself."

Yikes...

I recently read about an ethernet switch that is supposed to detect breaches in the system (exactly those breaches that are the result of not following the above rules). It is made by a company called Cyber-seal, the company itself was acquired by Magal Security Systems about 2 years ago.

I don't have any first hand experience with the product, it came up in a market research I did.

802.1X is a BAD IDEA. It's too complicated, it requires expensive switches, it's terrifying to implement even if you have a cushy Cisco budget. It requires changes at each end, and it only secures the cable from the device to the switch, not end to end.

Of anyone to offer an opinion or recommendation on this subject, I'll admit you have my attention. :)

Is there one comprehensive 'end-to-end' solution you recommend?

We recently discovered, and are now representing, a multi-layer security enforcement tool that has recently been introduced to the market. This solution is capable of securing IP devices at the edge of the network by identifying physical and logical anomalies. Senstar’s Tungsten – Cyber Security Ethernet Switch – was specifically designed to cyber-secure physical security networks, SCADA based systems and safe-city applications.

It automatically:

  • Detects and identifies every element and endpoint in the network
  • Offers real-time alerts and the ability to block any attempt to connect an unauthorized device to the network
  • Inspects incoming and outgoing traffic, at port level, to make sure that only known, safe, and identified traffic, from authorized entities, is allowed
  • Detects Layer2 and Layer3 cyber-attacks: CAM overflow, ARP spoofing or poisoning, IP address spoofing, streaming and video hijacking, Spanning-Tree Protocol manipulation and denial of services

Finally, and significantly, it is an economical solution that requires no additional devices or changes to the architectural design of a security system . Check it out http://www.senstarcyber.com/

With growing concerns about network security I hope the reader find this to be helpful.

Note that while traffic may not be intercepted across VLANs, bandwidth constraints still exist. Numerous large video streams may negatively impact VOIP and office application performance, while large file transfers may affect the surveillance network.

Even on non-blocking switches? Non-blocking meaning that all ports can operate at full bandwidth without impacting each other.

AFAIK, most switches made these days are non-blocking.

Agreed, most are non-blocking. Even a cheap 48 port unmanaged switch generally lists a 96 Gbps backplane.

So port-to-port, e.g., a camera to a VMS server on the same switch, is unlikely to be an issue. However, across trunk ports, where you're connecting an IDF switch to the MDF, with multiple VLANs in place, you can (and probably will) still see congestion. We'll clarify the text.

Just a quick not on MAX address filtering. This does indeed require some administration but the biggest issue, it's not fool proof either. You can easily change the MAC address of your PC to spoof the one of a network camera for instance using a tool like SMAC

Good. Thank you for the comprehensive explanation of Network Security which ranges from software (password..) to hardware.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Favorite Biometrics 2018 on Apr 23, 2018
Biometrics are on the rise, or at least integrator opposition to them is declining, according to new IPVM integrator statistics.   Almost half of...
Dedicated Vs Converged Access Control Networks (Statistics) on Apr 20, 2018
Running one's access control system on a converged network, with one's computers and phones, can save money. On the other hand, hand, doing so can...
April 2018 IP Networking Course on Apr 19, 2018
This is the last chance to register for our IP Networking course. Register now. NEW - 2 sessions per class, 'day' and 'night' to give you double...
'Best In Show' Fails on Apr 19, 2018
ISC West's "Best In Show" has failed. For more than a decade, it has become increasingly irrelevant as the selections exhibit a cartoon level...
Worst Access Control 2018 on Apr 18, 2018
Three access control providers stood out as providing the most problems for integrators. In this report, we analyze the answers to: "In the...
Axis VMD4 Analytics Tested on Apr 17, 2018
Axis is now on its 4th generation of video motion detection (VMD), which Axis calls "a free video analytics application." In this generation, Axis...
Key Control For Access Control Tutorial on Apr 16, 2018
End users spend thousands on advanced systems to keep themselves secure, but regularly neglect one of the lest expensive yet most important aspects...
Best and Worst ISC West 2018 on Apr 16, 2018
ISC West 2018 had strong attendance, modest overall new products, and a surge in Artificial Intelligence marketing. First, here are 20+...
Alarm.com Business Market Expansion on Apr 13, 2018
Alarm.com has millions of subscribers, but the company has traditionally been mostly a residential/home focused offering.  ADC's new Smart Business...
GDPR For Video Surveillance Guide on Apr 12, 2018
The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, but there is much confusion and no clear guidelines on...

Most Recent Industry Reports

The Yolo Bro And The Death of Journalism on Apr 24, 2018
There's an old quote: The job of the newspaper is to comfort the afflicted and afflict the comfortable Unfortunately, the opposite is more...
DMP Adds Ring Video Doorbell Integration on Apr 24, 2018
Video doorbells have become one of the hottest items for security systems. After several years with no doorbell, DMP has announced integration with...
Milestone 2017 Financials Examined on Apr 24, 2018
For ISC West 2018, Milestone released ... their financials, touting "strong revenue growth in 2017". However, there were discrepancies with the...
Chinese Manufacturer Kickstarter Campaign Huge Success (EverCam) on Apr 23, 2018
In a week, a Chinese manufacturer's expertly done Kickstarter campaign has received $1.4 million in pledges, an incredible amount for a video...
Favorite Biometrics 2018 on Apr 23, 2018
Biometrics are on the rise, or at least integrator opposition to them is declining, according to new IPVM integrator statistics.   Almost half of...
Dahua and Hikvision Win Over $1 Billion In Government-Backed Projects In Xinjiang on Apr 23, 2018
Dahua and Hikvision have won well over $1 billion worth of government-backed surveillance projects in China’s restive Xinjiang province since 2016,...
May 2018 Camera Course on Apr 20, 2018
Save $50 on early registration until this Thursday, the 26th. Register now (save $50) for the Spring 2018 Camera Course This is the only...
Global Real-Time Video Surveillance - EarthNow on Apr 20, 2018
A new company, EarthNow, with backing from Bill Gates, Airbus and more, is claiming that: Users will be able to see places on Earth with a delay...
Dedicated Vs Converged Access Control Networks (Statistics) on Apr 20, 2018
Running one's access control system on a converged network, with one's computers and phones, can save money. On the other hand, hand, doing so can...
April 2018 IP Networking Course on Apr 19, 2018
This is the last chance to register for our IP Networking course. Register now. NEW - 2 sessions per class, 'day' and 'night' to give you double...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact