Cybersecurity for IP Video Surveillance Guide

By IPVM Team, Published May 18, 2018, 08:44am EDT

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in conjunction with each other.

IPVM Image

In this guide, we look at several security techniques, both physical and logical, used to secure surveillance networks, including:

  • Network Hardening Guides
  • Password Security
  • LDAP / Active Directory Integration
  • VLANs (Virtual LANs)
  • 802.1X Authentication
  • Disabling Switch Ports
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Locking Plugs
  • Physical Access Control
  • Managing Network Security For Video Surveillance Systems

Cybersecurity ********

**** **** ****, ************* has ****** * *** issue, **** ********* ***************, hacks, *** ******* ** the ****.

** **** *** **** 2 *****, ***** *************** (and ***** *******) **** reported ** ******** *************, including:

******* ** *** ******** of ***** ********* *** their ********** *********, ** is ******** **** ***** understand *** ****** ** cyber ******** *** ************ systems, *** *** ** protect ******* ****** ******* at *** **** *****.

Network ********* ******

** *** ** ******** at *****, ******* ********* guides *** ******, ********* recommendations (** ** *******, see ********* ********* *****) ** **** *** network **** ******. ****/**** of ***** *************** ***** to ************ ********, ** well, ********* *********** ******** and ***** *******, ******** passwords, ********* *****, ***.

*******, **** *************** *** be ***** *** ****** what **** ** ***** integrators *** ******* **, or **** ** ********* for * ***** ******. Complex ************** ******* **** as ***.**, **** ***********, SNMP **********, ***., *** simply *** ***** *** time/cost ** ********* *** many *******, ***** *** limited ****.

Surveillance ********* ****** ************ ******

****** **, ************ ******** hardening ****** **** ************ been ****. *******, **** number *** ******* ** the **** * *****

*** ***** *************** ** each ** ***** ****** vary, *** **** *** divided **** ***** *** advanced ******, ********* ** the *********** ** *** installation.

*** **** *****, *** instance, ****** **** **** only (*** ********** ***) to ****** ****** ********** networks, *** ******* ***** best *********, **** ** strong *********, ******** ********, and ********* ********* ******, through **** ******* *********, such ** ***.** **************, SNMP **********, *** ****** servers.

***** ***** ****** *** manufacturer-specific, ********* ************ ********* to *** ****** ** VMS, **** *************** *** useful ****** *** *************, and **** ** **** with ** ******** **** practices, *** *** ********* discussed *****.

Strong *********

****** ********* *** *** most ***** ******** *******, but *************, ******* ** many *****. **** ************ systems *** ******** ** the ***** **** ******* passwords ** *** *********, including *******, ********, *********, and **** (*** ***** ******* ******* ********* List). ***** ** *** make ** ****** *** techs ** ****** ******* but **** **** ** simple *** ****** ** log **** ***'* ******* (see:****** ****** *** ******* IP *******).

** *** **** *****, all ************ ******* *******, including *******, *******, *** servers, ****** ** ******* from *** ******** **** strong *********, ********** ** a ****** ********. **** prevents ****** ** *** network ***** ****** ******** guessing, ********* * **** skilled ******** *** **** complex *******.

**** ************* ******* ******** the ******* ******** **** connecting *** *** ***** time (*** *********** ** *** ****, Dahua *** ******* *** passwords). ******, ** ************* ******* (*)***** **** ******** ******* passwords *********, ****** *** well **** ** ******* remains ** ** ****.

LDAP/AD ***********

***** ****/****** ********* (**) integration, *** *********** *** assigned ** ******* ***** managed ** * ******* server (**** ****** ****** sign-on). ***** ***** **** accounts ***** ********* ******** strength *** ********** *****, this *********** *** ******* security **** ***** *** accounts ***** ** *** have ***** ************. **** reduces ************** ********, ***** individual ******** ** *** to ** ******* *** maintained.

*********, **** *** ** restricted ** ******, ********** systems, ***** **** ***** installations ** *** **** an **** ****** ***********. Some ***** ** ******* systems ***** *** ********* in ****** ********, ********** education *** ********* **********, may *** **** ** these ************* *** ****** to *** ** *** their ******* ****** *******.

**** / ** ***** theoretically ** **** *** IP *******, ***, ** practice ** ***. ***************, as * ********* ********, is *** ********* ** almost *** ** ******, which ********* *** ** Linux. ********** ** ****** ******* to ** **, *** ** *** not ****** *** ********** market *****.

Firewalls/Remote ******

** ******* ************ ****** access, **** ************ ******* are *** ********* ** the ******** ** ***, instead ** * ******* separate ***. **** ******* risk, *** *** **** service **** *********, ** updates ** ************ ******** and ********, ******* ****** downloaded, **** ** ****** from *** ** ***** means.

***** ******* ***** *** connected *** ********* ****** a ********, ***** ****** inbound/outbound ******* ** **** specific ** ********* *** ports ***** **** **** authorized. ***** ******* ** rejected. ******** ***********, **** may ******* *** **** majority ** *******. **** cameras *** ***** ************ equipment ** ** ********* to **** ******* ******** up ** ****. ***** have **** *** ***** security *************** ******* ** insecure *******. *** ***** is ************** ** ***** ********, *** *** ***** is ********** ********** ********* **************** **** ** ********* insecure **** / *** routers.

Remote ****** *****

*** ******* ***** ************* ******, ***** *** ******* may ******* *** ** more ***** ** ** open. *******, **** **** port ******** * ******** opportunity *** ** ********. Exactly *** **** *** which ****** ** *** VMS. ***** ****** ***** to ************ ************* *** which ***** **** ** open ** ****** ****** is ******** (*** *********** or ****** *******), *** we **** **** ******** in ********** ***** *** ** Video ************ ********.

P2P/Cloud ******

*************, **** ************* ***** for "***** ****" ****** access, ***** **** ** a ****** ****** *** an ******** ********** ******* requiring **** *****, ******** risks. **** ******* *** recorders *** ***** *********** for ****** ******, **** as********* *****,***** *** ***** ***, ********** *****. ************, **** ****** desktop ******** *** ******* technology, **** ** *******, TeamViewer, *********, ***.

** ******* ***** ******* in ********* ******* ****** *** Video ********************.

*****

******* **** (********* ** VLANs)******* ******** ** ********** traffic **** ******** ******* networks. ** ***** ***** services, **** ** ** based ************ ********* ** general ****** *** *******, may ***** ** *** same ******** ******, *** practical ******** *** ******** are ********* ** **** other, *** ***********.

*** *******, ** *** image *****, *** ************ equipment ** **** * may *** ** ******* by *** ****** ** on **** *, *** could * **** ** the ****** (**** *)"***" traffic ** *** **** VLAN (**** *).

IPVM Image

***** *** **** ******** set ** ********.** *******, ***** **** * header ** **** ***** containing **** ***********. **** header ** *********** ** the ****** *** ******* forwarded **** ** ***** devices ** *** **** VLAN.

**** **** ***** ******* may *** ** *********** across *****, ********* *********** still *****. ******** ***** video ******* *** ********** impact **** *** ****** application ***********, ***** ***** file ********* *** ****** the ************ *******. ******* of ****, ***** *** also **** ***** ******** in *********** *********** ** ******* (***), ***** *********** ******* traffic, ******* ***** ******* ahead ** **** *********, for *******, ** ***** quality ** *** ********.

*** ******** *** ***************** *** ******* ***********.

Disabling ****** ****** *****

******* **** *** ********* overlooked ****** ** ******* unauthorized ******* **** ********* a ****** ** ** disable *** ****** *****. This **** ********* *** risk ** ******* ****** to ****** * ******** subnet ** ******** * patch ***** **** * switch ** ****** ******* jack. *** ****** ** disable ******** ***** ** a ****** ****** ** managed ********, **** *** cost *** **********:

IPVM Image

***** ********* ** ********* the ****** ** ********* access ******, **** **** does *** *********** ******* unauthorized ****** ** * network, ** ******* ***** potentially ****** * ****** (camera, ***********, *******) **** a ********** ********** **** or **** *** ****** its ****, ****** ******** such ** *** ********* or ***.** *** ** place.

Disabling ****** ******* *****

**** ******* **** **** unneeded ******* ***** ****** on, **** ** ******, SSH, ***, ***., ** we ***** ** ********** ** ******* ****. ***** ***** *** favorite ******* ** ******* (as *********** ** ******* miners *** ****** *************** found *********** *******).

* ***** ** ****** scan ** * ******* IP ****** ******* ******** open ***** ***** **** those ******** *** *** access *** ***** ********* (80/554):

IPVM Image

***** ***** ****** ** disabled ******** ******** ** prevent ********* *******.

Disabling ****** ********

*********** ******** ** ******* workstations *** ******* ****** be ****** ***. ***** may ******* ************-******** ****** utilities, ******* ********* ****** services, *** ********, ***. These ******** ******** *** act ** * ******** for ******* ** *******, consume ********** ********* *** memory, *** ******** ******* time.

***** ******** ****** ** disabled ** *** ** operate **** **** ******** started, ** **** **** in *******:

IPVM Image

OS *** ******** *******

** *********** ********** * ****** ** some ******, **** **** ***** installing ***** ********* ******* Update, *** *******, ***** others ****** **** ***** updates *** ***** *** software ** ****** ************.

*******, ***** ******* (********** Windows ******) ***** ******* patches ** ***** ********** security ***************, **** ** the********** *** *************, ***** ******** ******** of ********* *********. ******* for ***** *********** ****** should ** *********.

*****, **** *******, ******* may ** ********. ***** especially ********* ***** ************* issues ****** ******* ***** camera/recorder/VMS ************* ** *** their *************** *** ******** updates ** ***.

MAC ******* *********

*** ******* ********* ****** only * ******** **** of ******* ** ******* to *** ******. ***** devices ******* **** *** switch *** *******, **** if *** **** ********** was **** ** * valid ******. *** ********* is ******** **** ***** managed ********.

** ************ ********, *** filtering ** ********* **** to **********. **** *** cameras, *******, *** ******* are *********, ** ** enabled, *** ********* *******' MACs ***** ** *** whitelist. ***** ***** ******* in * ************ ******* are ****** ******* ***, little ***** *********** ** required. ** ***** ******** where ******* *** ********** be ***** ** *******, administrators *** **** ********* more ********** ** **********.

**** ***** ***** *** filtering ******* ** * typical ******* ****** *********:

IPVM Image

*** ********** ********** *** ***** Surveillance ******** **** ********** *** a ***** ******** ** MAC *********.

***.**

***.** ******** ******* ****** to ******* ** *** network ** **** ****** credentials ** ** ******* on. **** ****** ****** devices ** ********* **** just ******* ** * network.

***** ***.**, * "**********" (client **** * ******, PC, ***.) ******** ** connect ** ******* *** a ****** ** *** (called *** "*************"). *** authenticator **** ****** *** credentials ** *** ********** with * ******, **** the ************** ****** (********* using * ******** ************, *** ****** ** denies ****** ***********.

***** ***.** ******** ****** security, ******* ** * network ** ******* ** can ** ********** *** involved. *** **** **** connected ******* (*******, ****, client ***, ****, ***.) support ***.** ***********, *** switches ****, ** ****. Each ** ***** ******* must ** ************ ********** for ***.**, ****** ********** configuration **** ** *** install.

******* ** ***** *******, which ******** **** *** administration ********, ***.** ** rarely **** ** *** but *** **** ******* enterprise ************ ********, **** users ****** *** ******* security ******** *******.

Locking *****

******* ***** ** ******** that ********** ******** ********** or ********* **** ******* cabling ** ************ ******* are **** ***** *** cable *****. ***** ******* mechanically **** * ***** into * ******, ***** panel, ** **** ****, or **** ****** ****** ports, *** *** **** be ******* **** * proprietary ****.

IPVM Image

***** ***** ***** ** locks *** ********* ** stopping ****** *********, **** are *** ********** ** indestructible, *** * ********** intruder *** ****** ** able ** ***** **** out ** *** **** loose ***** ****** ****. As ****, ******* ***** should ** ********** **** of * **** ******* security *******, *** *** the **** *******.

*** * ****** ****, read ********** **** ******* *****************.

Door ***** *** ******** ******

*******, **** ********* **** for *********** ****** ** the **** ********** ***** of * *******, *** rooms, *******, ** ***** where ************ ******* *** switches *** ********* *******. By ******** *** ********* availability ** ***** *****, many ***** **** ********** or **** *********** ******* can ** *******. ** doors ****** ** *******, individual **** ***** ** switch ********** ****** **. Most ****** ** ********* includes ******** ********* ** standard *******:

IPVM Image

** * ******, **** facilities ****** ********** ****** control ** ****** ** network ********* *****. *******, even ***-****** ********** **** and ***** *** ** a ***** *** ** protecting ********* ***** **** properly *******.

Managing ************* *** ***** ************ *******

***** *** *** ***** below *** ******* ******** on ***** ***, **** are **** ********* **** documented ** **** ** a ******* (*** ********) security ******.

** ************, **** ****** is ** ** *** individual *******, *** ********* it ***** **** *** of *** ******:

  • *** ****:**** *** ************ ******* is **** ** * larger *********/********** *** (******* sharing ******** ** *********), end ***** **** ****** control *** ******** ****** for *** ******* *******, and *** ***** ***** requirements **** *********** (*** better ** *****).
  • **********:** ** *** **** does *** **** * security ****** ** *****, the ********** ********** *** choose ** ****** *** as **** ** ***** documentation, ********* ** ** be ******** ** ***** for *** ******** ** be ******** *** ***** liability ** **** ** a ******.

Test **** *********

**** ****** ******** *******.

[****: **** ***** *** originally ********* ** **** but ************* ******* ** 2018 **** ********** ******* exploit/vulnerability ***********, ********* ******, image ********, *** ****]

Comments (14)

Excellent overview. Thank you.

Vivotek Security Hardening guide is listed twice, once under the Hanwha hyper link and also under the Vivotek Security Hardening guide. Great subject matter however thank you for the information.

U2 - Thank you, this has been updated.

(Milestone employee posting)

The current Milestone link looks like it's from 2016.

Milestone does update their Hardening Guide for each one of their three releases per year - search for "hardening guide" at their Content Portal at https://content.milestonesys.com

bit.ly link for current one: https://bit.ly/2Li7BXq

This is why I pay money to IPVM. Very well done. Do you think there will ever be a Cybersecurity for Access Control Guide? We're actually working a lot of these things into our security specifications.

 

Hello Brian:

We are not opposed to doing an access guide at all, but releasing one is not imminent.

However, the good news is that many of the recommendations here apply to IP access as well.  Disabling unused switch ports, turning off Telnet/ SSH/ FTP, using VLANs, and using strong (non-default!) passwords is good practice for access too.

Excellent, thanks!

I am surprised to see UPnP and Bonjour comes on by default even on non-consumer cameras.  

Wow..mind blown..

A lot of useful information, great job putting this together, guys. 

In hardening a new network what is your priority of work?

FYI:

The "Dahua Best Practices" link returns a 404 error, "Page Not Found" message. Go To Homepage>Support>Cybersecurity will get one to the desired destination. I do highly recommend those who want a decent chuckle to click the link above in this article as Dahua's typed message above the search box should do the trick. Enjoy!

Thanks for the heads up U5. I have updated the report their new link.

i like the idea of locking network plugs, how might i go about finding them?

Read this IPVM report for free.

This article is part of IPVM's 6,803 reports, 913 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports