Remote Access (DDNS vs P2P vs VPN) Usage Statistics 2017

JH
John Honovich
Published Mar 30, 2017 12:52 PM

Cyber security concerns are escalating, even in the video surveillance industry which has historically lagged in its attention here.

A key element of cyber security is what remote access technologies is used. In particular, DDNS has come into particular attention given Hikvision's discontinuing of its insecure DDNS service and Dahua's backdoor discovery, as DDNS exposing devices to the public Internet increases risk to cyber attacks.

160 integrators told IPVM what remote access technologies they most commonly used and the big three were VPNs, DDNS and P2P. Inside this note, we break down the statistics and share detailed commentary from integrators.

Key ********

***** *** *** *** **** ******** cited ****** ****** ********** **** (**** ~50% ** *********), **** *** ***** closing, ****** ** ** ~**% ** the ***** ***** *****:

***

**** **** ********* *** ***** ********* security **** **** *** ******* ** larger ************:

  • "*** *** *** ************ ******."
  • "***... **** ****** *** ********"
  • "***, **** ******... *** **** ******."
  • "*** ******* - **** *** **** more ******. **'** *** ********** ***** DDNS."
  • "*** - ******** *** ******* ** access ***** ********* ** *** *******."
  • "***. ***** *** ******** ******* ** the ****** ** ***** *** ** they ***** *** ** ******* *** device ** *** *******. *** ****** also *** * ******** **/*** ***** that ****** *** ******** ** ********** disable *** ******."
  • "********* ** *** ** ****** *** VPN, ** **** ** * **** that **** ******* *** *** ***** systems. ** *** ****** ********* ** existing **************."
  • "** ******* ******** ***** **** ********* the *** ******** ********. **** *** easy ** *** **, *** ***** active ****** ********** ***** *** **** cost *** *** ******** **** ***** it (**** ******* **** ****** *** VPN)."
  • "** **** **** *** *** ********* who ***'* **** ******* **** ******* VPN. ******** *** ****."
  • "***. **** ****** ****** *** **** allows *** ****** ****** ** ***** work *********. **** ********* *** **** to **** ******* ******** **** ********** having ****** ****** ** **** *********, so **** ********* *** ******** ****** expense *** ********** ** * *** router."
  • "*** ** ******** (************ *******, *******). Simple, **** ********."
  • "*** ** ******. *** ******** *** initiate *** *** *** *******. ***** liability *** ** **."
  • "***. **** ** ** ********* *** medium ***** ******** **** ***** **** may *** **** ********* ** *****, they *** ** ***** ******** ** staff."
  • "*** **** ****** *** ******** ** adamant *** ***** ** *** ***** otherwise. ******** ****** *** *** ***** the **** ***."

****

** ********, **** **** ****** ****** because **** **** **** ** *** and *** *** ******* **** ***** or ******* ****** **** ********:

  • "**** - ******* *** ****** *** to *******."
  • "**** - ******* ** *********."
  • "**-** **** **** **** **********."
  • "****, ******* ** ** *** ******* method *** ******* *********** ** *** user. **** ** ********** ******** ** required ** ***** *****."
  • "****. ** *** *** **-** *** include ** ** * ***** *** for *** *********. ** **** *** our ****** **** ** ***** **** they *** ** ***** ** * small *** ********** ******** **** ** are *** **** *** **** ***** system."
  • "****. ****** ** ** * ********** customer ** ********* ******** (*******, **********, utilities, ***.) **** ****** ********* ****** things ** **** ** ** *** or *******. *** ** **** ** dead ** **** *****."
  • "**** ** ****** **. * ***** use *** ***** ** **** ** any ** *** ***** "****" ***** in *******. * **** ** ******* who ** **** ** *** ****** of *** *******."
  • "******* *** *******. * ******* *** one ** **** *** ****** *** customer."
  • "****, ******* * **** ***** ** Chinese ***** *******. * ***** **** can ****** ** ***** *******. * worked ******** *** ***** *** ***** in * ******* ***** **** ******* people."
  • "****, ******* **** ****** *** **** naming & *** ***** ******* ****** access."
  • "**** ******* *** *** ******* *** cheapest ***."
  • "********* ** *** *********** ***** *** port **** ******* *** ********."
  • "**** - **** ** *** ********* rely ** ******** ** (** **** even **** ** *******) *** **** installations *** *** ******** ********."

Mix - *** *** ****

* ****** ********** ******** *** **** they **** * ******* ** **** for ****** ********* *** **** *** smaller *********:

  • "****** **** *** ***. ** *** DDNS *** ***** ****** *** *** for ****** *******. *** ** ***'* trust **."
  • "*** ** ********. **** ** ****** declines *** ******."
  • "*** ***** ********* ********* *******, ********, etc., ** ****** **** **** *** their ******** *** **************, ** ** set *** ** *** ****. *** smaller *************, *****, ** **** ******* ports. *'** ********* **** ** **** a ****** **** ********* **** ** such *********, *** **** ***** ****'* happened. *** **** *****."
  • "** ****** ******* ** *** ******** and ****** ***. ** ** ** a *********** *********** ******* ** *** been ****. ********** ** ********* ******** by *** ** **********. * ***** say * *** ** *** ****** setup *** **********."
  • "**** *** ***...**** ** *** ************ are ** ****** ******** ******** *** they **** * ****** **** *** security ** ***** ******** *** **** are *** ****** ** *** **********...** use **** *** ****** ****** ***** of **** *** ***** ********** *******..."
  • "**** ********* *** ********* **** ***. Typically ********** **** ******. ***** ********* only **** ****** ** * ****** NVR, *** ** * ****, *** DDNS ** **** *** ******** ***** internet-connected *********."
  • "****** **** ***** ** *** **** VPN, *** ******* **** ** *** customer's ** *****. *** ******* *********, direct *********** ***** **** ********** *** worked ****."

***

*** *** * *** ***** ******, with **** ~**% ** *********** ****** it:

  • "*** ** **** **** * ****** public ** *******."
  • "***. * ** ***** ********"
  • "* *** *** ******** ** *** Dahua *************. ** ** ** ****** that * *** ** ** **** the ***** **** *** ********."
  • "******* ******* ** *** *** *** ease ** ****** *** ******* ** involvement."
  • "**** ** *** ********* *** *********** or ***, ** **** **** ** the **** * *** ** ****** access *** ***"

*******, *** *** ** ******* **

  • "**** ********* ** ***"
  • "**** ************, *** ************* ******* *** as *** ********* **** ********* ***********."
  • "*** *** ******** ** ********* * P2P *** ***** *** ** *** next ******* **** **** *** ******* port ********** *** ***** **** ****, we **** ******* ****** **. ** that **** ** *** ****** *** us."

******* ** ********* *** ******** *** more **** ** ***** ******* *** their ******* ***** ** ****** ******* from ***** ****, **** **** **** push *********** ** ***, ***** ********* is *** ********** (*** ******* / Ezviz). ************, ** ****** ***** ** similarly ******** *** ** **** *** to ******* **** *** ********.

** *** ***** ****, *** ******** trust *** *** ******** ** *** P2P ********, ***** **** ** * question *** *** *** ********* *** especially ** *** ***** *** ********* given ***** ***** ******.

Cloud / ******

** *** *********, **** ***** ***** / ****** *****. ***** ********* ** some ***** / ****** ***** ***** used *** ** ******* ******* * niche *********** (*.*., **** *** ** home / *********** **** ****, *****.***, etc.) *** *** ***** ***** ******** in *** ********** / ********** ******.

Comments (12)
Avatar
John Bazyk
Mar 30, 2017
Command Corporation • IPVMU Certified

Of 161 responses, none cited cloud / hosted video. There certainly is some cloud / hosted video being used but it clearly remains a niche application (e.g., some use in home / residential with Nest, Alarm.com, etc.) but not still quite uncommon in the commercial / enterprise market.

What I see the cloud being used for the most in the near future is for remote connections rather than storing video. You connect to the cloud, the cloud connects you to your system (P2P). The cloud should create a secure VPN from your device to your system. No port forwarding and no VPN appliance on-site. While small systems might store video in the cloud, I think we're still pretty far from being able to do that reliably. Some cities that have Google Fiber could probably do it. However, the rest of the world is stuck on minimal bandwidth.

(4)
JH
John Honovich
Mar 30, 2017
IPVM
In reply to John Bazyk

Agreed. That's why we differentiated 'P2P' from 'Cloud'. While 'P2P uses the 'cloud', its an add on rather than the main function of the system (by contrast, Eagle Eye cloud managed video or Nest cloud hosted video).

(1)
Avatar
Carter Maslan
Mar 30, 2017
Camio
In reply to John Bazyk

FD I'm CEO of Camio. This hybrid approach came from the same observation that you describe @John Bazyk. We noticed that 91% of user sessions were happy with search result thumbnail summaries without even playing the video:

91% happy with search results alone

So rather than continuously streaming to cloud storage, the best-of-both-worlds combo is locally stored hi-res video and cloud-indexed metadata. And per your point, rather than relying on VPN, DDNS, or P2P, the cloud can orchestrate the connections via SSL.

(1)
Avatar
Sean Nelson
Mar 30, 2017
Nelly's Security

I think P2P is fantastic. We just need full control of all the settings just as if we did port forwarding. As of right now, its somewhat limited as to what you can control through P2P.

The advantages of P2P are:
- incredibly easy to setup, most end users can do it on their own. Can all be done from a cell phone.
- No need to worry about dynamic IP addresses changing, so no need for DDNS
- If your router resets or if you change your router, you dont have to worry about re-configuring the clients router again. (Less Call Backs)

Disadvantages:
- Security Concerns
- Less Control over Unit settings as compared to traditional port forwarding
- Performance is based on cloud server. I will say that performance was slow when P2P first arrived, but lately, i see no issues at all.

Most users only care about live view and simple playback when it comes to remote viewing, for this reason, we have switched to primarily using P2P on tech support calls, which results in less call backs and issues.

(2)
JH
John Honovich
Mar 30, 2017
IPVM
In reply to Sean Nelson

Sean, good comparison.

On security concerns, it can be segmented into 2 fundamental categories:

(1) The security of the P2P from external threats. These P2P infrastructure will become very appealing targets for hackers since they will eventually have hundred of thousands or millions of devices connected to them.

(2) The security of the P2P from internal misuse. These P2Ps enable the provider to have direct access inside of customer's networks (both in terms of video and as well network connectivity to other local computers / devices). The provider will need to be trusted not to take advantage of this.

(1)
Avatar
Sean Nelson
Mar 30, 2017
Nelly's Security
In reply to Sean Nelson

Another thing, and this speaks in regards to Hikvision specifically, is the web interface of the P2P site needs to be more professional looking. Right now it looks more like a "fun happy" site than a professional security platform. Go to ezvizlife or guardingvision.com and it looks like a website made by a really cheap CCTV manufacturer. It lacks the professional looking user interface that the rest of the HIkvision software interfaces have. Hoping they get this resolved as P2P becomes more widely used.

(1)
MC
Marty Calhoun
Mar 31, 2017
IPVMU Certified
In reply to Sean Nelson
Sean- Take a look at the Hik-Central Platform, I know this is unlike Ezviz but they have greatly improved the professional appearance from iVMS-4200 as well
Avatar
Sean Nelson
Apr 03, 2017
Nelly's Security
In reply to Marty Calhoun

Marty -  Just downloaded the App. Agree, better looking than ezviz app, but I still prefer the ivms4500 cell phone app.

My complaint was on the cheezy ezviz web interface. Is their a web interface for hik-central?

UI
Undisclosed Integrator #1
Mar 30, 2017

Maybe I'm missing something, but VPN and DDNS aren't really interchangeable. Some sites can use VPN as they would probably have a fixed IP endpoint (hence no need for Dynamic DNS) and required VPN ports already forwarded (443/500/1723 etc).

All DDNS does is update an internet name (e.g. Client001.thruhere.net) with an IP address that changes intermittently. Even with VPN, you still need a fixed endpoint, whether IP or DNS name, to connect to. If you don't have that fixed IP, then you need DDNS, whether or not you use VPN.

The benefit of VPN is that it gives tighter control over users using things like RADIUS authentication and it gives the user access to any number of devices on the secured network. To do this with DDNS (assuming a single public IP) you need many port forwards which increases your attack surface area. You're also relying on the devices resistance to attack (brute force or otherwise) which can vary greatly.

(2)
(1)
Avatar
Carter Maslan
Mar 30, 2017
Camio
In reply to Undisclosed Integrator #1

@#1 there's really interesting research published about Google's elimination of VPNs at BeyondCorp and described in their no-vpn-security approach. That commitment to eliminate VPNs is a pillar of Google's security.

(6)
UI
Undisclosed Integrator #1
Mar 30, 2017
In reply to Carter Maslan

Interesting indeed. And it makes sense as typically VPNs give access to any device on that LAN segment. It sounds like Google are creating a trusted link from the client device to the hosting device so sounds much more secure.

Avatar
Michael Archer
Jun 19, 2017

Perhaps all those VPN users like to be sure they are up to date with versions.

Open VPN is what's uses in DD-WRT routers, as it's open source.

https://www.exploit-db.com/exploits/41993/

Naturally vendor specific VPNs may not be effected.

Better safe than sorry.