Remote Access (DDNS vs P2P vs VPN) Usage Statistics 2017

By John Honovich, Published Mar 30, 2017, 08:52am EDT

Cyber security concerns are escalating, even in the video surveillance industry which has historically lagged in its attention here.

A key element of cyber security is what remote access technologies is used. In particular, DDNS has come into particular attention given Hikvision's discontinuing of its insecure DDNS service and Dahua's backdoor discovery, as DDNS exposing devices to the public Internet increases risk to cyber attacks.

160 integrators told IPVM what remote access technologies they most commonly used and the big three were VPNs, DDNS and P2P. Inside this note, we break down the statistics and share detailed commentary from integrators.

Key ********

***** *** *** *** most ******** ***** ****** access ********** **** (**** ~50% ** *********), **** was ***** *******, ****** in ** ~**% ** the ***** ***** *****:

***

**** **** ********* *** their ********* ******** **** DDNS *** ******* ** larger ************:

  • "*** *** *** ************ prefer."
  • "***... **** ****** *** reliable"
  • "***, **** ******... *** more ******."
  • "*** ******* - **** has **** **** ******. We've *** ********** ***** DDNS."
  • "*** - ******** *** ability ** ****** ***** resources ** *** *******."
  • "***. ***** *** ******** control ** *** ****** on ***** *** ** they ***** *** ** connect *** ****** ** our *******. *** ****** also *** * ******** ON/OFF ***** **** ****** the ******** ** ********** disable *** ******."
  • "********* ** *** ** access *** ***, ** this ** * **** that **** ******* *** for ***** *******. ** are ****** ********* ** existing **************."
  • "** ******* ******** ***** VPNs ********* *** *** Networks ********. **** *** easy ** *** **, and ***** ****** ****** management ***** *** **** cost *** *** ******** well ***** ** (**** service **** ****** *** VPN)."
  • "** **** **** *** for ********* *** ***'* have ******* **** ******* VPN. ******** *** ****."
  • "***. **** ****** ****** and **** ****** *** remote ****** ** ***** work *********. **** ********* who **** ** **** cameras ******** **** ********** having ****** ****** ** work *********, ** **** justifies *** ******** ****** expense *** ********** ** a *** ******."
  • "*** ** ******** (************ Tosibox, *******). ******, **** solution."
  • "*** ** ******. *** customer *** ******** *** end *** *******. ***** liability *** ** **."
  • "***. **** ** ** customers *** ****** ***** business **** ***** **** may *** **** ********* IT *****, **** *** at ***** ******** ** staff."
  • "*** **** ****** *** customer ** ******* *** aware ** *** ***** otherwise. ******** ****** *** not ***** *** **** app."

****

** ********, **** **** widely ****** ******* **** were **** ** *** and *** *** ******* much ***** ** ******* client **** ********:

  • "**** - ******* *** faster *** ** *******."
  • "**** - ******* ** configure."
  • "**-** **** **** **** forwarding."
  • "****, ******* ** ** the ******* ****** *** totally *********** ** *** user. **** ** ********** software ** ******** ** added *****."
  • "****. ** *** *** No-IP *** ******* ** as * ***** *** for *** *********. ** also *** *** ****** name ** ***** **** they *** ** ***** is * ***** *** noticeable ******** **** ** are *** **** *** know ***** ******."
  • "****. ****** ** ** a ********** ******** ** regulated ******** (*******, **********, utilities, ***.) **** ****** consumers ****** ****** ** work ** ** *** or *******. *** ** sort ** **** ** this *****."
  • "**** ** ****** **. I ***** *** *** built ** **** ** any ** *** ***** "Easy" ***** ** *******. I **** ** ******* who ** **** ** see ****** ** *** network."
  • "******* *** *******. * usually *** *** ** mine *** ****** *** customer."
  • "****, ******* * **** trust ** ******* ***** servers. * ***** **** can ****** ** ***** devices. * ****** ******** for ***** *** ***** in * ******* ***** with ******* ******."
  • "****, ******* **** ****** are **** ****** & can ***** ******* ****** access."
  • "**** ******* *** *** easiest *** ******** ***."
  • "********* ** *** *********** ports *** **** **** through *** ********."
  • "**** - **** ** our ********* **** ** contract ** (** **** even **** ** *******) and **** ************* *** not ******** ********."

Mix - *** *** ****

* ****** ********** ******** was **** **** **** a ******* ** **** for ****** ********* *** DDNS *** ******* *********:

  • "****** **** *** ***. We *** **** *** small ****** *** *** for ****** *******. *** we ***'* ***** **."
  • "*** ** ********. **** if ****** ******** *** option."
  • "*** ***** ********* ********* schools, ********, ***., ** insist **** **** *** their ******** *** **************, or ** *** *** up *** ****. *** smaller *************, *****, ** will ******* *****. *'** suggested **** ** **** a ****** **** ********* sign ** **** *********, but **** ***** ****'* happened. *** **** *****."
  • "** ****** ******* ** the ******** *** ****** use. ** ** ** a *********** *********** ******* it *** **** ****. Commercial ** ********* ******** by *** ** **********. I ***** *** * VPN ** *** ****** setup *** **********."
  • "**** *** ***...**** ** our ************ *** ** secure ******** ******** *** they **** * ****** need *** ******** ** their ******** *** **** are *** ****** ** our **********...** *** **** for ****** ****** ***** of **** *** ***** commercial *******..."
  • "**** ********* *** ********* over ***. ********* ********** more ******. ***** ********* only **** ****** ** a ****** ***, *** at * ****, *** DDNS ** **** *** supports ***** ********-********* *********."
  • "****** **** ***** ** has **** ***, *** usually **** ** *** customer's ** *****. *** smaller *********, ****** *********** using **** ********** *** worked ****."

***

*** *** * *** third ******, **** **** ~10% ** *********** ****** it:

  • "*** ** **** **** a ****** ****** ** address."
  • "***. * ** ***** business"
  • "* *** *** ******** in *** ***** *************. It ** ** ****** that * *** ** it **** *** ***** with *** ********."
  • "******* ******* ** *** P2P *** **** ** access *** ******* ** involvement."
  • "**** ** *** ********* are *********** ** ***, as **** **** ** the **** * *** up ****** ****** *** P2P"

*******, *** *** ** growing **

  • "**** ********* ** ***"
  • "**** ************, *** ************* towards *** ** *** providers **** ********* ***********."
  • "*** *** ******** ** releasing * *** *** their *** ** *** next ******* **** **** not ******* **** ********** and ***** **** ****, we **** ******* ****** it. ** **** **** be *** ****** *** us."

******* ** ********* *** allowing *** **** **** on ***** ******* *** their ******* ***** ** remove ******* **** ***** DDNS, **** **** **** push *********** ** ***, which ********* ** *** advocating (*** ******* / Ezviz). ************, ** ****** Dahua ** ********* ******** P2P ** **** *** to ******* **** *** backdoor.

** *** ***** ****, P2P ******** ***** *** the ******** ** *** P2P ********, ***** **** be * ******** *** all *** ********* *** especially ** *** ***** and ********* ***** ***** track ******.

Cloud / ******

** *** *********, **** cited ***** / ****** video. ***** ********* ** some ***** / ****** video ***** **** *** it ******* ******* * niche *********** (*.*., **** use ** **** / residential **** ****, *****.***, etc.) *** *** ***** quite ******** ** *** commercial / ********** ******.

Comments (12)

Avatar

John Bazyk

Command Corporation
IPVMU Certified | 03/30/17 01:20pm

Of 161 responses, none cited cloud / hosted video. There certainly is some cloud / hosted video being used but it clearly remains a niche application (e.g., some use in home / residential with Nest, Alarm.com, etc.) but not still quite uncommon in the commercial / enterprise market.

What I see the cloud being used for the most in the near future is for remote connections rather than storing video. You connect to the cloud, the cloud connects you to your system (P2P). The cloud should create a secure VPN from your device to your system. No port forwarding and no VPN appliance on-site. While small systems might store video in the cloud, I think we're still pretty far from being able to do that reliably. Some cities that have Google Fiber could probably do it. However, the rest of the world is stuck on minimal bandwidth.

John Honovich

IPVM | In reply to John Bazyk | 03/30/17 01:22pm

Agreed. That's why we differentiated 'P2P' from 'Cloud'. While 'P2P uses the 'cloud', its an add on rather than the main function of the system (by contrast, Eagle Eye cloud managed video or Nest cloud hosted video).

Avatar

Carter Maslan

Camio | In reply to John Bazyk | 03/30/17 02:51pm

FD I'm CEO of Camio. This hybrid approach came from the same observation that you describe @John Bazyk. We noticed that 91% of user sessions were happy with search result thumbnail summaries without even playing the video:

91% happy with search results alone

So rather than continuously streaming to cloud storage, the best-of-both-worlds combo is locally stored hi-res video and cloud-indexed metadata. And per your point, rather than relying on VPN, DDNS, or P2P, the cloud can orchestrate the connections via SSL.

Avatar

Sean Nelson

Nelly's Security
03/30/17 01:28pm

I think P2P is fantastic. We just need full control of all the settings just as if we did port forwarding. As of right now, its somewhat limited as to what you can control through P2P.

The advantages of P2P are:
- incredibly easy to setup, most end users can do it on their own. Can all be done from a cell phone.
- No need to worry about dynamic IP addresses changing, so no need for DDNS
- If your router resets or if you change your router, you dont have to worry about re-configuring the clients router again. (Less Call Backs)

Disadvantages:
- Security Concerns
- Less Control over Unit settings as compared to traditional port forwarding
- Performance is based on cloud server. I will say that performance was slow when P2P first arrived, but lately, i see no issues at all.

Most users only care about live view and simple playback when it comes to remote viewing, for this reason, we have switched to primarily using P2P on tech support calls, which results in less call backs and issues.

John Honovich

IPVM | In reply to Sean Nelson | 03/30/17 01:36pm

Sean, good comparison.

On security concerns, it can be segmented into 2 fundamental categories:

(1) The security of the P2P from external threats. These P2P infrastructure will become very appealing targets for hackers since they will eventually have hundred of thousands or millions of devices connected to them.

(2) The security of the P2P from internal misuse. These P2Ps enable the provider to have direct access inside of customer's networks (both in terms of video and as well network connectivity to other local computers / devices). The provider will need to be trusted not to take advantage of this.

Avatar

Sean Nelson

Nelly's Security
In reply to Sean Nelson | 03/30/17 01:49pm

Another thing, and this speaks in regards to Hikvision specifically, is the web interface of the P2P site needs to be more professional looking. Right now it looks more like a "fun happy" site than a professional security platform. Go to ezvizlife or guardingvision.com and it looks like a website made by a really cheap CCTV manufacturer. It lacks the professional looking user interface that the rest of the HIkvision software interfaces have. Hoping they get this resolved as P2P becomes more widely used.

Marty Calhoun

IPVMU Certified | In reply to Sean Nelson | 03/31/17 10:03am
Sean- Take a look at the Hik-Central Platform, I know this is unlike Ezviz but they have greatly improved the professional appearance from iVMS-4200 as well
Avatar

Sean Nelson

Nelly's Security
In reply to Marty Calhoun | 04/03/17 03:44pm

Marty -  Just downloaded the App. Agree, better looking than ezviz app, but I still prefer the ivms4500 cell phone app.

My complaint was on the cheezy ezviz web interface. Is their a web interface for hik-central?

Undisclosed Integrator #1

03/30/17 02:57pm

Maybe I'm missing something, but VPN and DDNS aren't really interchangeable. Some sites can use VPN as they would probably have a fixed IP endpoint (hence no need for Dynamic DNS) and required VPN ports already forwarded (443/500/1723 etc).

All DDNS does is update an internet name (e.g. Client001.thruhere.net) with an IP address that changes intermittently. Even with VPN, you still need a fixed endpoint, whether IP or DNS name, to connect to. If you don't have that fixed IP, then you need DDNS, whether or not you use VPN.

The benefit of VPN is that it gives tighter control over users using things like RADIUS authentication and it gives the user access to any number of devices on the secured network. To do this with DDNS (assuming a single public IP) you need many port forwards which increases your attack surface area. You're also relying on the devices resistance to attack (brute force or otherwise) which can vary greatly.

Avatar

Carter Maslan

Camio | In reply to Undisclosed Integrator #1 | 03/30/17 03:08pm

@#1 there's really interesting research published about Google's elimination of VPNs at BeyondCorp and described in their no-vpn-security approach. That commitment to eliminate VPNs is a pillar of Google's security.

Undisclosed Integrator #1

In reply to Carter Maslan | 03/30/17 03:50pm

Interesting indeed. And it makes sense as typically VPNs give access to any device on that LAN segment. It sounds like Google are creating a trusted link from the client device to the hosting device so sounds much more secure.

Avatar

Michael Archer

06/19/17 06:07am

Perhaps all those VPN users like to be sure they are up to date with versions.

Open VPN is what's uses in DD-WRT routers, as it's open source.

https://www.exploit-db.com/exploits/41993/

Naturally vendor specific VPNs may not be effected.

Better safe than sorry.

Read this IPVM report for free.

This article is part of IPVM's 6,727 reports, 907 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports