VPNs for Video Surveillance Guide

By: IPVM Team, Published on Feb 07, 2017

Remote access in surveillance networks is a key cyber security and usability issue. With cyber attacks rising, how can users ensure their systems are secure without losing access from outside the network?

VPNs for Video Surveillance Guide

Virtual private networks (VPNs) have historically been used in complex / large systems to secure data but can also be used in smaller sites with relatively inexpensive. To better demonstrate this we purchased two Dell SonicWall SOHO routers and configured them to simulate a site to site VPN.

Inside, we look at VPN usage in video surveillance, including the following topics:

  • What is a VPN?
  • VPN protocols
  • VPN topologies
  • VPN price considerations
  • Benefits and drawbacks
  • Site to site VPN configuration
  • Remote access VPN configuration
  • Mobile device usage
  • Recommendations for VPN use

Virtual Private Networks

A VPN is a private network that creates a secure tunnel over the internet to connect two or more endpoints. These endpoints can be a VPN appliance, a workstation, or a mobile device. Encryption creates a secure connection from one endpoint to the other keeping data private, even while transmitted over the internet. For example, looking at a Wireshark trace of a secure tunnel, once the TLS connection is set up, only "Application Data" is shown, as packet contents are encrypted.

Wireshark Trace of Secure Tunnel

There are several VPN protocol options, which mainly vary in level of encryption and device compatibility. These include:

In this tutorial, our VPN setup used IKEv2 over IPSEC on SonicWALL devices.

VPN Topology

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

There are two commonly used VPN topologies, which have different use cases:

  • Site to site: A site to site VPN requires an appliance at both locations, which essentially routes the two remote networks together into a single virtual network. In security, this may be used to connect two facilities' camera LANs together so they may be managed and viewed as one, from either location.
  • Remote access: In a remote access VPN there is one VPN appliance (also known as a concentrator) and a workstation which connects via client software. This type of VPN may be used to connect remote users to a security network for viewing, or for configuration/troubleshooting tasks for integrators.

We discuss these topologies in more detail below.

VPN Pricing

VPNs are most often run on dedicated hardware, typically included on a router or firewall. Pricing for hardware VPN varies depending on capabilities (typically number of VPN tunnels) and throughput handling. Some may be found for <$100 USD online, while large capacity VPN concentrators sell for more than $10,000.

In addition to hardware VPN appliances, users may install software to turn a server/PC into a VPN concentrator. The most popular option for this is OpenVPN, which is priced at $15/year per client.

VPN Benefits/Drawbacks

There are three key benefits to VPNs:

  • Security: Because all traffic between VPN endpoints is encrypted and surveillance/security devices are not exposed directly to the internet, VPNs provide improved cyber security compared to port forwarding/DDNS. Note that cloud services such as Hik-Connect, Nest, etc., also encrypt this traffic.
  • Reliability: Because they use dedicated hardware, VPNs are typically more reliable than using cloud services or DDNS, which are outside of users' control.
  • Accountability: Unlike other remote access methods, VPNs keep full log information, allowing users to determine who access which device at a given time, etc., for better auditing.

However, there are two drawbacks which have kept VPNs from being more commonly used:

  • Cost: VPN hardware adds cost to a project, where manufacturer cloud services and port forwarding/UPnP are generally free. Dynamic DNS is most often not free, typically a few dollars per month to $100+/year.
  • Complexity: VPN setup requires IT expertise which many/most surveillance installers do not possess. Even among those in the IT field, many have never set up VPN policies.

Site to Site VPN Example

As an example of a site to site VPN, the diagram below illustrates a headquarters location with a VMS server and viewing station, along with a satellite office with multiple cameras and a viewing station. Using a site to site VPN, the entire security network functions as one.

Site to Site VPN

To better demonstrate this we purchased two SonicWall SOHO routers and configured them to simulate a site to site VPN.

Configuration Steps

In this section we outline the steps taken to configure our routers for site to site VPN use. The exact steps required by specific manufacturers vary, but basically VPN creation is a three step process:

Create VPN policy → Define networks → Select networks to connect

Create Policy

In this step, we select the type of VPN (site to site), protocol used, and give it a name and shared secret (similar to a password, used by both devices to connect).

Define VPN Policy

Define Local and Remote Networks

Next, we must define networks for both the local and remote site in order to create routing rules. There are two key notes in this step:

  1. This must be performed on both devices. In other words, in our example, we must define the satellite office network (192.168.2.x) on not only the HQ router, but the satellite as well. The same must be done for the HQ network (192.168.1.x) on both devices.
  2. These networks must not use the same subnet in order to route properly. This is why we used 192.168.1.x for the HQ and 192.168.2.x for satellite.

Note that counterintuitively, both these networks are assigned to the "LAN" zone in this example. Despite one logically being the "WAN", SonicWALL reserves that terminology for other uses, so both are LAN.

Select Networks To Connect

With them defined, we can now select the two networks to be connected via the VPN. On the HQ appliance, we select the HQ network defined above as "local", and choose "Satellite Office" as the destination network. On the Satellite Office appliance, we would do the reverse.

Select Networks to Connect

Enable Policy To Connect

Once we configure both VPN appliances with the above, we can enable the policy to connect the two sites. In the video below, we show that the sites are unable to communicate with each other until the VPN tunnel is established. When the VPN is active devices start responding to ping requests and the camera can be remotely viewed / administered.

Remote Access VPN

In many situations we do not require an entire site to connect to our network, and often our users connect from networks that we do not control. We can provide individual users with VPN access. The configuration starts the same as a point to point solution, create VPN policy. After that we walk through creating a VPN user, and configuring the client software.

Remote Access VPN

Define Policy

The configuration starts with creating a VPN policy on the appliance located at the site that requires access. This simply requires the connection type, a name, and shared secret. Note that this shared secret is similar to, but separate from, individual user passwords.

VPN Policy For Remote Access

Create Account(s)

After the policy is built on the VPN appliance, we create user accounts. These credentials are used on client devices when connecting to the VPN.

User Settings

Define Access

Finally, users are assigned one or more network which they may access via the VPN. These networks are defined above in the Define Local/Remote Networks section.

Assign LAN Access to Users

Accessing VPN Via Client

With the above user created, we may now use the software client to access the VPN, shown below:

Remote VPN Example: VMS Client to Server

The animation below demonstrates a common use case for remote VPN, connecting a client machine to remote server(s). In the example below, servers are unreachable when the VPN is disconnected, but come online once the connection is established, with live video loading in only a few seconds.

Remote VPN Example: Mobile Device to Server

Many/most VPNs may be used on mobile devices in addition to hardware/software clients. For example, the image below shows Exacq Mobile running on an iPhone, connected to a remote server via the SonicWALL Mobile Connect app. VPN status is indicated in the top bar, next to the mobile carrier status.

Exacq Mobile Client Via VPN over LTE

Conclusions

Given the increase in cyber attacks (both severity and frequency) along with the falling costs of VPN hardware, we expect VPN usage to become more common in 2017 and beyond, as it provides better security and accountability than other remote access methods. These issues are likely to only increase in importance as cyber security issues continue to increase.

8 reports cite this report:

Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Help Security End Users Facing Coronavirus Improve Remote Access on Mar 24, 2020
Many end-users and integrators are struggling with the impact of coronavirus...
Every VMS Will Become a VSaaS on Feb 21, 2020
VMS is ending. Soon every VMS will be a VSaaS. Competitive dynamics will be...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not...
IP Network Hardware for Surveillance Guide on May 02, 2018
Video surveillance systems depend on IP networking equipment. In this guide,...
Favorite Software For Remotely Supporting Video Surveillance Systems on Feb 07, 2018
Being able to remotely support video surveillance systems is important both...
Hacked Hikvision IP Camera Map USA And Europe on Jan 22, 2018
The interactive map below shows a sample of hacked and vulnerable Hikvision...
Comments (23) : Members only. Login. or Join.

Related Reports

Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Dedicated Vs Converged IP Video Networks Statistics 2020 on Sep 10, 2020
Running one's video system on a converged network with other devices can save...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Help Security End Users Facing Coronavirus Improve Remote Access on Mar 24, 2020
Many end-users and integrators are struggling with the impact of coronavirus...
Avigilon ACC Cloud Tested on Jul 08, 2020
Avigilon merged Blue and ACC, adding VSaaS features to its on-premise VMS,...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
The Future of H.266 For Video Surveillance Examined on Aug 17, 2020
First H.264, now H.265, is H.266 next? H.266 was recently announced amid...
FLIR A Series Temperature Screening Cameras Tested on Jun 04, 2020
FLIR is one of the biggest names in thermal and one of the most conservative....
Network Cable Usage Statistics 2020 (Cat 5e vs Cat 6 vs Cat 6a) on Sep 02, 2020
Integrators are split between using Cat 5e, 6, and 6a but 2 of them have...
Free Online NFPA, IBC, and ADA Codes and Standards 2020 on Sep 03, 2020
Finding applicable codes for security work can be a costly task, with printed...
VSaaS 101 on Mar 25, 2020
Video Surveillance as a Service (VSaaS) is the common industry term for cloud...
Milestone XProtect on AWS Tested on Sep 21, 2020
Milestone finally launched multiple cloud solutions in 2020, taking a...
Hikvision Fever Screening Thermal Solutions Examined on Apr 13, 2020
Hikvision is marketing "safer, faster, smarter" with their Fever Screening...
USA ICI Elevated Skin Temperature Detectors Examined on Apr 06, 2020
Infrared Cameras, Inc. (ICI) is aiming to help slow the spread of COVID-19...
Quantum Dots Potential for Surveillance Cameras Explained on Sep 08, 2020
Quantum dots are starting to be used in TVs for better images, but how will...

Recent Reports

Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Chilean Official Investigated for Motorola And Hikvision Contracts on Sep 17, 2020
A corruption investigation is underway in Chile after a crime prevention...
Huawei HiSilicon Production Shut Down on Sep 17, 2020
Huawei HiSilicon chips are no longer being manufactured or supplied to...
Virtual ISC West and GSX+ Exhibiting Contrasted on Sep 17, 2020
Both ISC West and ASIS GSX are going virtual this year, just weeks apart, but...
X.Labs Sues FLIR on Sep 16, 2020
X.Labs, the maker of Feevr, has sued FLIR, the publicly traded thermal...
Video Surveillance 101 September Course - Last Chance on Sep 16, 2020
Today is the last chance to sign up for the Fall Video Surveillance 101...
No Blackbody Mistake, Half Million Dollar, Hikvision Fever Camera System in Georgia on Sep 16, 2020
A Georgia school district touted buying Hikvision fever screening "about...
Costar Technologies / Arecont H1 2020 Financials Examined on Sep 16, 2020
Costar's financial results have been hit by the coronavirus with the company...
Startup Cawamo Presents Live Alerts With Edge AI and Cloud VMS on Sep 15, 2020
Cawamo, an Israeli edge-to-cloud analytics and VMS startup, presented its...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...
Dangerous Hikvision Fever Screening Marketing In Africa on Sep 15, 2020
A multi-national African Hikvision distributor is marketing dangerously...
New Products Show Fall 2020 Announced - Register Now on Sep 14, 2020
IPVM's sixth online show will feature New Products from over 25...
Hanwha 8K / 33MP Camera Tested on Sep 14, 2020
Hanwha Techwin has released an 8K / 33MP resolution camera, the TNB-9000 with...