Managed Video as a Service

The place to learn about and discuss Managed Video as a Service

If you have a network (and who doesn’t these days?), IP cameras sure are a lot easier to access than analog cameras. But this ease of access also makes it easier for unauthorized users to access IP cameras. Imagine if someone in the back alley could stream video of your back office using your wireless network.

Most IP cameras I’ve worked with lack a number of enterprise-grade security features. They need to implement SSL for encryption, and they need to integrate into a central authentication system such as RADIUS or LDAP. However, even without those technologies, there are a couple of basic things one can do to secure one's cameras.

The first thing to do is to change the factory default passwords.  The latest firmware revisions for some cameras force one to configure a password the first time a camera is accessed after being powered up.  That’s good.

The next level of security that might be worthwhile is to configure a VLAN just for the video surveillance network. Done correctly, this will help mitigate several risks when IP cameras don’t have good security features built in. This will add administrative overhead and possibly additional equipment costs, but the overhead is not as high as for some of the steps that follow.

Two additional key elements of security that are often missed are to:

- Perform logging on your network by having all devices log important events, then scanning and alerting on these events (especially logins, configuration changes, etc.)

- Regularly audit your network infrastructure to make sure it’s configured correctly

Both of the above tasks can be large undertakings given the large number of IP networkable devices in an IP video network.
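A sketch of the scanning-and-alerting step, combined with the dedicated VLAN described earlier. This is an added example, not code from the original post; the log format, the camera names, the `10.20.30.0/24` VLAN subnet and the threshold are all assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the dedicated surveillance VLAN uses this subnet.
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")
FAILED_LOGIN_THRESHOLD = 3  # failures per (camera, source) before alerting
# Assumed log format: "<timestamp> <camera> <event> key=value ..."
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL|CONFIG_CHANGE) (.*)$")

# Constructed sample input, not taken from any real device.
SAMPLE_LOG = """\
2008-12-26T09:00:01 cam-lobby LOGIN_OK user=nvr src=10.20.30.5
2008-12-26T09:14:10 cam-dock LOGIN_FAIL user=admin src=192.168.1.77
2008-12-26T09:14:12 cam-dock LOGIN_FAIL user=admin src=192.168.1.77
2008-12-26T09:14:15 cam-dock LOGIN_FAIL user=root src=192.168.1.77
2008-12-26T09:15:02 cam-dock LOGIN_OK user=admin src=192.168.1.77
2008-12-26T09:15:40 cam-dock CONFIG_CHANGE user=admin src=192.168.1.77 setting=rtsp_auth
this line is malformed and is skipped
"""

def scan(log_text):
    """Return (timestamp, camera, alert_kind, detail) tuples for events worth a look."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are ignored here; count them in production
        ts, camera, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        src = fields.get("src", "")
        try:
            inside = ipaddress.ip_address(src) in CAMERA_VLAN
        except ValueError:
            inside = False  # a missing or bad source address is treated as outside
        if event == "LOGIN_FAIL":
            failures[(camera, src)] += 1
            if failures[(camera, src)] == FAILED_LOGIN_THRESHOLD:  # alert once
                alerts.append((ts, camera, "repeated-login-failure", src))
        elif event == "LOGIN_OK" and not inside:
            alerts.append((ts, camera, "login-from-outside-vlan", src))
        elif event == "CONFIG_CHANGE":
            alerts.append((ts, camera, "config-change", fields.get("user", "?")))
    return alerts

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```
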

Additional layers of security are possible, but they carry significant overhead. MAC-based access control takes you even further. 802.1X technology offers a strong way to control who can plug into your network. 802.1X offers perhaps the strongest layer of security for getting access to a network, but it is also difficult to manage and operate, so difficult that it has not seen much deployment in networks. There are some companies, like Cloudpath Networks, that offer management tools for wireless networks. Few cameras support this (Axis with firmware v4.4+ does, however).


2 Responses To This Post

John Honovich said, December 26th, 2008 at 10:03 pm

Hi Darren, Great post. As you are surveying and testing IP cameras for Envysion to support, do you see major differences between camera vendors? As in, do you think some vendors are significantly more secure than others? From a network/IT management perspective, would this be an important factor in deciding on cameras to recommend? Thanks, John

dloher said, December 29th, 2008 at 6:30 pm

Hi John,

There are certainly differences in vendors, in part due to the methods they implement for getting video. I can say that securing an IP camera network is not at all automatic and the "threat profile" of an IP video capture network is significantly larger than analog video capture. That being said, I'd like to re-iterate that there are still ways to make IP camera systems secure. It's a matter of how much security you need, how you're willing to restrict access and how much network expertise one has available to implement and maintain security.

I'll give a few examples: Some vendors for example only implement HTTP and TFTP protocols for transmitting video which do not implement encryption. TFTP doesn't even implement userid's and passwords. Other vendors support FTP, which adds userid's and passwords, but still no encryption. RTSP is probably the best protocol to use for transmitting video between an NVR and an IP Camera. But it too does not support encryption. RTSPS (modeled after HTTPS, the standard for web based encryption) is a defined standard, but I don't know of anyone who implements it. HTTPS (for JPEG image push) is available, but I don't know of any camera manufacturers who implement it for video transmission. (Axis implements HTTP to secure administrative communication in newer firmware versions, but not for video as far as I know)

Now, not everyone needs encryption between the NVR and IP Camera. By configuring VLAN's and port based access control, one can minimize the exposure due to unencrypted traffic. Like most IT security, how much security you need depends on your requirements.

Note, in order to be PCI DSS compliant, to protect cardholder (ie: credit card) information one MUST encrypt any data which includes information that reveals credit card data and the card holder. I interpret this to mean if one can read a credit card number in a video stream, that video stream now contains cardholder data and needs to be encrypted and protected. While generally not an issue with analog cameras, this could become an issue with megapixel cameras.

Envysion pretty much automates security up to an "enterprise level". We can do that because we know all the ins and outs of our IP enabled DVR (EnVR) and have comprehensive protection for the EnVR. It's easier to secure 400 IP DVR's with 8 analog cameras each than it is to secure 400 IP DVR's and 3200 IP cameras. Reducing the number of NVR's doesn't help much. It's all those IP cameras that become difficult to secure and monitor for security. The "threat profile" is so much larger with IP cameras that if one has significant security requirements, one has to work pretty hard to meet them.
