http://managedvideoblog.com/2008/12/26/securing-ip-cameras/ The place to learn about and discuss Managed Video as a Service Fri, 26 Feb 2010 21:51:22 -0800 http://wordpress.org/?v=2.9.2 hourly 1 http://managedvideoblog.com/2008/12/26/securing-ip-cameras/comment-page-1/#comment-281 dloher Mon, 29 Dec 2008 18:30:18 +0000 http://managedvideoblog.com/?p=1228#comment-281 Hi John, There are certainly differences in vendors, in part due to the methods they implement for getting video. I can say that securing an IP camera network is not at all automatic and the "threat profile" of an IP video capture network is significantly larger than analog video capture. That being said, I'd like to re-iterate that there are still ways make IP camera systems secure. It's a matter of how much security you need, how you're willing to restrict access and how much network expertise one has available to implement and maintain security. I'll give a few examples: Some vendors for example only implement HTTP and TFTP protocols for transmitting video which do not implement encryption. TFTP doesn't even implement userid's and passwords. Other vendors support FTP, which adds userid's and passwords, but still no encryption. RTSP is probably the best protocol to use for transmitting video between an NVR and an IP Camera. But it too does not support encryption. RTSPS (modeled after HTTPS, the standard for web based encryption) is a defined standard, but I don't know of anyone who implements it. HTTPS (for JPEG image push) is available, but I don't know of any camera manufacturers who implement it for video transmission. (Axis implements HTTP to secure administrative communication in newer firmware versions, but not for video as far as I know) Now, not everyone needs encryption between the NVR and IP Camera. By configuring VLAN's and port based access control, one can minimize the exposure due to unencrypted traffic. Like most IT security, how much security you need depends on your requirements. Note, in order to be PCI DSS compliant, to protect cardholder (ie: credit card) information one MUST encrypt any data which includes information that reveals credit card data and the card holder. I interpret this to mean if one can read a credit card number in a video stream, that video stream now contains cardholder data and needs to be encrypted and protected. While generally not an issue with analog cameras, this could become an issue with megapixel cameras. Envysion pretty much automates security up to an "enterprise level". We can do that because we know all the in's and outs of our IP enabled DVR (EnVR) and have comprehensive protection for the EnVR. It's easier to secure 400 IP DVR's with 8 analog cameras each than it is to secure 400 IP DVR's and 3200 IP cameras. Reducing the number of NVR's doesn't help much. It's all those IP cameras that become difficult to secure and monitor for security. The "threat profile" is so much larger with IP cameras that if one has significant security requirements, one has to work pretty hard to meet them. Hi John, There are certainly differences in vendors, in part due to the methods they implement for getting video. I can say that securing an IP camera network is not at all automatic and the "threat profile" of an IP video capture network is significantly larger than analog video capture. That being said, I'd like to re-iterate that there are still ways make IP camera systems secure. It's a matter of how much security you need, how you're willing to restrict access and how much network expertise one has available to implement and maintain security. I'll give a few examples: Some vendors for example only implement HTTP and TFTP protocols for transmitting video which do not implement encryption. TFTP doesn't even implement userid's and passwords. Other vendors support FTP, which adds userid's and passwords, but still no encryption. RTSP is probably the best protocol to use for transmitting video between an NVR and an IP Camera. But it too does not support encryption. RTSPS (modeled after HTTPS, the standard for web based encryption) is a defined standard, but I don't know of anyone who implements it. HTTPS (for JPEG image push) is available, but I don't know of any camera manufacturers who implement it for video transmission. (Axis implements HTTP to secure administrative communication in newer firmware versions, but not for video as far as I know) Now, not everyone needs encryption between the NVR and IP Camera. By configuring VLAN's and port based access control, one can minimize the exposure due to unencrypted traffic. Like most IT security, how much security you need depends on your requirements. Note, in order to be PCI DSS compliant, to protect cardholder (ie: credit card) information one MUST encrypt any data which includes information that reveals credit card data and the card holder. I interpret this to mean if one can read a credit card number in a video stream, that video stream now contains cardholder data and needs to be encrypted and protected. While generally not an issue with analog cameras, this could become an issue with megapixel cameras. Envysion pretty much automates security up to an "enterprise level". We can do that because we know all the in's and outs of our IP enabled DVR (EnVR) and have comprehensive protection for the EnVR. It's easier to secure 400 IP DVR's with 8 analog cameras each than it is to secure 400 IP DVR's and 3200 IP cameras. Reducing the number of NVR's doesn't help much. It's all those IP cameras that become difficult to secure and monitor for security. The "threat profile" is so much larger with IP cameras that if one has significant security requirements, one has to work pretty hard to meet them.

]]> http://managedvideoblog.com/2008/12/26/securing-ip-cameras/comment-page-1/#comment-280 John Honovich Fri, 26 Dec 2008 22:03:09 +0000 http://managedvideoblog.com/?p=1228#comment-280 Hi Darren, Great post. As you are surveying and testing IP cameras for Envysion to support, do you see major differences between camera vendors? As in, do you think some vendors are significantly more secure than others? From a network/IT management perspective, would this be an important factor in deciding on cameras to recommend? Thanks, John Hi Darren, Great post. As you are surveying and testing IP cameras for Envysion to support, do you see major differences between camera vendors? As in, do you think some vendors are significantly more secure than others? From a network/IT management perspective, would this be an important factor in deciding on cameras to recommend? Thanks, John

]]>