

Network Security for IP Cameras

Network Security for IP Cameras & Video Surveillance Systems

These days many devices interact in some way with our networking devices and the internet itself. What people forget is that, much like our desktops, laptops and mobile devices, all of these other types of devices need to be secured. The average person is going to assume no security is needed and that the product itself is already fairly secure by default. In my personal opinion, I’d say the default security settings are usually not sufficient to keep the device and your network safe.

I’ve created a guide below of procedures that can be followed to enhance the security of your IP cameras and systems.

IP Camera Hardening Guide

I’ve created a hardening guide below that will look at a few key components that administrators will want to make use of in their network.

  • Passwords
  • LDAP/AD Authentication
  • VLANs
  • 802.1X Authentication
  • Disabling Network Ports
  • Disabling Unused Services
  • MAC Address Filtering
  • Physical Access Control

Passwords

The number one thing you should be doing is creating a strong password. Create 35+ character passwords if you are not using AD or LDAP authentication. You can store the passwords safely in a password manager such as KeePass. Also be sure to CHANGE the DEFAULT vendor/manufacturer password. Many users forget to do this, or don’t do it at all out of laziness. This leaves a huge security risk for your IP cameras and systems. You can find my previous article here: Default IP Camera Passwords

That article shows how easy it is to find and use a default password for various types and brands of cameras. With the username and password, anyone can take full administrative control over the device. So be sure the admin account has a strong password and that the password is stored somewhere safe! (No, that does not mean using an Excel spreadsheet on your desktop.)

LDAP / Active Directory Integration

An important feature that many users overlook is integration of tools with a company Active Directory or LDAP server. Most larger businesses adopt some form of user access management system, and most of them use Microsoft’s Active Directory to manage users and their access. And I’ve seen a huge push for many new tools out there to provide features that make use of AD or LDAP authentication. It makes user access much easier and more efficient.

You can simply create an AD group called “IP Camera Managers” and assign the role to authorized users. This helps keep track of who is allowed to access the IP cameras and system, and it also lets you manage 100+ devices all at once with a single user group. I have heard of businesses that have 100 cameras and they maintain credentials for all 100 devices. That is very difficult to do and not very secure at all, so keep it simple with AD or LDAP integration.

VLANs

Another great option, not just for IP cameras but for all sensitive types of systems, is network segregation. If you have a virtual architecture set up within your environment, then you know VLANs make it very easy to segment off networks. For IP cameras it’s best to put them on their own VLAN. That way you can monitor traffic on this VLAN more easily and allow only certain machines and/or users to access it. You can also place other security tools in the VLAN to monitor for abnormal traffic. A dedicated VLAN adds another layer that someone has to break through to reach the cameras.

802.1X Authentication

Most of this guide assumes all of the IP cameras and systems are connecting via a hardwired WAN and LAN. However, many wireless IP cameras are being sold these days, and they bring the convenience of not needing a network port located near the camera. That means someone can place the camera just about anywhere, provided there is an electrical power source. You can simply connect to the network wirelessly and connect your IP cameras to the system.

What many people tend to forget is making sure the wireless network and connection are secure. The last thing you want is for someone to intercept the connection and gain access to the IP camera or the entire network. By using an 802.1X type of wireless connection you can ensure your wireless connection is encrypted and that the appropriate credentials must be provided to gain access to the network. All wireless IP cameras have this option, and it should be used to enhance your wireless security.

Disabling Network Ports

Many network administrators open up ports all the time for certain devices or odd situations. In my experience people forget to close off opened ports, which unfortunately may happen from time to time. This is why ongoing audits of network ports are so important. If you know the IP cameras are in a specific network, be sure to disable ports that are not needed at the firewall level. But don’t forget to also check the IP camera itself, as it may have unused ports open. I’ve seen it over and over again where ports such as telnet are open, and there is no need for it when the port for SSH is already open. Therefore, be sure to question every open port and whether it really needs to be open on the device.

Disabling Unused Services

Similar to network ports, the IP camera devices may have certain services running that are not needed. Some users may not want SNMP running, yet some cameras have SNMP running by default. So it’s important to limit what is turned on and running on these devices to what you need. Close off services that you know for sure will not be needed or used for the time being.
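The ongoing audit described in the two sections above (open ports and unused services) can be automated by comparing scan results against an allowlist. The script below is an added example, not part of the original guide: the allowlist, the sample hosts and the scan text are constructed assumptions, and the input follows nmap's grepable (-oG) output layout.

```python
import re

# Assumed policy for the camera VLAN: the only (port, proto) pairs a camera may expose.
ALLOWED = {(22, "tcp"), (443, "tcp"), (554, "tcp")}  # SSH, HTTPS, RTSP
# Cleartext service -> encrypted service that makes it redundant (telnet vs SSH, per the text).
REDUNDANT = {(23, "tcp"): (22, "tcp")}

# Constructed sample in nmap's grepable (-oG) layout; addresses are documentation ranges.
SAMPLE_SCAN = """\
# Nmap scan of camera VLAN (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 443/open/tcp//https///, 161/open/udp//snmp///
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 554/open/tcp//rtsp///, 8080/closed/tcp//http-proxy///
Host: 192.0.2.12 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
"""

# Entry layout: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/[^/]*/([^/]*)/")

def parse_open_ports(scan_text):
    """Return {host: {(port, proto): service}} for ports in state 'open'."""
    hosts = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":
                hosts.setdefault(host, {})[(int(m.group(1)), m.group(3))] = m.group(4)
    return hosts

def audit(scan_text, allowed=ALLOWED):
    """Return sorted findings: (host, port, proto, service, reason)."""
    findings = []
    for host, ports in parse_open_ports(scan_text).items():
        for (port, proto), service in ports.items():
            if (port, proto) in allowed:
                continue
            secure = REDUNDANT.get((port, proto))
            if secure and secure in ports:
                reason = "redundant: %d/%s is already open" % secure
            else:
                reason = "not in allowlist"
            findings.append((host, port, proto, service, reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN):
        print("%s %d/%s (%s): %s" % finding)
```

Run on a schedule against your own camera VLAN, any non-empty result is a port or service to question, as the sections above recommend.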

MAC Address Filtering

Another option that can be used is MAC address filtering. Now, I’m not hugely sold on this option, but it is an extra option that can be used alongside everything else that has been mentioned. You can restrict the IP cameras and system to accept network connections based on a machine’s MAC address. For example, I could restrict the IP camera so that only my desktop (by its MAC address) has authorised administrative access. The downside to this option is that MAC addresses can be spoofed pretty easily with free open source tools. It’s a good mechanism to use on top of others, but in no way should anyone rely solely on MAC address filtering for security.

Physical Access Control

The last one goes without saying: you should physically secure your IP cameras and systems. Keep the systems themselves in a safe room, such as a locked-down communications room. Make sure only authorised employees have access to this room, and keep a record of who has gone in and out of the room to maintain the integrity of all systems. Also, be sure the IP cameras are placed where they are not within reach of someone at human height. The last thing you want is for someone to steal the video system or an expensive IP camera.

Well that’s all you get from me for today!

I hope this guide helps people out there when planning and configuring IP cameras and surveillance systems.

Questions? Leave them in the comment box below.


