IP CCTV and network security


Heres Johnny

Original Poster:

7,227 posts

124 months

Tuesday 21st March 2017
I've a few IP cameras but it's occurred to me that also means I've a few CAT5 cables protruding through exterior walls which if someone was minded to, they could simply unplug a camera and plug in a laptop and get into my home network. Chances are small, but how am I meant to protect against it? The hub they're plugged into is an unmanaged one, but even if it was, that manufacturer suggests MAC filtering but that appears universal and I'd need to constantly register new kit. Ideally I'd like to tie specific ports to specific MAC addresses and the kit I have may not be adequate, but I'm curious to know what the options are.

scorp

8,783 posts

229 months

Tuesday 21st March 2017
If you're worried about network security I wouldn't rely solely on MAC filtering.

What would stop an attacker from plugging your camera into their switch and reading the camera's MAC address and then cloning it to get past your MAC filter?

Maybe you need protocol/port filtering too, can your IP camera be configured for SSH tunnelling or something like that?


Mattt

16,661 posts

218 months

Tuesday 21st March 2017
Stick the IP Cameras all on a separate LAN?

Heres Johnny

Original Poster:

7,227 posts

124 months

Tuesday 21st March 2017
Mattt said:
Stick the IP Cameras all on a separate LAN?
Unfortunately they record to my NAS

I'll look at SSH but not sure how that helps me.

onlynik

3,978 posts

193 months

Tuesday 21st March 2017
I'd stick the CCTV stuff on a separate VLAN, and have the NAS on the same VLAN.

If your NAS must be on the same LAN as everything else, I'd stick a firewall (pfSense) in the way with a static route only to the NAS from your CCTV (granted this will still allow folk to access the NAS, but if you can restrict the ports available it is more secure).


xjay1337

15,966 posts

118 months

Tuesday 21st March 2017
As mentioned, put them on a separate VLAN.

MAC filtering is OK but they just need the MAC of a camera and I have software on my laptop and I can change to any MAC address that I want...

Managed switches can be bought for £20 on eBay, old Cisco or HP stuff.
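
How the separate-VLAN and per-port MAC binding suggestions in this thread might look on a second-hand Cisco IOS access switch, as an added example that is not part of any poster's reply. The VLAN number, interface names and port layout are assumptions.

```cisco
! Constructed example. VLAN 20, Fa0/1, Fa0/8 and Fa0/24 are assumed values.
vlan 20
 name CCTV
!
! Exterior camera port: fixed access mode, CCTV VLAN only, one MAC allowed.
! Sticky learning binds the first MAC seen (the camera) to this port.
! A cloned camera MAC still passes this check, as noted in the thread,
! so the VLAN is what limits how far a plugged-in device can reach.
interface FastEthernet0/1
 description cam-garage-exterior
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! NAS (or NVR) in the same VLAN as the cameras, so recording needs no routing.
interface FastEthernet0/8
 description nas-recording
 switchport mode access
 switchport access vlan 20
!
! Uplink to the home LAN carries the default VLAN only; VLAN 20 is not
! allowed on it, so camera ports have no layer-2 path into the house network.
interface FastEthernet0/24
 description uplink-home-lan
 switchport mode access
 switchport access vlan 1
!
! Ports with nothing plugged in stay administratively down.
interface range FastEthernet0/9 - 23
 shutdown
```

With `violation shutdown`, a device presenting a different MAC puts the port into err-disabled state until it is manually re-enabled, which doubles as a tamper indicator for that cable run.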

Mattt

16,661 posts

218 months

Tuesday 21st March 2017
How much effort/money is it worth spending on the risk though?

GuyW

1,072 posts

203 months

Tuesday 21st March 2017
Does seem massive overkill and for the life of me I really can't think of anyone who would go to the effort.
Certainly easier to go through your discarded post and/or sniff out your wifi traffic.

Disable DHCP, have everything set to static addresses and pick a range that's not easy to guess.

Tonsko

6,299 posts

215 months

Tuesday 21st March 2017
VLAN it off and port-based authentication

http://www.mcmcse.com/cisco/guides/port_based_auth...

You will not be able to do that with a hub though. In fact, you won't be able to set up VLANs with a hub. You will need to replace the hub itself with a switch.

Low tech solutions: glue the cat5 cable into the camera. Or house camera in a lockable case, where cat5 cannot be removed.

As an aside, that's some nice vulnerability thinking. Presume you've secured the admin interface for the cameras from the internet?

Edited by Tonsko on Tuesday 21st March 16:11

Dr Doofenshmirtz

15,227 posts

200 months

Tuesday 21st March 2017
Just google 'lockable RJ45 plug'.

Heres Johnny

Original Poster:

7,227 posts

124 months

Tuesday 21st March 2017
Thanks - agree the risk is small but where I live and where the cameras are you could sit in my open garage and help yourself as it currently stands. I've just spent too many days with CLAS consultants in my past.

All default passwords have been changed and I've now dropped the DDNS so I can't access the cameras remotely. I think I'm going to opt for the mechanical locking route. The cameras are Hikvision and they all have short tails with a socket on the end so plenty of options to secure. Sometimes the simplest ideas are the best.

Tonsko

6,299 posts

215 months

Tuesday 21st March 2017
Heres Johnny said:
I've just spent too many days with CLAS consultants in my past
...and it all becomes clear!

Mattt

16,661 posts

218 months

Tuesday 21st March 2017
Dropping DDNS doesn't mean you can't access remotely though - it's not really a security measure, just makes it more inconvenient for you!

OldGermanHeaps

3,830 posts

178 months

Wednesday 22nd March 2017
Record to an NVR, which will VLAN it off for you.

wombleh

1,790 posts

122 months

Wednesday 22nd March 2017
IMO MAC filtering is a waste of time for stopping anything malicious.

Usually with cameras the trick is physical security, cable runs inside the camera mount which is bolted on the inside or using security bolts so it can't be accessed without obvious damage.

TheAngryDog

12,406 posts

209 months

Thursday 23rd March 2017
How bad an area do you live in to need to go to this level? Or are you really James Bond?

Heres Johnny

Original Poster:

7,227 posts

124 months

Thursday 23rd March 2017
TheAngryDog said:
How bad an area do you live in to need to go to this level? Or are you really James Bond?
It's actually really quiet, middle of the countryside, we get very little crime and the original question was as much a curiosity, but I'm worried about my sordid collection of Pam Ewing and Wonder Woman pictures from my childhood being held to ransom.

xjay1337

15,966 posts

118 months

Thursday 23rd March 2017
Heres Johnny said:
It's actually really quiet, middle of the countryside, we get very little crime and the original question was as much a curiosity, but I'm worried about my sordid collection of Pam Ewing and Wonder Woman pictures from my childhood being held to ransom.
I wouldn't bother worrying at all to be honest.