7 Steps to Secure an IP Video Surveillance Network

It might seem like a daunting task, but security integrators should reference this list to lessen the risk for their customers.

Keeping video surveillance networks secure can be a daunting task, but there are several methods that systems integrators can use to greatly reduce the risk for their customers.

Below are seven tips integrators can follow in order to keep their customers’ IP video surveillance network secure.

1. Assess existing and future remote access risks.

Remote network access can be a great way for network administrators and integrators to save on truck rolls and costly onsite visits, and to be prepared with the right tools and equipment when a visit is needed.

Remote network access can be accomplished a number of ways. VPN access is generally the best option, as it can run 24/7 and does not require any user intervention.

Remote access can often be granted on demand using remote desktop tools that connect to a workstation on the network. Systems like VNC and GoToMyPC are great alternatives for on-demand access, but they do require user intervention to launch. It is generally not a good idea to leave these tools running all the time.

If a device must be exposed to the public Internet, port forwarding will be required. If there is an option, use an obscure port instead of the standard ones (22, 23, 25, 80, 554, etc.).

2. Take security to the next level with VLAN and QoS.

Virtual LANs (VLANs) improve security by segmenting traffic into multiple virtual networks. IP-based video surveillance equipment and general office LAN traffic may share the same physical switch, but the VLAN ensures the networks are invisible to, and unreachable from, each other.

VLANs are often deployed with Quality of Service (QoS), which prioritizes network traffic so video quality is not impacted.

3. Prevent unauthorized remote access with firewalls.

Many surveillance systems are purposefully not connected to the Internet; instead they are connected to a separate LAN. This reduces risk but may make service more difficult as updates to software and firmware — otherwise downloaded — must be loaded over USB or other means.

The connected systems are typically behind a firewall, which limits traffic to specific IP addresses and ports that have been authorized.
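The following audit is an added example, not part of the original article: it checks a set of port-forwarding rules against the advice in steps 1 and 3, flagging rules that expose one of the standard ports listed above or that do not limit the source to authorized addresses. The subnet, rule names and field names are constructed assumptions.

```python
import ipaddress

# Ports the article lists as standard ones to avoid when forwarding.
STANDARD_PORTS = {22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP", 554: "RTSP"}

# Constructed sample data (assumptions): surveillance subnet and forwarding rules.
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")
RULES = [
    {"name": "nvr-web", "ext_port": 80, "dest": "10.20.0.10", "source": "0.0.0.0/0"},
    {"name": "cam-rtsp", "ext_port": 554, "dest": "10.20.0.31", "source": "203.0.113.0/28"},
    {"name": "nvr-alt", "ext_port": 48443, "dest": "10.20.0.10", "source": "0.0.0.0/0"},
    {"name": "vpn-gw", "ext_port": 51820, "dest": "10.20.0.2", "source": "198.51.100.7/32"},
    {"name": "office-web", "ext_port": 8080, "dest": "192.168.1.5", "source": "0.0.0.0/0"},
]

def audit_rule(rule, camera_net=CAMERA_NET):
    """Return findings for one rule; rules outside the camera subnet are skipped."""
    if ipaddress.ip_address(rule["dest"]) not in camera_net:
        return []
    findings = []
    if rule["ext_port"] in STANDARD_PORTS:
        findings.append(f"standard port {rule['ext_port']}/{STANDARD_PORTS[rule['ext_port']]}")
    # A /0 source means the firewall is not limiting who may use the forward.
    if ipaddress.ip_network(rule["source"]).prefixlen == 0:
        findings.append("source not limited to authorized addresses")
    return findings

def audit(rules):
    """Map rule name -> findings, keeping only rules that have at least one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```

The `nvr-alt` rule uses an obscure port yet is still reported, because its source is unrestricted and so fails the firewall check in step 3.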

4. Maintain regular backups.

Having timely, complete backups will ensure that any outage from hacking is minimal.

Malware such as ransomware is on the rise. Ransomware encrypts the files on a system and then asks for payment before a key is sent to unlock the data. Without regular backups your customers may have to pay up.

5. Disable unused switch and network ports, and any other unused services.

Another easy, but typically overlooked step is to disable all unused ports. This mitigates the risk of someone trying to access a security subnet by simply plugging a patch cable into a switch or unused network jack.

Unnecessary services on viewing workstations and servers should be turned off. These may include manufacturer-specific update utilities, Microsoft update services, Web services, etc. These may act as a backdoor for hackers or viruses, consume additional processor and memory, and increase startup time. They should be disabled or set to operate only when manually started.

Note that disabling unused ports does not necessarily prevent unauthorized access, as someone could unplug a device (camera, workstation, printer) from a previously authorized port or jack and access its port, unless measures such as MAC filtering or 802.1X are in place.
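As an added example (not from the original article), the sketch below sorts a switch port inventory into the two cases step 5 describes: enabled ports that have sat unused and should be disabled, and surveillance-VLAN ports with no 802.1X or MAC filtering, which remain open to the cable-swap scenario. The inventory, its field names, the VLAN ID and the 30-day idle threshold are constructed assumptions.

```python
# Constructed sample inventory (assumption): one dict per switch port, with
# hypothetical field names. "auth" is "802.1X", "mac-filter" or None.
SURVEILLANCE_VLAN = 20
IDLE_DAYS_LIMIT = 30  # assumed threshold for treating a port as unused
PORTS = [
    {"port": "Gi1/0/1", "enabled": True, "link": True, "vlan": 20, "auth": "802.1X", "idle_days": 0},
    {"port": "Gi1/0/2", "enabled": True, "link": True, "vlan": 20, "auth": None, "idle_days": 0},
    {"port": "Gi1/0/3", "enabled": True, "link": False, "vlan": 20, "auth": None, "idle_days": 90},
    {"port": "Gi1/0/4", "enabled": False, "link": False, "vlan": 20, "auth": None, "idle_days": 400},
    {"port": "Gi1/0/5", "enabled": True, "link": False, "vlan": 10, "auth": None, "idle_days": 3},
]

def classify(port):
    """Return the action for one port: 'disable', 'add-auth' or 'ok'."""
    if not port["enabled"]:
        return "ok"  # already administratively shut down
    if not port["link"] and port["idle_days"] >= IDLE_DAYS_LIMIT:
        return "disable"  # live jack with nothing attached for a long time
    if port["vlan"] == SURVEILLANCE_VLAN and port["auth"] is None:
        # A port on the security subnet accepts whatever is plugged in,
        # so swapping the cable from a camera grants access.
        return "add-auth"
    return "ok"

def audit_ports(ports):
    """Group port names by required action, omitting ports that are fine."""
    actions = {}
    for port in ports:
        action = classify(port)
        if action != "ok":
            actions.setdefault(action, []).append(port["port"])
    return actions

if __name__ == "__main__":
    for action, names in audit_ports(PORTS).items():
        print(f"{action}: {', '.join(names)}")
```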

6. Break out control from data networks.

If the network design allows it, breaking out the control plane from the data plane is a good idea. This is especially true if your customer is running keyboard and mouse controls for remote systems.

Customers can keep their local control network off the public Internet, making it difficult for hackers, while allowing for more flexibility in video routing. This generally will require end devices to have two network interfaces or the use of dongle devices that send keyboard and mouse control over a separate Ethernet network.

7. Create and enforce a security policy.

All the steps above are even more effective when documented as part of a written and strictly enforced security policy. If an end user does not have a security policy in place, you as the integrator may choose to create one as part of your documentation. You would then require it to be followed in order for the warranty to be enforced and to limit liability in case of a breach.


Bio: Bob Ehlers is Vice President of Business Development for RGB Spectrum.
