First post, secure installation of outdoor ip cameras

cheezit73

Member
Hi guys, long time lurker here with my first post.
 
Can anyone point me in the right direction regarding security of the LAN with outdoor IP cameras?
 
I am sure that the scenario is extremely unlikely but my concern is that someone could physically remove the cat5 from the ip camera outside and then connect their laptop to it and attempt to access the LAN network.
 
I am running a pfSense router with MAC filtering, static IPs and denied access from unknown clients. Would that be sufficient?
 
I have more questions but let's start with this!
 
Thanks in advance
 
cheezit73 said:
Hi guys, long time lurker here with my first post.
 
Can anyone point me in the right direction regarding security of the LAN with outdoor IP cameras?
 
I am sure that the scenario is extremely unlikely but my concern is that someone could physically remove the cat5 from the ip camera outside and then connect their laptop to it and attempt to access the LAN network.
 
I am running a pfSense router with MAC filtering, static IPs and denied access from unknown clients. Would that be sufficient?
 
I have more questions but let's start with this!
 
Thanks in advance
 
If they really wanted to hack into your [wired] network and went through the trouble of disconnecting your IP camera... you don't think they could determine the MAC and IP of the camera and spoof those to their laptop?
 
But, why bother doing that when it's just as easy to hack into a wireless connection and not deal with touching your camera and/or possibly having to use a ladder to get to it anyway?
 
Spending some time on YouTube watching network hacking videos can be pretty eye opening. You're just keeping the honest people out.
 
drvnbysound said:
If they really wanted to hack into your [wired] network and went through the trouble of disconnecting your IP camera... you don't think they could determine the MAC and IP of the camera and spoof those to their laptop?
 
But, why bother doing that when it's just as easy to hack into a wireless connection and not deal with touching your camera and/or possibly having to use a ladder to get to it anyway?
 
Spending some time on YouTube watching network hacking videos can be pretty eye opening. You're just keeping the honest people out.
 
Yes, your response is precisely what I am referring to, i.e. MAC address spoofing. I have my wireless network secured as best I know how (WPA2) with a strong password.
 
It may just be an unnecessary exercise, as someone is not likely that interested in hanging out with their laptop in front of my house on a ladder with a cable plugged in, but does anyone have any good suggestions of how to isolate your security camera network from your main LAN while still being able to access the cameras from your main LAN?
 
how to isolate your security camera network from your main LAN while still being able to access the cameras from your main LAN?
 
 
You can layer your cameras inside or next to your network using a firewall or VLANs .....
 
Here I built a pfSense firewall for multiple WANs / LANs and just built specific rules between the physical interfaces.
 
pfSense also lets you do WAN failover or WAN load balancing.... it's a neato program. This was a plug for pfSense.
 
It may just be an unnecessary exercise
 
It can become a management nightmare and I'm truly not sure whether you want to do this.
 
I'm running pfSense in a VM.... forget MAC filtering - it's just a waste of time.
I would suggest putting your IP cams in their own VLAN and securing as needed.
 
And if you want a reasonably priced managed switch; check out the TP-Link 24 port Easy switches. I have a couple of these running with no issues.
 
Let me ask a scenario question... suppose someone plugged in today and got on your home network. What are you afraid of them getting access to?
 
Personally, I don't care if you get pictures of my cat (I don't have one). I personally, just don't feel that I have data [stored] that is of any significant difference. Sure, I don't want you to get my bank account information and going on a shopping spree, but that's not all that uncommon today and it's fairly easy to resolve with your bank. It sucks when it happens, especially if you are on vacation (as I once was), but ultimately it had little effect. I'm trying to think of information that would be of severe detriment if stolen, and I can't come up with anything... you want a copy of the movies I have on my media server? Log into Facebook as me? While possibly easier, you don't have to be at my house to do those things.
 
First off thank you guys for replying so quickly with ideas!
 
pete_c said:
You can layer your cameras inside or next to your network using a firewall or VLANs .....
 
Here I built a pfSense firewall for multiple WANs / LANs and just built specific rules between the physical interfaces.
 
pfSense also lets you do WAN failover or WAN load balancing.... it's a neato program. This was a plug for pfSense.
 

 
It can become a management nightmare and I'm truly not sure whether you want to do this.
 
 
video321 said:
I'm running pfSense in a VM.... forget MAC filtering - it's just a waste of time.
I would suggest putting your IP cams in their own VLAN and securing as needed.
 
That's great, I do have my network behind a pfSense box (dedicated mini ITX PC)! I am not a power user by any means. I have everything set up with static IPs and "deny unknown clients" checked. I have just started reading about VLANs and don't quite understand how to set one up yet, other than that I will need managed switches.
 
So are you fellas saying that if I put my IP cams on their own separate switch and network interface on pfSense (OPT1), or just used VLANs to separate the IP cams from the rest of the traffic, that I could create a rule that would prevent traffic coming from the camera end of the cable from accessing the other LAN or VLAN? And if so, could I then use a computer or other viewing devices on the non-IP-camera LAN to access the cameras? So I guess what I am asking is: can devices on the two LANs talk, but only if the request is generated on the non-camera LAN?
 
drvnbysound said:
Let me ask a scenario question... suppose someone plugged in today and got on your home network. What are you afraid of them getting access to?
 
Personally, I don't care if you get pictures of my cat (I don't have one). I personally, just don't feel that I have data [stored] that is of any significant difference. Sure, I don't want you to get my bank account information and going on a shopping spree, but that's not all that uncommon today and it's fairly easy to resolve with your bank. It sucks when it happens, especially if you are on vacation (as I once was), but ultimately it had little effect. I'm trying to think of information that would be of severe detriment if stolen, and I can't come up with anything... you want a copy of the movies I have on my media server? Log into Facebook as me? While possibly easier, you don't have to be at my house to do those things.
 
In reality I am not that worried about the scenario; however, if I am doing security I want it as secure as I can make it, and I also enjoy the process of doing so and geeking out on it. For example, at my last home I had the electric meter contacted so if someone removed it to shut off the power (easy to do) the alarm would fault.
 
I have also thought that I could put tamper switches on the cameras so the alarm would fault if removed, but I would like to make the network level as secure as possible.
 
Thanks again guys!
 
Going the VLAN route you can create two VLANs.
 
1 - VLAN - called 25
2 - VLAN - called 35
 
Put the cameras in one VLAN 25 and the users on VLAN 35.
 
One thing about this is the traffic. With one switch, even though you have the cameras on one VLAN and users on another VLAN, you can still saturate the switch with the video streaming even though there are two VLANs. You don't really notice this much on small networks though. You can also configure the pfSense LAN/OPT1 interface with two VLANs.
 
Looking at pfSense, you can physically separate the camera network from the users' network. Define that OPT1 network port with a different IP / subnet. Connect a second switch to OPT1 and put all of the cameras on that subnet. Typically too you might be using a DVR for all of the cameras. Put it on the same network. Here you are creating a physically separate DMZ. Create a set of rules from the OPT1 network to the WAN, ideally going to one box on the camera network (say the DVR), and another set of rules which bridge OPT1 (with rules) to the LAN network and one PC.
 
All of the above is much easier and less granular if you utilize one DVR with multiple cameras. This relates to the WAN / LAN / OPT1 interplay stuff.
 
You said you wanted to play with this. You really cannot break anything doing this. Experiment some. Using pfSense you can create rules, save them, and enable or disable them. Do the same with the VLAN stuff on the managed switch.
 
Here, unrelated / related, I connected a GPS / PPS serial cable to the pfSense firewall for NTP time. My internal networks only utilize the pfSense firewall for time sync. I block external NTP access from the LAN. This also relates to keeping all of the cameras / DVR stuff in time sync.
 
Thanks Cocoonut.
 
So what if I had this scenario:
 
All IP cams on their own switch and IP/subnet plugged into the OPT1 interface.
 
All other devices on the main LAN on another switch plugged into the LAN interface.
 
A PC on the main LAN running DVR software (xprotect/blue iris etc..)
 
Ignoring right now any need to access the cameras from the WAN side.
 
Would I be able to write the rules so any device on the main LAN could access the cameras (DVR PC/iPads etc..) but a device plugged into the Cameras switch would not be able to access the main LAN?
 
Sorry if I am slow to grasp this!
 
Thanks again
 
Would I be able to write the rules so any device on the main LAN could access the cameras (DVR PC/iPads etc..) but a device plugged into the Cameras switch would not be able to access the main LAN?
 
It would be better first to put the DVR on the camera LAN and configure all of the cameras to it. Then just create a rule for accessing the DVR from the main LAN. You can get granular with this. With this rule a device just willy-nilly plugged into the camera LAN will not be able to access the main LAN.
 
An iPad would be able to see all of the cameras via the DVR with the right rules. It gets to be a bit of a PITA to configure rules per camera and it's much easier to configure the rules per DVR.
 
Create a tiny subnet say with no DHCP and a 28 bit mask.
 
This would give you 14 IPs (well assuming that you have up to 12 cameras and 1 DVR) - 13 devices plus 1 gateway IP. 
 
While you are playing with the camera subnet you might as well play with the main subnet. Maybe create a small DHCP scope, MAC-addressed IPs and some static IPs. Here I have mine arranged a bit in some order of switches, servers, NAS boxes, PCs et al. pfSense is very versatile and once you get used to it you can do all kinds of stuff with it.
 
Here I have been testing the Almond+ devices (3), plus I put the Ubiquiti AP on separate OPT interfaces on the pfSense firewall.
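To make the two-subnet design above (VLAN 25/35 or LAN vs OPT1, DVR on the camera side, a /28 for the cameras) concrete, here is an added example that is not from the thread or from pfSense itself: a small Python model of pfSense-style first-match, per-interface rules with a state table. The addresses, the DVR host and the rogue-device packets are constructed for illustration.

```python
# Added example (not from the thread or pfSense): model of the camera-subnet
# rule set described above. pfSense's pf is stateful, so the DVR's replies
# to a LAN-initiated session are passed by state, not by a separate rule.
import ipaddress
from collections import namedtuple

LAN = ipaddress.ip_network("192.168.1.0/24")     # main LAN (constructed)
CAMS = ipaddress.ip_network("192.168.35.0/28")   # camera subnet, 28-bit mask
DVR = ipaddress.ip_network("192.168.35.2/32")    # DVR lives on the camera side

Packet = namedtuple("Packet", "src dst sport dport proto")

# (ingress interface, source net, destination net or None, dest ports or None, action)
# Evaluated top-down, first match wins; anything unmatched is blocked (pfSense default).
RULES = [
    ("LAN",  LAN,  DVR,  {80, 554}, "pass"),   # LAN -> DVR: web UI and RTSP only
    ("LAN",  LAN,  CAMS, None,      "block"),  # LAN -> individual cameras: no
    ("LAN",  LAN,  None, None,      "pass"),   # LAN -> everything else (WAN)
    ("OPT1", CAMS, None, None,      "block"),  # camera side may not initiate anything
]


def usable_hosts(net):
    """Host addresses in a subnet minus network and broadcast (14 for a /28)."""
    return net.num_addresses - 2


class Firewall:
    def __init__(self):
        self.states = set()   # (initiator, responder, sport, dport, proto)

    def filter(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        # A reply to a session the firewall already passed rides on that state.
        if (dst, src, pkt.dport, pkt.sport, pkt.proto) in self.states:
            return "pass (state)"
        iface = "LAN" if src in LAN else "OPT1" if src in CAMS else "WAN"
        for r_iface, r_src, r_dst, r_ports, action in RULES:
            if r_iface != iface or src not in r_src:
                continue
            if r_dst is not None and dst not in r_dst:
                continue
            if r_ports is not None and pkt.dport not in r_ports:
                continue
            if action == "pass":
                self.states.add((src, dst, pkt.sport, pkt.dport, pkt.proto))
            return action
        return "block"
```

Run it with a LAN host opening RTSP to the DVR, then the DVR's reply, then a laptop plugged into the camera switch trying to reach the LAN: the first two pass, the third is blocked.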
 
I skimmed the last couple of posts, but a couple of points to consider... if you need a rule for the LAN to access the camera VLAN then you need a rule allowing that same traffic back to the normal LAN; otherwise it's one way and that doesn't work. You can get granular here: make it so that only port 80 and 554 (RTSP) are allowed to pass, and only from specific IPs, and you now have some good security. It's a similar concept to a DMZ in the corporate world.
 
HOWEVER - as soon as you do this, you're now throwing out many benefits of a switch or at least creating a potential bottleneck both in the LAN ports and increasing the burden on the firewall because now instead of traffic from the camera going straight to the PC viewing it, ALL traffic between the VLANs must pass through the firewall on the same single wire through the same interface and be processed by the same processor.
 
In reality, if you're a high-value target it would be smart, but otherwise it's like parking your Honda Accord in a bank vault... it's just a waste of time that'll cause more headaches than it's worth. As said above, what do you *really* have to worry about? If someone plugged a computer into your network, what would happen? If you're running Windows machines with authentication then they won't get to your shares without a whole other level of hacking.
 
If you really love overkill just for the sake of practice and making life more difficult for no good reason, you could implement 802.1x LAN authentication on the network and find cameras that support it.  That's a far better way of actually securing a LAN without causing the bottleneck issues.
 
Related story: at an old job, we had a super secure network, but it always bugged me that our trunk lines ran between the buildings and had to have pull boxes mounted on the exterior of the buildings. Granted, it'd be tough, but someone could've opened the access boxes with a flathead, terminated the wires and spliced their own tap in the middle. Luckily nobody really knew this (just as most people don't know that you can disable a security alarm by cutting the phone line on the side of the house); then again, that same old company still doesn't realize that there's a phone number I can dial that bypasses all building security and opens the street-facing elevator so I can go anywhere in the building I want. Smart people can do a lot of damage... luckily smart people don't burglarize Joe Blow, so unless you're a CIA target most of this is overkill.
 
LOL
 
Thanks Cocoonut for all this info. Yes, I am not a high-value target and mostly this would just be an exercise which would help increase my knowledge of things as a whole. It will be a little while before I implement this as it will be in a new house that is being built now. I am also researching the ELK and home automation in general, but I have a little clearer picture of what I want to do with that! I expect to be around here in the meantime asking more questions, probably in their own sub-topic threads though.
 
Thanks again!
 
Hey guys, so sorry, I just realized that Cocoonut is a forum activity level designator and not a user name!! I guess newbie is definitely an appropriate level for me!
 
Thank you
 
drvnbysound, pete_c, video321, and Work2Play for all of your contributions to my thread!!!
 
You're not the first person (and won't be the last) to address someone as "Cocoonut"....
 
As for VLANs, I too was looking at a VLAN for my cameras, and then I found this thread and it seemed like a lot more work and many more potential problems that didn't really provide much benefit in my limited home environment....
 