Any Networking Experts Around ??? OT a little


  • #31
    Originally posted by JoeLee
    If I check the box in both the settings and advanced settings page does that give me better security????
    Can you confirm that it's using HTTPS? Can you view the connection information while connected to the camera to see if HTTPS/SSL/Encryption are on? It might fall back to HTTP if a HTTPS connection fails, in which case you are back to where you started. Ideally, there would be a setting like "Require HTTPS" so that unencrypted connections would be rejected. It doesn't sound like you have that option though.

    If you use HTTP, then anyone who is watching the traffic between your phone and your home could capture your username/password and the video stream. With HTTPS, your connection is encrypted so they cannot see your username/password and video stream as it whizzes past. But your cameras are still exposed to the internet, so they are still vulnerable to attack. If someone hacks into a camera, they can do all sorts of things with it, and possibly use it to mount an attack against other devices on your network.

    If you can live without remote viewing, just take them off the internet. Remove the port forwards and let them record activity. If you want them to be secure for remote viewing, then set up a VPN.

    Another option is to have them email you a photo when they detect movement. This is better than having them online because they are still hidden behind your router. This may be a reasonable compromise that wouldn't be difficult to set up if your cameras support the feature. You have to remove the port forwards though, otherwise they won't be hidden from the internet.

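A way to test the "falls back to HTTP" worry raised in this post: ask the camera's plain-HTTP port for a page and see whether it serves content, redirects to https://, or refuses. This is an added example, not code from the post; the two mock servers stand in for a camera and the hostname, port and login path are constructed.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def plaintext_http_check(host, port, path="/", timeout=5):
    """Classify a plaintext request: 'served' (a page came back over HTTP, so a
    login would cross the wire unencrypted), 'redirected' (sent to an https://
    URL), 'rejected' (4xx/5xx) or 'refused' (port closed, reset or timed out)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        location = resp.getheader("Location") or ""
        conn.close()
    except OSError:  # ConnectionRefusedError, ConnectionResetError, timeout
        return "refused"
    if 300 <= resp.status < 400 and location.lower().startswith("https://"):
        return "redirected"
    return "served" if resp.status < 300 else "rejected"

def start_mock_camera(require_https):
    """Constructed stand-in for a camera on 127.0.0.1 (not a real device):
    either serves a login page over plain HTTP or redirects every request to
    https://. Returns the port it is listening on."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_https:
                self.send_response(301)
                self.send_header("Location", "https://camera.example/login")
                self.end_headers()
            else:
                body = b"<form>login</form>"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        def log_message(self, *args):  # keep the mock quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

if __name__ == "__main__":
    for require in (False, True):
        port = start_mock_camera(require)
        print(f"require_https={require}: {plaintext_http_check('127.0.0.1', port)}")
```

Against a real camera, "served" means the box you ticked is not being enforced on the plain port; "redirected" or "refused" is what a "Require HTTPS" setting should produce.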


    • #32
      I asked the camera tech people about this encryption and security stuff; below is their reply. Pretty much sums it up.

      JL...............

      • Are these cameras being encrypted through my router???

      No, not unless you have pairs of VPN firewall routers like Netgear FVS318N or Cisco RVS4000.

      • Does the port have something to do with it???

      No.

      • Shouldn't the address be HTTPS rather than HTTP??

      HTTPS would encrypt everything.

      In our consumer cameras, the password is already encrypted by default unless you disable it.

      In our commercial grade cameras, you can optionally use HTTPS for settings.


      But for full HD live video at 15 fps or higher, this would need a lot more computing power and memory than what the cameras have, and it would put a huge load on the device that’s viewing the video.

      So overall this means that random people on the internet can’t initiate video or change settings unless they know your password.

      But employees of your internet provider could definitely snoop on all your internet activity as it goes through their routers.

      If that is a concern, the solution is to use pairs of VPN routers like the Netgear FVS318N or Cisco RVS4000 or similar, where one of these routers would be at the camera location and the other one would be at the remote viewing location. The Netgear router can encrypt up to 5 mb per second, so that would be a maximum of 1 full HD 1920 x 1080 camera running at 30 fps / 4096K bit rate plus audio.

      • In the advanced settings there is HTTPS again, also unchecked. Should they be checked???

      No, it would not be compatible.

      In summary, if you are concerned about employees of internet providers snooping on you, it is possible to guard against that but it is expensive.

      If you’re concerned about random people on the internet, simply use a password that cannot be easily guessed, while making sure that you stay within the restrictions of the camera which means no more than 22 characters and no punctuation or spaces.

      We calculated that even if someone was continuously trying to guess the password as fast as the camera could possibly respond, it would take centuries to guess.



      • #33
        Best bang for the buck for Prosumer equipment. It is a learning curve. But you can basically do whatever you want.
        Router
        https://www.ubnt.com/edgemax/edgerouter-lite/

        Wireless access point
        https://www.ubnt.com/unifi/unifi-ap-ac-lite/



        • #34
          Originally posted by JoeLee
          We calculated that even if someone was continuously trying to guess the password as fast as the camera could possibly respond, it would take centuries to guess.

          Yeah, the flaw in that logic is that they may guess it in minutes. The hackers use lists of known and common passwords, and that works for a vast majority of the instances within hours or days.


          Dan
          At the end of the project, there is a profound difference between spare parts and left over parts.

          Location: SF East Bay.



          • #35
            Originally posted by JoeLee
            But employees of your internet provider could definitely snoop on all your internet activity as it goes through their routers.
            It's not quite as simple as that. Any router along the way could capture the information. If you're connected to a public Wi-Fi hotspot, then someone in the vicinity could capture the information. A router along the way may be compromised. It's not just the ISP that can capture unencrypted data.


            Originally posted by JoeLee
            If you’re concerned about random people on the internet, simply use a password that cannot be easily guessed, while making sure that you stay within the restrictions of the camera which means no more than 22 characters and no punctuation or spaces.
            No punctuation weakens the password. They do that as a basic form of protection against some types of attacks. A better method is to allow punctuation characters and parse the input. Harder for them, but more secure. Watch the video I linked to earlier, and you will see how unparsed input can be used to feed commands to the camera.


            Originally posted by JoeLee
            We calculated that even if someone was continuously trying to guess the password as fast as the camera could possibly respond, it would take centuries to guess.
            Not relevant. Have a look at that video. I know it's a bit tech-heavy at times, but you will see that he hacked all the cameras without a password. In some cases, he was able to ask the camera to send him the password! I can guarantee you that those cameras have security vulnerabilities. Even if none of them are known today, they will be known in future. As he says, these are "consumer" cameras, so the company isn't going to spend money updating their software every month for the next five years. The older they get, the more insecure they become due to the identification of new vulnerabilities. The guys and girls that work this stuff out are very talented, but once an attack is known, any kid with the right software can exploit it.

            You need to weigh up the convenience vs. the risk. If there is nothing important/confidential on this network and the cameras are pointed at your chook pens and koi ponds, then it may be a reasonable risk to take. If the cameras are in your house and this network contains your confidential information, then I would consider the risk too great if it were my network.

            Another option you might want to consider is a second network. You would leave everything as it is, and your current network would become the DMZ (https://en.wikipedia.org/wiki/DMZ_(computing)).

            A second wireless router would route traffic through the internet connection on the DMZ. Your other computers would connect to the new wireless network and be somewhat protected from anything happening in the DMZ. Not as secure as a VPN, but it might suit your needs better.



            • #36
              Does it confer any added security to have your own router behind the one the ISP provides as someone suggested above?

              Since we did not want to change our system, when the ISP provided a router, we put our existing Cisco wireless behind it, and do not use the ISP wireless (it is not even turned on).
              CNC machines only go through the motions



              • #37
                Originally posted by J Tiers
                Does it confer any added security to have your own router behind the one the ISP provides as someone suggested above?
                It can, but not the way you are using it. Think of it as three networks. The internet, the DMZ and your internal network. Your internal network is for all your private information. Computers share files with each other, printers print your documents, etc. They don't publish any information into the DMZ or internet, but they may request information from those two networks. Any attempts to connect "in" from outside should be denied by the internal network firewall because there is never a need for anyone to connect in to the private network. Connections out are allowed.

                The DMZ sits in the middle. It should contain whatever you want to publish onto the internet. Maybe you have a web site, or a camera you want to view from outside. The DMZ is between two firewalls. One to the internal network, and one to the internet. I covered the internal firewall above, it only allows connections in one direction. The firewall facing the internet should allow connections in to the DMZ, but the rules should be very specific to only expose the services that you want to publish from the DMZ. So let's say you had a web server that queried a database server in the DMZ. You would allow HTTP and HTTPS connections to the web server in the DMZ, but you wouldn't allow any connections to the database server. This will protect the database server to some extent.

                Now if an attacker can compromise the web server, they will be "in" your DMZ and will still get stuff off the database server. The damage is limited though because they can't connect in to your internal network (remember that firewall rejects all attempts to connect in). There are ways for them to go further, but it's much harder. They would need to compromise the firewall (not likely if properly set up), or somehow trick someone in the internal network to initiate an outbound connection (more likely). They might send a phishing email that executes an application on your computer which sends data out to them for example.

                The two firewalls do not have to be physically separate devices. Good firewalls allow you to create a DMZ with separate rules for each network interface. Consumer-level firewalls sometimes allow you to create a virtual DMZ (don't know if that's what they call it). They don't have a physically separate network, it's just firewall rules for a computer on the internal network. I don't like that idea at all.


                Originally posted by J Tiers
                Since we did not want to change our system, when the ISP provided a router, we put our existing Cisco wireless behind it, and do not use the ISP wireless (it is not even turned on).
                It sounds like you have the phone line running into your Cisco router, in which case your ISP router is not really part of the network.

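The three-network layout in this post (internet, DMZ, internal; nothing connects into internal, only the published web service is reachable from outside, the database server is not), modelled as a small stateful packet filter. This is an added example, not code from the post; the subnets, the web and database server addresses and the rule list are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (not from the post): one subnet per zone;
# any address outside these two subnets is treated as the internet.
ZONES = {"internal": ip_network("192.168.1.0/24"),
         "dmz": ip_network("192.168.100.0/24")}
WEB_SERVER, DB_SERVER = "192.168.100.10", "192.168.100.20"

def zone_of(addr):
    """Return the zone name for an address."""
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

# Rules for NEW connections: (from_zone, to_zone, dst_host, dst_port); None = any.
# Anything not listed is dropped: nothing may connect *into* internal (so a
# compromised DMZ host gets no further), and from the internet only the
# published web service is reachable, never the database server.
ALLOW_NEW = [
    ("internal", "dmz", None, None),        # private hosts may request from the DMZ
    ("internal", "internet", None, None),   # ...and from the internet (outbound only)
    ("internet", "dmz", WEB_SERVER, 80),
    ("internet", "dmz", WEB_SERVER, 443),
]

class ZoneFirewall:
    def __init__(self):
        self.established = set()  # (src, sport, dst, dport) of accepted connections

    def filter(self, src, sport, dst, dport, new=True):
        """Decide one packet: 'allow' or 'drop'. new=False marks a reply packet,
        which is allowed only if it belongs to a connection accepted earlier."""
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            # Same segment: the traffic never crosses a firewall, which is why an
            # attacker on the web server can still reach the database server.
            return "allow"
        if not new:
            return "allow" if (dst, dport, src, sport) in self.established else "drop"
        for from_zone, to_zone, host, port in ALLOW_NEW:
            if ((from_zone, to_zone) == (src_zone, dst_zone)
                    and host in (None, dst) and port in (None, dport)):
                self.established.add((src, sport, dst, dport))
                return "allow"
        return "drop"
```

The one thing the rules cannot stop is the post's last point: a connection that an internal host opens outbound is allowed, and so are its replies, which is exactly the path a phishing-delivered program would use.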


                • #38
                  Originally posted by J Tiers
                  Does it confer any added security to have your own router behind the one the ISP provides as someone suggested above?

                  Since we did not want to change our system, when the ISP provided a router, we put our existing Cisco wireless behind it, and do not use the ISP wireless (it is not even turned on).
                  Using two routers does add some security, but it also can cause problems with any service that connects back from "the internet" to your computer or other devices in your home.

                  Over the years, a number of ISP-provided modems/routers have been compromised, in particular because the ISP programmed them to use an easy to determine password, as well as a number of basic vulnerabilities.

                  I always disable the ISP router and use my own. You may have to phone the ISP to get them to completely disable it.



                  • #39
                    I use the multiple firewall technique too. The extra security comes from the idea that it will take multiple exploits to get to the internal network. This helps when the ISP's modem is mis-configured.

                    Unfortunately, many modems, cameras, etc use a software base that can be exploited to make the device a source of attack against the internal firewall.

                    Dan
                    At the end of the project, there is a profound difference between spare parts and left over parts.

                    Location: SF East Bay.
