How to Protect IP Camera Network - Separate VLAN/Isolated LAN?

Hi there,

I am looking to setup a basic surveillance system for my home. I am gonna be running two Imou 'Bullet Lites' Wi-Fi IP cameras in this configuration: IP Cam -> TP-Link PoE Splitter -> TP-Link PoE switch -> ASUS DSL-AC68R. I also plan to use a spare PC I have lying around for it to be a dedicated 'NVR' PC running Blue Iris.

I already understand how to securely access the cameras remotely via OpenVPN which my router natively supports but what I want to find out is how can I secure the surveillance network at home. Do I simply block all the IP cameras from accessing the internet and only use the Blue Iris server? Is there a way I can make an isolated VLAN network for these cameras? (router does not support VLAN it seems).

If I somehow restrict the internet access to these cameras, is it possible for them to still use NTP so the timestamps can still be synced?

I appreciate any answers as you can tell I am quite confused.

TIA!

Comments

  • +4

    Wouldn't Step 1 be not buying Chinese cameras made by a partially state owned company?

    https://en.wikipedia.org/wiki/Dahua_Technology

    Particularly one that specialises in being a "cloud video capability provider and service provider".

    Edit: Not to mention previous cybersecurity breaches…

    In September 2016 … Nearly one million Dahua devices were infected with the BASHLITE malware. A vulnerability in most of Dahua's cameras allowed "anyone to take full control of the devices' underlying Linux operating system just by typing a random username with too many characters."

    In March 2017 a backdoor into many Dahua cameras and DVRs was discovered by security researchers working for a Fortune 500 company. The vulnerability had been activated on cameras within the Fortune 500 company's network, and the data trafficked to China through the company's firewall.

    It gets even worse…

    Dahua has played a role in the mass surveillance of Uyghurs in Xinjiang. In October 2019, the U.S. government placed Dahua on the Bureau of Industry and Security's Entity List for its role in surveillance of Uyghurs in Xinjiang and of other ethnic and religious minorities in China.
    In November 2020, after security researchers identified facial identification software code with designations by ethnicity, Dahua removed the code in question from GitHub.

    • +1

      In November 2020, after security researchers identified facial identification software code with designations by ethnicity, Dahua removed the code in question from GitHub.

      I must admit the facial recognition in their cameras is excellent.

    • +4

      Particularly one that specialises in being a "cloud video capability provider and service provider".

      OP is not interested in anything cloud. OP is setting up a local CCTV server.

      Edit: Not to mention previous cybersecurity breaches…

      If we were to avoid any company that has experienced a security breach, we wouldn't be able to do much online.
      We'd have to avoid Netgear, Ubiquiti, Cisco, D-Link, Axis, and really, a huge number of other companies.

      In September 2016 … Nearly one million Dahua devices were infected with the BASHLITE malware.

      Is that a mistaken quote? If you read the original disclosure article, it says a majority of the 1 million devices they observed were generic DVRs, and DVRs by Dahua. They said more than one million of these two types of devices are accessible on the internet - not "one million Dahua DVRs were infected with the malware".

      Bashlite and its variants also infected Belkin WeMo, Netgear routers, D-Link routers, Grandstream and DrayTek devices, SonicWall, amongst others. Going by your reasoning, we should avoid all those brands too.

      In March 2017 a backdoor into many Dahua cameras and DVRs was discovered by security researchers working for a Fortune 500 company. The vulnerability had been activated on cameras within the Fortune 500 company's network, and the data trafficked to China through the company's firewall.

      There isn't enough detail on this to confirm that. You can read the original report here.

      Refirm does not think it's a result of an error or poor programming practice, but to me the "backdoor" does look like really sloppy coding practices - it's a hardcoded password (username dahua, password dahua) that allows for the firmware to be upgraded without the admin password. It looks like a programmer finished the firmware at 4am the day before the device is meant to ship and forgot to remove a test routine. The main point is that camera did not ship with firmware that sent data through the company's firewall. But when people (or Wikipedia) report on it, it's more exciting to claim that Dahua cameras were sending "data" to unknown addresses in China. :)

      I'd be more concerned about the poor network management in that Fortune 500 company. Why would a CCTV camera on their network be accessible from the internet for any unauthorised firmware to be installed in the first place? And why did their firewall allow data from the CCTV VLAN to be sent out to the internet?

      Dahua has played a role in the mass surveillance of Uyghurs in Xinjiang.

      That has nothing to do with security, but is a legit reason to avoid Dahua if that matters to OP.

  • Not massively clued up on surveillance systems and networking, but can't you just set up a firewall on your network?

  • +3

    Separate VLAN for cameras would probably be the most painfree setup. Could get a cheap managed switch to do the job.

    Basically the spare PC you have would sit on two VLANs - the 'internet' VLAN (or a separate port) and the camera VLAN, and act as the middleman for NTP, camera feeds etc.

  • +1

    Replace the DSL-AC68R's firmware with Merlin's WRT build - based on the ASUS core firmware. Merlin updates his builds regularly. I have used his builds for over a decade on an old RT-N66U, and most recently on an AC-RT3200 for the past five years.

    Merlin's firmware will give you very granular control of your router that you just don't get with the default factory firmware. For your needs it will let you create VLANs, and it also has OpenVPN built right in.

    https://www.asuswrt-merlin.net/

    Have fun!

    • +1

      If you are using the DSL- part of the DSL-AC68R then please double-check compatibility with 3rd party firmware. When I last looked into it last year, you can technically flash the firmware but the DSL componentry is completely disabled. You would need to use another device for internet access.

      • +1

        Very true, although he's already confirmed he has FTTP, so not using the ADSL modem :)

  • Just don't put any Cameras inside of your house.

    • it's not about some chinese amateur sneeking into your bedroom and livestream your romantic Saturday night to the world but the issue of using the camera as the gateway to get into your computer and data within your network.

      • Well where do you draw the line. I probably have 30+ wifi devices in my house.
        90% of them are from some doggy brands.
        And my phone is huawei.

        Out of the all the devices I got, I found out my Australian own/made device send my wifi password to their server unencrypted?

        camera as the gateway to get into your computer and data within your network

        Sure, chinese gov. I'm sure they have much easier methods of doing dodgy things.

  • +4

    Also in support of Hybroid's comments, I would keep the cameras on a separate VLAN, with your old PC NVR, and do not let the VLAN communicate with your primary LAN.

    Depending on the config of your old PC, you could look to a multi-port NIC, put XCP-NG (open source version hypervisor based on the Citrix Xen hypervisor core) on it, create a VM to run pfSense, so you can firewall all your traffic, and a VM for your NVR.

    The just use your DSL-ACAC68R for DSL connectivity to the internet - assuming that's why you have a DSL modem/router, and also run it in bridge mode so it just serves WiFi, and your pfSense VM can handle all your routing, VLANs and firewall settings.

    • Thanks for the advise. I have FFTP so I'm just using the AC68R as a router. As you mentioned above, I think using the Merlin firmware would be the easiest way to setup an isolated VLAN? As for NTP requests for the cameras, do I make an exception in the networks firewall to still allow the cameras to sync their times?

      I eventually plan to buy a PoE NVR so I believe going with the multi-port NIC route wouldn't be needed? It does seem like a more complex method too, which I am happy to pursue but if there's an easier way I'll take it.

      • +2

        You can just allow the cameras outbound access to TCP and UDP ports 123. Outbound only. Don't allow any inbound to any ports.

        • Cheers

        • Or set up your server as an ntp server, so the cameras can sync off that. Therefore, no camera will have direct internet access.

  • +1

    I have similar setup (DSL-68U, Blue Iris etc) and use the excellent Gnut0n version of Merlin which works great and fully supports DSL, then I use their Skynet script to configure the cameras as IOT devices and blacklist their internet access. Everything has worked flawlessly for years including external access via Openvpn, which I think may get broken if you switch to Vlans. Big initial leaning curve, with very little ongoing maintenance afterwards, and recently added a new camera which was a snap.

    • Sounds good, I was just going to flash the normal RT-AC68u build which i just realise would probably brick it. Could you tell me you how I would go about configuring the Skynet scripts?

  • In the ASUS firmware isnt there an option to block internet access per device?

    I use the Merlin firmware and do this for my cameras but I think its in the ASUS firmware as well.

  • +2

    If you don't want to deal with VLANs, you can plug in another network card into your Blue Iris server and configure it with a different IP range, and plug it into a dedicated switch just for your cameras. That way the cameras are totally on their own network with no internet access in or out as they only have to talk to Blue Iris. You then access Blue Iris the usual way through the other network card, which can even just be a USB NIC.

    You can run an NTP (and/or DHCP server) on the Blue Iris server if you need those. Wouldn't it be better to let BlueIris handle the timestamps though?

    • I think this is the best and simplest way if you can run additional ethernet.

      I couldn't do it this way because I had to get cameras and trusted devices bridged over one CAT6 wire, so had to use VLAN. There was also only one CAT6 to my Blue Iris PC, but luckily my motherboard had an Intel NIC which supports multiple VLANs via virtual NICs.

    • +1

      Thanks to you and M8y I've decided just to go with the dual NIC route which seems the most easiest way to setup. I've researched everything required to set it up so hopefully once the cameras come the process should be relatively straight forward.

      The only real problem I can forsee is the fact that I dont think there is a web GUI for the cameras so I'll have to change settings via the app which connects to the cameras via Wi-Fi.

      • +1

        Decided it would be easiest to just return the Imou cameras and the splitters and just get a Poe Relink RLC-410.

  • +1

    Wi-Fi IP cameras in this configuration: IP Cam -> TP-Link PoE Splitter -> TP-Link PoE switch -> ASUS DSL-AC68R

    I don't get why you need POE for Wi-Fi IP cameras.

    • +1

      Still need to power them to work hence PoE.

      • Oh right, I do the same for my Wi-Fi doorbell, but only because no one has released a decent/affordable POE doorbell.

        As you already have the wiring I would strongly encourage you to use POE cameras as they are rock solid compared to Wi-Fi cameras. If you're lucky you might be OK with 2 Wi-Fi cameras indoors, but if you want to expand it or mount the cameras outside, where they have to get a signal through bricks, flashing and/or roof tiles you will most likely have reliability problems, and end up spending more money on Wi-Fi meshes/extenders/repeaters.

    • I was confused by the PoE splitter, since the switch was PoE…

      wait, NVM. PoE splitter is probably pulling the PoE out to wire separately.

      • Yep, they're non PoE cams so had to use a splitter.

  • -3

    First off. Ditch TP-Link and Dahua. Don't buy anything from the CCP. There's a reason why the US bans their equipment (Dahua) and why the Australian government won't use their gear. Buy something proper from Ubiquiti, Samsung or Bosch. Last thing you want is some creep spying on you via web crawlers or having a backdoor to your network.

Login or Join to leave a comment