In part 1 of “How to secure your Network Video Security system”, we covered Peer-to-Peer (P2P) and Geolocation restrictions. In addition to those important methods, there are more features to take advantage of that can improve overall security.
Disabling Unneeded Services
IP devices as well as online PC servers support many services and protocols. Most of these are designed to simplify access, enable different configurations, or enhance interoperability with 3rd party devices and remote applications. For example, CGI and ONVIF are protocols that allow IP cameras to be easily added to a recorder. The “Device discovery” feature allows the NVR to be detectable on the network, which simplifies set-up procedures when using the Dahua Config tool software. All of these services offer increased convenience — but if you are not planning to use those features, it is best practice to turn them off and reduce your online exposure. For example, if you are using the same brand IP camera as your NVR, there’s no need to support the ONVIF protocol and you can switch it off with no loss in convenience. The logic here is simple: don’t leave doors and ports open that you don’t need to.
Enable Secure Communication Features
SSH is the most widely used protocol for encrypted connections to most network services. Enabling Digest Authentication allows the host web service to negotiate credentials with a user’s web browser, confirming the identity of the user before it replies. Unlike basic authentication, digest authentication does not require the password to be transmitted in clear text, and thus minimizes exposure of the user’s credentials.
However, Digest authentication only protects the authentication credentials. SSL goes one step further and encrypts everything in the page. SSL will be somewhat less efficient as a result, but has the advantage that it can allow parties to verify one another’s identities, if they use trusted certificates. Think of this as two-way verification, so that both parties know that both are who they say they are.
Most Dahua NVRs support the use of CA (Certificate Authority) certificates, which verify to the client user that they are indeed connected to the host they intended to reach.
Advanced Firewall Options
A common way for an attacker to bring down a website (or any device with a web host) is to launch a DoS attack. A Denial of Service attack can flood the host device with SYN messages or ICMP packets, which could render it unresponsive to legitimate connections. The common term DDoS stands for a ‘distributed’ denial of service attack, where the flood of (illegitimate) requests usually comes from a network of hijacked computers (a botnet) remotely controlled by a hacker.
Some NVRs have protection from SYN or ICMP Flood attacks. Enabling this protection will use special filtering to mitigate that attack technique.
A/V Encryption enables the NVR to accept encrypted audio and video streams from a compatible IP camera. Alternatively, you can enable RTSP over TLS if available. The Real Time Streaming Protocol (RTSP) is used to deliver A/V streams to most devices. Enabling RTSP over TLS allows the stream to be encrypted before transmission.
Both of these methods help prevent eavesdropping on the video feed, if other methods of denying unauthorized access have somehow been circumvented.
In conclusion, there are many advanced security methods that were once exclusive to advanced firewall devices. By investing a little extra time during setup and making the choices that are best suited to your particular situation, you can better protect against unauthorized access while ensuring reliable availability for the uses you intend to support.
The best defense is a layered, adaptive defense that is at the same time nearly invisible to legitimate users. Dahua technology helps you customize your devices and software to that end.