Beware of IP Cams running an out of date version of embedded linux as their NTP client may be a security risk, I have also come across at least one such device that also changed back the IP address of the NTP server so that it stayed pointed at a PLA controlled server in mainland China. Yep, it would let you change the value, but when you checked it later it was reset to the original value! Can you see how that backdoor works? Seriously if you can afford it don't touch anything coming out of China.

0:52 1:02

Good to hear you got it working.

Statistically unlikely but these rules work for that as well. And while they would have access to the Synology, they would also have knowledge of some flaw to get into the Synology and exploit that flaw before someone noticed the camera being off.

they have to record the footage somewhere so they need some form of access to the NAS or the recording server.

@@LAWRENCESYSTEMS I know we are going up high on the "statistically unlikely" ladder but ethernet (and fiber) taps exist (and you can DYI one with a small managed switch) so they would not need to disconnect the camera for long to get semi-permanent access to the network

@@marcogenovesi8570 on the NVR, you log in at the cameras. The cameras don't log in at the NVR.

@@marcogenovesi8570 You could setup Port Security and only allow access to specific MAC addresses for your cameras and other devices.

Do a network scan to gather inventory then move to different VLAN/LAN/WLAN and scan the networks to confirm migrated network inventory and check off what's been moved.

@@benargee Great tip, thanks!

@@ShaneL295 yeah for sure. Definitely also helps to catalogue MAC addresses and hostnames.

Ugh, same here. Boo, hiss 👎🏻

Yes it does :)

or any firewall really for that matter.

You're welcome

It blocks any RFC1918 matching address destinations requested from the Synology.

@@LAWRENCESYSTEMS That's not how I understand it though. An allow rule with a inverted alias is going to ALLOW everything OTHER than the alias, it's not blocking anything it's allowing something. It's why I use this exact rule to allow internet access on my subnets. But the default deny in pfSense is what is BLOCKING RFC1918 since there are no allow rules for RFC1918. Basically, if the rule wasn't there, it'd still be blocked anyway. Or am I misunderstanding something? According to Netgates documents, an inverted match will match all traffic EXCEPT what is in the value to trigger the rule, so this I guess IMO this shouldn't be stated as a rule to block RFC1918 because the rule is NOT doing that, this rule wouldn't be triggered by RFC1918 traffic.

I am inverting the destination to make sure it's not going to a local network

@@LAWRENCESYSTEMS right but it's the default deny rule that would actually deny anything going to an internal network. Since this rule is a pass rule with inverted RFC1918. What I'm getting at is this rule isn't the rule that prevents local destinations. This rule just allows external destinations. The rule wouldn't be matched in pfsense for a local destination since this rule ONLY matches for the inverse of that which would be external. Point is creating this rule allows the default deny rule to block internal networks it it's not the rule actually doing it since a given packet wouldn't be matched to it. Point being if, for example purposes, a allow any destination rule was below this, then local networks would still be accessible by the synology since the above rule isn't matched with a packet that has an internal (RFC1918) destination. I guess it's all just wording that's bugging me since the description of the rule is block local access but this rule doesn't actually do that. I personally use the same rule but just label it "allow internet access" since the default deny is what prevents local access to other subnets.

I have an "Allow ALL" rule on my trusted network.

This particular model only has one, but for most of our business installs we use larger units that have more than one and set it up that way.

I would not recommend exposing camera ports no they're not encrypted most of the time

@@LAWRENCESYSTEMS brilliant thanks for the response! Much appreciated have a good day Tom

it works

Thanks!

Glad to help!

There are other brands such as Bosch, Axis, etc.., but they are all substantially more expensive.

@@LAWRENCESYSTEMS I agree and perhaps I should have expanded on my comment - as they have the level of security and redundancy that satisfies the government stipulations. It has for me (at least) worth knowing about them to aid in pre-sales as well as support of IT installations that have them as we have had service calls to get office PCs running the client app where the knowledge of the Controllers, Storage & Cameras were very helpful. The clients we came across using bosch were shopping centers and sporting clubs & stadiums so it's not all government and correctional facilities. What I found interesting however is the last two types of installations would use transparent conduit so the cables could be visually inspected for interference.

One for the cameras one for the internet access. kzbin.info/www/bejne/d2KsYp5vg8inY6M

I have never used frigate, but yes that sounds like it would be the way to go.

Yes. Your BlueIris computer should be on a dedicated PC without internet or LAN access. Running it on the same computer as your Plex machine is not very secure because you have to grant access to both the internet and the rest of your LAN network for the Plex related functions.

These are good kit.co/lawrencesystems/nvr-surveillance-systems/5592146-amcrest-ultrahd-4k-8

The Chinese company Dahua owns Lorex.

@@LAWRENCESYSTEMS Wow! Whatever happened to manufacturing in America! As it stands, there's not a single, decent Network CCTV system made in America???

I would not use a Reolink or Amcrest branded NVR.

Network traffic can be separated, but both networks have physical access to the DS itself. So that is the week point.

The bigger issues is that if you had the system publiclly expose and a flaw was found in the software that flaw might compromise the entire system.

I have the DS920 and pfSense as well and vlaned them out. Anytime there is a commonality there is an not well understood risk. I only view one camera through OpenVPN which was slow but usable. It appears that the internet has been upgraded and speed have been much better.

Depending on what model Cisco you have you could create the rules there to block the cameras.

@@LAWRENCESYSTEMS I was kinda hopeful I could. It's a Cisco 2960 POE I believe. A bit older but I got it for free. The "NEW" tp-link unit came and POE didn't work. Got to send it back.

So how do u remote check your camera's?

You could also just run your own ntp server...

Or create a firewall rule specifically allowing access to your public ntp server of choice

@@jonneymendoza i have no need to , but if i needed too then i would just switch my switch on and leave it , but 99% of the time i dont need to remotely use it

@@firefon326 true true but i like the idea that my switch is hardwired and not hackable

I don't really know what is for sale in the EU market.

Without a gateway set, they won't know where to send packets when you connect to them...which you will undoubtedly need to do.

Removing the gateway breaks the ability to manage them from other networks.

Someone took a routing 101 course Tom! In all seriousness A.G. gateway/router is needed as devices are 2-way communicators. If it was just a sensor and you pointed the reader at it directly that would work.

Yes

Correct, and we don't use cameras on the ban list for gov jobs and neither should anyone else.

diagrams . net kzbin.info/www/bejne/o6GpYpxvqMt4gJI

Agree on the NTP part, having date & time correct on all the devices is crucial to proper security setups as it makes it easier to track a security event that involves multiple cameras. My camera network actually allows DNS because it does not use a local (in the same subnet) NTP server, but traffic other than NTP and DNS is blocked.

My reply and then I read yours. Basically we agree. "The question is why bother with these Chinese cameras??? The only way I would even remotely trust them is to air gap them. At that point there is no point. Listen. I barely trust the couple camera companies that are US company owned. Cameras are a 100% two-way street for security and non-security."

@@DJaquithFL I think it mostly comes down to cost. Companies don't care if their cameras are sending data back to china or the vendor is possibly involved in human rights violations, because they're exceptionally cheap and high performance. Why consider us-owned-but-chinese-manufactured cameras when you can go right to the ODM and save money, and then make it the security team's problem to deal with.

This isn't a discussion. Clear it is a know-it-all leaving a perceived "pro-tip"... no sense in replying and wasting your time friends

Yes on all points. Lock it down.

You can get traffic out inside DNS and NTP requests

@@dfgdfg_ the DNS and NTP run on the pfSense-box, so no. The cameras do not have access to internet at all, so there is no way for them to get anything out.

@@WereCatf Is it possible to have them with zero internet access but still view via mobile app?

@@Fryn_Hayn Depends. If the mobile app uses a direct RTSP-connection to the cameras' feeds, then yes, and if you need to access the feeds from outside your LAN, you'd need to be using a VPN into your home or you'd need a proper NVR-solution.

@@WereCatf Is there a way I could message you regarding a couple more questions I have? If not its all good you just sound like a helpful source.

I'm pretty sure Tom knows what he's doing 😂😂😂😂 incel

Simply not port forwarding a NVR in itself provides a lot of security, it stops random bots on the internet from probing your NVR. When Lawrence is saying "Use a different subnet" he means a different VLAN, VLANs are by default completely isolated to each other. You can open up ports between VLANs as needed but in general attack surface is dramatically reduced when you use a seperate VLAN and not port forward the NVR to the internet.

I had the same thought. On my home network I have a PC running Blue Iris on one VLAN. It is port forwarded for remote access (not the most secure but I accept the risk). The Blue Iris network cannot access the internet besides NTP as the PC does not need internet access outside of routine maintenance and patching. The cameras are on another VLAN that has no rules (deny all). The setup works just fine and I have the peace of mind that the cameras, if one does somehow go rogue, can't get anywhere.

"Simply sniff the network to find what other subnets are around" that is not going to work when you have a proper setup with the rules setup as I did in the video and a separate VLAN or physical network setup.

He didn't show it but imho it's implied (as it's industry standard) that the subnets are on different vlans, set on a VLAN-aware managed switch, not on the untrusted devices so they can't just reconfigure their network to escape the sandbox. Decent managed switches allow you to limit the interfaces or VLANs they show the management interface on, so the cameras are unable to talk to the switch either.

why does it need to be connected to wifi

@@marcogenovesi8570 it only has one button but about 100 features, you need the app to control it

Comes down to price and most people don't want to buy the more expensive ones. I don't trust them and locking them down as I did in this video means I don't have to.

Because the "US designed" expensive ones aren't better as far as security goes so why paying more if you have to sandbox them anyway. I've seen enough presentations from hacking experts in yearly hacking events (available also on youtube), all IOT is an absolute dumpster fire and cannot be trusted

@@marcogenovesi8570 .. Meanwhile, by Chinese law, all of your data gets routed right back to China regardless of your laughable settings. So the question is would you rather deal with somebody that has some laws that are available to protect you .. or would you rather be 100% SOL with China and the Chinese legal system?

@@DJaquithFL Pfft yeah because US law doesn't allow thre-letters to tap whatever they want. The only laws that can protect me from spying are the laws of networking.

@@marcogenovesi8570 .. The mere fact that you believe that any networking protects you is humorous.