bradyboyy88

Securing IP Cameras!


I currently installed 2 Hikvision DS-2CD2132-I IP cameras on my home network, which has a Cisco E3000 router. I am trying to make the cameras accessible outside the network to a cell phone. From what I have read I need to forward ports 80, 554, 8200, and 8000. After more reading I have read about cameras being hacked, which can threaten the entire network. So what I did was disable remote control capabilities and UPnP. Now what I was hoping I could get help with is how to separate my home network from my IP camera network without requiring additional hardware. Is there some way of doing this via NAT, different subnets, etc.? If the cameras were ever compromised I would want to make sure that that network can't compromise the one with all the computers on it.

 

Any help would be awesome, because just because I have heard of these ideas doesn't mean I am familiar with them, and simple googling doesn't seem to be helping me, haha.

 

Thanks as usual!


Not much you can do with the equipment you have.

 

With a managed switch/business class router you could create a VLAN for the cams and control access between the 'cam vlan' and your main network. I prefer ZyXEL switches and the ZyWALL routers are great, but you need some networking knowledge or it will be very frustrating to use any 'business class' equip.


Probably the best thing you could do with what you have is to use non-standard ports on the outside. Port 80, for example, is a common port that script kiddies would be scanning for. At minimum I would set up port forwarding in your router to forward (for example) external port 21080 to internal port 80. Then you would connect to the cam using (example) from the outside.


Thanks for both of the replies. Yeah, I definitely need to change the outside port. I couldn't find a setting for external and internal port. The only thing I saw was forwarding port xxxx to whatever LAN IP address, hence I had set the port forward to 8080 for SDK, so I had to change the cameras to 8080 on the camera SDK instead of the usual 8000. I will have to check again for this because someone else mentioned that to me. If you do it the way you say, gb5102, can the ports on the cameras themselves be the same as the factory settings? Such as both cameras still have ports 80, 554, 8000, 443 but the ports on the outside will just be assigned differently for each camera, hence the router knows which device it goes to despite them having the same internal port? Sorry if that's worded funny, but let me know if you get what I am saying haha

 

As for the VLAN, I was thinking about loading DD-WRT onto the router (which supposedly can turn a cheesy 50 dollar router into a business class one due to its interface) and going from there, but my network knowledge is not as good as it should be so hopefully it will go smoothly lol.


No experience with those cams, but looking at the camera manual it sounds like if you set the Protocol to HTTP under the Local Configuration > Live View Parameters menu then you will only need to forward the single HTTP port (default is port 80).

 

If the above does in fact work, then you can leave the cams set to default port 80, and use a different outside port which directs to the correct 'inside' port and 'inside' IP address. So you would then connect by opening a web browser and navigating to or whatever...

 

According to the manual, the E3000 router has configuration options for external port and internal port, so this should work. Page 34:

http://downloads.linksys.com/downloads/userguide/Linksys_E3000_UG_USA_V10_NC-WEB.pdf


Sorry for never responding. Thank you and you were right! I have set up the external ports as non standard and kept the internal as the usual!


bradyboyy88,

Your initial post asked,

"Now what I was hoping I could get help with is how to separate my home network from my ip camera network without requiring additional hardware."

 

Did you actually wish to isolate the cameras from your home network? Because while your solution makes the cameras accessible over the net it does not provide any isolation of the cameras from your local network. I ask because many people seemed to be concerned by the recent disclosure of bad actors such as the LG "smart TVs" which have been caught shipping local network data overseas.

 

To actually isolate them you would want them on their own switch and put a cheap firewall router between them and your net (the cameras' network switch would be plugged into the router's WAN port). Effectively you would be masquerading all local network requests out to the cameras, so your local access to them would be unaffected. It will make it a two-step process to route from the internet into them. So it is a more complicated setup.

 

Steve

 

P.S. Many people have old WiFi firewall routers sitting around that are slow but can be re-purposed to do the job. Just turn off the WiFi so that it does not interfere with your current rig and just use the firewall/router part. These can also be had on eBay for cheap.


For the phone you actually don't need the HTTP port opened, just do the server and RTSP port.

 

Changing ports and passwords helps a lot, and so does opening as few ports as possible.

 

If you use the software that came on the CD with the camera on the PC to connect, then you also don't need the HTTP port; not allowing browser access will secure it even more.


There are three different ways I'd approach the problem of isolating the cameras, all with different price points.

 

Most expensive:

Get a router that does VLANs and more complicated routing. You can find used business-class equipment like the Netgear FVS318N on craigslist pretty cheap, but otherwise, you're looking at ~$150

 

Second-most expensive (and maybe not less by much)

Get a router that has a DMZ that does NOT allow DMZ traffic onto the local lan. Then your cameras are fully exposed, but your LAN is completely safe. Unfortunately, these routers are typically in the same class as those that can do vlans, so the cost will be nearly the same.

 

Cheapie route:

Use a second cheap router to create a 'double-nat'. The second router would be behind the first (wan of second into lan of first, cameras in first). This will allow your cameras to be accessed from outside, but that's it (unless you add additional forwarding to your lan which sits on the second router). Your lan will have access to the cameras because they will be treated like 'wan' addresses. This is probably the cheapest and easiest. Cheap second router ~$20-25 at walmart, and nothing new to learn about vlans, dmz, etc.

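
Whichever of the three layouts above you pick (VLAN, locked-down DMZ, or double-NAT), the property to verify is the same: from the camera side of the boundary, nothing on the main LAN should answer a TCP connection. The check below is an added example, not code from the thread or from any camera vendor; run it from a host plugged into the camera segment (a laptop on the cameras' switch) against your LAN addresses. The addresses and ports in the `__main__` section are constructed placeholders, and the two local-listener helpers exist only so the script can be exercised offline on a single machine. Run from outside against your public address, the same script confirms that only the forwarded external ports respond.

```python
"""Segmentation check: try to open TCP connections from this host to a list
of (host, port) targets and report which ones answer.

Added example. Run it from the camera segment against LAN hosts: on a
correctly isolated segment, leaks() is empty. Target addresses below are
constructed placeholders, not taken from the original thread.
"""
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. the target is
    routable from here and something is listening. Refused, timed out,
    unreachable and no-route all count as 'blocked' for our purposes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(targets, timeout: float = 1.0) -> dict:
    """Probe every (host, port) pair in parallel.
    Returns {(host, port): reachable_bool}."""
    targets = list(targets)
    workers = min(32, max(1, len(targets)))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = pool.map(lambda t: tcp_open(t[0], t[1], timeout), targets)
        return dict(zip(targets, hits))


def leaks(results: dict) -> list:
    """Targets that answered. From the camera side of a VLAN/DMZ/double-NAT
    boundary this list should be empty; anything in it is a hole."""
    return sorted(k for k, v in results.items() if v)


# --- offline helpers so the check can be exercised on one machine ---------

def start_local_listener():
    """Open a listening socket on 127.0.0.1 on a free port; returns (sock, port).
    Stands in for a 'reachable LAN host'. Caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_local_port() -> int:
    """Bind-then-release a port so we have one that is almost certainly closed.
    Stands in for a 'blocked LAN host'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Constructed sample targets: typical LAN services a compromised camera
    # would go after. Replace with your own LAN addresses.
    LAN_HOSTS = ["192.168.1.10", "192.168.1.11"]
    PORTS = [22, 80, 139, 445, 3389]
    res = check_isolation(((h, p) for h in LAN_HOSTS for p in PORTS), timeout=1.0)
    for (h, p), ok in sorted(res.items()):
        print(f"{h}:{p:<5} {'REACHABLE' if ok else 'blocked'}")
    print("isolation", "FAILED" if leaks(res) else "OK")
```

A firewall that silently drops packets makes each probe wait the full timeout, so keep the timeout short and the target list small; a refused connection returns immediately. The check only proves what answers right now, so re-run it after any change to port forwards or router firmware.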
> Probably the best thing you could do with what you have is to use non-standard ports on the outside. Port 80, for example, is a common port that script kiddies would be scanning for. At minimum I would set up port forwarding in your router to forward (for example) external port 21080 to internal port 80.

 

Doesn't help. Script kiddies doing port scans will usually scan more than just port 80. My web server ports are up in the high end of the range, and I still see script-kiddie probes every night in my logwatch reports.

 

A better option would be to enable as much security on incoming connections as possible. Digest authentication is a good start; requiring all connections to use HTTPS and validating the client-side certificates is even better.

