madmandare

System Security and Remote Access


Hi,

I have an 8-channel 1080p Hikvision system that is currently connected to my network and the internet.

The DVR has its own password and the stream is encrypted with an encryption key, so effectively 2 passwords are required to remote view using an App or another computer. My router also has a firewall/password and my computer has a good quality firewall and long password.

However, I am still paranoid that other people might be able to remote view my feeds etc.

Is there anything else that I can do to make my network / system secure?

OR is what I have enough and I'm just being silly?

Cheers


Any time you allow Internet access to anything the threat level goes from "very little" to "a lot," regardless of what you try to do to mitigate it.

For starters: Login access to your router from the Internet should be entirely prohibited.  Period.

Incoming connections should be on a "that which is not explicitly allowed is denied" basis.  Proper, explicit port-forwarding rules should see to that.

Default accounts should be disabled.  Or at least have passwords or pass phrases so incredibly long and complicated they might as well be.

If login access has any "break in attempt" detection, that can temporarily blacklist source addresses that get an account i.d. and/or password wrong "X number of times in time T," that will tend to slow attackers down so badly the likelihood of success is vanishingly low.

Regarding LAN security: It's wise, when possible, to use VLANs and isolate IoT devices to their own VLANs.  Also: If IoT devices do not need access to the Internet (e.g.: cameras talking to a local NVR have no need to swap spit with anything on the Internet, other than to occasionally check for firmware updates), they should be prohibited from doing so, either by putting them on their own network segments, using VLANs that don't have access to the Internet gateway, or by blocking them at the gateway.  (VLANs enforced by managed Ethernet switches are more secure than border-router blocking.  Separate LANs, isolated with internal routers are even more secure.)

Lastly: You have to put it in perspective.  Unless you're a bank, government entity or some other high-value target: Odds are anybody taking a shot at you is just what we call "knob-twisting" in the I.T. security field.  They'll get in if they can, but it's unlikely anybody will mount a concerted attack against you.

You're probably at greater risk from what you receive in email and what you browse with your web browser than you are with your NVR and cameras.

  • Thanks 1
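
The "X number of times in time T" lockout described in the reply above, as an added example that is not part of the original thread or any vendor's firmware. The thresholds (3 failures in 60 seconds, 10-minute ban), the log format and the class and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log (timestamp, source address, result); not from a real device.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 FAIL
2024-01-01T10:00:10 203.0.113.7 FAIL
2024-01-01T10:00:15 198.51.100.4 FAIL
2024-01-01T10:00:20 203.0.113.7 FAIL
2024-01-01T10:00:30 203.0.113.7 OK
2024-01-01T10:05:00 198.51.100.4 OK
2024-01-01T10:10:21 203.0.113.7 OK
"""

class LoginThrottle:
    """Ban a source after max_failures failed logins inside a sliding window."""

    def __init__(self, max_failures=3, window=timedelta(seconds=60),
                 ban=timedelta(minutes=10)):
        self.max_failures, self.window, self.ban = max_failures, window, ban
        self.failures = defaultdict(deque)   # source -> recent failure times
        self.banned_until = {}               # source -> ban expiry time

    def record(self, src, now, success):
        """Return 'blocked', 'ok', 'fail' or 'banned' for one login attempt."""
        until = self.banned_until.get(src)
        if until is not None:
            if now < until:
                return "blocked"             # rejected before credentials are checked
            del self.banned_until[src]       # ban has expired
        if success:
            return "ok"                      # failures are left to age out of the window
        recent = self.failures[src]
        recent.append(now)
        while now - recent[0] > self.window: # drop failures older than T
            recent.popleft()
        if len(recent) >= self.max_failures: # X failures within T
            self.banned_until[src] = now + self.ban
            recent.clear()
            return "banned"
        return "fail"

def replay(log_text, throttle):
    """Feed log lines through the throttle; return (source, decision) pairs."""
    decisions = []
    for line in log_text.splitlines():
        ts, src, result = line.split()
        decisions.append((src, throttle.record(src, datetime.fromisoformat(ts), result == "OK")))
    return decisions
```

Note that the fifth sample line is refused even though the credentials are correct: while a source is banned, a correct guess is worth nothing, which is what makes guessing so slow.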


That’s OK if access is from outside.

Hikvision units have been found to have a backdoor.... outbound only. Hidden in its software.

We don’t use Hikvision recorders or anything by Ezviz, which is also Hikvision and used to control Hikvision cloud.

But 99% of people only need to use their CCTV over the internet when not at home, so no point having it connected 24/7.

Another safe practice is to set the timer on your router to switch off your recorder's network when you're home.

Even without CCTV, a timer on your router to switch off while you sleep is something basic...... but a good safe thing.

We sell boxes now so that customers can switch off parts of their network remotely from their phone. And they only switch on their recorder network when they want.
