Isolated LAN for Cameras and Security Spy
  • I finally got around to moving all my 16 cameras and SecuritySpy Mac to their own, isolated LAN (local area network). The cameras are only allowed NTP and DNS access, no DHCP, nothing inbound or outbound from the WAN. The SecuritySpy Mac was allowed special access to the outside world and to be accessed via the SecuritySpy server port. The SS Mac is also accessible from my main LAN.

    Took three days programming a Ubiquiti EdgeRouter X (under $60). It is not a project for the faint of heart, but worthwhile to gain more granular control of my devices. Now I have a main LAN that can see everything, 2 restricted LANs, 1 super restricted camera LAN, and an isolated Guest VLAN. Each could be set up with firewall rules to enact isolation and desired access. I specify which LANs get WAN access and forward only the desired ports. Special access for the SS Mac was easy to create.

    With this setup, a fair amount of unidentified camera traffic with the outside world is blocked. I can see the firewall blocking camera attempts to reach the outside world every few seconds. No more leaks. The cameras also can't touch any of my other LANs, call home, nor participate in a botnet.

    Nice to finally get this done.
  • Thanks for taking the time to post this, it sounds like a great setup that will minimise security risks. As you have discovered, many cameras will make frequent Internet connections for various things - most are benign (NTP etc.) but you can never be sure, and there have been cases of cameras being hacked for botnets.

    My advice to other users who don't want to invest in such a complicated setup is to use strong passwords for your cameras and turn off their UPnP options so that they can't accept incoming connections from the Internet.
  • 60,000 outbound packets blocked in 24 hours from my cameras. None of them have ever been exposed directly to the internet nor had PNP enabled. I doubt they have been hacked, but their firmwares include calls that are not controllable from the user interface.

    All network services are turned off in their setups except those needed to stream video and synchronize clocks.

    Despite those precautions, some are still trying to access things on the internet.
    The packet payloads are small. Not like they are sending video streams.
    I'm really happy to be blocking all those communication attempts.

    My eventual router setup implemented….

    eth0 - WAN 0 - connects to cable modem with DHCP
    eth1 - LAN1 - Main, full access to the internet. Hands out DHCP leases. CAN reach all other LANs
    eth2 - LAN2 - Security Spy, no access to internet. No DHCP. Allows NTP and DNS. Cannot reach other LANs
    eth3 - LAN3 - full access to internet. Hands out DHCP leases. Cannot reach other LANs
    eth4 - LAN4 - full access to internet. Hands out DHCP leases. Cannot reach other LANs

    eth1.1003 - Guest WiFi VLAN - Apple Guest WiFi with internet access. Cannot reach other LANs

    Took about 15 rules to implement proper isolation and desired, special accesses.

    Security Spy Macintosh and cameras live on subnet and physically connected via POE switches to LAN2 eth2
    All their addresses, netmasks and router addresses are set manually.
    Router has total control over LAN2 reaching the rest of the world.
    Potential malware on cameras cannot reach the internet to get commands nor call home.
    Even plugging into the LAN2 network via ethernet cable will NOT get a DHCP address, internet access, nor reach other LANs.

    Guest WiFi cannot see rest of network.

    Security Spy server Macintosh granted special permission to access the internet despite being on LAN2. This allows browsing from SS Mac, but no other LAN2 machines can browse or reach the internet.

    Exception made for NTP access to keep camera clocks in sync.

    Port forwarding from WAN into SS Macintosh (with hairpin NAT) allows SS server access from WAN and LAN1.

    Took me three days doing it from scratch. If someone wants to do similar to protect their SS setup, post here to let me know.

    I could put together a generic config file that could be uploaded to get most of the configuration done quickly. One would only need to edit a few things in the EdgeMax GUI and turn on hardware acceleration via the CLI.

    Because such a config file will take a few hours' work, I will create one only if someone is actually going to use an Edgerouter X with their SS setup.
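An added example, not guykuo's configuration and not part of the original posts: one way the camera-LAN isolation described above (LAN2 on eth2 limited to NTP and DNS, no route to other LANs, an exception for the SecuritySpy Mac) could be written in the EdgeOS CLI. The 192.168.2.10 address for the Mac, the ruleset names CAM_IN and CAM_LOCAL, the group name PRIVATE_NETS, and the choice to serve DNS from the router's own forwarder are all assumptions.

```edgeos
configure
# Constructed addressing: SecuritySpy Mac at 192.168.2.10 on the eth2 camera LAN
set firewall group network-group PRIVATE_NETS network 10.0.0.0/8
set firewall group network-group PRIVATE_NETS network 172.16.0.0/12
set firewall group network-group PRIVATE_NETS network 192.168.0.0/16

# eth2 "in": traffic from the camera LAN routed to other LANs or the WAN
set firewall name CAM_IN default-action drop
set firewall name CAM_IN enable-default-log
set firewall name CAM_IN rule 10 action accept
set firewall name CAM_IN rule 10 description "Replies to sessions opened from LAN1 or the port forward"
set firewall name CAM_IN rule 10 state established enable
set firewall name CAM_IN rule 10 state related enable
set firewall name CAM_IN rule 20 action drop
set firewall name CAM_IN rule 20 description "No new connections to any private LAN"
set firewall name CAM_IN rule 20 destination group network-group PRIVATE_NETS
set firewall name CAM_IN rule 30 action accept
set firewall name CAM_IN rule 30 description "SecuritySpy Mac may reach the internet"
set firewall name CAM_IN rule 30 source address 192.168.2.10
set firewall name CAM_IN rule 40 action accept
set firewall name CAM_IN rule 40 description "NTP for camera clocks"
set firewall name CAM_IN rule 40 protocol udp
set firewall name CAM_IN rule 40 destination port 123

# eth2 "local": traffic addressed to the router itself (DHCP requests fall to the default drop)
set firewall name CAM_LOCAL default-action drop
set firewall name CAM_LOCAL enable-default-log
set firewall name CAM_LOCAL rule 10 action accept
set firewall name CAM_LOCAL rule 10 description "DNS to the router's forwarder"
set firewall name CAM_LOCAL rule 10 protocol tcp_udp
set firewall name CAM_LOCAL rule 10 destination port 53

# Assumption: cameras use the router as their DNS server
set service dns forwarding listen-on eth2

set interfaces ethernet eth2 firewall in name CAM_IN
set interfaces ethernet eth2 firewall local name CAM_LOCAL
commit
save
exit
```

Rule 30 matches on source IP address alone, so any device on the camera LAN that takes 192.168.2.10 inherits the Mac's internet access. The `enable-default-log` lines are what make the dropped camera packets visible in the router log.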
  • Thanks a lot! Very useful advice. This is useful information
  • guykuo, Ben and joebell.
    Cameras are compliant with all National Security Laws, that means they phone home whether you approve of it or not. If it's imported and sold as retail in your country, it 'phones home' under several methods. Hint: check your DNS activity in Console and your local Wifi sniffer software, even if you have all the wifi in your cameras and routers off.
    The newer OSX Systems are also fully compliant, i.e. you can't turn off IPV6, and the functions of the 'Firewall' rules in the Security System Preferences will not allow them to be completely blocked.
    That being said... there are some things you can do to get better service levels from your network and reduce the factors that cause concern.
    On little units like the Edgerouter, their log traffic tells you they are busy, but not with what.
    Culprits include running poor or mediocre Cat5e cabling for POE support over more than 60 meters per subnet, high powered external towers and EM devices you can't control, running the high FPS channels to multiple receiving devices, etc. Even recompression in SecuritySpy for added controls like Masking and TimeStamp causes additional 2 way traffic.
    Narrowing down physical causes can reduce some of the packet throughput which can look like unauthorized traffic. Download the X11 package and Wireshark, and teach yourself the basics of 'packet sniffing' from their excellent online tutorials.
    If it's out of your league for a setup like guykuo has done, you can hire specialists online who can do this from outside, but you control the ball. Teamviewer gets the basics done, but at all times have the outsiders work with generic passwords which you change for a strong one later... (hint: NEVER type an admin password live while in Teamviewer, the authorities monitor this traffic also).
    If you do have real suspicions about outside hitters, or curious teenagers inside your local ISP, contact them to have a firmware change on your router, or to cycle the IP address from their DHCP table, or to flush your DNS cache, all legally allowed, and most ISPs are happy to comply as they don't want to answer to authorities for unauthorized packets on their network.
    The manufacturing of most basic IP cameras points to only 3 or 4 trusted board makers and their respective firmware. That means scriptkiddies and the real troublemakers know their weak points. But having VERY strong passwords (i.e. 40+ hexadecimal on a USB stick in a note file) slows down their bots' attempts to guess correctly.

    So, lastly, Ben, as a long time user (more than 8 years) I would like a feature added to SecuritySpy. A logging tracker that watches the ports that goes further than the logging that occurs now. Wireshark can be used as an alternative, but we require some script writing from your end to set proper filters on what is moving.

    Many thanks for your dedication to this platform.

  • Looking at my Edgerouter stats for the last 3 months there is little doubt in my mind that isolating the cameras from "calling home" is a good thing.

    My rule for preventing the camera/Security Spy subnet blocked in that period...
    88,042,381 packets headed to the outside world.
  • I would very much like to see your ER setup since I think I have blocked my Sunba and Wyze cameras from phoning home but would very much like to see your setup.
