10 Replies

  • The workaround would highly depend on what IP cams you are using and what you are trying to prevent, given that "VLAN" is not a solution, as "VLAN" is actually a complicated way of saying "splitting a 24-port switch" into 2 or more switches (e.g. 2x12 or 3x8 or 10+14 etc.)....then there is almost no "security" if there is no firewall between the "VLANs".

    One method some smaller organizations use is the honey-pot method....
    - You have 2 DHCP ranges using different subnets and subnet masks (10.1.1.xxx/24 & 20.2.2.xxx/24).
    - Since you have only a few machines & appliances, use MAC reservation and issue 10.1.1.xxx to your known hardware; all other unknown ones use 20.2.2.xxx

    But if you do not have a firewall, access to physical ports will be the least of your problems.....access via WiFi or the Internet would be the headache.

  • Thank you for the reply. I was thinking of setting up 802.1X authentication, as it is supported by the Cisco switch, but I don't know how to set up a RADIUS server. Is it enough to secure specific devices/ports?
    Also, if I turn DHCP off and make IP and MAC bindings, is it possible for a new device, e.g. a laptop, to get into the LAN from the Ethernet cable of the outside camera? If he guesses the right IP range, e.g. 192.168.1.x, and makes a static entry on the laptop?

  • kostas6896 wrote:

    Thank you for the reply. I was thinking of setting up 802.1X authentication, as it is supported by the Cisco switch, but I don't know how to set up a RADIUS server. Is it enough to secure specific devices/ports?
    Also, if I turn DHCP off and make IP and MAC bindings, is it possible for a new device, e.g. a laptop, to get into the LAN from the Ethernet cable of the outside camera? If he guesses the right IP range, e.g. 192.168.1.x, and makes a static entry on the laptop?

    Need your kind understanding that you are trying to make a simple network into a very complex one, as you do not have certain appliances or tools. Just trying to work within what you have.

    Then obviously the way to deter guessing is not to use "default IP addresses" but to advertise a fake IP address range (this is only for unauthorized access via NIC sockets).

    - DHCP issues 10.1.1.xxx/24 (the number of addresses depends on the number of MAC addresses; it can be changed) to those with a listed MAC address
    - DHCP issues 20.2.2.xxx/24 (10 addresses) to those with an unlisted MAC address. The people accessing this subnet cannot "see" other machines.
    This is better than using a single IP address range and letting the unauthorized machine start scanning for IP addresses in use?

    Then, if your DHCP appliance allows:
    - Set verbose logs
    - Set alerts or notifications if 20.2.2.xxx/24 IP addresses are issued

    A honey-pot is like carrying a fake wallet in your back pocket while the real wallet is somewhere else (e.g. front pocket or in your shirt). What you want is for the pickpocket to steal the fake wallet and not start searching for your real wallet (which is what he would do if you do not have a fake wallet).



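The honey-pot DHCP scheme and the "log and alert on 20.2.2.x leases" advice in the post above, as an added example that is not code from the thread: a small Python audit that parses dnsmasq-style DHCPACK lines and an `ip neigh` ARP snapshot (both constructed for this example), flags any lease handed out from the 20.2.2.0/24 decoy range, flags a known MAC that landed in the wrong range, and, because a later reply in this thread points out that a device with a hand-typed static IP never talks to DHCP at all, also flags any host present in the ARP table without a matching lease. The MAC list, host names, log lines and ARP lines are invented; the two address ranges are the ones the post uses.

```python
"""Honey-pot DHCP audit. Added example; all input data below is constructed."""
import ipaddress
import re

TRUSTED_NET = ipaddress.ip_network("10.1.1.0/24")   # reserved for known MACs
HONEYPOT_NET = ipaddress.ip_network("20.2.2.0/24")  # decoy range for unknown MACs

# Known hardware (constructed): the MAC reservations the post suggests.
KNOWN_MACS = {
    "a4:11:22:33:44:01": "camera-gate",
    "a4:11:22:33:44:02": "camera-yard",
    "a4:11:22:33:44:10": "nvr",
}

# dnsmasq-style DHCPACK lines, constructed. The last one is an unknown laptop
# that plugged into a camera drop and was steered into the decoy range.
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.1.1.21 a4:11:22:33:44:01 camera-gate
Mar  3 08:01:13 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.1.1.22 a4:11:22:33:44:02 camera-yard
Mar  3 08:01:15 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.1.1.10 a4:11:22:33:44:10 nvr
Mar  3 14:37:40 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 20.2.2.5 08:00:27:c0:ff:ee laptop
"""

# `ip neigh` snapshot from the gateway, constructed. The same laptop later set
# 10.1.1.77 by hand, so it appears here with an address DHCP never issued.
SAMPLE_ARP = """\
10.1.1.21 dev eth0 lladdr a4:11:22:33:44:01 REACHABLE
10.1.1.22 dev eth0 lladdr a4:11:22:33:44:02 STALE
10.1.1.10 dev eth0 lladdr a4:11:22:33:44:10 REACHABLE
10.1.1.77 dev eth0 lladdr 08:00:27:c0:ff:ee REACHABLE
"""

ACK_RE = re.compile(r"DHCPACK\(\S+\) (\S+) ([0-9a-f:]{17})")
ARP_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})")


def parse_leases(log_text):
    """Return {mac: ip} for every DHCPACK line (last lease per MAC wins)."""
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases[m.group(2)] = ipaddress.ip_address(m.group(1))
    return leases


def parse_arp(arp_text):
    """Return {ip: mac} from an `ip neigh` dump."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            table[ipaddress.ip_address(m.group(1))] = m.group(2)
    return table


def audit(leases, arp, known=KNOWN_MACS):
    """Return alert strings.

    honeypot-lease: DHCP handed out a decoy 20.2.2.x address (an unknown MAC asked).
    wrong-subnet:   a known MAC is outside the trusted range, or an unknown one is inside it.
    static-host:    an IP is active in the ARP table with no matching lease, which is
                    what a hand-configured static address looks like to the DHCP server.
    """
    alerts = []
    for mac, ip in leases.items():
        if ip in HONEYPOT_NET:
            alerts.append(f"honeypot-lease {ip} -> {mac}")
        if (mac in known) != (ip in TRUSTED_NET):
            alerts.append(f"wrong-subnet {ip} -> {mac}")
    for ip, mac in arp.items():
        if leases.get(mac) != ip:
            alerts.append(f"static-host {ip} -> {mac} ({known.get(mac, 'unknown')})")
    return alerts


if __name__ == "__main__":
    for alert in audit(parse_leases(SAMPLE_DHCP_LOG), parse_arp(SAMPLE_ARP)):
        print(alert)
```

Run against the constructed data it raises two alerts for the same laptop: one when it first took a decoy lease, and one when it switched to a static 10.1.1.x address, which the DHCP log alone would never show. The ARP-table cross-check is the part that matters for the static-IP case raised later in the thread.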
  • 802.1X is a good solution to limit connections to authorized devices only.

    An intermediate solution for the camera would be to limit the port to 1 MAC address, to stop a new device being connected, and to apply an ACL. The ACL could limit the port to only communicate with whatever is required for the camera, e.g. the NVR etc.

  • ***update***

    I realise that even if I turn DHCP off and add IPs and MAC addresses to the ARP table, a new device can connect to the LAN if it just inserts a static IP and gateway in its NIC settings.

    So, IP and MAC binding and turning DHCP off doesn't help...

    I don't know if the CBS250 has port limitation. I will look for it.
    Can I make an access list permitting only one MAC address? I think this is excellent for me.
    Also, do you know how to set up a RADIUS server for 802.1X?

    Thank you
  • The RADIUS server is the least of the problems. You can take FreeRADIUS and set it up.

    But if the cameras don't support 802.1X, then this won't help you at all.

    I would take one step backward and first look at the big picture.
    I suppose cameras (if it is only about cameras) are usually on their own switches, often PoE switches, and not mixed with computers from the rest of the network.
    In addition, NVRs often come with one connection to 'the rest of the network' and separate connection(s) (and network) to the camera side. So it already isolates the cameras from the rest of the network, and the NVR becomes the common denominator of both networks.

    So you actually don't have to deal with tons of ports and cameras that might potentially present a danger as an entry point to your main network; it's one single connection to the NVR. And even when you don't have an NVR of this kind, you can still keep the NVR on the switch(es) with the cameras, and it would be only one connection from these switch(es) to the main network that you have to secure.

    Next you need a proper firewall that can filter traffic, so nothing will be able to communicate out of the NVR network, and allow selected computers on selected ports to connect to the NVR.

    This way, you actually don't even have to mess with VLANs.

    And in many cases, one could even run the camera network completely disconnected from the rest of the networks.

    Otherwise, I don't believe in MAC binding and access lists; it's too simple to get the MAC of a device and clone it. Yesterday MAC x was a camera; tomorrow it can be a PC that has cloned it.
  • Thank you for the reply. I am thinking about what you said and I really agree that a firewall is the best security practice.
    About MAC cloning, as I mentioned, even if I turn DHCP off and create an ARP table, someone can guess the network range, put in an IP, make a network scan etc. ...I thought that he could not enter with DHCP off and MAC binding on...

  • kostas6896 wrote:

    Thank you for the reply. I am thinking about what you said and I really agree that a firewall is the best security practice.
    About MAC cloning, as I mentioned, even if I turn DHCP off and create an ARP table, someone can guess the network range, put in an IP, make a network scan etc. ...I thought that he could not enter with DHCP off and MAC binding on...

    As soon as someone can get physical access to a LAN cable that connects a camera, he will be on the camera network.
    802.1X is the only thing that can help with that, but do your cameras support it?

    AND don't underestimate physical security! No matter what we talk about in terms of networks, servers and workstations, if physical protection is not provided, you are as good as unprotected from anyone who can lay his hands on any of the devices or cables. It's then just a question of how skilled the intruder is. A janitor probably won't be able to do much harm....but a skilled hacker would have an easy job.

    When talking about cameras, physical protection is even more important, but I wouldn't be so much afraid that someone could 'get in'; I'd be more worried that someone would want to disable your cameras.
    Imagine that you are securing a warehouse with cameras and someone wants to break in. Give him a ladder, so he can get to a camera that is not well secured, then he takes a stun gun and hits the switch that the cameras are connected to with a couple of 10kV. If it's enough to fry not only the port but the whole switch, all the cameras will be dead and he could bring a big truck to the main entrance without getting recorded (no idea if that would actually work, but it's about the principle anyway). Also, you don't want someone to steal your security cameras.....
  • Thank you, Bojan, for the reply. Everything you mention is interesting.

    I'll try to figure out a way to secure the cameras physically. Do you know a way to set up 802.1X RADIUS? Is it complicated?

    The cameras support that protocol.
  • kostas6896 wrote:

    Thank you, Bojan, for the reply. Everything you mention is interesting.

    I'll try to figure out a way to secure the cameras physically. Do you know a way to set up 802.1X RADIUS? Is it complicated?

    The cameras support that protocol.

    On a Windows AD domain, RADIUS comes with the NPS server role. So you only have to create a domain user and configure the NPS server to work with your switch.

    That would mean you need to add the switch as a RADIUS client and define a shared secret. Then you need to configure the switch side with the info / shared secret for the NPS server.

    If you don't have a Windows server, then FreeRADIUS is an option. I have never set it up, but I've seen it being recommended as an option for Eduroam WiFi deployments that don't have a Windows server.

    Otherwise, the first question here is the network layout you have: are all cameras in a separate camera network 'on the other side' of the NVR (connections would go switch - NVR - PoE switch - cameras)? If all the cameras are 'behind' the NVR, then it is a question of whether this will allow the switch to communicate with anything (including the RADIUS server) that is 'in front' of the NVR.
    In such a case, IF the switch is a managed switch and supports VLANs, one could separate a port for a management VLAN and allow this one to connect to the RADIUS server, if it's the domain server with the NPS role.

    All in all, it's not so simple that one could 'solve' it in 3 posts on a forum, especially when you don't know anything about the network, its components and its requirements and restrictions.

    Especially, it's not something you should jump into and start playing with; you could end up not being able to do any surveillance for multiple days. Start in small steps. Figure out what kind of RADIUS server you will have and where it will be placed. Figure out how it will communicate with the switch. Configure the server, add a user. Set up RADIUS on the switch, but turn it on just for a test port and test camera. Then try to get the camera into the game.

    Once it works, you can start deploying it to other cameras and ports.

    But also be aware that if the RADIUS server breaks for any reason, you might have a problem connecting anything to the switch. So test this scenario too, before you deploy it to all ports. Check if the switch can cache the credentials or will try to communicate with the RADIUS server every time you reconnect a camera (or reboot). Possibly in the end, you might even figure out that it isn't worth it all, when the cameras are behind an NVR and don't have any access to the main network through the NVR.
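What the "add the switch as a RADIUS client and define a shared secret, then put the same secret on the switch" step in the reply above actually does on the wire, as an added example that is not code from the thread, from NPS, FreeRADIUS or Cisco: a self-contained Python model of one Access-Request / Access-Accept exchange per RFC 2865 and RFC 3579 between the switch (the NAS) and the server. The secret never travels in the packet; it hides the password, keys the Message-Authenticator the server checks before it even looks at the user, and keys the Response Authenticator the switch checks on the reply, so a switch with a mistyped secret is silently ignored and a forged reply is rejected. A real 802.1X exchange carries EAP-Message attributes instead of a PAP User-Password, but the shared-secret checks shown here are the same. The user name, password, NAS identifier and secrets are invented for the example.

```python
"""Toy RADIUS exchange (RFC 2865 / RFC 3579) between a switch (NAS) and a server.
Added example; every user, password, secret and NAS name below is invented."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 2, 32, 80

# Constructed user database on the server side (NPS would look these up in AD).
USERS = {"camera-gate": "Cam-Gate-2024!"}


def attr(kind, value):
    """One attribute: Type, Length (counting this 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    """Return [(type, value, offset)]; the offset lets a verifier zero an attribute in place."""
    attrs, i = [], 20
    while i + 2 <= len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2:
            break
        attrs.append((kind, packet[i + 2:i + length], i))
        i += length
    return attrs


def message_authenticator_ok(packet, secret):
    """RFC 3579: HMAC-MD5(secret, packet with the Message-Authenticator value zeroed)."""
    for kind, value, off in parse_attrs(packet):
        if kind == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off + 2] + b"\0" * 16 + packet[off + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), value)
    return False


def nas_access_request(user, password, secret, ident=7, req_auth=None):
    """Switch side: build the Access-Request the switch sends to the RADIUS server."""
    req_auth = req_auth or os.urandom(16)
    attrs = [attr(USER_NAME, user.encode()),
             attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             attr(NAS_IDENTIFIER, b"cbs250-cameras"),
             attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)]     # placeholder, filled below
    packet = build_packet(ACCESS_REQUEST, ident, req_auth, attrs)
    return packet[:-16] + hmac.new(secret, packet, "md5").digest(), req_auth


def server_handle(packet, secret, users=USERS):
    """Server side: check the NAS secret first, the user second, then sign the reply."""
    code, ident, req_auth = packet[0], packet[1], packet[4:20]
    if code != ACCESS_REQUEST or not message_authenticator_ok(packet, secret):
        return None                       # wrong shared secret: silently discard (RFC 2865)
    fields = {kind: value for kind, value, _ in parse_attrs(packet)}
    user = fields.get(USER_NAME, b"").decode(errors="replace")
    pw = unhide_password(fields.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    reply = build_packet(code, ident, req_auth, [attr(MESSAGE_AUTHENTICATOR, b"\0" * 16)])
    reply = reply[:-16] + hmac.new(secret, reply, "md5").digest()
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return reply[:4] + resp_auth + reply[20:]


def nas_check_reply(reply, req_auth, secret):
    """Switch side: a reply built by anyone without the secret fails this check."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad response authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "unknown")


def run_exchange(user, password, switch_secret, server_secret):
    packet, req_auth = nas_access_request(user, password, switch_secret)
    reply = server_handle(packet, server_secret)
    return "discarded" if reply is None else nas_check_reply(reply, req_auth, switch_secret)


if __name__ == "__main__":
    print(run_exchange("camera-gate", "Cam-Gate-2024!", b"s3cr3t", b"s3cr3t"))  # accept
    print(run_exchange("camera-gate", "guess", b"s3cr3t", b"s3cr3t"))           # reject
    print(run_exchange("camera-gate", "Cam-Gate-2024!", b"s3cr3t", b"typo"))    # discarded
```

The third case is the one to remember when testing on a single port first, as the reply above suggests: a secret mismatch between switch and server produces no Access-Reject at all, only a timeout on the switch, which looks exactly like a dead RADIUS server.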
