Looking for Security camera options
- 
@voip_n00b said in Looking for Security camera options: I have no experience with them but I keep seeing Hikvision everywhere.
@travisdh1 said in Looking for Security camera options: I see those everywhere as well. I think because they're cheap. I was very annoyed by the only system I ever worked with (required IE, 8 years ago now, but still, yuck.)
@jasgot said in Looking for Security camera options: Hikvision was very popular because of price until it was discovered they had a backdoor to monitor every camera that had a route to the internet.
@pete-s said in Looking for Security camera options: Good to know. But on the other hand it's not wise to open your security cameras to the internet - ever. All devices are filled with backdoors and vulnerabilities. Some are known, most are not.
@dashrender said in Looking for Security camera options: so the only way you'd ever have cameras is with local access, or VPN access to that local network?
@stacksofplates said in Looking for Security camera options: A common way is with VLANs, like mentioned in another thread.
@dashrender said in Looking for Security camera options: I don't think this really gets to the heart of what most people want. I'm guessing JB's client wants to view these cameras while they are at home, etc. It's more about the remote access than the LAN based protection... but yeah, sure - Using a VLAN and ACLs is probably a good idea to help keep things separated.

It is remote access to an NVR, never a specific camera. Cameras never need to be open to the internet.
- 
@dashrender said in Looking for Security camera options: I don't think this really gets to the heart of what most people want. I'm guessing JB's client wants to view these cameras while they are at home, etc. It's more about the remote access than the LAN based protection... but yeah, sure - Using a VLAN and ACLs is probably a good idea to help keep things separated.

As Jared said, separating the cameras onto a separate VLAN doesn't stop people from viewing them out of the office. Let me rephrase that, it doesn't stop the people you want to view it who are out of the office. It does stop the cameras from tunneling out of your network or allowing backdoor viewers.
- 
@jaredbusch said in Looking for Security camera options: It is remote access to an NVR, never a specific camera. Cameras never need to be open to the internet.

yeah, cause NVRs are always super hardened to be on the internet
- 
@dashrender said in Looking for Security camera options: yeah, cause NVRs are always super hardened to be on the internet

I'm confused. The NVR doesn't have to be directly exposed to the internet? And even if it was, you're saying that since an NVR might not be "hardened" you might as well expose every camera? I don't get the argument.
- 
@stacksofplates said in Looking for Security camera options: I'm confused. The NVR doesn't have to be directly exposed to the internet? And even if it was, you're saying that since an NVR might not be "hardened" you might as well expose every camera? I don't get the argument.

I think he's saying that the NVR is not better than any camera - from a security point of view. So don't expose the NVR directly to the internet.
- 
@stacksofplates said in Looking for Security camera options: I'm confused. The NVR doesn't have to be directly exposed to the internet? And even if it was, you're saying that since an NVR might not be "hardened" you might as well expose every camera? I don't get the argument.

Yep.. that's exactly what I was thinking.. just expose everything - (please for the love of god see that I am being sarcastic)
- 
 VLANs, firewall, and internal access only through VPN/bastion. It's not difficult, it's not expensive when you consider the amount of value you get in many aspects of IT infrastructure(not just cameras). Come on guys, these are basic concepts. 
- 
@pete-s said in Looking for Security camera options: I would guess though, that you could use a reverse proxy and still put most of these things directly online - especially if you put your own logon page in front of the proxy's redirect to the camera system. Yes, the cameras or NVR would be accessible through the reverse proxy only. When you authenticate with SAML, the users are authenticated against a third party "login" service (called Identity Provider). So you are basically outsourcing 2FA and the login process to someone who has the resources to secure it. It's how enterprises do it.

Kind of... Any resource as important as camera system would certainly not be exposed directly. There is no reason for it. You're never gonna say "Customer please login and check the camera system." So why publicly expose at all. Require VPN and make it internal only resource. You're right about using SAML for authentication and using groups to maintain.
- 
@pete-s said in Looking for Security camera options: I think he's saying that the NVR is not better than any camera - from a security point of view. So don't expose the NVR directly to the internet.

Yeah I think that depends on a lot though. If it's just software you control it's a different story than a black box NVR. However, all of it should be on a VLAN with no internet access and only access to the NVR from specific networks and only from established connections. I wasn't trying to argue about cameras/NVR when initially posting. Just that in another thread flat networks was a recommendation, ignoring the security issues that were mentioned in this thread.
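
The segmentation described in this thread (camera VLAN with no internet access, NVR reachable only from specific networks, return traffic only for established connections), sketched as an nftables ruleset for the router between the VLANs. This is an added example, not part of any post; the interface names, the NVR address and the ports are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Every name below is an assumption:
#   vlan30 = camera VLAN (cameras + NVR), vlan10 = admin LAN, wg0 = VPN,
#   10.30.0.10 = NVR, TCP 443/554 = NVR web UI and RTSP.
define CAM_IF  = "vlan30"
define VIEW_IF = { "vlan10", "wg0" }
define NVR     = 10.30.0.10
define NVR_TCP = { 443, 554 }

# Create-then-delete so the file can be reloaded without duplicating rules.
table inet camera_seg
delete table inet camera_seg

table inet camera_seg {
    chain forward {
        # policy accept: this table only restricts camera VLAN traffic and
        # leaves every other forwarded flow to the rest of the ruleset.
        type filter hook forward priority filter; policy accept;

        # Return traffic for sessions a viewer opened is allowed back out.
        iifname $CAM_IF ct state established,related accept

        # Viewers on the admin LAN or VPN may reach the NVR, and only the NVR.
        iifname $VIEW_IF oifname $CAM_IF ip daddr $NVR tcp dport $NVR_TCP accept

        # Anything a camera or the NVR initiates is dropped and logged, so an
        # attempt to phone home shows up in the kernel log.
        iifname $CAM_IF counter log prefix "cam-vlan-egress: " drop

        # Nothing else is forwarded into the camera VLAN.
        oifname $CAM_IF counter drop
    }

    chain input {
        type filter hook input priority filter; policy accept;

        # The router itself offers only DHCP and NTP to the camera VLAN.
        iifname $CAM_IF udp dport { 67, 123 } accept
        iifname $CAM_IF counter drop
    }
}
```

Remote users reach the NVR by connecting to the VPN first, so no port on the camera VLAN is published to the internet.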
- 
@irj said in Looking for Security camera options: Kind of... Any resource as important as camera system would certainly not be exposed directly. There is no reason for it. You're never gonna say "Customer please login and check the camera system." So why publicly expose at all. Require VPN and make it internal only resource. You're right about using SAML for authentication and using groups to maintain.

wow - I don't know what customers you're talking about - but the two I had that have cameras absolutely demanded an app on their phone to watch their cameras from anywhere.
- 
@dashrender said in Looking for Security camera options: wow - I don't know what customers you're talking about - but the two I had that have cameras absolutely demanded an app on their phone to watch their cameras from anywhere.

Were they enterprises or hobby businesses? @Pete-S stated specifically enterprises and that is what I am answering. Nobody in an enterprise needs to check a camera while out to dinner. In real businesses CEOs don't have access to cameras nor do they care. @Dashrender you've misinterpreted nearly every reply on this thread and frankly everyone else is not understanding your replies like your sarcasm.
- 
@irj said in Looking for Security camera options: Were they enterprises or hobby businesses? @Pete-S stated specifically enterprises and that is what I am answering. Nobody in an enterprise needs to check a camera while out to dinner. In real businesses CEOs don't have access to cameras nor do they care. @Dashrender you've misinterpreted nearly every reply on this thread and frankly everyone else is not understanding your replies like your sarcasm.

You know, not many on this forum have the luxury of working for enterprise customers, not even Scott. Most of our clients are going to those hobby businesses as we call them around here. So that is the context I generally live in.
Since you're fortunate to be in that enterprise space, you generally come from that context, so I get it....
- 
@dashrender said in Looking for Security camera options: You know, not many on this forum have the luxury of working for enterprise customers, not even Scott. Most of our clients are going to those hobby businesses as we call them around here. So that is the context I generally live in. Since you're fortunate to be in that enterprise space, you generally come from that context, so I get it....

Saying I'm fortunate or it's a luxury would imply that it fell into my lap. I worked very hard to get where I'm at today. Scott runs NTG and certainly makes bank working off SMB and has the ability to expand his income by adding clients and employees. When you're a 1 man show there's not much room to grow. That being said, one man IT guys make great security or enterprise IT people because they have an understanding of nearly everything it takes to run a network. We kept interviewing security employees with degrees and only security experience. They were not good. I recommended that we ask our recruiter to reach out to one man SMB guys. We found a very knowledgeable person that could be trained on how to do various security functions very easily.
- 
@dashrender said in Looking for Security camera options: You know, not many on this forum have the luxury of working for enterprise customers, not even Scott. Most of our clients are going to those hobby businesses as we call them around here. So that is the context I generally live in. Since you're fortunate to be in that enterprise space, you generally come from that context, so I get it....

I don't work for an enterprise. We have around 45 employees. Also enterprise or not has nothing to do with securing correctly. It takes a small amount of time to segment correctly. You can still give them app access to cams without exposing directly to the internet.
- 
@dashrender said in Looking for Security camera options: Since you're fortunate to be in that enterprise space, you generally come from that context, so I get it....

The grass is always greener on the other side. Enterprises have lots of red tape and things take ages to get approved and involve lots of people, meetings and communication. Sane people have gone mad for less. I think a medium size company, where management wants what's best for the company and are large enough to have the budget for it, is the sweet spot.
- 
 Still looking for recommendations beyond the two above. 
- 
@stacksofplates said in Looking for Security camera options: Also enterprise or not has nothing to do with securing correctly. It takes a small amount of time to segment correctly.

I agree but there is always risk (cost) versus benefit. So "securing correctly" would mean looking at that and then picking a solution that fits the criteria. Sometimes that might be exposing directly to the internet, sometimes it might be cameras in an air-gapped network but often it would be something in between.
- 
@jaredbusch said in Looking for Security camera options: Still looking for recommendations beyond the two above.

I keep forgetting to look at what our new rollouts are using. I'll try to grab the manufacturer and a model or two for you.
- 
When considering security cameras, it is best to opt for cable (with PoE, ideally). You can look for:
 Avigilon
 NVR: PRO 16-PORT (Includes switch with 16 PoE ports)
 Cameras: H5A or H4ES
 If you are looking for something cheap
 Hikvision / Epcom
 NVR: XR416 (US) (Includes switch with 16 PoE ports)
 Cameras: XB-26ZH-US or XT-26ZH-US
- 
@travisdh1 said in Looking for Security camera options: I keep forgetting to look at what our new rollouts are using. I'll try to grab the manufacturer and a model or two for you.

The systems we've been rolling out lately use Axis cameras.
 - M3116-LVE
 - M3066-V
The only downside I see is it requires Windows if you use the Axis Camera Station for the server, which they decided to go with in this case. Besides that, the overall system works great.




