Trying to create Secure IP camera setup

bradyboyy88

Honorable
Sep 7, 2012
125
0
10,690
I currently installed 2 Hikvision DS-2CD2132-I IP cameras on my home network, which has a Cisco E3000 router. I am trying to make the cameras accessible outside the network to a cell phone. From what I have read I need to forward ports 80, 554, 8200, and 8000. After more reading I have read about cameras being hacked, which can threaten the entire network. So what I did was disable remote control capabilities and UPnP. Now what I was hoping I could get help with is how to separate my home network from my IP camera network without requiring additional hardware. Is there some way of doing this via NAT, different subnets, etc.? If the cameras were ever compromised I would want to make sure that that network can't compromise the one with all the computers on it.

Any help would be awesome, because just because I have heard of these ideas does not mean I am familiar with them, and simple googling doesn't seem to be helping me haha.

Thanks
 
Solution
It is highly unlikely someone would break into the cameras in the first place. Then to use a bug in the camera software to attack other machines inside is even more rare.

The only simple solution would be to put in firewall rules that only allow certain IP addresses from the internet to access the cameras. This assumes you have some general idea what IP addresses you might access them from. This will greatly reduce the number of IPs that could attack you.

The only truly secure solution is to load dd-wrt on your router and then set up a VPN so that you only access the cameras via a VPN connection. This may not work so well if you intend to use a phone to access them.

You can, if you like, use dd-wrt to define 2 LAN networks and keep them separate if that is your goal. Problem is, if you prevent traffic from going between these LANs you also lose your ability to access the cameras from inside your house, as well as being able to store data on a file server.

bradyboyy88

Billy, thank you very much for the reply. Well, whenever I read anything online about opening the ports to allow this camera access, it always seems to say this can create a security breach blah blah blah. That is the part that really scares me, hence I am trying to take action haha. Okay, so if I were to set my subnet mask as 255.255.255.128 it wouldn't help even though that creates 2 subnets? Can subnets communicate with each other to steal information?

Thanks again
 

bradyboyy88

Also Billy, don't mobile phones' IP addresses change often, so if I filter IP addresses on the camera then it might block the phone if it changes? Not sure how mobile devices work as I am just about to upgrade finally haha. Been living in the stone ages!


Also, if you don't mind explaining something about port forwarding.
The ports I was told to forward are as I stated in my first post. Well, if I set these ports to different numbers on the camera and then just give the permissions on the router for the port forward which correspond to the ones I set on the camera, then it should still work? Or are these assigned port numbers the standard ports that have to be used? For instance RTSP is 554; could I instead use 6690 if I made that it on the camera and router?

As for the VPN idea, are there any routers which can act as a VPN server? I would rather not have to have a computer running as a VPN server.


 
You can use any ports you like on the router, and you will likely need to use different ones if you have 2 cameras anyway. You could say 1554 goes to camera 1 port 554 and 2554 goes to camera 2 port 554. You can likely change the ports the actual camera uses, but I would not recommend it.

The IP would likely change on the phones quite often, but they would likely be somewhat the same. For example they could be 47.112.x.x; you would just allow all addresses 47.112.0.0 with a mask of 255.255.0.0. This is just an example; you would need to run whatsmyip a number of times on the phone to see if there was any pattern to it. Likely there is, since the ISP only has a fixed number of IPs.

You could use the 2 subnets like you say, but you need a router that supports it. It is very rare for a consumer router to support more than a single LAN subnet without loading dd-wrt on it. With dd-wrt it is a common thing; many people do this to create a guest subnet, both for wireless and wired.

Again, your router can run as a VPN server if you load dd-wrt on it. dd-wrt tends to look complex because it supports so many routers. As long as you read and follow the directions to the letter for your router it is pretty much just a firmware upgrade. The vast majority of the features can be set up via a web page once you get it loaded. For many of the others there is pretty clear documentation if you need to edit files.
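As an added illustration (not part of the thread), here is a small Python model of the two router-side controls discussed above: the external-port to camera-port forwarding table and the source-address allowlist. The LAN addresses, the allowlisted ranges and the attempted connections are constructed placeholders, not the poster's real network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical forwarding table: router WAN port -> (camera LAN IP, camera port).
# Constructed for this example; the camera addresses are placeholders.
FORWARDS = {
    1554: ("192.168.0.55", 554),   # camera 1 RTSP
    2554: ("192.168.0.56", 554),   # camera 2 RTSP
    1080: ("192.168.0.55", 80),    # camera 1 web UI
}

# Source allowlist as suggested in the thread: the phone carrier's block
# (47.112.0.0 / 255.255.0.0) plus one constructed fixed address.
ALLOWED_SOURCES = [
    ipaddress.ip_network("47.112.0.0/16"),
    ipaddress.ip_network("203.0.113.7/32"),
]


@dataclass
class Verdict:
    action: str                               # "dnat" or "drop"
    reason: str
    camera_sees: Optional[Tuple[str, int]]    # destination as the camera perceives it


def handle_inbound(src_ip: str, dst_port: int) -> Verdict:
    """Decide what the router does with one inbound WAN connection attempt.

    Order matters: the allowlist is checked before the forward is applied, so a
    scanner outside the allowed ranges never reaches the camera at all.
    """
    src = ipaddress.ip_address(src_ip)
    if dst_port not in FORWARDS:
        return Verdict("drop", "no forward rule for port %d" % dst_port, None)
    if not any(src in net for net in ALLOWED_SOURCES):
        return Verdict("drop", "source %s not in allowlist" % src, None)
    lan_ip, lan_port = FORWARDS[dst_port]
    # After DNAT the camera only ever sees its own standard port (e.g. 554),
    # which is why the camera's own port settings do not need to change.
    return Verdict("dnat", "forward to %s:%d" % (lan_ip, lan_port), (lan_ip, lan_port))


if __name__ == "__main__":
    for src, port in [("47.112.9.200", 1554), ("47.112.9.200", 2554),
                      ("198.51.100.23", 1554), ("47.112.9.200", 554)]:
        v = handle_inbound(src, port)
        print("%s -> port %d: %s (%s)" % (src, port, v.action, v.reason))
```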
 

bradyboyy88

You say it's not recommended to change the ports the actual camera uses, but then how would the camera differentiate between a nonstandard RTSP port number request and a nonstandard HTTP port number request, since they wouldn't match the standard ones the camera has in the settings? Also, good idea about the cell phone IP address and just changing the subnet.

The Cisco E3000 I have does let me change the last octet of the subnet mask, which is why I figured I could do the 255.255.255.128 to make 2 networks. If I did do this, it would cut off communications automatically between subnets, right? Sorry to be vague, but I am literally learning as I go. I just read 10 pages on subnetting and I think I have the binary rules down and the ranges, but I can't seem to find anything on the rules between subnets, just that they are good for security.

Can you recommend a cheap, reliable router that supports dd-wrt so I could fool around with it and set up a VPN with just the router?

thanks again
 
Your router does support dd-wrt, but if you wanted another there are huge lists of supported routers on the dd-wrt site. Most TP-Link routers support it and are very cheap.

The camera itself thinks it is the only device that is using the port. From the outside you would connect to xx.xx.xx.xx port yy, but the camera will think you are connecting to 192.168.0.55 port 80, assuming you mapped it that way in the router. It is only the outside software that knows you are using other ports, and in most cases the software allows you to use any ports you like because of this exact issue.
 
Your Cisco E3000 currently does not support 2 different internal subnets. Changing the subnet mask does not help you, as that just determines how many client IPs you can have in the subnet. That does not create another subnet. If you want to create 2 subnets you would need a router that can support that. The dd-wrt load on certain routers can do that, or you can purchase a real router like the Ubiquiti EdgeRouter Lite that can do that and almost anything else you can think of for a router to do, but it takes a little work to get set up. The safest thing (and probably the easiest) is to use VPN. With it you don't need to change anything on your network. Once you attach to the VPN it is like you are on your local network.
 

bradyboyy88



So are you referring to using the VPN built into DD-WRT like Bill referenced? Before this thread I did not know that a router could be an actual VPN server, so now I am thinking you guys are right. Now the only problem is that I would need a VPN client for Android that supports the VPN built into dd-wrt. Also, with the built-in dd-wrt VPN do you have to open up the VPN ports that you would for a regular VPN server running on a desktop, or since it's run through the router itself does it not need to? Seems like the same security openings as the other idea of just opening ports for the IP camera itself.
 

bradyboyy88



I tried this and it did not work until I also changed what was in the camera to match what the router's ports were. Maybe you're referring to a way for the router to associate an incoming port request and forward it using the regular port number (not sure if my Cisco E3000 has that function)? If that is possible I really like that idea, and it seems like an extra layer of security to get around port scanners. Is there something in dd-wrt that lets you do this?
 


Yes, I did mean the router. Your router currently has that feature, and dd-wrt also does.