Isolated LAN for Cameras and Security Spy
  • I finally got around to moving all my 16 cameras and SecuritySpy Mac to their own, isolated LAN (local area network). The cameras are only allowed NTP and DNS access, no DHCP, nothing inbound or outbound from the WAN. The SecuritySpy Mac was allowed special access to the outside world and can be accessed via the SecuritySpy server port. The SS Mac is also accessible from my main LAN.

    Took three days programming a Ubiquiti EdgeRouter X (under $60). It is not a project for the faint of heart, but worthwhile to gain more granular control of my devices. Now I have a main LAN that can see everything, 2 restricted LANs, 1 super restricted camera LAN, and an isolated Guest VLAN. Each could be set up with firewall rules to enact isolation and desired access. I specify which LANs get WAN access and forward only the desired ports. Special access for the SS Mac was easy to create.

    With this setup, a fair amount of unidentified camera traffic with the outside world is blocked. I can see the firewall blocking camera attempts to reach the outside world every few seconds. No more leaks. The cameras also can't touch any of my other LANs, call home, nor participate in a botnet.

    Nice to finally get this done.
  • Thanks for taking the time to post this, it sounds like a great setup that will minimise security risks. As you have discovered, many cameras will make frequent Internet connections for various things - most are benign (NTP etc.) but you can never be sure, and there have been cases of cameras being hacked for botnets.

    My advice to other users who don't want to invest in such a complicated setup is to use strong passwords for your cameras and turn off their UPnP options so that they can't accept incoming connections from the Internet.
  • 60,000 outbound packets blocked in 24 hours from my cameras. None of them have ever been exposed directly to the internet nor had PNP enabled. I doubt they have been hacked, but their firmwares include calls that are not controllable from the user interface.

    All network services are turned off in their setups except those needed to stream video and synchronize clocks.

    Despite those precautions, some are still trying to access things on the internet.
    The packet payloads are small. It's not like they are sending video streams.
    I'm really happy to be blocking all those communication attempts.

    My eventual router setup implemented:

    eth0 - WAN 0 - connects to cable modem with DHCP
    eth1 - LAN1 Main - full access to the internet. Hands out DHCP leases. CAN reach all other LANs
    eth2 - LAN2 Security Spy - no access to internet. No DHCP. Allows NTP and DNS. Cannot reach other LANs
    eth3 - LAN3 - full access to internet. Hands out DHCP leases. Cannot reach other LANs
    eth4 - LAN4 - full access to internet. Hands out DHCP leases. Cannot reach other LANs

    eth1.1003 - Guest WiFi VLAN - Apple Guest WiFi with internet access. Cannot reach other LANs

    Took about 15 rules to implement proper isolation and desired, special accesses.

    Security Spy Macintosh and cameras live on a subnet and are physically connected via PoE switches to LAN2 (eth2).
    All their addresses, netmasks and router addresses are set manually.
    Router has total control over LAN2 reaching the rest of the world.
    Potential malware on cameras cannot reach the internet to get commands nor call home.
    Even plugging into the LAN2 network via ethernet cable will NOT get a DHCP address, internet access, nor reach other LANs.

    Guest WiFi cannot see rest of network.

    Security Spy server Macintosh granted special permission to access the internet despite being on LAN2. This allows browsing from SS Mac, but no other LAN2 machines can browse or reach the internet.

    Exception made for NTP access to keep camera clocks in sync.

    Port forwarding from WAN into SS Macintosh (with hairpin NAT) allows SS server access from WAN and LAN1.

    Took me three days doing it from scratch. If someone wants to do something similar to protect their SS setup, post here to let me know.

    I could put together a generic config file that could be uploaded to get most of the configuration done quickly. One would only need to edit a few things in the EdgeMax GUI and turn on hardware acceleration via the CLI.

    Because such a config file will take a few hours' work, I will create one only if someone is actually going to use an EdgeRouter X with their SS setup.
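The rule set below is an added example of what the isolation described in this thread looks like in EdgeOS CLI; it is not the poster's configuration (which was never shared), and the LAN2 subnet, the SecuritySpy Mac's address and the SecuritySpy server port are assumed values.

```edgeos
# Added example (not the poster's config): EdgeOS rules for an isolated camera LAN on eth2.
# Assumed addressing: LAN2 = 10.20.0.0/24, SecuritySpy Mac = 10.20.0.10, SS web port = 8000.
configure

# Ruleset applied to traffic arriving on eth2 (cameras and SS Mac) and forwarded elsewhere.
set firewall name CAM_OUT default-action drop
set firewall name CAM_OUT description "Camera LAN: NTP/DNS only, SS Mac exempt"

# Replies to connections opened from the main LAN (e.g. viewing SS from LAN1) must get back out.
set firewall name CAM_OUT rule 10 action accept
set firewall name CAM_OUT rule 10 description "Established/related"
set firewall name CAM_OUT rule 10 state established enable
set firewall name CAM_OUT rule 10 state related enable

# The SecuritySpy Mac is the one LAN2 host allowed to reach the Internet and other LANs.
set firewall name CAM_OUT rule 20 action accept
set firewall name CAM_OUT rule 20 description "SecuritySpy Mac exemption"
set firewall name CAM_OUT rule 20 source address 10.20.0.10

# Cameras may only sync their clocks and resolve names.
set firewall name CAM_OUT rule 30 action accept
set firewall name CAM_OUT rule 30 description "NTP"
set firewall name CAM_OUT rule 30 protocol udp
set firewall name CAM_OUT rule 30 destination port 123
set firewall name CAM_OUT rule 40 action accept
set firewall name CAM_OUT rule 40 description "DNS"
set firewall name CAM_OUT rule 40 protocol tcp_udp
set firewall name CAM_OUT rule 40 destination port 53

# Everything else from a camera is logged (prefix [CAM_OUT-50-D] in the kernel log) and dropped;
# these log lines are where the "call home" attempts become visible.
set firewall name CAM_OUT rule 50 action drop
set firewall name CAM_OUT rule 50 description "Log and drop camera call-home"
set firewall name CAM_OUT rule 50 log enable

set interfaces ethernet eth2 firewall in name CAM_OUT

# Port forward from the WAN to the SS Mac; hairpin NAT lets LAN1 hosts use the same public address.
set port-forward wan-interface eth0
set port-forward lan-interface eth1
set port-forward lan-interface eth2
set port-forward hairpin-nat enable
set port-forward auto-firewall enable
set port-forward rule 1 description "SecuritySpy web server"
set port-forward rule 1 protocol tcp
set port-forward rule 1 original-port 8000
set port-forward rule 1 forward-to address 10.20.0.10
set port-forward rule 1 forward-to port 8000

commit
save
```

If the router itself answers DNS or NTP for LAN2, those packets hit the `local` chain rather than `in`, so an equivalent ruleset must also be attached with `set interfaces ethernet eth2 firewall local name ...`.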
