Dahua intercom security issues on 3 apartments?

frank10

Getting the hang of it
I would like to install an intercom in a building with 3 apartments.
So I thought of this Dahua VTO2000A-C + VTO2000A-B (3-button module).
They must be connected to their PoE switch VTNS1060A and to 3x 7'' internal monitors.
Both the external unit and the 3 internal monitors are to be connected to the switch, which must also be connected to a router with an Internet connection (to show video on the smartphone too).

Well, the point is, one of the tenants must provide the Internet connection for the whole system (it would be absurd to pay for a dedicated line only for this task...): that way, hypothetically, someone in another apartment could disconnect their monitor and, by connecting to the RJ45 cable, would also have access to that tenant's LAN! Besides, anyone who could reach the switch could access the private LAN.

1) Is this correct? It seems a rather insecure system, doesn't it?

2) Are there other solutions to avoid this situation? I saw a Dahua 2-wire system: could this solve the issue? In that system, is each monitor connected to its own private LAN, so you can't access it from the 2-wire cable?
Which modules do I need (also with 3 dedicated buttons)?
What are the disadvantages compared to the direct IP one?
 

frank10

Getting the hang of it
I found an installation manual for the 2-wire system and there is a picture on page 10:
http://www.dahuasecurity.com/asset/upload/download/Dahua_VDP_2-Wire_VTH5222CH_Users_Manual_V1.0.0.pdf
So I had misunderstood the connection.

The external cam connects directly with RJ45 cables to the router with Internet (so inside one apartment), then there is a connection to the 2-wire switch from which you reach each internal monitor with 2-wire cables. So I suspect you can't use that 2-wire connection from other apartments to get to the tenant's LAN, BUT, as with the previous IP models, this way one could always access it from outside the building by opening the doorbell cam!
Am I wrong? Yes, a bit paranoid, but it's not especially good to expose a personal LAN outdoors, I think :)
 

redfive

Pulling my weight
This question mostly refers to network security, regardless of the devices... An approach could be using a managed switch and a good firewall, with a dedicated VLAN for the intercoms, firewall rules to isolate that VLAN from the rest of the network, QoS rules to limit the bandwidth on the VTOs (most probably it is also possible to allow outgoing connections only to the IP address used for the P2P), and, on the switch, something like switchport port-security, maximum 1 and violation shutdown.... This, generally speaking, but then it depends on which network devices you can use....
Cheers,
jonatha
 

frank10

Getting the hang of it
Thank you.
1) In the direct IP connection I could manage only the one port from the Dahua PoE switch. So if I put it on a managed switch, that should fix it.
2) In the 2-wire connection, I will put the managed switch on the port from the external cable.
So, in both schemes, only one port to manage: an 8-port managed switch could suffice.
Which one do you prefer? What are the benefits/drawbacks of the 2-wire communication?

For managed switch + firewall, do you have some suggestion on the cheap side? Such as TP-Link, D-Link, Linksys or what?
 

frank10

Getting the hang of it
But this way, if I put the intercom into a VLAN on the managed switch, I imagine I can't look at the video doorbell in BI for example, as the VLAN cannot communicate with the PC. Not that important, but is it correct?
 

redfive

Pulling my weight
The inter-VLAN routing is under your control: with fw rules, you can allow some IP addresses, which belong to a different VLAN, to initiate connections, specifying protocols and ports, to the doorbell(s), but not the opposite. For the router, I'd suggest, as a cheaper one, the Ubiquiti EdgeRouter-X: little, but really powerful. While for the switch, actually, I don't know.... With Cisco switches sure you can, it should be possible even with the cheap SG200-08 (you can search for it on Amazon or eBay), but maybe there is some TP-Link/Netgear on which you can set port-security with some options for the violation...
Cheers,
jonatha
 
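As an added example (not from any poster in this thread), this is how the approach jonatha describes in the two posts above could look as an EdgeOS ruleset on an EdgeRouter-X: the intercom VLAN can only answer sessions and reach the P2P server, while a single LAN host is allowed to initiate the video stream to the doorbell. All addresses, the VLAN number, the P2P server address and the RTSP port 554 are assumptions, not values from the thread.

```text
# Assumed addressing (constructed for this example):
#   192.168.1.0/24   tenant LAN on switch0            192.168.1.50  = Blue Iris PC
#   192.168.20.0/24  intercom VLAN 20 on switch0.20   192.168.20.10 = VTO2000A
#   203.0.113.10     placeholder for the vendor P2P server address
configure

# VLAN interface for the intercom; the managed switch carries VLAN 20 tagged to the router
set interfaces switch switch0 vif 20 address 192.168.20.1/24
set interfaces switch switch0 vif 20 description "Intercom VLAN"

# Ruleset for packets arriving FROM the intercom VLAN (checked on the way into the router)
set firewall name INTERCOM_IN default-action drop
set firewall name INTERCOM_IN rule 10 action accept
set firewall name INTERCOM_IN rule 10 description "Replies to sessions the LAN opened"
set firewall name INTERCOM_IN rule 10 state established enable
set firewall name INTERCOM_IN rule 10 state related enable
set firewall name INTERCOM_IN rule 20 action drop
set firewall name INTERCOM_IN rule 20 description "Intercom devices never initiate toward the tenant LAN"
set firewall name INTERCOM_IN rule 20 destination address 192.168.1.0/24
set firewall name INTERCOM_IN rule 30 action accept
set firewall name INTERCOM_IN rule 30 description "Outbound only to the P2P server (assumed address)"
set firewall name INTERCOM_IN rule 30 destination address 203.0.113.10
set firewall name INTERCOM_IN rule 30 protocol tcp_udp
set interfaces switch switch0 vif 20 firewall in name INTERCOM_IN

# Ruleset for packets leaving the router TOWARD the intercom VLAN
set firewall name LAN_TO_INTERCOM default-action drop
set firewall name LAN_TO_INTERCOM rule 10 action accept
set firewall name LAN_TO_INTERCOM rule 10 description "Replies to sessions the intercom opened (P2P)"
set firewall name LAN_TO_INTERCOM rule 10 state established enable
set firewall name LAN_TO_INTERCOM rule 10 state related enable
set firewall name LAN_TO_INTERCOM rule 20 action accept
set firewall name LAN_TO_INTERCOM rule 20 description "Only the BI PC may open the RTSP stream on the VTO"
set firewall name LAN_TO_INTERCOM rule 20 protocol tcp
set firewall name LAN_TO_INTERCOM rule 20 source address 192.168.1.50
set firewall name LAN_TO_INTERCOM rule 20 destination address 192.168.20.10
set firewall name LAN_TO_INTERCOM rule 20 destination port 554
set interfaces switch switch0 vif 20 firewall out name LAN_TO_INTERCOM

commit
save
exit
```

Switch-side port-security (maximum 1 MAC, violation shutdown) lives on the managed switch itself and is outside this fragment; traffic from the VLAN to the router itself (DHCP, NTP) is governed by a separate `local` ruleset, not shown here.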

frank10

Getting the hang of it
I'm studying managed switches, so I would ask:
if I buy an L2+ (or L3) switch, I know they can do inter-VLAN routing: should I be OK without the router?
Or do I need the router also with an L2+ switch? Or, if I must buy a router, could I buy a cheaper normal L2 switch?

I mean:
1) L2 switch + router
2) L2+(/L3) switch
3) L2+(/L3) switch + router

Do I always need the firewall, or is an L2+/L3 switch sufficient to do some basic routing + rules on the intercom?
 

SquareEyes

Getting the hang of it
The two prior posts are really interesting. One company worth a look at is MikroTik. You guys have some knowledge, or at least interest. Best bang for your buck if you have networking basics down.
 

redfive

Pulling my weight
I'd go with an L2 managed switch and a router/firewall with VIFs...
 