Thank you for all the info. A lot of it is above my knowledge but I'll do some research on how to accomplish it.
As far as breaking the first rule, I'm allowing remote access to my network/NVR only through a tunnel VPN. Doesn't this provide protection in the form of an encrypted path into my network?
As it relates to network security, everything people do in life and business is a compromise of access, ease of use, and management. A person / business’s threat level is dictated by the environment they operate and work in.
This is known as attack surface.
You’re already further ahead when compared to 99% of the average consumers who know nothing about what a VPN is - never mind setting one up and using the same!
Regardless of the above, the information I provided earlier (there’s a lot more) reduces points of entry (attack surface) and should be applied whenever possible.
A VPN is just software and can be compromised at any time and only encrypts the two points of a connection and not the data within. Every major hardware vendor spanning A-Z has iterated and updated their VPN service within their appliances over the years not once, twice, but multiple times.
Why?!?
Breaches and holes in the existing software code.
If one looks at this from a 30K view, a network that has no outside connection to anything has literally zero possibility of being hacked. If we add a single layer to this, which is running a separate and isolated network from the main one, the probability for a breach is now improbable.
Add on the extra layers I noted up above of Port AAA, subnetting, MAC filtering, VLAN, Timing / Scheduling, No Ping, and others.
The improbable has now become near impossible without being on site.
When all of the above is managed with biometrics, 2FA, strong and rotating passwords unique to each network device, coupled with antivirus & firewall at the service, edge, and every computer system.
System drives are all encrypted and password protected at the BIOS, OS, and application.
The impossible is close at hand vs a lack of imagination. Impossible simply takes longer!