what else can i do to secure my network? any advice or tips

Dr Ian

Young grasshopper
Joined
Dec 14, 2016
Messages
60
Reaction score
15
ok, I'm an enthusiastic amateur!

recently had Mirai malware pop up on one of my D-Link cams, so got that removed and logically looking to improve network security

things I have done so far:

removed UPnP from router and everything else
made sure latest firmware in everything and more complex passwords etc
using VPN for remote viewing (built into Orbi router) and then OpenVPN on my phone
added stunnel to Blue Iris computer for HTTPS LAN and WAN
removed all port forwarding EXCEPT the forwarding 8080 to 81 for BI machine stunnel

what else would you do?

dual LAN/NIC is harder as BI is on a laptop (and two old cams are WiFi, so can't block all access)
it's a pain to block cameras accessing the internet totally and calling home as the Orbi router blocks keywords, not IP addresses

so any other tips?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Even with "wifi" cams, if you secure them in a VLAN which has absolutely no internet access at all, you are already a level higher on the security maturity scale. As long as the NIC in your laptop supports VLAN tagging (802.1Q), it is already (virtually) serving two networks by the use of 1 physical adapter.

Nothing but good news today, right? ;-)
CC
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
@Dr Ian - another easy thing to do to keep the cameras from accessing the Internet is to remove the default gateway from the camera's IP settings. This way, the camera will still communicate with Blue Iris, but not the Internet. You may also want to look into NetTime, which is an NTP server you can run on your local network. Assuming your cameras may be going out to the Internet to get their time via NTP, if you remove the default gateway IP from the cameras, you could set this up and point them locally for their NTP settings.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
@Dr Ian - another easy thing to do to keep the cameras from accessing the Internet is to remove the default gateway from the camera's IP settings. This way, the camera will still communicate with Blue Iris, but not the Internet. You may also want to look into NetTime, which is an NTP server you can run on your local network. Assuming your cameras may be going out to the Internet to get their time via NTP, if you remove the default gateway IP from the cameras, you could set this up and point them locally for their NTP settings.
There have been cameras found that are smart enough to spawn "generic" gateway addresses to "find" common router addresses... So I wouldn't secure your network by "obscurity"... Drop your cams into a VLAN which is simply not routable, and you are safe.
 

Dr Ian

Young grasshopper
Joined
Dec 14, 2016
Messages
60
Reaction score
15
@Dr Ian - another easy thing to do to keep the cameras from accessing the Internet is to remove the default gateway from the camera's IP settings. This way, the camera will still communicate with Blue Iris, but not the Internet. You may also want to look into NetTime, which is an NTP server you can run on your local network. Assuming your cameras may be going out to the Internet to get their time via NTP, if you remove the default gateway IP from the cameras, you could set this up and point them locally for their NTP settings.

Excuse my basic understanding: so if I change the default router and DNS in the camera settings to, say, 0.0.0.0 but leave the static IP and subnet?

I'm still looking into getting a new bigger switch as I have no ports left on my basic 8-port unmanaged one with VLAN capabilities
 

copex

Getting the hang of it
Joined
Feb 15, 2015
Messages
225
Reaction score
79
Location
Cumbria,England
Excuse my basic understanding: so if I change the default router and DNS in the camera settings to, say, 0.0.0.0 but leave the static IP and subnet?

I'm still looking into getting a new bigger switch as I have no ports left on my basic 8-port unmanaged one with VLAN capabilities
Yes, but you only have to do the gateway: if an IP is outside of the subnet it is sent to the gateway; if the gateway is invalid the traffic will not be routed and is just dropped (so you could set the gateway to the BI server if the device does not like being 0.0.0.0 and BI has not been set up to do routing)

you could also use two NICs in the BI server, one for cameras and one for local / remote access :)

another thought: you could add the camera's MAC address to the router to block internet access, if your router supports MAC address filtering
 
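An added example (not from the thread) that models copex's point: a packet whose destination lies outside the camera's subnet goes to the gateway, and is dropped when the gateway is 0.0.0.0, off-subnet, or a host (such as the BI server) that does not forward. The LAN, camera names and addresses are constructed for illustration.

```python
# Constructed LAN model: which camera configurations still have a path to the Internet?
import ipaddress
from dataclasses import dataclass

@dataclass
class Camera:
    name: str
    ip: str
    netmask: str
    gateway: str  # "0.0.0.0" means no gateway configured

# Assumption: only the router forwards packets for other hosts; the BI server does not.
FORWARDING_HOSTS = {"192.168.1.1": True, "192.168.1.10": False}
BI_SERVER = "192.168.1.10"
INTERNET_PROBE = "203.0.113.10"  # TEST-NET-3 documentation address, stands in for any public IP

def next_hop(cam: Camera, dst: str) -> str:
    """Return 'direct', 'via <gateway>' or 'dropped' for a packet from cam to dst."""
    net = ipaddress.ip_network(f"{cam.ip}/{cam.netmask}", strict=False)
    if ipaddress.ip_address(dst) in net:
        return "direct"  # same subnet: delivered over the LAN, no gateway involved
    gw = ipaddress.ip_address(cam.gateway)
    if gw.is_unspecified or gw not in net:
        return "dropped"  # 0.0.0.0 or an address the camera cannot reach: nowhere to send it
    if not FORWARDING_HOSTS.get(cam.gateway, False):
        return "dropped"  # gateway points at a host that does not route (e.g. the BI box)
    return f"via {cam.gateway}"

def audit(cams):
    """Map camera name -> (can reach BI server, can reach the Internet)."""
    return {c.name: (next_hop(c, BI_SERVER) == "direct",
                     next_hop(c, INTERNET_PROBE) != "dropped") for c in cams}

# Constructed camera settings covering the cases discussed in the thread.
CAMERAS = [
    Camera("garage", "192.168.1.21", "255.255.255.0", "192.168.1.1"),  # default: router as gateway
    Camera("porch",  "192.168.1.22", "255.255.255.0", "0.0.0.0"),      # gateway removed
    Camera("shed",   "192.168.1.23", "255.255.255.0", BI_SERVER),      # gateway = BI server
    Camera("drive",  "192.168.1.24", "255.255.255.0", "10.0.0.1"),     # gateway off-subnet
]

if __name__ == "__main__":
    for name, (bi_ok, inet_ok) in audit(CAMERAS).items():
        print(f"{name}: BI={'ok' if bi_ok else 'NO'} Internet={'REACHABLE' if inet_ok else 'blocked'}")
```

Only the camera with the router as its gateway still reaches the Internet; all four still talk to Blue Iris because it sits on the same subnet.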

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
Excuse my basic understanding: so if I change the default router and DNS in the camera settings to, say, 0.0.0.0 but leave the static IP and subnet?

I'm still looking into getting a new bigger switch as I have no ports left on my basic 8-port unmanaged one with VLAN capabilities
Yes - just change the gateway. If the camera has no gateway, it has no path out to the Internet.
 

Dr Ian

Young grasshopper
Joined
Dec 14, 2016
Messages
60
Reaction score
15
Yes, but you only have to do the gateway: if an IP is outside of the subnet it is sent to the gateway; if the gateway is invalid the traffic will not be routed and is just dropped (so you could set the gateway to the BI server if the device does not like being 0.0.0.0 and BI has not been set up to do routing)

you could also use two NICs in the BI server, one for cameras and one for local / remote access :)

another thought: you could add the camera's MAC address to the router to block internet access, if your router supports MAC address filtering
Sadly it's an older Alienware laptop running BI, so only one network as standard

This is weird though: I change DHCP to static in the camera and save settings, and on reboot it's back to DHCP? Admittedly these are old D-Link DCS-2332 cameras (waiting on some new 5442 turrets from Andy)
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
Sadly it's an older Alienware laptop running BI, so only one network as standard

This is weird though: I change DHCP to static in the camera and save settings, and on reboot it's back to DHCP? Admittedly these are old D-Link DCS-2332 cameras (waiting on some new 5442 turrets from Andy)
You can purchase a USB to Ethernet adapter and boom, instant 2nd network.
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,670
Reaction score
22,777
ok, I'm an enthusiastic amateur!

recently had Mirai malware pop up on one of my D-Link cams, so got that removed and logically looking to improve network security

things I have done so far:

removed UPnP from router and everything else
made sure latest firmware in everything and more complex passwords etc
using VPN for remote viewing (built into Orbi router) and then OpenVPN on my phone
added stunnel to Blue Iris computer for HTTPS LAN and WAN
removed all port forwarding EXCEPT the forwarding 8080 to 81 for BI machine stunnel

what else would you do?

dual LAN/NIC is harder as BI is on a laptop (and two old cams are WiFi, so can't block all access)
it's a pain to block cameras accessing the internet totally and calling home as the Orbi router blocks keywords, not IP addresses

so any other tips?
airgap what you can...
 

Dr Ian

Young grasshopper
Joined
Dec 14, 2016
Messages
60
Reaction score
15
Yes - just change the gateway. If the camera has no gateway, it has no path out to the Internet.
omg, this is literally the easiest and best thing so far!!

BI still works as expected
cameras can't be seen by the manufacturer's app (D-Link Lite), which was one thing I wanted!
I'm no longer getting alerts from the Orbi router of outgoing connections to suspect IP numbers

and as a bonus FedEx just emailed to say my Andy/Empire delivery is due tomorrow
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
Very cool. I would still consider the time on the cameras next, now that they are probably not going out to some host on the Internet for their time. The NetTime software can be run on your BI laptop. I have mine running on a virtual machine and all the computers on my network reference it.


Sent from my iPhone using Tapatalk
 

Dr Ian

Young grasshopper
Joined
Dec 14, 2016
Messages
60
Reaction score
15
Very cool. I would still consider the time on the cameras next, now that they are probably not going out to some host on the Internet for their time. The NetTime software can be run on your BI laptop. I have mine running on a virtual machine and all the computers on my network reference it.


Sent from my iPhone using Tapatalk
For now I just unticked the sync time check box and set time manually.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
For now I just unticked the sync time check box and set time manually.
Keep in mind that clocks drift. That's why having an NTP server to keep everything in sync is important. You'll end up logging into cameras to update the time when you notice they are out of sync. If you don't have a bunch of cameras, not too big a deal, but if you have a bunch it becomes a pain. I have 16 cams in sync all the time within 1 second of each other using NetTime as my local NTP server.


Sent from my iPhone using Tapatalk
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,287
Reaction score
3,252
Location
United Kingdom
There's a good primer here on setting up an NTP server on the BI machine and then pointing the cams to that NTP server and is easy enough to do so I'd get that done. This would also take care of clocks going forward/back as they do in the UK where I am.
 

Dr Ian

Young grasshopper
Joined
Dec 14, 2016
Messages
60
Reaction score
15
There's a good primer here on setting up an NTP server on the BI machine and then pointing the cams to that NTP server and is easy enough to do so I'd get that done. This would also take care of clocks going forward/back as they do in the UK where I am.
That's great, I set up the NetTime service, working for most cameras. The two really old cameras are acting weird with it, guessing because the date range (in the camera GUI) doesn't go past 2019.... lol

I really must thank everyone for all the great advice on this forum, you're all amazing. I feel much more secure now: stunnel, VPN, removing the gateway from cameras etc. Also got spotter cams moving my PTZ following other threads.
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,377
Reaction score
2,738
Location
USA
Excuse my ignorance, but why the use of stunnel if you can VPN into the system remotely? Couldn't you drop stunnel and use the more secure VPN connection as your sole means of accessing the network?
 