|Any wireless device can be a soft target |
Internet of Things security
We all want our networks to be the network of everything. We want to be able to access our security systems everywhere. We want to view cameras, receive alarms, get notifications on our cell phones or from access points that are not our own. We want to cut the cable with wireless transmission. All of these are just an invitation to make our systems less secure.
We demand more security and blame camera manufacturers, video management systems (VMS) or network video recorders (NVR); at the same time, we want to pay less. We want the convenience of accessing everything over the Web and mostly using the Internet.
Closed network security systems
No one is safe. In June, antivirus software provider Kaspersky Lab was hacked. Most of our security devices protect themselves with user names and passwords, and in most cases these are ineffective. The real protection is to limit access to a system as much as possible.
In a typical network system, we have cameras connected to a network switch fed to a recording device usually in the form of a video server or NVR. The first question is: How much exposure do I really need? Video security used to be referred to as CCTV – closed circuit television. Sometimes, it still is. The key word is “closed.” Why not think about network video security systems as CNSS or “closed network security systems?”
Every access point on a network has a potential for hacking. Once a security system is hacked, anything is possible. Studies have shown that hackers can exchange real video feeds from cameras for fake ones. It’s a variation on what used to be cutting the video cord or masking the lens in the analogue days. So what can you do to prevent your system from being hacked?
Every access point on a network
Create a separate network
Let’s start with the obvious, make it a CNSS. This can be as political as it is technical, given that governance of security systems is shifting from the security department to IP directors who want to centralise their control. Next are the common sense approaches. If you can access IP devices by pinging them from any point outside your system, it is an open door for hackers.
Disable common access
Port 80 which is most commonly used for Internet traffic should especially be disabled. Most network switches have the ability to be accessed with the help of a function called Telenet using ports 21 and 23 – disable these as well.
Create your own unique subnet and IP address
An IP address is basically a 32-bit number that can range from 0 to 429496794, and has the potential to create about 4.3 billion unique addresses. Keep in mind, we are dealing with our own CNSS, so concerns about conflicts outside the network don’t exist. For example, if you are using an address of 192.168.1.xxx, with a subnet of 255.255.255.0, any IP address starting with 192.168.1 will be able to access devices on your network.
Do you really need a Layer 3 switch?
Keep in mind that “layering” as it pertains to network switches is primarily a marketing term and not a standard. The major difference in what we can consider a Layer 2-plus and Layer 3 is routing. A router routes IP packets among IP networks, which in our case makes it a major point of exposure. Think about routing in terms of Google. You ask a question, send it out and it crosses hundreds, perhaps thousands of access points on different networks until it is finally received at its destination, is responded to and is transmitted back to your computer over hundreds or thousands of additional access points. All of these cross different subnets over Wide Area Networks. Do you really need to have your system exposed to this for the privilege of paying more for Layer 3 capability as opposed to Layer 2?
Most network switches have the ability to be accessed with the help of a function called Telenet using ports 21 and 23 – disable these as well
User names and passwords
They give us a sense of security, but in reality names and passwords are probably the least secure method.
We now know that Android phones can be easily hacked without requiring the user to view a message or open an attachment. In doing so, all your information is exposed, including the phone application that allows you to view your security system. While a fix exists, due to the open source nature of Android it will be significantly more difficult to secure in comparison to single sources such as iOS.
Network switching - most critical point
The network switch is a gathering point for your security system. Once you have created your own network, removed access from outside networks by disabling common port access and avoided the use of routers or Layer 3 switches, you can take additional steps to internally secure your system. One of the most common and effective methods is the use of internal system MAC (Media Access Control) addressing. It is unique to each product that is IP-enabled. Your computer, cell phone and every component of your IP-based security system has a unique MAC address. Select a managed switch whose programming allows you to secure your system using MAC addressing. Your cameras can be connected to specific switch ports using MAC addressing, thus preventing them from unauthorised changes. Most importantly, the MAC address of the client computer can be tied to the switch to prevent outside or even internal access. This feature is known as MAC locking and is directly related to MAC lockouts, which disables unauthorised MAC addresses from gaining access.
In the end, the decision as to how you construct your system network is up to you. Regardless of how attractive, the use of cell phones or the thought that Layer 3 must be better than Layer 2 switching are just invitations to hack your system. Every access point is another open door. Maybe it’s time to reconsider the meaning of “Closed Circuit.”