Security and IP Cameras

While being a security device by vocation, an entry-level IP camera is rarely secure itself: its embedded web server offers no way to encrypt either your login or the video stream. Fortunately there are ways around it, as well as common-sense practices that reduce the risk.



If you're willing to spend 300€+, there are IP cameras with embedded SSL/TLS (HTTPS) on the market (Axis, Panasonic, ...), but if, like me, you preferred buying 6 cheap Chinese IP cams for that price, you can only use plain, unencrypted HTTP: anyone on the path between you and your home can read both the login and the pictures. Thanks to this lack of security, the role of your "security" device can be completely inverted, opening a wide-open window into your home. The dream of any potential burglar planning an on-site visit!

First: the obvious ... restrict the HTTP and FTP accounts to reduce the potential damage.
The first rule for any unencrypted access to your LAN is to use a dedicated user name and password combination that is used nowhere else (not even for the FTP service), so that if your IP cam login is ever "sniffed" by an attacker, the intrusion stays confined to the camera and does not extend to your NAS or your computer!
Furthermore, the account used for access from the WAN should be limited to the Visitor role (fixed view only) or the Operator role (PTZ control), never Administrator, so that an intruder cannot tamper with the configuration or clear the traces of the visit from the log (which you should inspect regularly for hints of unusual access).

The FTP service account: the camera sends this login in clear text too, every time it uploads a picture to an FTP server on the Internet, so it is just as easy to sniff, and if it is the same user/password as for the HTTP server, compromising one gives away the other. The same kind of precaution applies here: use another unique user/password pair with the most limited access the target server allows (ideally write access to a single upload directory only), so that a hacker who captures it cannot use that account to pump all your data.
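To make the sniffing risk concrete, here is an added example (not from the original post) of what a passive observer recovers from the two cleartext protocols the camera uses: the HTTP Basic login a browser sends to the camera, and the USER/PASS exchange of the camera's own FTP upload. Both captures are constructed byte strings; the addresses, file names and credentials are made up, and the reuse check at the end is this example's way of showing the point made above.

```python
"""Recover credentials from cleartext HTTP and FTP traffic.

Added example, not code from the original post. The two captures are
constructed; no real traffic, hosts or credentials are involved.
"""
import base64

# Constructed capture: an HTTP request as a cheap IP camera's web server
# receives it from a browser, with HTTP Basic authentication.
HTTP_CAPTURE = (
    b"GET /videostream.cgi HTTP/1.1\r\n"
    b"Host: 192.168.1.50\r\n"
    b"Authorization: Basic dmlld2VyOkNhbTNyYS1Pbmx5IQ==\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

# Constructed capture: the client side of the FTP session in which the
# camera uploads a snapshot to a server on the Internet.
FTP_CAPTURE = (
    b"USER camupload\r\n"
    b"PASS ftp-0nly-secret\r\n"
    b"TYPE I\r\n"
    b"STOR alarm_20120115.jpg\r\n"
    b"QUIT\r\n"
)


def http_basic_credentials(capture):
    """Return (user, password) from an Authorization: Basic header, else None."""
    head, _, _ = capture.partition(b"\r\n\r\n")      # headers end at the blank line
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":               # Digest etc. is not recoverable this way
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except ValueError:                           # binascii.Error is a ValueError
            return None
        user, _, password = decoded.decode("utf-8", "replace").partition(":")
        return user, password
    return None


def ftp_credentials(capture):
    """Return (user, password) from the USER/PASS commands of an FTP session, else None."""
    user = password = None
    for line in capture.split(b"\r\n"):
        cmd, _, arg = line.partition(b" ")
        if cmd.upper() == b"USER":
            user = arg.decode("utf-8", "replace")
        elif cmd.upper() == b"PASS":
            password = arg.decode("utf-8", "replace")
    if user is None or password is None:
        return None
    return user, password


def recovered_credentials(http_capture, ftp_capture):
    """Collect what an eavesdropper learns from both captures and flag password reuse."""
    http_creds = http_basic_credentials(http_capture)
    ftp_creds = ftp_credentials(ftp_capture)
    return {
        "http": http_creds,
        "ftp": ftp_creds,
        # A reused password turns one sniffed login into two compromised services.
        "password_reused": bool(http_creds and ftp_creds and http_creds[1] == ftp_creds[1]),
    }


if __name__ == "__main__":
    for proto, creds in recovered_credentials(HTTP_CAPTURE, FTP_CAPTURE).items():
        print(proto, creds)
```

Run it against a real capture (e.g. a `tcpdump -A` dump of the camera's traffic on your own LAN) and the same functions apply; the only thing Basic authentication adds over FTP's plain USER/PASS is a base64 encoding, which is not encryption.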



Next: consider solutions to prevent intrusions.

1. If you only access your IP cameras from fixed external locations, consider configuring your home router to accept incoming HTTP and FTP requests from those fixed IP addresses only. This alone greatly reduces the likelihood of an intrusion, although it does nothing for confidentiality: the traffic is still readable on the path.


2. If you have a Network Attached Storage device (NAS), you may have other options:
e.g., the Synology DiskStation range offers a Surveillance Station that controls your cameras through the NAS's own HTTPS access, so that only the NAS's encrypted connection is exposed to the Internet. In the case of Synology though, you need to purchase extra licences to control more than one camera.



3. Some NAS and routers come with a VPN server, and this is your best free option.
While PPTP is slightly easier to set up, OpenVPN is generally acknowledged as faster and more reliable; PPTP's MS-CHAPv2 authentication is also known to be breakable, so OpenVPN is the safer choice.

To make it work with the outside world, check that your router lets the VPN traffic pass through. This option is usually present in the user interface and needs to be enabled.

If the firewall is on, further set-up is needed to allow traffic through the required ports:
generally UDP 1194 for OpenVPN, and TCP 1723 plus GRE (Generic Routing Encapsulation, IP protocol number 47) for PPTP.

Once your VPN connection is up, a tunnel exists between your remote client and your intranet at home (i.e. behind the NAT).
As a result, every server on your LAN can be accessed just as if you were at home.


Therefore, you now use the intranet IP addresses of your cameras to connect to them; the camera traffic travels inside the encrypted tunnel, and you are the only one watching. The HTTP and FTP port forwardings that were opened on the router for direct access are no longer needed and should be removed.
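As an added example that is not part of the original post, the following script applies two pieces of advice from above, inspecting the camera log for unusual access and the fixed-address restriction of step 1, to a constructed log. The log format, the LAN prefix 192.168.1.0/24, the allowed external address 203.0.113.10, the role names and the failed-login threshold are all assumptions of this example; a real camera writes its own format, so the regular expression is the part to adapt.

```python
"""Review an IP camera's access log for signs of intrusion.

Added example, not code from the original post. The log lines are
constructed, and the network values below are assumptions.
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")           # assumed home LAN
ALLOWED_WAN = {ipaddress.ip_address("203.0.113.10")}   # assumed fixed office address
ADMIN_ROLES = {"administrator"}                        # role that must never log in from the WAN
FAILED_LOGIN_THRESHOLD = 3                             # failures from one source before flagging

# Assumed line layout: "<date> <time> user=<u> role=<r> ip=<a> event=<e>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)

# Constructed sample log (not real data): a normal day, then an intruder
# guessing the admin password from an unknown address and covering tracks.
SAMPLE_LOG = """\
2012-01-15 07:58:11 user=viewer role=visitor ip=203.0.113.10 event=login
2012-01-15 08:02:40 user=viewer role=visitor ip=192.168.1.20 event=login
2012-01-15 12:14:02 user=admin role=administrator ip=198.51.100.77 event=login_failed
2012-01-15 12:14:05 user=admin role=administrator ip=198.51.100.77 event=login_failed
2012-01-15 12:14:09 user=admin role=administrator ip=198.51.100.77 event=login_failed
2012-01-15 12:14:31 user=admin role=administrator ip=198.51.100.77 event=login
2012-01-15 12:15:02 user=admin role=administrator ip=198.51.100.77 event=config_change
2012-01-15 12:15:40 user=admin role=administrator ip=198.51.100.77 event=log_cleared
2012-01-15 19:30:00 user=admin role=administrator ip=192.168.1.20 event=login
"""


def parse_log(text):
    """Turn matching log lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["ip"] = ipaddress.ip_address(event["ip"])
            events.append(event)
    return events


def review(events):
    """Return (timestamp, source, reason) findings worth a closer look."""
    findings = []
    failures = Counter()
    unlisted = set()            # report each unknown external source once
    for e in events:
        ip, src = e["ip"], str(e["ip"])
        remote = ip not in LAN
        if remote and ip not in ALLOWED_WAN and src not in unlisted:
            unlisted.add(src)   # step 1 says the router should have dropped this
            findings.append((e["ts"], src, "unlisted_source"))
        if remote and e["role"].lower() in ADMIN_ROLES and e["event"] == "login":
            findings.append((e["ts"], src, "remote_admin_login"))
        if e["event"] in ("config_change", "log_cleared"):
            findings.append((e["ts"], src, e["event"]))   # tampering or trace removal
        if e["event"] == "login_failed":
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:
                findings.append((e["ts"], src, "failed_logins"))
    return findings


if __name__ == "__main__":
    for ts, src, reason in review(parse_log(SAMPLE_LOG)):
        print(ts, src, reason)
```

A log that suddenly goes quiet is itself a finding: the `log_cleared` event is the last thing an intruder leaves behind, which is why the WAN account should not have the right to produce it in the first place.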





Upgrading to Gigabit and Wireless-N

There are many WiFi-N routers on the market, but add the Gigabit requirement and the choice drops dramatically. Add a further requirement for an embedded ADSL modem, and you're left with just a handful of candidates.

With time, I accumulated devices with either Gigabit or WiFi-N connectivity (Blu-ray player LG BD390, Synology NAS DS109, Acer Liquid MT smartphone), so I decommissioned my good ol' 7402GXL for the Billion 7800N with WiFi-N and Gigabit capabilities.

There are several reasons, other than just using fewer power sockets, for preferring an ADSL router with an embedded modem, but for sure this decision reduces the available options. In Europe, this seems to leave the Billion 7800N, Cisco WAG320N and Netgear DGN3500 as the only possible candidates (all based on the Broadcom BCM6358 chipset).
Although I didn't mind trying something other than Billion (just for a change), the unconvincing user reviews of the Cisco and Netgear models pleaded for staying with the brand I have known since 2008 for its reliability and for the quality of its technical support service.

The first and most striking difference of the 7800N compared to the 7402GXL is its size, about 30% bigger (15.5cm x 23cm). Next come the obvious addition of 2 antennas and the absence of a USB connection for a 3G modem.
The interface is similar to the 7402GXL's, except that there are no pre-defined firewall rules, so you need to define your restrictions from scratch on top of the single initial "allow all" rule (which means nothing is filtered until you do).
The chipset is also different: Broadcom instead of Conexant. Apparently it gives slightly fewer options when configuring from the command line interface (such as adding port forwarding...).
The Billion 7800N is not really a new router, nor the cheapest (~130€), but considering its outstanding reliability it's well worth the money.

The companion router
To be complete, the solution had to include a companion Gigabit+WiFi-N router to play the role of wireless range extender.
Since a modem was not necessary here, the choice was wider:
Buffalo WZR-HP-G300NH v2, Zyxel NBG4604, D-Link DIR-645, TRENDnet TEW-639GR and TP-Link TL-WR1043ND.
It didn't take too long to opt for the latter based on its reviews and price (~50€).


These two guys work perfectly together, and all it takes to set up the TP-Link router as a bridge is to switch off its DHCP server while designating the other router as the primary DNS server. I gave the same access point name to both boxes but distinct, non-overlapping Wi-Fi channels. This way, when my netbook or phone leaves the coverage area of one, it automatically connects to the other.





One remarkable feature of this router is its excellent user interface, complete and well structured, with detailed contextual help for every single option explaining how and why to use it. Something that Billion leaves to Google.




More info:
Billion Bipac 7800N: http://www.billion.uk.com/product/wireless/7800n.htm
TP-LINK WR1043ND: http://www.tp-link.com/en/products/details/?model=TL-WR1043ND

Demo UI for 7800N: http://www.billion.com/edu/EWAN/7800N_GUI/
Demo UI for WR1043ND: http://www.tp-link.com/simulator/tl-wr1043nd/index.htm



VPN through Billion 7402GXL

Until recently, setting up a PPTP VPN passthrough on my Billion 7402GXL router was impossible, and for once, it turns out it was not all my fault...


Unlike most other routers on the market, there's no specific "PPTP Passthrough" option in the 7402GXL, but the method to allow it on the Billion router is quite simple:

Under the Virtual Server > Port Forwarding section, define a redirection for the PPTP port (TCP 1723) and another for the GRE protocol (IP protocol number 47), both pointing to the intranet IP of the VPN server.


And if the firewall is enabled, define a rule to allow PPTP port 1723 through (In and Out).


In theory, this should have done the trick, but not for me: even with the troublesome firewall off, the VPN client was still hitting an invisible wall, and there was no log entry whatsoever, in the router or at the VPN server end, to give any clue.

Resolution
I contacted Billion technical support to check for any newer firmware for my model, which was on 6.22b (which, despite being 6 months old, is only confidentially mentioned on the UK forum).
They provided me with version 6.24b (UK build). It appears to be one of the latest available (January 2012) according to the Australian site (no changelog available).

Once installed, the VPN connection worked immediately with the same set of rules and forwarding.

So it is possibly a bug that the latest firmware eventually resolved. Of course, it is also possible that resetting the router to factory settings, which is a requirement when upgrading the firmware on Billion's devices, cleaned up something corrupted in the configuration.
