IP Security Cameras - Access Point Security Risk

I currently have one Foscam that I use as a baby monitor so I'm familiar with them and how to access them and their security risks (You cannot access mine without being on the network), but I'll be purchasing a home in the coming months and I'll be wiring the home for ethernet before we move in. I intend to get at least two POE IP security cameras. Now I know it might seem a little ridiculous to have this concern, but I'm curious if anyone has experience here / what solutions have you deployed: Having a security camera outside of your home means having an access point into your home network. IE, someone could get a ladder and unscrew the camera and unhook the ethernet cord, and vola they are on your network. Aside from locking down your internal network, how have you guys addressed this concern (or am I simply being too ridiculous here)?

I dont have such a camera. But.. Just the usual security measures come to mind. The cameras should never change so have it set off an alarm if the MAC changes or the camera is disconnected.

Dont think youd need to do anything else (except the usual, segregate VLANs etc.), youd know if someone tried that.

I utilize vlan seperation for that. The IPCams are on a seperate untrusted vlan (needs a managed switch) and the NVR, though it only has one NIC is vlan aware and has two vlan interfaces; One on the camera vlan and the other at the internal vlan.

The cams have no access to the internet themselves as the NVR handles the updates, downloads the firmware and pushes it to the cameras.

So even if a attacker unplugs a cam (which all are wired network only) he ends up in a totally seperated network with only the other cameras and the NVR (which is secured with iptables - so no access to the management web interface through the cctv vlan) showing on the network.

If your hardware supports it you can also use port authentication and port security to prevent someone from unplugging a camera and accessing your network.


1 Like

I was experimenting with that - but either I am not aware how, but I more think that my HP switches don't offer that.. and the ubnt cams can not authenticate against a radius server.

I've only ever used RADIUS on wi-fi, but that's broken at the moment and I can't figure it out.

The implementation, at least the FOSS one is a nightmare; I have not found any somewhat convenient radius server... the web gui that is out there is cumbersome and from 2009 last updated if I recall right - and managing it from the cli is - yeah ... webgui is better XD

I've used freeradius on pfsense and that's pretty okay, although some of the options are hidden in the config file, but the config file will regenerate if you change anything in the GUI or update the package which breaks any changes you might make.

I heard that the GUI on pfsense is quite alright - but besides that there is nothing; And I do not want to spin up pfsense just for radius

It might seem like a given but it's also all about your installation, first don't run your cables on the exterior of the home, make all your connections inside, most cameras have about a foot of pigtail that should easily allow you to make your connection and stuff the cable back up in the hole.....and of course the higher location you can put the cameras the better off you are from a security standpoint, sure this will make your installation harder, but in the end it will be more secure.

I have several cameras that are within reaching distance but someone would have to be pretty bold to try it since they are exposed to the neighborhood for everyone to see them, if you have the budget using extra cameras to cover each location works also, a case in point I have a camera that covers a entry door on my garage that camera is in the field of view of another camera that covers the driveway so anyone tampering with the 1 cam is detected by the 2nd cam, the 2nd cam is in a location that requires a extension ladder to reach.

Honestly in the over a year my system has been up almost no one notices the cameras, really, it's odd but even at night when the night vision has the cameras glowing red people just don't seem to notice them, but if you can run the wires inside the house and only have the cameras exposed you will limit the liability of someone gaining access to your network cable.

Hope this helps.

Thanks for the replies. I think I have an idea of how I want to secure them now. Appreciate the help as always.