4 Methods to Better Improve Your Network Video Security
April 27, 2022
A few weeks ago, we featured a blog article about “How to secure
your Network Video Security system”, where we
covered Peer-to-Peer (P2P) and Geolocation restrictions. In addition to those
important methods, there are more features to take advantage of that can
improve overall security.
Disabling Unneeded Services
IP devices as well as online PC servers support many services and protocols. Most
of these are designed to simplify access, enable different configurations, or
enhance interoperability with 3rd party
devices and remote applications. For example, CGI and ONVIF are protocols that
allow IP cameras to be easily added to a recorder. The “Device discovery”
feature allows the NVR to be detectable on the network, which simplifies set-up
procedures when using the Dahua Config tool software. All of these services
offer increased convenience — but if you are not planning to use those
features, it is best practice to turn them off and reduce your online exposure.
For example, if you are using the same brand IP camera as your NVR, there’s no
need to support the ONVIF protocol and you can switch it off with no loss in
convenience. The logic here is simple: don’t leave doors and ports open that
you don’t need to.
Enable Secure Communication Features
SSL/TLS is the most widely used protocol for encrypted connections to most network
services. Enabling Digest Authentication allows the host web service to
negotiate credentials with a user’s web browser. This is used to confirm the
identity of a user before replying. Unlike basic authentication, digest
authentication does not require the password to be transmitted as open text and
thus minimizes exposure of the user’s credentials.
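The difference between the two schemes, as an added example that is not Dahua code: it builds a Basic header and a Digest response for the same login and shows what each one puts on the wire. It assumes Digest with MD5 and qop=auth and uses the sample values from the worked example in RFC 2617; the algorithm a given NVR or camera negotiates may differ.

```python
import base64
import hashlib
import hmac

def basic_header(user, password):
    # Basic auth only base64-encodes "user:password"; it is not encryption.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def read_basic_header(header):
    # Anyone who captures the header over plain HTTP recovers the password.
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = decoded.partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # RFC 2617 with qop=auth: only this hash crosses the wire, never the password.
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def server_accepts(password_on_file, received, **fields):
    # The server recomputes the hash with the nonce it issued and compares.
    expected = digest_response(password=password_on_file, **fields)
    return hmac.compare_digest(expected, received)

# Sample values from the worked example in RFC 2617, section 3.5.
SAMPLE = dict(user="Mufasa", realm="testrealm@host.com", method="GET",
              uri="/dir/index.html", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
              nc="00000001", cnonce="0a4f113b")
PASSWORD = "Circle Of Life"

if __name__ == "__main__":
    hdr = basic_header(SAMPLE["user"], PASSWORD)
    print("Basic header:   ", hdr)
    print("Recovered:      ", read_basic_header(hdr))
    resp = digest_response(password=PASSWORD, **SAMPLE)
    print("Digest response:", resp)
    print("Accepted:       ", server_accepts(PASSWORD, resp, **SAMPLE))
    # A captured response is bound to the server's nonce; a fresh nonce rejects it.
    fresh = dict(SAMPLE, nonce="constructed-fresh-nonce")
    print("Replay accepted:", server_accepts(PASSWORD, resp, **fresh))
```

The Digest response hides the password but nothing else in the request or reply, which is why the page and video data still need SSL/TLS.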
However, Digest authentication only protects the authentication credentials. SSL/TLS
goes one step further and encrypts everything in the page. SSL/TLS will be
somewhat less efficient as a result, but has the advantage that it can allow
parties to verify one another’s identities, if they use trusted certificates.
Think of this as two-way verification, so that both parties know that both are
who they say they are.
Most Dahua NVRs support the use of Certificate Authority (CA) certificates, which
verify to the client user that you are indeed connected to the host that you
wish to be connected to.
Advanced Firewall Options
A common way an attacker can bring down a website (or any device with a web host) is to
launch a DoS attack. A Denial of Service attack can flood the host device with
SYN messages or ICMP packets, which could render it unresponsive to legitimate
connections. The common phrase DDoS represents a ‘distributed’ denial of
service attack, where the flood of (illegitimate) calls usually comes from a
network of hijacked computers (botnet) remotely controlled by a hacker.
Some NVRs have protection from SYN or ICMP Flood attacks. Enabling this protection
will use special filtering to mitigate that attack technique.
Stream Encryption
A/V Encryption enables the NVR to accept encrypted audio and video streams from a
compatible IP camera. Alternatively, you can enable RTSP over TLS if available.
RTSP (Real Time Streaming Protocol) is used to deliver A/V streams to most devices.
Enabling RTSP over TLS allows the stream to be encrypted before transmission.
Both of these methods help prevent eavesdropping on the video feed, if other methods
of denying unauthorized access have somehow been circumvented.
In conclusion, there are many advanced security methods that were once exclusive
to advanced firewall devices. By investing a little extra time during setup and
making the choices that are best suited to your particular situation, you can
better protect against unauthorized access while ensuring reliable availability
for the uses you intend to support.