Slashdot Mirror


A DVR Security System That Isn't Based on Windows?

Brady J. Frey asks: "For months, I've had a client that has been looking for a Linux or Mac alternative for their DVR Security systems. They are a large Real Estate company with 200+ cameras worldwide, and their Pelco PC DVRs are hubs for viruses. These systems cannot run anti-virus software at the same time they record -- but require internet inbound/outbound traffic through specific ports that leave some nice holes in the firewall for viruses to find their way in as needed. Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost-effective method for a number of their locations. Therefore we are looking for alternatives. Any suggestions?" "We've tried looking at Ben's Security Spy for Mac, and running a Quicktime server, but it was not industrial enough for us and the developer has been elusive. We're looking at Endura by Pelco, but there are some questions unanswered for it.

What I want is a high end, professional DVR system for a large business that does not run Windows. Budget isn't really an issue at this point, since we are just looking for options.

To note, I'm hearing I could possibly do IP cameras, and host any ol' web server I want to download those files, but I have no clue as to how to control the cameras, or if this is really a possibility. Any advice or information is appreciated. If you are an expert in this industry, we may have a need for your services and would welcome that too!"


  1. Traffic by dr_strang · · Score: 2, Insightful

    Isn't the camera traffic limited to known IP addresses/MAC addresses? Just lock it down to only accept traffic from those...

    --
    This is a sig. It is like every other sig in the world, except that it is mine, and it is different.
  2. ipcameras by cookiej · · Score: 2, Interesting

    Sad to say, SecuritySpy isn't even close to "industrial". They won't even support one of the newer D-Link cameras, the 6620G.

    I have two D-Link 6620G cameras and have been looking for *any* solution, industrial or not, that would let me access my cameras via my Mac.

    I am by no means an industry expert, I can tell you that the IP Camera solution is indeed viable. Several of them out there -- check out:

    http://www.ipcamerademos.com/

    and

    http://www.ipcameraforums.com/

    Also -- most of the IP cameras have their own software, access (and control) via a webserver built into the camera, or a client utility that allows multiple views (at least the D-link does, and I was led to believe that both Toshiba and Panasonic do as well).

    There are some serious industrial IP cameras out there. Check out AXIS and I think Panasonic has some heavy-duty cameras as well.

  3. Viruses? by spun · · Score: 4, Insightful

    Um, viruses don't just sneak in through open ports. Worms and trojans sneak in through exploits in programs running on those ports. Which exact ports are open? Look, I'm as big a linux zealot as the next guy, but this sounds like a scam. "See the, uhm, viruses are sneaking in through the, uhm, open ports in your windows. You need me to install all new Linux based stuff. See, linux doesn't have ports or windows, so the viruses can't sneak in!"

    Really, wouldn't it be better to stick with a known system and, you know, do your job as a sysadmin by fixing any security holes?

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Viruses? by bradyj · · Score: 2, Interesting

      We are a 100% Mac and Linux company, so my known system would not be a dated Windows box dumbed down to only run anti-virus when nothing else works :) It may very well be a weakness in the software -- the ports required are 80 and 9999, that's it -- Pelco themselves duplicated a virus popping into it with a router up top, and since many of these buildings are remote, the expense is not reasonable to have a high end firewall on most of these remote locations when I could just as easily disregard that mess and log in as a non-root enabled user.

    2. Re:Viruses? by Tim+C · · Score: 2, Insightful

      Worms and trojans sneak in through exploits in programs running on those ports.

      No, trojans are executed by the user in the belief that it is an application that the user wants (or needs) to run. Viruses hook on to other executables, causing themselves to be run when that executable is run; they generally fork (or similar), execute the real executable, then seek out other executables to infect. Worms are the only self-mobile code, and do indeed seek out open ports to exploit holes in the software listening on them.

      Apart from that, you're right, viruses are not sneaking in through open ports. Anything that is getting in of its own accord is a worm by definition. If there really are viruses getting on to these things, then I suspect we're not being told the whole story, which really doesn't make giving recommendations very easy...

  4. Re:Very timely post by jcr · · Score: 2, Interesting

    Acting as home DVR isn't quite the same thing you need for surveillance. Still, that box may make a dandy jumping-off point for this kind of application.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  5. Re:Open ports have applications linked by Zeinfeld · · Score: 2, Insightful

    I'm sure it's the application -- but at the same time, this would be a mute issues on a linux/mac setup.

    I think you meen moot.

    For the application that you describe viruses should not be a threat on any platform. There should be no users on the box and if there are users they should not run using admin privs unless they are doing admin. Break those rules and you are in trouble regardless.

    Your problem is going to come from worms. There are plenty of worms that attack UNIX boxes.

    A network router box with port filtering can be bought for $50 or less. It is a good investment regardless of the O/S you run. A large number of security problems are the result of an admin reconfiguring the box.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  6. $29 Firewall Routers are your Friends by billstewart · · Score: 4, Insightful

    I can't tell from the original posting whether the client is trying to replace the hub site or protect the remotes or both, and I can't tell if the remote-site equipment is being used for other applications or only for the camera, which makes a *huge* difference in your threat model.

    Basic firewall routers cost $29, and you can set them up to only allow connections from your headquarters location, or even to do IPSEC tunnels if your video application doesn't get into PMTU-discovery problems. Installing them at existing locations costs significantly more than $29, but for new locations it's just an extra couple of minutes to plug in the box when you're plugging in the camera.

    Basic PCs cost $250, so if you need a headquarters firewall or IPSEC tunnel server, that's basically free - certainly less than you'd charge your client for the amount of time you're reading Slashdot responses \\\\\\\ \\\\ \\\\\\\ researching solutions. And you can run ClamAV on it to protect outgoing traffic.

    If your remote sites are using the video box as a general-purpose PC to surf the net and read email, then you need to run an anti-virus application on it and either run a basic firewall box (wimpy, but a good start), or use the firewall to tunnel all your browsing traffic back to a server at headquarters, where you're running Squid and ClamAV and some decent Linux firewalling, and give them an email server that does some anti-virus and spam blocking and an email client that doesn't come from Microsoft. (If this weren't a real estate company, I'd recommend a text-only email system like Pine, but realistically your real estate people need to send pictures to their clients.) Another choice would be to run VNC, in one of its tighter forms, and run any applications on the headquarters server, with appropriate anti-virusing there.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  7. Won't work. by twitter · · Score: 2, Insightful

    Isn't the camera traffic limited to known IP addresses/MAC addresses? Just lock it down to only accept traffic from those...

    If only things were that easy. Give the questioner the benefit of the doubt and expect that obvious solutions have been tried.

    The program inspecting the mac addresses itself could be exploited, if the questioner could run one ... but he said he can't!

    Because he can't, he's stuck sitting behind a hardware firewall that only allows traffic on ports required for servicing the camera. We can imagine he's been bright enough to try that and it did not work because the camera software itself has problems or some other service he can't identify or turn off does.

    --

    Friends don't help friends install M$ junk.

  8. Re:Open ports have applications linked by ScottyH · · Score: 2, Funny

    I think you meen moot.

    I think you mean mean.

  9. from a guy who works for a large real by uncreativ · · Score: 2, Insightful

    ...company with 200+ cameras.

    The problem with the Pelco devices is they are sold as is without any easy way to keep the OS up to date. Our company remembers to update DVR OS software as new things come out.

    I myself have asked the exact question to our security cam vendors (and so have all the other larger real estate companies in my city) in part because of the updated software issue. For me, even more helpful would be a more open platform. Pelco (and all DVR vendors) lock you into their hardware platform, and if you so much as add or replace one of their $2000 120GB hard drives, they will discontinue your support. I would love a more open platform so I could network all my video systems together and store archival info on an UNLIMITED (or size of MY choosing) storage system.

    The company I work for also sells internet services to other multiple tenant properties. This is something that comes up in almost every large company with lots of cameras. If you actually find a good solution, let me know.

  10. Re:Seconded by sych · · Score: 2, Informative

    oh for fuck's sake. the MS shills on this site are really beginning to annoy me.

    firstly, IIS has only recently (in the last couple of years) become stable enough to reasonably get 20% market share. and that's still only 20%.

    secondly, Slashdot has always been more interested in Linux and other UNIX-like operating systems than in Windows systems, so it's the perfect platform to ask a question about a UNIX/Linux/other solution to a particular problem. if you don't like it, shift off somewhere else.

    thirdly, unix/linux/etc setups are perfect for set-and-forget remote site installations. they've been stable, remote-administerable, and scriptable for decades. set them up properly and they'll run themselves. decent remote administration for windows is only a recent development. scripting and automation on windows is still very immature.

    UNIX/Linux/etc is a superior choice for this type of installation. Set it up right and it'll run itself.

  11. Stick w/ Pelco by Kalgash · · Score: 2, Informative

    And get a decent f/w system and rules in place in front of the central server and at each location (internet connection) to which you have IP cameras installed.

    Deny all traffic to the server except for the IP addresses and ports of the remote cameras.

    We have been using a Pelco system in this manner with remote cameras on 2 continents for 3 years without incident of virus or trojan or crash.

    The thing you should be worried about with Pelco cameras is the bandwidth usage at night with minimal lighting combined with lower bandwidth video settings. The compression method used can leave artifacts and this compression appears to be done before the "movement comparison" stage where the camera decides to send a new frame. At night with low light levels this causes black level banding and other dotting artifacts to appear. The movement comparison routines see this as... you guessed it MOVEMENT. This results in higher bandwidth usage at night. Our solution? Turn on the lights.

    Stick with Pelco.
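
Several comments above (6 and 11) recommend a default-deny filter in front of the DVR that admits only known source addresses, and the submitter's reply names ports 80 and 9999 as the only ones required. The script below is an added example, not part of any comment on this page: it prints such a ruleset in `iptables-restore` format. It assumes a Linux router that forwards traffic to the DVR without NAT; the addresses are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for a router in front of one DVR.
# Constructed values: DVR address and headquarters CIDRs. Function names are hypothetical.
DVR_PORTS="80,9999"   # the only two ports the thread says the DVR needs

# Succeeds only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $ip                      # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# dvr_ruleset DVR_IP SOURCE_CIDR... : default-deny, then one allow rule per source.
dvr_ruleset() {
    dvr=$1
    valid_cidr "$dvr" || { echo "bad DVR address: $dvr" >&2; return 1; }
    shift
    [ "$#" -gt 0 ] || { echo "need at least one allowed source" >&2; return 1; }
    for src in "$@"; do             # validate everything before printing anything
        valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
        case $src in */0) echo "refusing any-source rule: $src" >&2; return 1 ;; esac
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Router's own traffic: loopback and replies only; add management access separately.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Replies to allowed sessions pass; the DVR cannot open new outbound connections.
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        printf '%s\n' "-A FORWARD -s $src -d $dvr -p tcp -m multiport --dports $DVR_PORTS -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Constructed sample: DVR at 192.168.1.50, headquarters at 203.0.113.10.
dvr_ruleset 192.168.1.50 203.0.113.10/32
```

Piping the output into `iptables-restore --test` parses the ruleset without loading it. The filter limits who can reach ports 80 and 9999; it does not fix a flaw in the software listening on them.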