Ask Slashdot: Security Monitoring Company That Accepts VPN Video Feeds?
mache writes: My cousin is finishing up a major remodel of his home in Houston and has installed video cameras for added security. At my suggestion, he wired up all the cameras to be on a separate VLAN that only uses wired Ethernet and has no WiFi access. Since the Houston police will only respond to security alarms if the monitoring company is viewing the crime in progress, he must arrange for the video feed to be available to a security monitoring company. I told him that the feed should use VPN or some other encrypted tunneling technique as it travels the Internet to the monitoring company and we proceeded to try and find a company that supported those protocols. No one I have talked to understands the importance of securing a video feed and everyone so far blithely suggests that we just open a port on his home router. It's frustrating to see such willful ignorance about Internet security. Does anyone know of a security monitoring company that we can work with that has a clue?
There is a degree of understanding for why a security company might not want to use your VPN solution; if they have to monitor a lot of customers' cameras then they'd have to have a lot of different VPN clients running that might cause problems when the networks overlap private IP addresses.
Configure your firewall to allow their IP address range to port-translate to the NVR's IP and port(s). ACL-off your security VLAN from your user VLAN(s), and vice-versa, and allow only the correct ports through from your user network(s) to the NVR.
Do not look into laser with remaining eye.
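The firewall layout described in the comment above, written out as an nftables ruleset. This is an added example, not part of the original thread; it assumes a Linux-based router, and every interface name, address and port in it is a constructed placeholder.

```nftables
#!/usr/sbin/nft -f
# Constructed values (assumptions, not from the thread):
#   eth0   = WAN interface
#   vlan10 = user VLAN, vlan50 = camera/security VLAN
#   192.168.50.10  = NVR on the camera VLAN
#   203.0.113.0/28 = monitoring company's address range (documentation prefix)
#   TCP 8443 on the WAN side is translated to TCP 443 on the NVR
define WAN = "eth0"
define USERS = "vlan10"
define CAMS = "vlan50"
define NVR = 192.168.50.10
define MONITOR = 203.0.113.0/28

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port-translate to the NVR only when the source is the monitoring company.
        iifname $WAN ip saddr $MONITOR tcp dport 8443 dnat to 192.168.50.10:443
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Ordinary outbound NAT for the networks allowed out below.
        oifname $WAN masquerade
    }
}

table inet filter {
    chain forward {
        # Default deny: anything not matched below is dropped, including
        # camera VLAN -> user VLAN and camera VLAN -> Internet.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed in the first place.
        ct state established,related accept

        # The translated flow from the monitoring company to the NVR.
        iifname $WAN oifname $CAMS ip saddr $MONITOR ip daddr $NVR tcp dport 443 ct status dnat accept

        # User VLAN may reach the NVR on its one service port, nothing else there.
        iifname $USERS oifname $CAMS ip daddr $NVR tcp dport 443 accept

        # User VLAN may reach the Internet.
        iifname $USERS oifname $WAN accept
    }
}
```

`nft -c -f <file>` parses the ruleset without applying it, which catches syntax errors before the rules go live.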
Ah, got it. But then why not just find a security company that sends their camera video over https?
#DeleteChrome
You stop now or start posting as A.C.
The video surveillance monitoring agency is not providing an authenticated service. They want the video to be hosted and available for their monitoring server to download. The very best an HTTPS connection can offer in the scenario you describe is security through obscurity.
I would find two issues with your proposed solution.
The first is that there is no way to know how they manage their IP addresses, which presents at least two problems. The first being, what if they do not manage the addresses themselves and some other company gets control of the IP address. This would mean the feed can be viewed by unauthorized users. The second issue is that they may use a range of IP addresses, adding new ones, dropping old ones, and in the case of an emergency, a new address used may not have been updated locally, which is also an issue with the first scenario.
The second issue is that it does not address sending the video feed across the Internet in the clear. Do we even know if they can use an HTTPS connection? What if they only support insecure HTTPS configurations? What happens when a new vulnerability is discovered in HTTPS? Will the user promptly update their server configuration?
I certainly understand the need to secure the video, fully encrypted, of my home. But I'd be willing to have it unencrypted, and fully open in fact, during a break-in. It's a big call for help for anyone looking, and it really ought not be that often. And anyone who'd stage a robbery to see the footage as recon for next time, well, that sounds foolish.
So, while not perfect, why not switch to unencrypted during alarm scenarios?
Others have pointed some of these things out but let me spell it out in big letters.
OP started out by telling the security company "I want a VPN." He then came to /. to say to us "where can I find someone that will do a VPN." /. world help you; don't state what you think the solution is and why nobody will do it. There's a good reason they won't -- it's the wrong answer.
The problem is that a VPN is the wrong tool. When you have a problem state the problem and let the
VPNs are used to link separate private networks across a different (public, non-private, or other private) network. That's not what OP needs here.
What OP needs is end to end encryption to ensure the camera video is visible only to the security company -- not the Internet at large.
Some suggestions have been floated by other posters above me, and to summarize they are as follows. Note that the first by itself won't encrypt but any two of these together guarantee both AUTHENTICATION and ENCRYPTION, which is what OP wants.
- IP source address filter. If the connection doesn't come from the security monitoring company it doesn't allow the connection.
- HTTPS encryption with authentication
- IPsec tunneling
E
Custom worthless crap?
Bwhahaha ... No security company wants to deal with some jackass that thinks they know all about it but was too fucking stupid to think about how it might interoperate before he started and now he's shocked that people have no interest in dealing with him when he walks in the door telling them they run their business wrong?
You guys are a joke. You got all wrapped in vlans and no wifi that you forgot that protecting your home was the point ... I'm not sure if that was actually the point or if you guys just wanted to waste a fuckton of money. Your security system was a waste, deal with it
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager