Slashdot Mirror
Ask Slashdot: Security Monitoring Company That Accepts VPN Video Feeds?
mache writes: My cousin is finishing up a major remodel of his home in Houston and has installed video cameras for added security. At my suggestion, he wired up all the cameras to be on a separate VLAN that only uses wired Ethernet and has no WiFi access. Since the Houston police will only respond to security alarms if the monitoring company is viewing the crime in progress, he must arrange for the video feed to available to a security monitoring company. I told him that the feed should use VPN or some other encrypted tunneling technique as it travels the Internet to the monitoring company and we proceeded to try and find a company that supported those protocols. No one I have talked to understands the importance of securing a video feed and everyone so far blithely suggests that we just open a port on his home router. Its frustrating to see such willful ignorance about Internet security. Does anyone know of a security monitoring company that we can work with that has a clue?
What's wrong with a port forward?
Get them to tell you THEIR static IP, and only apply port forwarding from their address to your internal VLAN.
Problem solved.
Have to do it all the time for telephony, CCTV, remote software support, etc. I let them have a port-forward but only if:
a) they give me their source IP (I get the asked the same when I set up VPN's etc. anyway, so everyone does this!)
b) they only get one set of port-fowards to the internal system
c) I reserve the right to cut that connection off for 99.9% of the time until they actually NEED to do something. They ring me up, I open up JUST THAT PORT to JUST THAT IP, then they have to tell me when they are finished.
It makes it much easier to manage, to log, and to control your devices.
Nobody sensible opens up any port to the world unless they have a public-facing service on that port and have secured it properly (e.g. email, web, vpn). But "port-forward" does not mean you let the world into it.
And if the attackers know and can spoof the IP of your remote support, then you're in bigger trouble anyway! That's not the kind of attacker that you're going to be able to easily defend against. But with a plain port-forward, all they'll get (if you've done it properly) is into the VLAN and the cameras, not your systems.
And, guess what. The only device that traverses several VLANs should really be your gateway anyway. There's no point VLANning off and then having everything sit on all the VLANs. So you might as well just have the gateway port-forward and then all the config is on one device.
(Not only that, VPN setup like you suggest is a pain in the arse for most people anyway. If you have a hundred customers, with a hundred VPN's, it quickly becomes stupendous to put them all on 24/7, because of IP subnets stomping over each other and all sorts of confusions. That's before you get into the million-and-one variations of VPN and VPN settings and managing certs and credentials).
VPN in modern slang times is generally used by people in one country trying to access restricted content in another (say copyright restrictions not allowing AU to view US shows on Hulu or something) or to obfuscate the original of the data being transmitted (dissident materiel or perhaps illegal to some extent material). The practical application of a VPN (secure tunneling access to a remote network like work access) seems to be forgotten by those using it for other reasons or the other reasons are more prevalent in certain circles that the reasoning doesn't flow as quickly.
I used to play a game online and people were constantly complaining about having to find a VPN. Turned out their ability to access the game came at a time there would be almost no one online in their country so they used a VPN to fake their location in an area where a lot of people would be online and had a better overall game experience. The game attempted to route you to servers in your time zone to prevent culture clashes and whatever which lead to a lot of boring sessions in odd hours evidently.