Security for dedicated IP cam system

[testing123]

I have a machine dedicated to my IP cams. It has it's own static IP address. I have Blue Iris installed to handle the cams. I allowed the Blue Iris remote wizard to configure the forwarded port. The TP-Link WR940N router settings show the Remote Wizard entry under the Forwarding/Upnp tab configured to use port 81 with an internal IP address (192.168. ...). The WAN IP uses the separate static IP as both the WAN IP and the gateway (<-- last digit .1).

The separate IP address isolates the system from my main NW, but I'd like to be sure the machine and cams are as secure as possible. I have no experience with port forwarding and the security involved. On the software end, I use Windows Firewall with default settings and Windows 10 Firewall for outbound traffic.

The OS on the machine is Win 8.1 pro. I set up the Blue Iris web server in order to view the cams via ipads and android phones.

How secure is this set up?

 

[ColinTaylor]

The OS on the machine is Win 8.1 pro. I set up the Blue Iris web server in order to view the cams via ipads and android phones.

Presumably this is so you can view the cameras from outside your network?

How secure is this set up?

As secure as the Blue Iris software is, no more no less.

 

[testing123]

Presumably this is so you can view the cameras from outside your network?


As secure as the Blue Iris software is, no more no less.

Yes, from outside the NW.

As secure as the Blue Iris software is, no more no less.

Is there anything I can do to beef up security?

 

[ColinTaylor]

Yes, from outside the NW.

As secure as the Blue Iris software is, no more no less.

Is there anything I can do to beef up security?

Not much. You have chosen to make the Blue Iris software accessible from the internet so you have to trust that software.

The usual advice would still apply for running any Windows PC, i.e. make sure it running up to date anti-virus. That way if there's a security vulnerability in Blue Iris you might get lucky and have the AV block any intrusions.

If you can change the external Blue Iris port to something other than the default (81) that would be a huge improvement (e.g. 14129). I don't know whether that's an option for you.

 

[L&LD]

Don't use an outdated os such as Windows 8.1 Pro.

 

[testing123]

Not much. You have chosen to make the Blue Iris software accessible from the internet so you have to trust that software.

The usual advice would still apply for running any Windows PC, i.e. make sure it running up to date anti-virus. That way if there's a security vulnerability in Blue Iris you might get lucky and have the AV block any intrusions.

If you can change the external Blue Iris port to something other than the default (81) that would be a huge improvement. I don't know whether that's an option for you.

Yes, I can change the port. Any suggestions as to what ports might be useful? In the past, I've referenced this list on wiki:

List of TCP and UDP port numbers - Wikipedia

en.wikipedia.org

 

[testing123]

Don't use an outdated os such as Windows 8.1 Pro.

How would updating to win 10 help in this circumstance?

 

[ColinTaylor]

Yes, I can change the port. Any suggestions as to what ports might be useful? In the past, I've referenced this list on wiki:

List of TCP and UDP port numbers - Wikipedia

en.wikipedia.org

I had just updated my post when you replied. I suggested 14129 or something thereabouts.

 

[testing123]

I had just updated my post when you replied. I suggested 14129 or something thereabouts.

Thanks. I don't see that on the list I linked to (although it's an old list). Would my objective be to find a little used high numbered port?

On a different note, would a gateway router in front of the router I'm using help, or does the open port eliminate any secure advantage?

Truth is, I have an A/B switch to turn off the internet access to the Cam machine. I only need outside access when I'm out of town, which isn't often, although I wouldn't mind having it on all the time if I knew it was secured.

 

[L&LD]

Updating to Windows 11 is infinitely more secure than Windows 8.1. What more is there to think about?

Since 2018, Windows 8.1 has been on its deathbed. Even if official ('extended') support is in January of next year.

 

[ColinTaylor]

Thanks. I don't see that on the list I linked to (although it's an old list). Would my objective be to find a little used high numbered port?

That's the idea. Use a port number that you're confident nothing else on the system is ever going to use in the range 5001 to 32767. Something random and not obvious like "8000" or "8888".

On a different note, would a gateway router in front of the router I'm using help, or does the open port eliminate any secure advantage?

I don't know what you mean by "gateway router in front of the router". It's either accessible from the internet or it's not. I remember in your thread from last year you were proposing some rather strange network setups, but I don't know what you ended up doing.

Truth is, I have an A/B switch to turn off the internet access to the Cam machine. I only need outside access when I'm out of town, which isn't often, although I wouldn't mind having it on all the time if I knew it was secured.

"A/B switch"? I don't use Blue Iris but I would have thought that there's an option in the software that enables or disables remote access. I assume that would also add or remove the UPnP port forwarding rule as required. So one solution would be to only enable remote access prior to going out of town (and remembering to do that).

 

[testing123]

That's the idea. Use a port number that you're confident nothing else on the system is ever going to use in the range 5001 to 32767. Something random and not obvious like "8000" or "8888".


"A/B switch"? I don't use Blue Iris but I would have thought that there's an option in the software that enables or disables remote access. I assume that would also add or remove the UPnP port forwarding rule as required. So one solution would be to only enable remote access prior to going out of town (and remembering to do that).

I don't know what you mean by "gateway router in front of the router". It's either accessible from the internet or it's not. I remember in your thread from last year you were proposing some rather strange network setups, but I don't know what you ended up doing.

The A/B switch is easier, and also cuts internet access to the machine, which I don't need on a regular basis.

 

[Threska49]

I access my cameras through a VPN running from the android phone, or tablet to the router.

 

[testing123]

I access my cameras through a VPN running from the android phone, or tablet to the router.

Excuse my ignorance, but if the vpn is running on the device, how does that protect the system and cams, given the open port on the router? The vpn on the device still seems like a good idea, though. Currently, my android devices are using NetGuard, which uses the vpn.

 

[testing123]

I'm reading some of the Blue Iris help docs now and it mentions some options:

There are two ways to configure remote access. The first is most direct, but involves
“opening a port” on your router to allow remote traffic to connect through to your PC on a
specific port (channel). This may be a simple task, or it may be extremely challenging,
depending on your network topology (hardware and connections) and networking
experience.

If your attempts fail, or if your ISP simply disallows these type of connections
on any port (some satellite services notoriously), your recourse is to use a secure tunnel.
A secure tunnel is what something like a Nest thermostat or Rachio sprinkler system uses
to provide you access to your home devices without configuring any of your router or other
network hardware—the local devices and your remote clients (phone apps) “meet up” at a
designated website (typically operated by the device manufacturer). If it becomes necessary
to use a secure tunnel instead of opening a port through your router, the NGROK service is
recommended (https://ngrok.com).

 

[bbunge]

Looks like you are spending good money on a system, PC, that is running an insecure OS (Windows 8). Seems as if you have a port forward through your router to a WIndows desktop PC which is also not a good idea. Even upgrading to a WIndows 11 OS I would not recommend a port forward to it even on a random non standard port. While Blue Iris looks spiffy and probably works well it is only as secure as the PC it runs on.

For my money I run a Linux Debian or Ubuntu server with Zoneminder for a security cam server. The Linux machine is behind my router firewall and I use OpenVPN to connect to my router then I can manage/view the CAms on Zoneminder. In about 15 years of running Zoneminder like this I have never had a security issue. Did I say money? Linux and Zoneminder are open source...

 

[Threska49]

Excuse my ignorance, but if the vpn is running on the device, how does that protect the system and cams, given the open port on the router? The vpn on the device still seems like a good idea, though. Currently, my android devices are using NetGuard, which uses the vpn.

Basically: phone--->VPN aka secure tunnel (set up on the phone)--->router running VPN software (usually openVPN)--->computer running blue iris. The only port visible to the outside world is the VPN port.

 

[testing123]

Looks like you are spending good money on a system, PC, that is running an insecure OS (Windows 8). Seems as if you have a port forward through your router to a WIndows desktop PC which is also not a good idea. Even upgrading to a WIndows 11 OS I would not recommend a port forward to it even on a random non standard port. While Blue Iris looks spiffy and probably works well it is only as secure as the PC it runs on.

For my money I run a Linux Debian or Ubuntu server with Zoneminder for a security cam server. The Linux machine is behind my router firewall and I use OpenVPN to connect to my router then I can manage/view the CAms on Zoneminder. In about 15 years of running Zoneminder like this I have never had a security issue. Did I say money? Linux and Zoneminder are open source...

Zoneminder looks worth checking out. I'm assuming my devices would connect via browser? Truth is, even though windows 8x and up may be touted as more secure than say, win 7 (which I love and still run on several machines without a single issue), the data collection isn't appealing.

I've been looking for a reason to switch over to Linux and have run several live versions, but some of my busines software has prevented me from doing so, in particular, QB, for which Linux has no adequate substitute.

Thanks for mentioning this. I'll definitely be trying out Zoneminder. Is there a specific distro that would work better than others for this purpose?

 

[dosborne]

VPN is definitely the preferred option. Enabling UPnP on your router could lead to a world of hurt if you run one of the many popular NAS boxes (search qlocker and deadbolt ransomware) or many other systems that exploit it.

With a VPN, you only have to have trust in the VPN software, and only have 1 thing to keep up to date. Much better than trusting other parties (blue iris), IMO.

Kinda funny you are worried about being secure, but running ancient operating systems. Yet another reason why a VPN would be a better option than port forwarding, and UPnP.

 

[testing123]

Basically: phone--->VPN aka secure tunnel (set up on the phone)--->router running VPN software (usually openVPN)--->computer running blue iris. The only port visible to the outside world is the VPN port.

Another good suggestion. I always run a vpn on my office/home systems, but usually from the PC, since VPN IPs break a lot of sites. This is a good solution for this situation since I only use the Cam machine and router for cams. And it can be employed even if I use Linux/Zoneminder. Thanks!