IP Camera Hardening Tips
The most apparent threat to a network camera is physical sabotage, vandalism and tampering. To protect the camera from these threats, it is important to select a vandal-resistant model or housing, to mount it in the recommended way, and to protect the cables. From an IT/network perspective, the camera is a network endpoint similar to business laptops, desktops, and mobile devices. Unlike a business laptop, a network camera is not exposed to the common threat of users visiting potentially harmful websites, opening malicious email attachments, or installing untrusted applications. However, the camera is a network device with an interface that may expose risk. These tips focus on reducing the exposure area of these risks.
1. Check and Upgrade the Firmware
Firmware is the software that enables and controls the functionality of network devices. Always use the latest firmware so that you get all possible security updates and bug fixes.
2. Reset to Factory Default Settings and Reset the Root Password
The password is the most important protection measure of a network camera. Make sure to use a strong password and keep it protected. On a multi-camera installation, the cameras can have the same password or unique passwords. Using the same password simplifies management, but increases the risk if one camera’s security is compromised.
3. Review and Reset User Permissions
4. Review and Reconfigure Basic Network Settings
5. Set Date and Time to a known good time source
6. If your application doesn’t require Audio, make sure Audio is Disabled
7. Make sure Encryption is Enabled
Access the camera using HTTPS, which encrypts the traffic between the client and the camera. All camera administrative tasks should go through HTTPS. Video streamed over RTP/RTSP is still unencrypted. If the video stream contains sensitive data, tunnel RTP/RTSP over HTTPS. This is controlled by (and depends on) the video client/VMS capabilities.
8. Create SSL Certificates to provide encryption services.
9. Create a Backup Admin Account
Good practice is to create a backup administrator account with a different password than the primary administrator account.
10. Create Video Client Account
A client or a Video Management System (VMS) should normally use the operator group with restricted administrator privileges. Video systems and clients should not use the administrator account. In most cases the operator group is sufficient. However, the VMS may use services that require administrator rights.
11. Disable the Following:
b. Discovery Services
d. Link-Local Address
g. Always Multicast Video option
12. Set IP Address Filter
This allows for management of what devices make connections with the camera
13. Configure SNMP Monitoring
Monitoring of your security devices is a necessary component of an overall hardening plan.
If you have any questions or need any assistance, please contact one of our trusted technicians by contacting tech support at 631.647.9970 or by email at firstname.lastname@example.org.