printer friendly version

Dispelling the myths of IP video: Myth #5: IP transmission is insecure for video

In this series, Roy Alves, country manager of Axis Communications South Africa, examines 10 myths about IP video.

Roy Alves

One of the most pervasive misconceptions about using Internet protocol to transmit video for security and surveillance applications is that the transmission is insecure. This is largely due to the general perception that the Internet is a portal to any and all information. Additionally, there have been news stories about intruders accessing network cameras after finding them through Google searches.

The IP-based networks used for video are the same as the networks used by corporations, banks, governments and hospitals for transferring data, e-mail and voice over IP. These networks are safe conduits for sensitive information if the correct security measures, such as firewalls, virtual private networks and password protection, are implemented. The same security precautions need to be taken when transferring video.

There are many examples of network video installations that monitor highly sensitive activities. Network video has been used for security during the Olympic Games, in downtown Washington, DC, and at major airports and government facilities. In all of these cases, those who installed and operated the systems took precautions to ensure that video would be kept secure.

Securing a security system

There are three important ways to ensure secure transmissions via the Internet: authentication, authorisation and privacy protection.

Authentication and authorization. These go hand in hand. A device or user must identify itself to the network before gaining access, so it provides identity and access information to the network or system, such as via a username and password. Once the connection has been authenticated, the system compares the submitted information to a database of approved identities to establish the permissions to be granted. Once the authorisation is complete the device is fully connected and operational in the system, or the user is free to use all authorised network features.

Password protecting network cameras and video servers is just as important as protecting your PC or servers. Passwords should be at least six characters long, combine numbers and letters, and mix lower and upper case. Most network cameras support anonymous user access by default, which means that in the absence of a password, the video is made available to everyone with access to the network. If a video application needs to be highly secure, IP filtering should be used, meaning that the network camera will only send video if the request comes from a certain IP address, preventing access to unauthorised computers even if they have a valid username and password.

Privacy protection. Encryption prevents unauthorised users from accessing data. Two of the more commonly used encryption methods are virtual private networks (VPNs) and hypertext transfer protocol over secure socket layer (HTTPS). A VPN is a way to use public infrastructure such as the Internet to provide remote users with secure access to a network. The VPN essentially creates a secure 'tunnel' between the end points; only authorised devices or users can operate within the VPN. The data itself is not secured within the VPN, but anyone not on the VPN (such as when it is travelling over public carriers) sees only encrypted data. If the data must be protected end-to-end, ie, between the camera and a client PC for example, HTTPS can be used. Most network cameras act as mini-Web server. HTTPS is a Web protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. When a connection between the two devices is requested, the user or a third-party body such as Verisign verifies certificates that have been issued to the two devices. If the user or third party determines that the devices can be trusted, an encrypted communication is opened. HTTPS is commonly used when creating a connection to secure websites such as online banking pages.

Firewalls can serve as gatekeepers, blocking or restricting traffic to and from the Internet. They can prevent outsiders from accessing private data and control what information remote users can access.

A safe solution, well managed

Today's professional network cameras have built-in password protection, IP filtering and encryption, which make them very secure. In addition, the recorded video can include the unique hardware number of the camera, called the media access control address. This confirms the origination of the video and helps make network camera technology more trustworthy than analogue. The New York State Unified Court System (UCS) is a prime example of how these security techniques can be used effectively. The UCS, which has more than 30 court buildings in New York State, uses rigid firewalls and security settings to protect its video system from hackers and other security risks. The technology team developed its own Linux-based video management software and created an advanced permissions system to allow different users access only to certain cameras. This means that images can be viewed from any courthouse PC, but only by the people who have permission to view it. For added security, the UCS even opted to transmit the video over its own high-speed fibre network rather than over the Internet.

Viruses and worms

Network video users are sometimes concerned about software viruses and worms. Viruses are commonly transmitted in e-mail attachments or file downloads. While some viruses are harmless, others can erase data and can require that an entire hard disk be reformatted. A worm is a virus that automatically resends itself as an e-mail attachment or as part of a network message. A worm typically does not alter files but resides in active memory and duplicates itself. Often, worms go unnoticed until they slow down a system and cause errors. Most network cameras do not have an open operating system or hard disks, so worms and viruses cannot infect them. The servers that are used for video management in a network video system, called network video recorders, are standard Microsoft, Unix or Linux servers for which a virus scanner with up-to-date filters can be used. This should be installed on all computers, and operating systems should be regularly updated with service packs and fixes from the manufacturer. In an analogue video system with a proprietary DVR, protective software and updates are normally not available. This makes such systems vulnerable if connected to an IP-based network.

Although making IP-based networks safe for video may seem a little complicated the requirements are no different from the requirements of any business network. The techniques discussed above are proven methods that the IT industry has used for many years. In contrast, analogue systems offer no way to authenticate or encrypt information, making it easier for anyone to tap into the cables and illicitly view 'secure' video transmissions. In addition, it is possible to substitute one video stream for another, just the as the band of thieves did in the movie Ocean's 11. Had Terry Benedict's security staff used network video technology, the outcome would have certainly been quite different for Danny Ocean and his accomplices.

Share this article:

Further reading: