printer friendly version

Building secure IP-based video surveillance systems

Is IP-based video surveillance really secure? This question is commonly asked by customers who have to take a decision what type of video surveillance system they want to use. IP-based video surveillance offers many advantages over traditional analogue CCTV systems but there is a fear that the system could be attacked by hackers. This fear is fuelled by newspaper articles that explain how easy it is to gain unauthorised access and to manipulate the surveillance system.

To start with, an IP-based system is as open or protected as you wish. Many users want to have open access to live videos to share information with family and friends or in Web attraction applications. However, surveillance systems have to be protected against unauthorised access both of insiders and outsiders.

There is no doubt that the usage of a standard network infrastructure for the video surveillance system has many benefits. First of all, installation and maintenance is less costly because a common infrastructure can be used for many different systems including VoIP, building management etc. IP-based video systems do not face the same limitations as standard analogue systems concerning resolution and frame rate.

Security levels

Network security has to be implemented on three levels. It should start with a definition how safe the system should be, who should use it and how and what potential exists to gain unauthorised access.

Based on this information physical security measures should be taken. And, most of all, it is vital to constantly monitor the effect of the taken measures. It is often overlooked that one of the major benefits of IP-based video surveillance systems is the usage of already existing techniques. These techniques are not specific to video and have been developed over the years to prove that they actually work.

Building a secure IP-based video surveillance system is like securing a house. A house has doors that have locks. When leaving the house windows and doors are closed and the doors are properly locked to prevent thieves to get an easy access. When there are more valuable items in the house, an alarm system will be installed. To secure a video system works in the same way. Having a public camera to show everybody the wonderful surroundings and the actual weather does not require special measures.

Password protection for the administration section of the camera might be sufficient. Having video surveillance using the corporate network requires more measures. And having a video surveillance system in a sensitive area requires even harder measures such as authentication of the network device to ensure that it is not replaced by a different source. Data traffic needs to be encrypted to prevent intruders to read and to manipulate video information. Any manipulation of the network infrastructure should result in alarm and the disabling of the part of the network.

Authentication and authorisation: Who are you and do you have permission to be here?

Creating secure communication means not only addressing security issues within a network, but between different networks and clients. Effective solutions need to control everything from the data sent over the network to who actually uses and accesses the pipeline. They not only need to authenticate and authorise the source of the message but also ensure the privacy of the communication as it flows through the network.

The first step requires the user or device to identify itself to the network and the remote endpoint – the recipient. There are a number of ways to authenticate this identity to the network or system. The most typical is through a username and password. Once the identity is authenticated, the second step is to verify whether that user or device has authority to operate as requested. Once authorisation is confirmed, the user is fully connected and allowed to send a transmission.

As a basic protection, this technology might be sufficient for installations where a high level of security is not required, or where the video network is separated from the main network to prevent authorised users from having physical access to it.

Privacy: can you keep the transmission from prying eyes?

The second step involves encrypting the communication to prevent others from using or reading the data as it travels through the network. There are a number of technology options open to integrators, each with its pros and cons.

A restrictive firewall: IP filtering

Some network cameras and video encoders use IP filtering to prevent all but one or a few IP addresses from accessing the network video components. IP filtering provides a function similar to a built-in firewall.

This technology would be a good fit for installations that require a higher level of security. Typically, you would configure the network cameras to accept commands only from the IP address of the server hosting the video management software.

A secure pathway: virtual private network

An even safer alternative is a virtual private network (VPN) which uses an encryption protocol to provide a secure tunnel between networks through which data can travel safe from prying eyes. This allows secure communications across a public network, such as the Internet, because only devices with the correct key will be able to work within the VPN itself.

A VPN typically encrypts the packets on the IP or TCP/UDP layers and above. The IP Security Protocol (IPSec) is the most commonly used VPN encryption protocol. IPSec uses different encryption algorithms: either the Triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (AES). AES, which uses either 128-bit or 256-bit key lengths, offers higher security and needs considerably less computing power than 3DES to encrypt and decrypt data.

VPNs are commonly used between different offices in larger organisations, or for telecommuters connecting to the network. Remote cameras are tied into a corporate wide surveillance system in much the same way.

Share this article:

Further reading: