Need Clarification--How Does A VPN Protect Your Surveillance System from the Outside World?

Arjun

Feb 26, 2017
Need a detailed explanation.

I just configured VPN on my Netgear Router, and the only benefit I'm seeing is being able to view the NVR securely from any device from anywhere in the world.

But how does it really protect a 24/7 running NVR when I can access the NVR via the Dahua mobile device apps without VPN?

And also, how is a VPN an extra layer of security when the physical IP addresses still exist?
 
Read carefully: VPN Primer for Noobs

If you can still access your cameras remotely w/out the VPN, then you failed.
 
I read the VPN Primer carefully, but one aspect remains unanswered. Generally speaking, when I am connected to my VPN within the same network, shouldn't the physical IP address be masked and replaced with the VPN IP when I check my IP at whatsmyip.org?
 
there is absolutely no need to use VPN when on the same network; it's used for remote access.. it's doing nothing but slowing you down when you use it locally.
 
Lol, then I see what you mean by a security standpoint
I think I was overanalyzing the purpose of VPN here

Then again, can't we still remotely access the cameras using the Dahua iOS / Android apps from anywhere in the world? Doesn't that still make it a vulnerability?
How can we address that?
 
Stop using their ddns crap
 
No you can't; when set up correctly there will be no way to make a connection to your cameras without a VPN Tunnel established.. disable UPnP on firewall, and PNP/EzViz on Cameras and add some extra firewall rules that prevent cameras from talking to anything not local
 
Unless you have their proprietary apps installed, right? How was I able to view my Amcrest cameras using their app from the other part of the country via LTE then?

 
disable UPnP on firewall, and PNP/EzViz on Cameras and add some extra firewall rules that prevent cameras from talking to anything not local..

Most consumer routers let anything forward ports to themselves with this horrible technology called UPnP
 
Because they provide a service where the cameras connect to their server and the app connects to their server. Turn that crap off in the cameras.
 
I disabled UPnP but still am able to view the cams even on WiFi and LTE. What are the common ports and protocols these companies (Amcrest, Swann, etc.) are using?

 
create firewall rules to block the camera from all communications with the internet, network security has to be enforced externally.. can't trust the devices themselves.
 
These consumer routers are half-baked. Besides, shouldn't I block the ports on the gateway, but keep them opened on the router? How else would I be able to access the cameras? Alternative ports?

 
I used my Netgear router for that. I reserved an address for my cam, then I blocked it from the internet. There have been no logs for the cam except for motion detection.
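
Added example (not part of any post in this thread): one way to confirm that a "block the camera from the internet" rule is actually working is to tally camera flows to non-local addresses from the router's flow log. The log format, camera addresses, destinations and ports below are constructed for illustration and will differ on a real router.

```python
import ipaddress
from collections import Counter

# Constructed flow records in a made-up "proto key=value ..." format; the
# camera addresses, destinations and ports are illustrative, not from the thread.
CAMERAS = {"192.168.1.108", "192.168.1.109"}
SAMPLE_FLOWS = """\
tcp src=192.168.1.108 dst=192.168.1.20 dport=51544 action=ACCEPT
udp src=192.168.1.108 dst=203.0.113.45 dport=8800 action=ACCEPT
tcp src=192.168.1.108 dst=198.51.100.7 dport=443 action=ACCEPT
udp src=192.168.1.109 dst=203.0.113.45 dport=8800 action=DROP
tcp src=192.168.1.50 dst=198.51.100.7 dport=443 action=ACCEPT
udp src=192.168.1.108 dst=224.0.0.251 dport=5353 action=ACCEPT
"""

# "Local" is spelled out explicitly: RFC 1918, link-local, multicast, broadcast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def camera_egress(log_text, cameras):
    """Count camera flows to non-local destinations, split by firewall verdict.

    Returns (allowed, blocked): Counters keyed by (camera, proto, dst, dport).
    """
    allowed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        if f["src"] not in cameras or is_local(f["dst"]):
            continue  # not a camera, or traffic that stays on the LAN
        key = (f["src"], proto, f["dst"], int(f["dport"]))
        (blocked if f["action"] == "DROP" else allowed)[key] += 1
    return allowed, blocked


if __name__ == "__main__":
    allowed, blocked = camera_egress(SAMPLE_FLOWS, CAMERAS)
    for (cam, proto, dst, dport), n in sorted(allowed.items()):
        print(f"ALLOWED {cam} -> {dst}:{dport}/{proto} x{n}  (block this)")
    for (cam, proto, dst, dport), n in sorted(blocked.items()):
        print(f"blocked {cam} -> {dst}:{dport}/{proto} x{n}")
```

Any line reported as ALLOWED is a camera still reaching an outside server, which is how a vendor app can keep working with no port forwards and UPnP disabled.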
 
Ryan, so what are you using to remotely view your cameras when those ports are blocked? Are you creating your own open ports?
What happens when someone on the other side of the world injects a code to scan for open ports on your network and go from there? :D
 
I have no ports open, that's the point of the fucking VPN..

do you bend light being this dense?
 
Lol, so once the cameras are assigned an IP, everything is set :D
Thus, block all ports from beginning to end ;)

 
Hi Arjun,

My first post. New to cameras but not to routers. Ports are only open based on 3 things. You have a rule set up for a service? You forward a port from your WAN to your LAN. Or you can access any part of your LAN from the WAN side of your firewall. The fact that you can remote into your network using an app means you have at least one if not more ports open. Usually port 80 that allows web sites to send you their content. Apps can use this port pretty safely. Ask your vendor what port they use as no one here can answer that easily. Look at your rules list and your port forwarding list. Anything that allows TCP or UDP traffic should be deleted. Still can get in remotely. Ask your app vendor how. You don't like their port being open. Block traffic on it. It's better to configure a router all blocked, open as needed. If you have a consumer-based router that has stuff open by default then you are not serious about security. Time to hire a professional.
 