Dispelling the Top 10 Myths of IP Surveillance: Myth No. 5

Note: Over the last several months, SecurityInfoWatch and ST&D have published a series of mythbusters about IP video. Check out ST&D's March issue and Securityinfowatch.com for myths one through four.

One of the most pervasive misconceptions about using Internet protocol to transmit video for security and surveillance applications is that the transmission is insecure for video. Much of this fear arises from the notion that the Internet is a portal to any and all information. Additionally, there have been several major news stories about intruders accessing network cameras after finding them through Google searches.

The IP-based networks used for video are the same as the networks used by corporations, banks, governments and hospitals for transferring data, e-mail and voice over IP. These networks are safe conduits for sensitive information if the correct security measures, such as firewalls, virtual private networks and password protection, are implemented. The same security precautions need to be taken when transferring video.

There are many examples of network video installations that monitor highly sensitive activities. Network video has been used for security during the Olympic Games, in downtown Washington, DC, and at major airports and government facilities. In all of these cases, those who installed and operated the systems took precautions to ensure that video would be kept secure.

Securing a Security System
There are three important ways to ensure secure transmissions via the Internet: authentication, authorization and privacy protection.

Authentication and Authorization. These first two methods go hand in hand. A device or user must identify itself to the network before gaining access, so it provides identity and access information to the network or system, like a username and password. The device or user is authenticated and authorized when the system compares the submitted information to a database of approved identities. Once the authorization is complete, the device is fully connected and operational in the system, or the user is free to use all authorized network features.

Password protecting network cameras and video servers is just as important as protecting your PC or servers. Passwords should be at least six characters long, combine numbers and letters, and mix lower and upper cases. Most network cameras support anonymous user access by default, which means that in the absence of a password, the video is made available to everyone with access to the network. If a video application needs to be highly secure, IP filtering should be used, meaning that the network camera will only send video if the request comes from a certain IP address, preventing unauthorized computers access even if they have the right username and password.

Privacy Protection. Encryption prevents unauthorized users from accessing data. Two of the more commonly used encryption protocols are VPNs and hypertext transfer protocol over secure socket layer (HTTPS). A VPN is a way to use public infrastructure, like the Internet, to provide remote users with secure access to a network. The VPN essentially creates a secure "tunnel" between the end points; only authorized devices or users can operate within the VPN. The data itself is not secured, but the pathway it travels on is protected. If the data itself must be protected, HTTPS can be used. HTTPS is a Web protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. When a connection between the two devices is requested, the user or a third-party body such as Verisign verifies certificates that have been issued to the two devices. If the user or third party determines that the devices can be trusted, an encrypted communication is opened. HTTPS is commonly used when creating a connection to secure Web sites such as online banking pages.

Firewalls can serve as gatekeepers, blocking or restricting traffic to and from the Internet. They can prevent outsiders from accessing private data and control what information remote users can access.

A Safe Solution, Well Managed
Today's professional network cameras have built-in password protection, along with IP filtering and encryption, which makes them very secure. In addition, the recorded video can include the unique hardware number of the camera, called the media access control address. This confirms the origination of the video and helps make network camera technology more secure than analog. The New York State Unified Court System (UCS) is a prime example of how these security techniques can be used effectively. The UCS, which has more than 30 court buildings in New York State, uses rigid firewalls and security settings to protect its video system from hackers and other security risks. The technology team developed its own Linux-based video management software and created an advanced permissions system to allow different users access to only certain cameras. This means that images can be viewed from any courthouse PC, but only by the people who have permission to view it. For added security, the USC even opted to transmit the video over its own high-speed fiber network, rather than over the Internet.

Viruses and Worms
Network video users are frequently concerned about viruses and worms. Viruses are programming codes commonly transmitted in e-mail attachments or file downloads. While some viruses are harmless, others can erase data and can require that an entire hard disk be reformatted. A worm is a virus that automatically resends itself as an e-mail attachment or as part of a network message. A worm does not alter files but resides in active memory and duplicates itself. Often, worms go unnoticed until they slow down a system and cause errors. Most network cameras do not have an open operating system or hard disks, so worms and viruses cannot infect them. The servers that are used for video management in a network video system, called network video recorders, are standard Microsoft, Unix or Linux servers for which a virus scanner with up-to-date filters can be used. This should be installed on all computers, and operating systems should be regularly updated with service packs and fixes from the manufacturer. In an analog video system with a proprietary DVR, protective software and updates are normally not available. This makes such systems vulnerable if connected to an IP-based network.

Although making IP-based networks safe for video seems complicated, the techniques discussed above are proven methods that the IT industry has used for many years. In contrast, analog systems offer no way to authenticate or encrypt information, making it easier for anyone to tap into the cables and illicitly view "secure" video transmissions. In addition, it is possible to substitute one video stream for another, just the as band of thieves did in the movie Ocean's 11. Had Terry Benedict's security staff used network video technology, the outcome would have certainly been quite different for Danny Ocean and his accomplices.

As the general manager for Axis Communications, Fredrik Nilsson oversees the company's operations in North America. Mr. Nilsson can be reached at fredrik.nilsson@axis.com.

Related Stories