Fredrik Nilsson is general manager of Axis Communications and an authority on IP surveillance.
Photo credit: Fredrik Nilsson, Axis Communications
[Editor's Note: This is the eighth in a series of articles being published jointly by Security Technology & Design and SecurityInfoWatch.com. This article originally appeared in the September issue of Security Technology & Design; earlier articles appear on the website and are linked at the bottom of this article.]
Nearly all network video installations transmit sensitive information that should be protected from unauthorized users and potential hackers. There are several ways to provide security within a wired or wireless network and between different networks and clients. Everything from the data to the use and accessibility of the network should be controlled and secured.
Today, IP surveillance systems can be made just as secure as those used by banks for ATM transactions. Network cameras and video servers are currently being used in highly sensitive locations such as the Logan Airport in Boston (see Case in Point, page 101) and by the largest ferry terminals in Alaska for homeland security purposes.
Some of the most common ways to secure communications on a network and across the Internet are authentication, authorization, IP address filtering, virtual private networks (VPNs) and HTTP over SSL/TLS (HTTPS). Some of these methods protect the data as it travels over the network; others control who may use the network path at all.
Authentication is how a user or device proves its claimed identity to the network. It is most commonly done with verifiable information such as a username and password, and/or with an X.509 certificate, the kind used by SSL/TLS.
The IEEE 802.1X standard is a port-based authentication framework that provides a higher level of security in both wired and wireless systems. The switch or access point keeps a port closed to everything except authentication traffic until a central authentication server (typically RADIUS) has approved the device's credentials; only then is the device granted access to the network.
Authorization follows authentication. Once the system has confirmed that the device or user is who it claims to be, by checking the presented identity against a database of approved identities, it decides what that identity is permitted to do, for example which cameras may be viewed or which settings changed. Only then is the device fully connected and operational within the network.
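The username-and-password authentication described above has a standard form for a camera's Web interface, HTTP Digest authentication, in which the password itself never crosses the wire. The following is an added example for this article (not code from the article or from any camera vendor) showing both sides of the exchange; the realm, the URI path, the usernames and the passwords are constructed.

```python
"""HTTP Digest authentication (RFC 2617, qop="auth") between a viewing client
and a network camera. Added example for this article, not vendor code; the
realm, URI, users and passwords are constructed."""
import hashlib
import hmac
import os
from typing import Dict


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class CameraServer:
    """Server side: issues one-time nonces, verifies responses, rejects replays.
    (Real servers let a nonce be reused with an increasing nc counter; one
    nonce per request keeps the replay check obvious here.)"""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        # Only HA1 = MD5(user:realm:password) is kept, never the password.
        self._ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self._live_nonces = set()

    def challenge(self) -> Dict[str, str]:
        """The WWW-Authenticate header sent with the 401 response."""
        nonce = os.urandom(16).hex()
        self._live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, uri: str, auth: Dict[str, str]) -> bool:
        """Check the Authorization header of the retried request."""
        nonce = auth.get("nonce", "")
        if nonce not in self._live_nonces or auth.get("realm") != self.realm:
            return False                   # unknown, expired or replayed nonce
        self._live_nonces.discard(nonce)   # single use: a captured header is worthless
        ha1 = self._ha1.get(auth.get("username", ""))
        if ha1 is None or auth.get("uri") != uri:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{ha2}")
        return hmac.compare_digest(expected, auth.get("response", ""))


def client_authorize(username, password, method, uri, chal):
    """Client side: answer the challenge without ever sending the password."""
    ha1 = _md5(f"{username}:{chal['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    nc, cnonce = "00000001", os.urandom(8).hex()
    response = _md5(f"{ha1}:{chal['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": response}


def run_exchange():
    """Returns (first attempt accepted, replayed header accepted, wrong password accepted)."""
    cam = CameraServer("camera01", {"viewer": "c0rrect-horse"})   # constructed credentials
    uri = "/video/stream1"                                         # hypothetical path
    chal = cam.challenge()
    auth = client_authorize("viewer", "c0rrect-horse", "GET", uri, chal)
    first = cam.verify("GET", uri, auth)
    replay = cam.verify("GET", uri, auth)            # same header captured and resent
    chal2 = cam.challenge()
    bad = cam.verify("GET", uri, client_authorize("viewer", "guess", "GET", uri, chal2))
    return first, replay, bad
```

Digest keeps the password off the wire, unlike Basic authentication, which sends it merely base64-encoded. It does nothing for the video itself, and its MD5 construction is weak by current standards, so it belongs inside an HTTPS connection rather than in place of one.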
IP address filtering is another way to restrict communication between devices on a network or the Internet. Network cameras can be configured to communicate only with computers at predetermined IP addresses; a computer at an address that is not on the list is blocked from interfacing with the device. Keep in mind that a filter checks only the source address, which an attacker on the same network segment can spoof or take over, so IP filtering should supplement authentication, not replace it.
Privacy measures prevent others from reading or using data on the network. Several are available, including encryption, virtual private networks (VPNs) and Secure Sockets Layer/Transport Layer Security (SSL/TLS). These measures can slow the network down, because the data has to be encrypted at the source and decrypted at the destination, and in some designs passed through additional applications along the way. This can hurt an IP surveillance installation, which often requires real-time access to video, so the overhead should be measured before deployment.
A VPN uses a public infrastructure, such as the Internet, to provide secure access to a network from remote locations. It secures the communication with tunneling protocols such as Layer Two Tunneling Protocol (L2TP), normally combined with IPsec for encryption and authentication, creating a connection that is as private as a privately owned or leased line. The VPN endpoints authenticate each other and encrypt all data entering the "tunnel"; traffic from a peer that cannot authenticate is rejected and never enters the tunnel.
HTTPS is HTTP carried over SSL/TLS; it encrypts the data itself rather than the tunnel in which it travels. Other encryption schemes apply to a specific link, such as Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) for wireless networks. With SSL/TLS, a digital certificate installed on the server (here, the camera or video server) lets clients verify that they are talking to the genuine device. Certificates can be issued locally by the user's own certificate authority or by a third party such as VeriSign. A locally issued certificate is only useful if the issuing authority is installed on the viewing clients; otherwise clients either see a warning on every connection or, worse, are configured to ignore certificate errors, which defeats the purpose.
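The following added example (not code from the article or from any vendor) shows what a viewing client must do to trust a camera certificate issued by the installation's own certificate authority, next to the shortcut that quietly disables verification. The camera hostname and CA file name are hypothetical.

```python
"""Client-side TLS verification of a camera that presents a certificate from
the installation's own (local) certificate authority. Added example for this
article, not vendor code; the hostname and CA file name are hypothetical."""
import socket
import ssl

CAMERA_HOST = "camera01.video.example"   # hypothetical name in the camera's certificate
LOCAL_CA_FILE = "surveillance-ca.pem"    # hypothetical: the local CA's own certificate


def make_client_context(cafile=None):
    """Require a valid chain AND a certificate name that matches the host."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 and TLS 1.0/1.1
    if cafile:
        # Trust the installation's CA in addition to the system store. This is
        # the right fix for "certificate not trusted" warnings on local certs.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def make_insecure_context():
    """The common wrong fix for the same warning: verification switched off,
    so any device or attacker answering on port 443 is accepted. Shown only
    as a contrast; do not use."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_camera_status(host=CAMERA_HOST, port=443, cafile=LOCAL_CA_FILE):
    """Open a verified TLS connection and return the HTTP status line.
    Needs a reachable camera; deliberately not called at import time."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        # server_hostname drives both SNI and the hostname check
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(4096).decode(errors="replace").split("\r\n", 1)[0]
```

Distributing the local CA certificate to every viewing workstation is the one extra step a locally issued certificate costs; skipping it and turning verification off instead leaves the connection encrypted but unauthenticated, which is exactly what an attacker relaying traffic to the camera needs.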
Additional network security can be created with firewalls. A firewall runs on a dedicated appliance, a router or a host and protects one network from users on other networks. It examines each packet and decides whether it continues on to its destination or is dropped. The firewall serves as a gatekeeper, blocking or restricting traffic between two networks, such as a video surveillance network and the Internet; the sound default is to deny everything and allow only the specific traffic the installation needs, such as the recording server reaching the cameras.
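The IP address filtering and firewall rules discussed above come down to the same mechanism: a list of rules matched in order, with a default deny. The following added example (not code from the article, a camera vendor or any firewall product) implements that evaluation and runs it over a few constructed packets; the addresses and network layout are constructed.

```python
"""First-match, default-deny packet filter of the kind a firewall applies
between the surveillance network and the Internet, or a camera applies as an
IP address allow-list. Added example for this article, not vendor or firewall
code; addresses, layout and sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # destination port, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything no rule mentions is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed layout: cameras on 10.10.1.0/24, recorder 10.10.0.5, admin PC 10.10.0.10
CAMERA_NET = "10.10.1.0/24"
RULES = [
    Rule("allow", "tcp", "10.10.0.5/32", CAMERA_NET, 554),   # recorder pulls RTSP video
    Rule("allow", "tcp", "10.10.0.10/32", CAMERA_NET, 443),  # admin over HTTPS only
    Rule("deny", "any", "0.0.0.0/0", CAMERA_NET),            # nobody else reaches cameras
    Rule("deny", "any", CAMERA_NET, "0.0.0.0/0"),            # cameras never talk outbound
]

SAMPLE_PACKETS = [   # constructed traffic
    Packet("tcp", "10.10.0.5", "10.10.1.20", 554),    # recorder -> camera, RTSP
    Packet("tcp", "10.10.0.10", "10.10.1.20", 443),   # admin -> camera, HTTPS
    Packet("tcp", "10.10.0.5", "10.10.1.20", 80),     # recorder on a port it does not need
    Packet("tcp", "203.0.113.7", "10.10.1.20", 80),   # Internet host -> camera
    Packet("udp", "10.10.1.20", "203.0.113.7", 53),   # camera -> Internet: suspicious
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """Decision log, one entry per packet, in the order seen."""
    return [(f"{p.proto} {p.src} -> {p.dst}:{p.dport}", evaluate(rules, p))
            for p in packets]


if __name__ == "__main__":
    for line, decision in audit(RULES, SAMPLE_PACKETS):
        print(f"{decision:5} {line}")
```

Two things this toy filter leaves out that a real firewall must handle: it is stateless, so the return half of an allowed connection needs its own rule or connection tracking, and it trusts the source address, which is the same caveat that applies to a camera's own IP filter.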
Wireless network cameras create additional security requirements. Unless security measures are in place, everyone with a compatible wireless device within the network's range can access the network and share its services. Wireless links in an IP surveillance installation should therefore be encrypted with Wi-Fi Protected Access (WPA or, better, WPA2); Wired Equivalent Privacy (WEP) is discussed below because it is still widely found, not because it is recommended.
WEP was designed to give a wireless network security and privacy comparable to a wired network. It uses a shared key to keep people without the correct key off the network, and is the level of security commonly found in home networks. Encrypting the wireless link protects it enough that the usual local area network security mechanisms, including password protection, end-to-end encryption, VPNs and authentication, can be put in place on top of it.
However, WEP has several flaws that make it unsuitable for a corporate environment. It combines a single static shared key with a short, 24-bit per-frame initialization vector, so keystreams repeat and the key itself can be recovered passively from captured traffic with freely available software, typically in minutes.
For real protection, wireless IP surveillance should employ WPA, which derives a fresh key for every frame transmitted so that the static-key weaknesses of WEP do not apply. WPA is considered the base level of security for corporate wireless networks; for higher security, WPA2 should be used. WPA2 uses the Advanced Encryption Standard (AES), the strongest encryption available for wireless networks today, and should be configured with a long, random passphrase.
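The simplest of WEP's weaknesses can be shown in a few lines: the per-frame RC4 key is just the 24-bit IV prepended to the static key, so the moment an IV repeats, two frames share a keystream and a known plaintext for one exposes the other. The following is an added example for this article, using a textbook RC4 rather than any vendor's implementation; the key, IV and frame contents are constructed, and WEP's CRC-32 integrity value is omitted.

```python
"""Why a static WEP key is unsafe: keystream reuse when the 24-bit IV repeats.
Added example for this article; textbook RC4, not vendor code. Key, IV and
frame contents are constructed; the CRC-32 ICV that WEP appends is omitted."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by keystream generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(static_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: RC4 keyed with IV || static key. The IV travels in clear,
    so an eavesdropper can see exactly when two frames share a key."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + static_key, len(plaintext)))


def recover_second_frame(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so c1 ^ c2 == p1 ^ p2:
    knowing frame 1's plaintext hands over frame 2 (and the keystream itself,
    which then decrypts every later frame sent under that IV). Frames begin
    with predictable LLC/SNAP, ARP or IP headers, which is where attackers
    get their known bytes."""
    keystream = xor_bytes(c1, known_p1)
    return xor_bytes(c2, keystream)


def frames_until_iv_collision(iv_bits: int = 24) -> int:
    """Birthday estimate of frames sent before a random IV repeats:
    about sqrt(pi/2 * 2^n), a few thousand frames for n = 24."""
    return int(math.sqrt(math.pi / 2 * 2 ** iv_bits))


def demo() -> bytes:
    """Encrypt two frames under one IV and recover the second from the first."""
    key = b"\x13\x37\xc0\xff\xee"             # constructed 40-bit static key
    iv = b"\x00\x01\x02"                      # the same IV reused for both frames
    snap = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"   # LLC/SNAP header, identical on both
    p1 = snap + b"PING PING PING from recorder to cam1"     # constructed, known
    p2 = snap + b"admin password=opensesame"                # constructed, secret
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    return recover_second_frame(c1, p1, c2)


if __name__ == "__main__":
    print(demo())
    print("frames until an IV repeat (random IVs):", frames_until_iv_collision())
```

WPA's TKIP closes this particular hole with per-packet key mixing and a 48-bit sequence counter, and WPA2's CCMP replaces RC4 with AES altogether. The key-recovery attacks that make a WEP key fall in minutes exploit deeper biases in RC4's key scheduling; keystream reuse is merely the failure that is easiest to see.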
Protecting System Access
In addition to protecting data, it is critical to control access to the system, whether through a Web interface or through an application housed on a PC server. Access can be secured with user names and passwords. Passwords should be at least six characters long, and longer is better; they should mix lower and upper case and combine numbers and letters. The default passwords shipped with cameras and video servers must be changed before the devices go online. Tools such as fingerprint readers and smart cards can be added for stronger authentication.
Viruses and worms are also major security concerns in IP surveillance systems, so a virus scanner with up-to-date signatures is recommended on every computer in the system, and operating systems should be kept current with service packs and fixes from the manufacturer. Network cameras and video servers that hold their firmware in read-only memory also help: viruses and worms spread by writing themselves into a device's storage, and if the device's operating system lives in read-only memory, they cannot corrupt it. Such devices still need firmware updates from the manufacturer when vulnerabilities are fixed.
Employing the outlined security measures makes an IP surveillance network secure and gives users the flexibility of off-site access without the worry that video will fall into the wrong hands. Understanding and choosing the right security options, such as firewalls, virtual private networks (VPNs) and password protection, removes the concern that an IP surveillance system is open to the public.
About the author: As the general manager for Axis Communications, Fredrik Nilsson oversees the company's operations in North America. In this role, he manages all aspects of the business, including sales, marketing, business expansion and finance. He can be reached via email at Fredrik.Nilsson@axis.com.