Eye on Video: Network security for cameras

Feb. 2008 - With the widespread use of IP networks for data, video and voice by government, financial institutions and corporate enterprises, today's users are demanding better technology for transferring information securely. Over the last decade, a tremendous amount of R&D money has been spent to strengthen security to keep highly sensitive information safe in transit.

Creating secure communication means not only addressing security issues within a network, but between different networks and clients. Effective solutions need to control everything from the data sent over the network to who actually uses and accesses the pipeline. They not only need to authenticate and authorize the source of the message but also ensure the privacy of the communication as it flows through the network.

Authentication and Authorization: Who are you and do you have permission to be here?

The first step requires the user or device to identify itself to the network and the remote endpoint - the recipient. There are a number of ways to authenticate this identity to the network or system. The most typical is through a username and password. Once the identity is authenticated, the second step is to verify whether that user or device has authority to operate as requested. Once authorization is confirmed, the user is fully connected and allowed to send a transmission.

As a basic protection, this technology might be sufficient for installations where a high level of security is not required, or where the video network is separated from the main network to prevent unauthorized users from having physical access to it.

Privacy: Can you keep the transmission from prying eyes?
The second step involves encrypting the communication to prevent others from using or reading the data as it travels through the network. There are a number of technology options open to integrators, each with its pros and cons. I would like to discuss four of them:

• IP filtering
• Virtual private network
• HTTPS
• 802.1X

A restrictive firewall: IP filtering
Some network cameras and video encoders use IP filtering to prevent all but one or a few IP addresses from accessing the network video components. IP filtering provides a function similar to a built-in firewall.

This technology would be a good fit for installations that require a higher level of security. Typically, you would configure the network cameras to accept commands only from the IP address of the server hosting the video management software.
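The allowlist behaviour described above, sketched as an added example (not code from the article or from any camera vendor). The class and function names and the 192.0.2.x addresses are assumptions made for illustration.

```python
import ipaddress

class IPFilter:
    """Default-deny source filter, as a camera would apply to incoming connections."""

    def __init__(self, allowed):
        # strict=True rejects entries such as "192.0.2.10/24" whose host bits
        # are set, which usually indicates a mistyped prefix.
        self.networks = [ipaddress.ip_network(a, strict=True) for a in allowed]

    def permits(self, source):
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            return False  # unparseable source: deny
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; compare
        # the embedded IPv4 address so the same host is treated consistently.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        return any(addr.version == n.version and addr in n for n in self.networks)

    def broad_entries(self, max_hosts=8):
        """Allowlist entries that cover more than 'one or a few' addresses."""
        return [str(n) for n in self.networks if n.num_addresses > max_hosts]


def review_connections(ip_filter, sources):
    """Return the sources the filter would refuse, in input order."""
    return [s for s in sources if not ip_filter.permits(s)]


# Constructed sample data: documentation address ranges, not real hosts.
VMS_SERVER = "192.0.2.10"
SAMPLE_SOURCES = ["192.0.2.10", "::ffff:192.0.2.10", "192.0.2.11",
                  "198.51.100.7", "2001:db8::5", "garbage"]

if __name__ == "__main__":
    camera_filter = IPFilter([VMS_SERVER])
    print("refused:", review_connections(camera_filter, SAMPLE_SOURCES))
    print("too broad:", IPFilter(["192.0.2.0/24"]).broad_entries())
```

An address filter identifies a host only by its address, so it complements the authentication and encryption measures discussed in the other sections rather than replacing them.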

A secure pathway: virtual private network
An even safer alternative is a virtual private network (VPN), which uses an encryption protocol to provide a secure tunnel between networks through which data can travel safe from prying eyes. This allows secure communications across a public network, such as the Internet, because only devices with the correct "key" will be able to work within the VPN itself.

A VPN typically encrypts the packets on the IP or TCP/UDP layers and above. The IP Security Protocol (IPSec) is the most commonly used VPN encryption protocol. IPSec uses different encryption algorithms: either the Triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (AES). AES, which uses either 128-bit or 256-bit key lengths, offers higher security and needs considerably less computing power than 3DES to encrypt and decrypt data.

VPNs are commonly used between different offices in larger organizations, or for telecommuters connecting to the network. Remote cameras are tied into a corporate-wide surveillance system in much the same way.

Data encryption: HTTPS
You can achieve a higher level of privacy through encrypting the data rather than the transport. Hypertext Transfer Protocol Secure (HTTPS) is the most common data encryption protocol used in applications like online banking to provide the requisite security for financial transactions performed over the Internet. HTTPS is identical to HTTP, but with one key difference: the data transferred is encrypted using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

SSL was developed by Netscape and published in 1994. The security offered by SSL/TLS is based on three main elements: 1) authentication of the communication partner, 2) symmetrical data encryption, and 3) protection against the manipulation of transferred data.

When an SSL/TLS connection is made, a handshake protocol determines which cryptographic methods the sender and receiver will use, such as cryptographic algorithms, key set-ups and random number generation. The protocol then validates the identity of the communication partner by having the web server use a certificate to identify itself to the web browser. A certificate is like an ID card that a person uses to prove his or her identity. It is a binary document that is usually issued by a certificate authority like Verisign. Users can also issue their own certificates to be used internally for closed user groups, like a LAN web server to which only company employees have access.

The next step is for the communication partners to exchange a premaster secret, which is encrypted with the public key from the server's certificate before being transmitted to the server, using asymmetric encryption or a Diffie-Hellman key exchange. Both parties compute the master secret locally and derive the session key from it. If the server can decrypt this data and complete the protocol, the client is assured that the server has the correct private key. This step is crucial to proving the authenticity of the server. Only the server with the private key that matches the public key in the certificate can decrypt this data and continue the protocol negotiation.
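How both sides turn the premaster secret into identical session keys, as an added example that is not from the article. It assumes the TLS 1.2 key derivation (the PRF of RFC 5246 with SHA-256) and a cipher suite using AES-128-CBC with HMAC-SHA256; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to length bytes."""
    seed = label + seed
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()        # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(premaster, client_random, server_random):
    # The master secret is always 48 bytes.
    return prf(premaster, b"master secret", client_random + server_random, 48)

def session_keys(master, client_random, server_random):
    # For key expansion the random values are concatenated server first.
    # Sizes assume 32-byte HMAC-SHA256 keys and 16-byte AES-128 keys.
    layout = [("client_mac", 32), ("server_mac", 32),
              ("client_key", 16), ("server_key", 16)]
    block = prf(master, b"key expansion", server_random + client_random,
                sum(size for _, size in layout))
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

def handshake_demo():
    """Each side derives the keys locally from the three shared inputs."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = b"\x03\x03" + os.urandom(46)   # version bytes + 46 random bytes
    client_view = session_keys(
        master_secret(premaster, client_random, server_random),
        client_random, server_random)
    server_view = session_keys(
        master_secret(premaster, client_random, server_random),
        client_random, server_random)
    return client_view, server_view

if __name__ == "__main__":
    client_view, server_view = handshake_demo()
    print("keys match:", client_view == server_view)
    print({name: key.hex() for name, key in client_view.items()})
```

Both random values travel in the clear during the handshake, so the secrecy of every derived key rests on the premaster secret alone.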

Many network video products have built-in support for HTTPS, which makes it possible for video to be securely viewed using a web browser. Using HTTPS, however, can slow down the communication link and, therefore, the frame rate of the video.

Anti-hijacking protection for network ports: 802.1X
One of the most popular and secure authentication methods used by the wireless community today is IEEE 802.1X. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. 802.1X is often referred to as Port Based Network Access Control because it prevents "port hijacking," which is when an unauthorized computer gains access to a network by connecting to a network jack either inside or outside a building.

With 802.1X, authentication occurs at three levels: the supplicant, the authenticator and the authenticating server. The supplicant corresponds to a network device such as a network camera that requests access to a network. The authenticator can be a switch or an access point. Logical ports on the authenticator allow the video transmission from the supplicant to pass through once the supplicant is authenticated. The authenticating server is usually a dedicated server on the LAN to which other servers have to identify themselves in the authentication process.

The authenticating server, which can be a Microsoft Internet Authentication Service server, is called a Remote Authentication Dial-In User Service (RADIUS) server. If a device wants to access a network, it asks for access through an authenticator, which forwards that request as an authentication query to the authentication server. If authentication is successful, the server instructs the authenticator to authorize access to the network for the querying device.

802.1X is often built into network cameras and video encoders, and is very useful in network video applications where the network cameras are located in public spaces such as receptions, hallways, meeting rooms or even mounted outside a building. Without 802.1X, having a network jack that is openly accessible poses a significant security risk. In today's enterprise networks, where both internal users and external partners routinely access data, 802.1X is becoming a basic requirement for any components connected to the network.

802.1X enables port-based security and involves a supplicant (e.g. a network camera), an authenticator (e.g. a switch) and an authentication server.

What type of security should you use?

A network video system can be substantially more secure than an analog CCTV system. You can, for example, keep it disconnected from both the Internet and the corporate network and use data encryption for every camera. But oftentimes there are benefits to tightly integrating the network video system with the operations of the corporate network and having access to that video from remote locations over the Internet.

There are no easy answers to what type of security you should implement. It all depends on your environment, your application, and the value of the transmissions you are sending. It is much like choosing security for a particular building. You can use a single lock or a series of locks. If the likelihood of break-ins in that neighborhood is high and the building's contents are valuable, you might decide to add bars over the windows, alarm systems, fences, or even around-the-clock guards. Before you make any decisions, you first need to do a thorough risk assessment to determine what security technology makes the most sense for your particular circumstances. With the array of technology now available, it is simply a matter of choosing the one that best fits your needs and budget.