Eye on Video: Network security for cameras

A look at options for securing video transmissions

Feb. 2008 - With the widespread use of IP networks for data, video and voice by government, financial institutions and corporate enterprises, today's users are demanding better technology for transferring information securely. Over the last decade, a tremendous amount of R&D money has been spent to strengthen security to keep highly sensitive information safe in transit

Creating secure communication means not only addressing security issues within a network, but between different networks and clients. Effective solutions need to control everything from the data sent over the network to who actually uses and accesses the pipeline. They not only need to authenticate and authorize the source of the message but also ensure the privacy of the communication as it flows through the network.

Authentication and Authorization: Who are you and do you have permission to be here?

The first step requires the user or device to identify itself to the network and the remote endpoint - the recipient. There are a number of ways to authenticate this identity to the network or system. The most typical is through a username and password. Once the identity is authenticated, the second step is to verify whether that user or device has authority to operate as requested. Once authorization is confirmed, the user is fully connected and allowed to send a transmission.

As a basic protection, this technology might be sufficient for installations where a high level of security is not required, or where the video network is separated from the main network to prevent authorized users from having physical access to it.

Privacy: Can you keep the transmission from prying eyes?
The second step involves encrypting the communication to prevent others from using or reading the data as it travels through the network. There are a number of technology options open to integrators, each with its pros and cons. I would like to discuss four of them:

• IP filtering
• Virtual private network
• 802.1X

A restrictive firewall: IP filtering
Some network cameras and video encoders use IP filtering to prevent all but one or a few IP addresses from accessing the network video components. IP filtering provides a function similar to a built-in firewall.

This technology would be a good fit for installations that require a higher level of security. Typically, you would configure the network cameras to accept commands only from the IP address of the server hosting the video management software.

A secure pathway: virtual private network
An even safer alterative is a virtual private network (VPN) which uses an encryption protocol to provide a secure tunnel between networks through which data can travel safe from prying eyes. This allows secure communications across a public network, such as the Internet, because only devices with the correct "key" will be able to work within the VPN itself.

A VPN typically encrypts the packets on the IP or TCP/UDP layers and above. The IP Security Protocol (IPSec) is the most commonly used VPN encryption protocol. IPSec uses different encryption algorithms: either the Triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (AES). AES, which uses either 128-bit or 256-bit key lengths, offers higher security and needs considerably less computing power than 3DES to encrypt and decrypt data.

VPNs are commonly used between different offices in larger organizations, or for telecommuters connecting to the network. Remote cameras are tied into a corporate wide surveillance system in much the same way.

Data encryption: HTTPS
You can achieve a higher level of privacy through encrypting the data rather than the transport. Hyper Text Transfer Protocol Secure (HTTPS) is the most common data encryption protocol used in applications like online banking to provide the requisite security for financial transactions performed over the Internet. HTTPS is identical to HTTP, but with one key difference: the data transferred is encrypted using Secure Socket Layer (SSL) or Transport Layer Security (TLS).

This content continues onto the next page...