Eye on Video: Network security for cameras

A look at options for securing video transmissions

SSL was developed by Netscape and published in 1994. The security offered by SSL/TLS is based on three main elements: 1) authentication of the communication partner, 2) symmetrical data encryption, and 3) protection against the manipulation of transferred data.

When an SSL/TLS connection is made, a handshake protocol determines which cryptographical methods are to be used by the sender and receiver: such as cryptographic algorithms, key set-ups, random number generations, etc. The protocol then validates the identity of the communication partner by having the web server use a certificate to identify itself to the web browser. A certificate is like an ID card which a person uses to prove his identity. It is a binary document that is usually issued by a certificate authority like Verisign. Users can also issue their own certificates to be used internally for closed user groups, like a LAN web server to which only company employees have access.

The next step is for the communication partners to exchange a premaster secret that has been encrypted by the public key from the server's certificate before being transmitted to the server over an asymmetrical encryption or Diffie-Hellman key exchange. Both parties compute the master secret locally and derive the session key from it. If the server can decrypt this data and complete the protocol, the client is assured that the server has the correct private key. This step is crucial to proving the authenticity of the server. Only the server with the private key that matches the public key in the certificate can decrypt this data and continue the protocol negotiation.

Many network video products have built-in support for HTTPS, which makes it possible for video to be securely viewed using a web browser. Using HTTPS, however, can slow down the communication link and, therefore, the frame rate of the video.

Anti-hijacking protection for network ports: 802.1X
One of the most popular and secure authentication methods used by the wireless community today is IEEE 802.1X. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails. 802.1X is often referred to as Port Based Network Access Control because it prevents "port hi-jacking," which is when an unauthorized computer gains access to a network by connecting to a network jack either inside or outside a building.

With 802.1X, authentication occurs at three levels: the supplicant, the authenticator and the authenticating server. The supplicant corresponds to a network device such as a network camera that requests access to a network. The authenticator can be a switch or an access point. Logical ports on the authenticator allow the video transmission from the supplicant to pass through once the supplicant is authenticated. The authenticating server is usually a dedicated server on the LAN to which other servers have to identify themselves in the authentication process.

The authenticating server, which can be a Microsoft Internet Authentication Service server, is called a remote authentication dial-in user service (RADIUS). If a device wants to access a network, it asks for access to the network through an authenticator that forwards that request as an authentication query to an authentication server. If authentication is successful, the server instructs the authenticator to authorize access to the network for the querying server.

802.1X is often built into network cameras and video encoders, and is very useful in network video applications where the network cameras are located in public spaces such as receptions, hallways, meeting rooms or even mounted outside a building. Without 802.1X, having a network jack that is openly accessible poses a significant security risk. In today's enterprise networks, where both internal users and external partners routinely access data, 802.1X is becoming a basic requirement for any components connected to the network.

802.1X enables port-based security and involves a supplicant (e.g. a network camera), an authenticator (e.g. a switch) and an authentication server.

What type of security should you use?