Protect an insecure appliance by limiting access to its dedicated VLAN using authentication.

Greenshoe
New here


Good afternoon, forum!  I need to protect an inherently insecure security camera appliance DVR so that it is exposed only to its users and owners, who will be nice to it and use it for good.  To anyone else, the DVR must be inaccessible.  I am pretty familiar with networking, switching and firewalls but less familiar with routing and with Meraki's finer points.

Situation

I have a notoriously insecure (https://depthsecurity.com/blog/unauthorized-flir-cloud-access) but very functional camera DVR appliance from LOREX (https://www.lorextechnology.com/downloads/security-dvr/LHV1000/LHV1000_SERIES_MANUAL_EN_R2.pdf) which I have installed at a social service oriented non-profit with the assistance of several volunteers, including 16 cameras which completely cover the space.  This will be very helpful in making the target demographic feel safe in the space as well as to protect the space.


The DVR itself is physically locked away on a UPS so that even if power is lost, the infrared-enabled cameras can still record inside and outside and retain all footage from all 16 cameras for about 2-3 weeks running 24x7.

The building (let's call it Building 1) sits on a block with 2 other buildings, all served by Meraki, as are all the other 13 sites in the city.  The block (I believe) is in its own VLAN, though there may be an additional VLAN for one of the other buildings.  The network is fairly flat.  The IT people are cooperative and we probably have a good amount of flexibility to implement whatever configuration changes we need in order to make this work.  We just need to understand it well and document the design before planning to implement.

Wired users can plug in at any time.  The network is monitored and users are pretty compliant, so if new unrecognized devices get plugged in, the IT team notices.  Also, all but one Ethernet jack are in private areas, physically protected.

Wireless users in Building 1 must click through a guest wifi page before being allowed on the network.


Problem:

I need a way to authorize only a specific handful of users to have network access to the machine, so that it is accessible to only 3 police officers, who will share one Azure AD based service account, and about 2-3 staff members.  The authentication on the device itself is trivial, so I need to rely on the network and authentication to protect this device from malicious attackers.

Suggested Solution (Captive portal):


My preferred solution would be something like this, though I'm open to suggestions and to learn:


VLAN 1 (wifi with captive portal)

VLAN 2 (the wired network)

VLAN 3 (only the DVR) - conditional access only upon successful authentication.


So the use case is:

- A user on VLAN 1 or VLAN 2 attempts to visit the DVR at, say, http://192.168.3.10.

- The user is redirected to an auth page, like the one the user had to click through to get on the network in the first place.

- After successful authentication, routing for that specific user/machine/MAC would be allowed to 192.168.3.10 (all ports are allowed).

- As a convenience, the auth page would then redirect to the URL.


Solution 2: Network authentication?

Solution 3: Captive portal for wifi only.  2 options: click through, or log in.  If logging in, and the user is recognized as being in a group allowing access to the cameras, then VLAN 3 is also accessible.


Anticipated questions:

1. Why aren't you using Meraki cameras?  

- We are a small nonprofit with an annual budget of $120k/year.  We are working with a larger one who doesn't have budget for these cameras.  We need 16 cameras.  With Meraki that is about half our budget for the year, I believe.

- Bandwidth in that building is not the best.  To have 1080p from 16 cameras in real time + recorded camera footage from the DVR, we would be competing with the guest traffic.


2. Why are you using such an insecure appliance?  

Unfortunately, all the DVR appliances I have seen are like this.  If you know of a better one, please tell me.  I'll snap that in, hook all the coax cameras into the back of it, and we'll be done.


3. Just use FLIR Cloud and you'll be done.

Sadly, that is also a block of Swiss cheese with regard to security.  Look at the first link for an indication of the trivial nature of the successful attacks and LOREX/FLIR's casual attitude toward internet security.  It's pretty sad.  But the DVRs are very functional for controlling the cameras.


1 Reply
PhilipDAth
Kind of a big deal

Is the default gateway for each of these networks an MX, so the MX controls the access between the VLANs?


If so, create a group policy and configure it to override the firewall rules. Create rules to allow the users the specific access.  You could also consider simply using the built-in "whitelist" group policy, which gives a user access to everything.

Then apply this group policy to those machines that are allowed access.


Otherwise you'll need to let us know what provides the security between the different VLANs.
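As an added illustration (this is example code written for this thread, not Meraki's code and not anything the poster or the reply provided), here is a small Python model of the design discussed above: three VLANs, network-wide L3 rules that block everything into the DVR VLAN, and a per-client group policy that overrides those rules for the few authorized machines. The VLAN subnets, the DVR address 192.168.3.10 from the post, and the client MAC addresses are constructed values. The evaluation semantics (first matching rule wins; a group policy set to override replaces the network rules for that client; no match fails closed) are assumptions about how an MX behaves and should be checked against the dashboard before relying on them. It also shows why a narrowly scoped policy is preferable to the built-in whitelist policy: the whitelist client reaches every host in the DVR VLAN, the camera-users client reaches only the DVR.

```python
"""Model of MX-style inter-VLAN firewall rules with a per-client group policy override."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")

# Constructed addressing for the three VLANs described in the thread (assumed values).
VLAN_WIFI = Net("192.168.1.0/24")   # VLAN 1: guest wifi behind the captive portal
VLAN_WIRED = Net("192.168.2.0/24")  # VLAN 2: wired users
VLAN_DVR = Net("192.168.3.0/24")    # VLAN 3: only the DVR lives here
DVR_HOST = Net("192.168.3.10/32")   # the DVR address used in the post


@dataclass(frozen=True)
class Rule:
    policy: str   # "allow" or "deny"
    src: Net
    dst: Net
    comment: str

    def matches(self, src_ip: IPv4, dst_ip: IPv4) -> bool:
        return src_ip in self.src and dst_ip in self.dst


# Network-wide L3 rules: nothing reaches the DVR VLAN; everything else passes.
NETWORK_RULES = (
    Rule("deny", ANY, VLAN_DVR, "block all inter-VLAN traffic into the DVR VLAN"),
    Rule("allow", ANY, ANY, "default allow"),
)

# Group policy set to override the network rules: only the DVR host itself,
# and explicitly nothing else that might later appear in VLAN 3.
CAMERA_USERS_RULES = (
    Rule("allow", ANY, DVR_HOST, "camera users may reach the DVR"),
    Rule("deny", ANY, VLAN_DVR, "but nothing else in the DVR VLAN"),
    Rule("allow", ANY, ANY, "default allow"),
)

# The built-in whitelist policy mentioned in the reply: bypasses every rule.
WHITELIST_RULES = (Rule("allow", ANY, ANY, "whitelist: access to everything"),)

GROUP_POLICIES = {"camera-users": CAMERA_USERS_RULES, "whitelist": WHITELIST_RULES}

# Client-to-policy assignment keyed by MAC, mirroring how a group policy is
# applied to a specific client in the dashboard.  Constructed sample MACs.
CLIENT_POLICY = {
    "aa:bb:cc:00:00:01": "camera-users",  # staff laptop
    "aa:bb:cc:00:00:02": "camera-users",  # workstation used with the police service account
    "aa:bb:cc:00:00:03": "whitelist",     # an admin box, shown for contrast
}


def evaluate(client_mac: str, src_ip: str, dst_ip: str) -> str:
    """Return 'allow' or 'deny' for one flow; first matching rule wins."""
    src, dst = IPv4(src_ip), IPv4(dst_ip)
    policy_name = CLIENT_POLICY.get(client_mac.lower())
    # A client with an overriding group policy is evaluated against that policy only.
    rules = GROUP_POLICIES[policy_name] if policy_name else NETWORK_RULES
    for rule in rules:
        if rule.matches(src, dst):
            return rule.policy
    return "deny"  # no rule matched: fail closed


def clients_with_dvr_access(client_ips: dict) -> list:
    """Given MAC -> current IP for seen clients, list the MACs that can reach the DVR.

    A periodic run of this against the client list is a cheap way to spot a
    group policy that was applied to the wrong machine.
    """
    dvr = str(DVR_HOST.network_address)
    return sorted(mac for mac, ip in client_ips.items() if evaluate(mac, ip, dvr) == "allow")


if __name__ == "__main__":
    for mac, src, dst in [
        ("ff:ff:ff:00:00:99", "192.168.1.50", "192.168.3.10"),  # unknown wifi client
        ("aa:bb:cc:00:00:01", "192.168.2.20", "192.168.3.10"),  # camera user to DVR
        ("aa:bb:cc:00:00:01", "192.168.2.20", "192.168.3.11"),  # camera user elsewhere in VLAN 3
        ("aa:bb:cc:00:00:03", "192.168.2.30", "192.168.3.11"),  # whitelist client
    ]:
        print(f"{mac} {src} -> {dst}: {evaluate(mac, src, dst)}")
```

Note that this model only covers traffic that crosses VLANs through the MX; a device plugged directly into VLAN 3 would bypass it, which is why the poster's physical control over the DVR's switch port matters as much as the policy.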
