Prevent IPCameras from accessing home network.

Roy360

Dabbler
Joined
Nov 27, 2017
Messages
28
OS: FreeNAS-11.3-U3.2

I've got two NICs on my server.
One connected to my home network while the other is connected to a switch dedicated to my ip cameras.
I realize ZoneMinder has to be able to communicate with FreeNAS (or else I can't access it), but is there a way to block the cameras?

All this talk about backdoors in Hikvision and Dahua cameras...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
Well, that's a bad design.

To keep things clear to people, I generally tell them that if some client has unfettered access to a FreeNAS host, that they should assume they're granting that client potential root level access to the FreeNAS. This isn't *supposed* to be true, but with the web UI and the API and the ability to log in with SSH and all of that, it's not a good idea to pretend there's no risks.

The problem is that most people want easy. And security isn't easy. What you probably really want is a proper network design. You get a router. It can be a small router, a pfSense host, or a Ubiquiti $100 EdgeRouter, or whatever. You then create a dedicated camera network, and an uplink network to your ISP, and a "home network" network for all your other stuff. Which should probably be several different networks, but I digress.

Then you can use firewall rules to control what's visible.

For example, my company's WWW/FTP archive directly mounts a FreeNAS datastore, but the NFS connection traverses a firewall and the WWW/FTP archive host does not have access to anything other than the very specific set of NFS service ports it needs. But I do this stuff professionally. It's not as difficult for me as it is for random end users (no offense intended).

So you have three general options here, in my opinion.

1) You do like I'm suggesting and learn a bunch of IP networking and beat your head on firewalls and rules and routing. This is great for learning but kinda sucks if you just want something that works quickly and easily.

2) You trust in that potential backdoors for Hikvision are rendered harmless if they are inaccessible. Keep your camera network completely off the Internet and never ever connect the network to the Internet. This means you probably can't use cloud-based DVR services or get automatic camera firmware updates, but if your ZoneMinder is running on the NAS, ZM can see and use your cameras, and you can use ZM from your home network.

3) Just don't worry about any of it and pray for no problems.
 

Roy360

Dabbler
Joined
Nov 27, 2017
Messages
28
> Well, that's a bad design.
>
> To keep things clear to people, I generally tell them that if some client has unfettered access to a FreeNAS host, that they should assume they're granting that client potential root level access to the FreeNAS. This isn't *supposed* to be true, but with the web UI and the API and the ability to log in with SSH and all of that, it's not a good idea to pretend there's no risks.
I don't use SSH or any of the APIs of FreeNAS (I don't normally allow internet access to FreeNAS), so I will disable those settings.

I do have pfsense running on a separate machine (primarily for selective VPN routing).
I didn't see the point of routing the camera traffic through pfsense since I wanted to keep it isolated, but since you're saying that's not possible to do so in FreeNAS, I'll change my plans and buy an additional NIC to route traffic through the router.

> The problem is that most people want easy. And security isn't easy. What you probably really want is a proper network design. You get a router. It can be a small router, a pfSense host, or a Ubiquiti $100 EdgeRouter, or whatever. You then create a dedicated camera network, and an uplink network to your ISP, and a "home network" network for all your other stuff. Which should probably be several different networks, but I digress.
It's even worse than that for me.
I'm also cheap. My main reason for wanting to separate the NICs inside pfsense was to avoid buying a 2nd NIC on the pfsense machine.
If it wasn't so heavily discouraged, I would have FreeNAS, pfsense, ZoneMinder, CUPS and bunch of other servers running on a single machine.

> So you have three general options here, in my opinion.
>
> 1) You do like I'm suggesting and learn a bunch of IP networking and beat your head on firewalls and rules and routing. This is great for learning but kinda sucks if you just want something that works quickly and easily.
>
> 2) You trust in that potential backdoors for Hikvision are rendered harmless if they are inaccessible. Keep your camera network completely off the Internet and never ever connect the network to the Internet. This means you probably can't use cloud-based DVR services or get automatic camera firmware updates, but if your ZoneMinder is running on the NAS, ZM can see and use your cameras, and you can use ZM from your home network.
>
> 3) Just don't worry about any of it and pray for no problems.

Option 2 is what I was aiming for. Outside of keeping Zoneminder and the cameras off the network all together, isn't that the best scenario?
Zoneminder will be used for sending alerts (or optionally, remote viewing), while the cameras are detached from the rest of the network and only accessible to ZoneMinder. Maybe set up an OpenVPN server on the pfsense machine for "remote" viewing.

I'm getting Chinese cameras, so I probably won't be able to update the firmware even if I wanted to. Since I won't expose them to the internet, I don't think I need the updates anyways.

Based on your post, this is what I concluded (let me know if I misinterpreted anything):
  • It's fine to have FreeNAS and ZoneMinder on the same machine.
  • Have the camera traffic run through a separate NIC on the Pfsense machine.
  • Configure rules on pfsense so that the camera NIC and home NIC do not allow devices to communicate with each other, UNLESS it's the ZoneMinder machine.
I am definitely a noob when it comes to networking. Once I get a basic idea of what I should be aiming for, I'll start reading up on how to do it.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,681
> I don't use SSH or any of the APIs of FreeNAS (I don't normally allow internet access to FreeNAS), so I will disable those settings.

Just so we're clear, the issue is that these things, SSH, API's, etc., often end up being somewhat less secure than we'd like, and "disabled" means different things to developers than security folks. I have little faith that you can disable things sufficiently to truly be secure.

That said, I think option 2 is sensible and suitable, and is probably sufficient to your needs.
 

Roy360

Dabbler
Joined
Nov 27, 2017
Messages
28
I gave ZoneMinder a static IP and Alias.
Added a new interface to pfsense called "Camera"
Enabled the DHCP server on the new interface and added the following rules:
[attached screenshot of the pfSense firewall rules on the Camera interface]


With my laptop connected to the new interface, I was able to confirm that my laptop could only connect to ZoneMinder. No internet access or access to any of my other LAN devices including FreeNAS (this surprised me).

I think it is as secure as I can possibly make it without resorting to building a dedicated ZoneMinder machine or going purely offline.

I think the only other change I will make is swap the processors of my pfsense and FreeNAS machines.
Right now my pfsense machine has a Xeon E3-1220 V2 while the FreeNAS machine only has a Pentium G2120.
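Added example, not from the thread: pf rules equivalent to the camera-interface policy described above (cameras reach ZoneMinder only; selected LAN PCs reach ZoneMinder; nothing else crosses), with a pfctl dry-run check. Interface names, subnets and addresses are constructed assumptions; pfSense generates its own pf.conf from the GUI, so this is for review, not for loading by hand.

```shell
#!/bin/sh
# Added example, not from the thread: pf rules equivalent to the pfSense GUI
# policy described above (camera interface may reach ZoneMinder only; selected
# LAN PCs may reach ZoneMinder). pfSense generates /etc/pf.conf itself, so this
# is for review and a dry-run syntax check, not for loading by hand.
# Interface names, subnets and addresses are constructed assumptions.
camera_rules() {
  cat <<'EOF'
cam_if  = "igb2"                 # NIC facing the camera switch
lan_if  = "igb1"                 # home network
cam_net = "192.168.50.0/24"      # camera subnet (constructed)
zm_host = "192.168.10.20"        # ZoneMinder static IP / alias (constructed)
zm_clients = "{ 192.168.10.5, 192.168.10.6 }"   # LAN PCs allowed to view ZM

# Camera interface: deny by default, so cameras reach no Internet, LAN or FreeNAS.
# (pfSense adds its own allow rule for DHCP to the firewall when DHCP is enabled.)
block drop in log on $cam_if all
# Cameras may only open connections to ZoneMinder (e.g. HTTP event push).
pass in quick on $cam_if proto tcp from $cam_net to $zm_host port { 80, 443 } keep state
# Streams ZoneMinder pulls are opened from the LAN side; replies are stateful.
pass in quick on $lan_if proto tcp from $zm_host to $cam_net port { 80, 554 } keep state
# Other LAN hosts (FreeNAS included) get nothing to the cameras, even if LAN is allow-all.
block drop in quick on $lan_if from any to $cam_net
# Only selected LAN PCs reach the ZoneMinder web UI.
pass in quick on $lan_if proto tcp from $zm_clients to $zm_host port 443 keep state
EOF
}

# Count generated rules with a given action (block/pass) to sanity-check the policy.
count_rules() {
  camera_rules | grep -c "^$1 "
}

# Parse the rules with pfctl -n where available (pfSense/FreeBSD); elsewhere print them.
check_rules() {
  tmp=$(mktemp) || return 1
  camera_rules > "$tmp"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$tmp"             # -n: check syntax only, do not load
  else
    cat "$tmp"
  fi
  rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

Rule order matters: the `quick` pass for ZoneMinder must sit above the `quick` block for the rest of the LAN, exactly as the GUI evaluates rules top to bottom.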
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> security isn't easy.
You made my day!
I always hate people suggesting actually good security is easy. Not having bad security is easy, good security isn't.

And indeed "disabled" is not the same as "not running", things have a strange tendency to start running with the right exploits and some CLI-voodoo :P

I run everything off vlans myself (OPNSense router), which works out surprisingly smooth... The (multiple layers of) DMZ vlans get linked to the jails (without FreeNAS itself having an IP) and FreeNAS management is limited (either by not running certain services and/or firewalling). Inter-DMZ traffic needs to pass through the router.


IoT and Camera networks should be separate IMHO, IoT are "high risk" devices and Cameras are "High Risk" devices, with huge privacy issues attached. Both should indeed NOT have internet access.

You can either:
- Put the NVR software on the FreeNAS vlan and route traffic from the camera vlan through the router.
- Put the NVR software on a separate (DMZ) VLAN and route traffic from the camera vlan through the router.
- Put the NVR software on the Camera network, not grant it internet access and pass the camera vlan through using FreeNAS.

I would personally prefer the second option.

So @Roy360 It seems you are on the right track, but I would highly suggest to also put zoneminder in a DMZ.
 

Roy360

Dabbler
Joined
Nov 27, 2017
Messages
28
> You made my day!
> I always hate people suggesting actually good security is easy. Not having bad security is easy, good security isn't.
>
> And indeed "disabled" is not the same as "not running", things have a strange tendency to start running with the right exploits and some CLI-voodoo :P
>
> I run everything off vlans myself (OPNSense router), which works out surprisingly smooth... The (multiple layers of) DMZ vlans get linked to the jails (without FreeNAS itself having an IP) and FreeNAS management is limited (either by not running certain services and/or firewalling). Inter-DMZ traffic needs to pass through the router.
>
> IoT and Camera networks should be separate IMHO, IoT are "high risk" devices and Cameras are "High Risk" devices, with huge privacy issues attached. Both should indeed NOT have internet access.
>
> You can either:
> - Put the NVR software on the FreeNAS vlan and route traffic from the camera vlan through the router.
> - Put the NVR software on a separate (DMZ) VLAN and route traffic from the camera vlan through the router.
> - Put the NVR software on the Camera network, not grant it internet access and pass the camera vlan through using FreeNAS.
>
> I would personally prefer the second option.
>
> So @Roy360 It seems you are on the right track, but I would highly suggest to also put zoneminder in a DMZ.

I tried listing the steps I would have to take to get this working.
  1. Create the VLAN (parent interface is LAN)
  2. Assign Zoneminder an IP address that's in the range of the VLAN
  3. Create rules so I can access Zoneminder from select LAN PCs (the existing rules connecting Zoneminder to the Camera subnet should still work)
Because the IP ranges of FreeNAS and Zoneminder are different, they shouldn't be able to communicate with each other without the router.
Did I get that right?
Man if this works, I'm going to feel so stupid for buying that second NIC...
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
A vlan is not only a different range, it's actually a virtual network, which means the traffic isn't in the same virtual "cable".

I've a NIC (without IP!), which has multiple vlans attached (also without ip!), which all have a bridge attached.
One of those vlan-bridges has an IP (the FreeNAS management interface). The others don't get any IP and get passed through to VMs and Jails.

So it's more than just a different IP range.
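Added example, not from the thread: the FreeBSD interface layout ornias describes (parent NIC without an IP, VLAN interfaces without IPs, a bridge per VLAN, only the management bridge addressed), expressed as ifconfig commands. The NIC name, VLAN ids and management address are constructed assumptions; FreeNAS persists interfaces through its GUI/middleware, so this shows the shape to reproduce there rather than a script to run on a live box.

```shell
#!/bin/sh
# Added example, not from the thread: the FreeBSD interface layout ornias
# describes (parent NIC without an IP, VLANs without IPs, one bridge per VLAN,
# only the management bridge addressed), expressed as ifconfig commands.
# NIC name, VLAN ids and the management address are constructed assumptions.
# FreeNAS persists interfaces through its GUI/middleware, so treat this as the
# shape to reproduce there; set DRY_RUN=1 to print the commands instead.
run() {
  if [ -n "$DRY_RUN" ]; then echo "ifconfig $*"; else ifconfig "$@"; fi
}

# $1 = parent NIC, $2 = management VLAN id, $3 = camera/DMZ VLAN id
setup_vlan_bridges() {
  nic=$1; mgmt=$2; cam=$3
  run "$nic" up                                   # parent carries tagged frames only, no IP
  run "vlan$mgmt" create vlan "$mgmt" vlandev "$nic" up   # tagged member, still no IP
  run "vlan$cam" create vlan "$cam" vlandev "$nic" up     # separate 802.1Q tag = separate "cable"
  run "bridge$mgmt" create
  run "bridge$mgmt" addm "vlan$mgmt" up
  run "bridge$mgmt" inet 192.168.10.2/24          # only this bridge gets an address (constructed)
  run "bridge$cam" create
  run "bridge$cam" addm "vlan$cam" up             # no address: a VNET jail (ZoneMinder) attaches here
}
```

Frames on vlan50 and vlan10 share the physical NIC but never share a broadcast domain, so the jail on bridge50 cannot reach the management address on bridge10 without going through the router.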
 

Dan Tudora

Patron
Joined
Jul 6, 2017
Messages
276
Hello,
A simple way to prevent an IP camera from "calling home" or being hacked is to not provide a gateway IP, or to set the gateway IP to the camera's own IP.
Success!
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
> A simple way to prevent an IP camera from "calling home" or being hacked is to not provide a gateway IP, or to set the gateway IP to the camera's own IP.
That won't prevent them from getting hacked and getting hacked back onto the internet.
Please folk: Just use a firewall.
 

Roy360

Dabbler
Joined
Nov 27, 2017
Messages
28
> A vlan is not only a different range, it's actually a virtual network, which means the traffic isn't in the same virtual "cable".
>
> I've a NIC (without IP!), which has multiple vlans attached (also without ip!), which all have a bridge attached.
> One of those vlan-bridges has an IP (the FreeNAS management interface). The others don't get any IP and get passed through to VMs and Jails.
>
> So it's more than just a different IP range.
Okay, so it's as if I'm running two cables instead of one, but you need a device on both ends for it to work, right? (Sorta like a diplexer and multiplexer.)

How does that work with a Zoneminder jail inside FreeNAS?

For the cameras, I just need to access the shell of my ASUS router and configure the VLANs.

EDIT: I guess I just need to follow this: https://www.ixsystems.com/community/threads/how-to-set-separate-vlan-for-jail.54019/
 