LVT Chief Technology Officer discusses the need for security when deploying cellular connected IP cameras.
It is easy nowadays to imagine connecting an IP camera to a cellular modem and streaming live video from virtually anywhere in the world, and with the advent of 5G connectivity the number of people trying to do exactly that keeps growing. Having the idea is one thing; understanding how to do it securely, cost-effectively and reliably is harder, and that part is often either not thought about or misunderstood.
The things to consider when deploying cellular connected IP cameras can be broken down into three concepts: security, cost, and bandwidth. I will break down each for you in separate articles to make things simple.
Security
I’m a big security guy so I’m going to talk about this one first. I’ve written previous blog posts talking about the complicated world we now live in regarding cybersecurity and data privacy. Simply put, gone are the days of network perimeters where clear distinctions between private networks and public networks can be established and firewalls can be erected to keep the bad guys out. Nowhere is that more evident than with cellular connectivity.
By the very nature of cellular networks, connecting an IP camera to one means the camera is on a public network, or at least a network that is not your own. Where is the perimeter of your network now that you have IP cameras sitting on a carrier's network? What are the threat vectors? Any network engineer worth their paycheck will realize there are at least two distinct attack surfaces to defend: the IP camera (and the cellular router in front of it) at the edge, and the cloud servers and end-user devices that connect to those cameras, with the video traffic between them crossing a network you do not control. It is a sort of network sandwich, where the hackers are the proverbial fixings between the two slices of bread that are your precious network assets.
Assuming that you want to have some level of security in place and therefore will do more than leave a public IP address for the world to see and attack, here are some common and not-so-common ways of dealing with the problem.
Whitelists
I’ve seen people try to deal with these threats by enabling “whitelist” (allowlist) firewalls on the cellular modems/routers installed with the camera: the router drops everything except traffic from the IP addresses of the computers that are allowed to connect. This works, but it ties authorization to a source address rather than to an identity. How do you know those addresses won’t change, or that your end users won’t try to reach the camera from a computer that isn’t on the list? And what happens when an allowed address is later handed to someone else? Public addresses assigned by ISPs and carriers are frequently dynamic, and behind carrier-grade NAT one public address is shared by many subscribers, so an entry that once meant “the operator’s laptop” can come to mean “whoever is behind that address right now.”
There is a constant trade-off between security and convenience, and this one definitely complicates it. A robust cloud video management system (VMS) can mitigate the inconvenience by shrinking the whitelist to a single set of video relay servers whose addresses are static, or at least under the provider's control rather than the end user's. End users then connect to the cloud VMS, which acts as a proxy to the cameras, and never touch a camera directly.
Whitelists are definitely better than simply leaving your cameras open for the public to see but do come with heavy user involvement to keep them updated and secure.
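As an added example (not from the original article), here are the two postures above written as nftables rulesets for a Linux-based cellular router in front of the camera: the exposed one, which port-forwards RTSP from anywhere, and the whitelisted one, which default-drops and admits new RTSP connections only from a named set of relay servers. The interface names, the camera address and the relay prefixes are constructed for illustration (the relay addresses are placeholders from documentation ranges). It also assumes the cellular plan gives the router a publicly routable address; behind carrier-grade NAT these inbound rules never see any traffic and the camera or router has to connect outbound to the VMS instead.

```shell
#!/bin/sh
# Added example (not from the original article): the two firewall postures for
# a Linux-based cellular router in front of an IP camera, as nftables rulesets.
# Interface names, camera address and relay prefixes are constructed.
set -eu

WAN_IF="wwan0"            # assumed cellular interface
LAN_IF="lan0"             # assumed camera-side interface
CAMERA="192.168.10.20"    # assumed camera address on the LAN
# Assumed addresses of the cloud VMS relay servers (documentation ranges).
RELAYS="198.51.100.10, 198.51.100.11, 203.0.113.0/28"

# The common mistake: port-forward RTSP to the camera and forward everything.
# Anyone on the internet can now reach the camera's RTSP service, and the
# router's own management interface is open to the cellular side as well.
exposed_ruleset() {
  cat <<EOF
table ip camera_edge {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN_IF" tcp dport 554 dnat to $CAMERA
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF
}

# Whitelist posture: default-drop everywhere, only the relay servers may open
# a new RTSP connection to the camera, and the router itself is manageable from
# the LAN only. The relay addresses live in a named set so that an address
# change is a one-line update rather than a ruleset rewrite.
allowlisted_ruleset() {
  cat <<EOF
table ip camera_edge {
    set relay_servers {
        type ipv4_addr
        flags interval
        elements = { $RELAYS }
    }
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN_IF" ip saddr @relay_servers tcp dport 554 dnat to $CAMERA
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname "$LAN_IF" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$LAN_IF" oifname "$WAN_IF" accept
        iifname "$WAN_IF" ip saddr @relay_servers ip daddr $CAMERA tcp dport 554 ct state new accept
    }
}
EOF
}

# Returns 0 when a ruleset is default-drop and gates the camera on the relay set.
is_restricted() {
  printf '%s\n' "$1" | grep -q 'policy drop' &&
  printf '%s\n' "$1" | grep -q 'ip saddr @relay_servers'
}

# Usage on the router (as root):  allowlisted_ruleset | nft -f -
# When a relay address changes:   nft add element ip camera_edge relay_servers { 203.0.113.20 }
```

The named set is the part worth copying: the relay list is the only thing that changes over the life of the deployment, and `nft add element` updates it in place without touching the rest of the policy, which is the maintenance burden the whitelist approach otherwise carries. Note also that the input chain never accepts from the cellular interface, so the router's own admin interface is not part of the exposed surface.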
Virtual Private Networks or VPNs
A VPN is another solution: it establishes a private network of devices that communicate securely over public networks, such as cellular networks. Access to a VPN is granted by the tunnel's credentials (keys or certificates) rather than by source address, so it does not share the limitations of the whitelist strategy. It also keeps the bad guys out effectively: the camera's private address is reachable only through an authenticated tunnel, and the video itself is encrypted while it crosses the carrier's network instead of being exposed to anyone on the path.
The downside of VPNs is that the traditional hub-and-spoke design does not scale well and has a single point of failure, the VPN concentrator, unless you pay for redundancy. They also require more capable network equipment (a cellular modem/router with VPN support, or a separate VPN appliance) to establish and maintain the connection, which adds cost. A conventional site-to-site VPN also joins whole networks together: some tunnel types carry L2 frames and most carry L3 packets, but either way, unless routes and firewall rules are deliberately narrowed, every device on one side can reach every device on the other. That alone opens an unanticipated threat vector if a hacker gains physical access to the camera/cellular side of the tunnel, because the compromised site now has a path into the cloud side. Lastly, without a solid cloud infrastructure in the form of a cloud VMS, VPNs are a pain for end users, who often aren’t savvy enough to use and troubleshoot them.
VPNs are likely a better option than whitelisting but come with additional cost and complexity to stand up. They also still need ongoing care to stay secure: keys and certificates have to be rotated, revoked when a site is decommissioned or a router goes missing, and the concentrator patched like any other internet-facing server.
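As an added example (not from the original article), this is how the whole-network exposure described above is narrowed with WireGuard on the camera-site router and the cloud VMS relay host. The site dials out to the relay, which works behind carrier NAT, and each side's AllowedIPs is limited to single hosts rather than subnets; a PostUp firewall rule on the site additionally admits only RTSP to the camera, and only from the relay's tunnel address. Interface names, addresses and the relay endpoint are constructed; the keys are placeholders you generate with `wg genkey | tee privatekey | wg pubkey > publickey`.

```shell
#!/bin/sh
# Added example (not from the original article): a WireGuard tunnel between a
# camera-site cellular router and a cloud VMS relay host, scoped so the relay
# can reach one camera on one port and nothing else on the site LAN, and the
# site can reach only the relay. Keys are placeholders; addresses, interface
# names and the relay endpoint are constructed for illustration.
set -eu

CAMERA="192.168.10.20"                    # assumed camera on the site LAN
SITE_TUN="10.200.0.2"                     # site router's tunnel address
RELAY_TUN="10.200.0.1"                    # relay host's tunnel address
RELAY_ENDPOINT="relay.example.net:51820"  # assumed public endpoint of the relay

# Site router (/etc/wireguard/wg0.conf). It dials out to the relay, so it works
# behind carrier NAT, and routes only the relay's own tunnel address into wg0,
# so the rest of the relay's network is unreachable from the site.
site_wg_config() {
  cat <<EOF
[Interface]
Address = $SITE_TUN/32
PrivateKey = <site-router-private-key>
# Admit from the tunnel only RTSP to the camera, and only from the relay.
# If the router's own forward chain is default-drop, add a matching accept there.
PostUp = nft add table inet wg_guard
PostUp = nft add chain inet wg_guard forward '{ type filter hook forward priority 0; policy accept; }'
PostUp = nft add rule inet wg_guard forward iifname wg0 ip saddr $RELAY_TUN ip daddr $CAMERA tcp dport 554 accept
PostUp = nft add rule inet wg_guard forward iifname wg0 ct state established,related accept
PostUp = nft add rule inet wg_guard forward iifname wg0 drop
PostDown = nft delete table inet wg_guard

[Peer]
PublicKey = <relay-public-key>
Endpoint = $RELAY_ENDPOINT
AllowedIPs = $RELAY_TUN/32
PersistentKeepalive = 25
EOF
}

# Relay host (/etc/wireguard/wg0.conf), one [Peer] per camera site. AllowedIPs
# is WireGuard's cryptokey routing: the relay routes to, and accepts packets
# from, only these addresses for this key, so a compromised site cannot present
# itself as the rest of its /24 or as another site. No Endpoint: the site roams.
relay_wg_config() {
  cat <<EOF
[Interface]
Address = $RELAY_TUN/32
ListenPort = 51820
PrivateKey = <relay-private-key>

[Peer]
PublicKey = <site-router-public-key>
AllowedIPs = $SITE_TUN/32, $CAMERA/32
EOF
}

# Lint before deploying (IPv4 only): fail if either side would route anything
# wider than a single host through the tunnel, which is the "every device sees
# every device" exposure a site-to-site VPN has by default.
tunnel_is_narrow() {
  for cfg in "$(site_wg_config)" "$(relay_wg_config)"; do
    printf '%s\n' "$cfg" | grep '^AllowedIPs' | tr -d ' ' | tr ',' '\n' |
      grep -Evq '/32$' && return 1
  done
  return 0
}

# Usage: site_wg_config > /etc/wireguard/wg0.conf && wg-quick up wg0
```

Enable IPv4 forwarding on the site router, and remember that an accept in the wg_guard chain does not override a drop in another base chain at the same hook, so a default-drop router needs its own accept for wg0 to the camera. The `tunnel_is_narrow` lint is worth keeping in a deployment script: the moment someone "fixes" a reachability problem by widening AllowedIPs to a /24 or 0.0.0.0/0, the tunnel is back to exposing the whole site.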
Software-defined networking or SD-WANs
SD-WAN, and the software-defined networking (SDN) ideas it is built on, is a more modern form of network virtualization designed to overcome the scalability and single-point-of-failure limitations of the traditional VPN. It does this by separating the control plane from the data plane: a controller distributes identities, policy and routing, while the nodes themselves establish data-plane tunnels with each other on demand, directly or through whichever relay is nearest, so there is no single concentrator that every packet must cross (the controller itself still has to be made redundant). In other words, as the name suggests, the private network is created as a function of software rather than of the physical networks (public or private) underneath it. Because it is not defined by the perimeter of any piece of network hardware, it can be scaled to any size and segmented any way you like across multiple physical networks, or globally across the internet.
Because the overlay is defined in software rather than by topology, it can carry whole subnets (an L2 or L3 overlay) or be terminated inside the application itself, a model sometimes called an application wide area network (AppWAN). An AppWAN is cool because it lets applications/services “connect” to each other over the internet as if they were on their own private local area network (LAN). The whole host no longer has to be visible on a network for an individual service on that host to talk to a service on another host; the applications themselves hold the overlay identity and establish the private connection, and no other process on the host has an interface or route into it. Why is this important? Because if malware somehow gets installed on a host, it cannot see the private network the applications are communicating over and so cannot use the AppWAN to spread. The caveat is that the boundary is the application's identity: malware that runs with the same privileges as the enrolled application, or that steals its identity material, gets the same access, so the enrolled process and its credentials still have to be protected. Even so, that is VERY cool!
When done correctly, an SD-WAN can be cheaper than a VPN, in hardware and software costs as well as in the total cost of ownership in manpower. SD-WANs also make better use of modern identity and access management (IAM) standards, increasing security by enforcing multi-factor authentication (MFA) and issuing short-lived, revocable tokens. If a node is compromised by a bad actor, its identity can be revoked immediately and its connection dropped, limiting the blast radius, with the obvious caveat that revocation is only as fast as your detection.
On the down side, being a newer technology, SD-WANs are not commonly found in typical cellular modem/router hardware. Therefore, it could be harder (and maybe more expensive) to stand up an SDN on the edge of a camera/cellular deployment.
I believe SD-WANs are the future of global network connectivity and therefore am very keen on them. They provide the greatest level of security and control for a reasonable price. For cloud-based VMS service providers who want to truly partition end-user network infrastructure, an SD-WAN makes that incredibly easy. Because SD-WANs are still relatively new, the edge (cellular and camera) side of the connection is more complicated and therefore could be an inhibitor to deployment for less sophisticated implementations.
Summary on security
In summary, there are many options one can take to secure access to cellular connected cameras on the edge. The worst thing is to leave the camera publicly accessible. At the very least, try to implement a whitelist strategy. However, if you can implement a more sophisticated solution like a VPN, or even better, an SD-WAN, it is well worth the effort to keep the bad guys out!
In Part 2 of “Understanding Cellular Connectivity for Real Time Camera Streaming,” I will cover the aspects of costs associated with cellular connected camera systems.