CCTV IP networks: Security & Suitability

It is worth noting at the outset that a CCTV IP network must be designed correctly: all-too-common implementations provide direct access to all CCTV equipment from the camera pole. Are your camera IP addresses in the same range as your NVRs and control room workstations? Are you lacking a firewall between you and the outside world? Then this applies to you. Network design is often overlooked, and a connection by a malicious individual could have dire consequences.

There are plenty of best practice guidelines currently in print; of particular note is the NSI code of practice for the design, installation and maintenance of CCTV surveillance systems, NCP 104.3.

Network design is critical.

IP CCTV is a paradigm shift from its analogue predecessor. Simply connecting up some Cat5e in the same way one would perform a coaxial installation just doesn't cut the mustard; designing a network with suitable performance and security is a challenge in itself. It is trivial to build a functional IP network by simply connecting unmanaged switches together, and unfortunately, often through a lack of understanding on the installer's part, that is exactly what happens. Network video is transferred using a simple protocol, UDP, which provides predictable transmission latencies at the cost of reliability: a lost packet is simply gone. H.264, the compression algorithm, relies on data sent in previous packets to decode an image, so if data is lost it can be some time, often seconds, before a usable image finally appears. With this combination of technologies packet loss often manifests itself as green blocks appearing on the video for a while, then disappearing, then reappearing.

Network links between infrastructure are almost always oversubscribed, meaning multiple gigabit devices are attempting to push data down a single gigabit uplink. This causes output buffer overflows on the switch, leading to the aforementioned packet loss. If oversubscription is not carefully managed and mitigated, CCTV systems can deteriorate rapidly as cameras are added or control room load increases.
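The interaction between the two points above (UDP drops without retransmission, and H.264 frames that depend on the frames before them) is easy to model. The following is an added example, not code from the original article or from Hygrinet: the cameras, uplink capacity, 25 fps frame rate and GOP length are constructed and illustrative, and the loss fraction is the steady-state share a full output buffer must drop, not a measurement of any particular switch.

```python
"""Model of how UDP packet loss and H.264 inter-frame dependency interact
on an oversubscribed uplink. Camera bitrates, uplink capacity, frame rate
and GOP length are constructed for this example, not measured values."""
import random

FPS = 25  # assumed camera frame rate


def oversubscription_ratio(camera_mbps, uplink_mbps):
    """Offered load divided by uplink capacity. Above 1.0 the switch's
    output buffer fills and it must drop packets, however large it is."""
    return sum(camera_mbps) / uplink_mbps


def steady_state_loss_fraction(ratio):
    """Share of packets dropped once the buffer is permanently full."""
    return max(0.0, 1.0 - 1.0 / ratio)


def frames_unusable_after_loss(lost_frame, gop):
    """Frames that cannot be decoded from lost_frame up to the next I-frame.
    Frames 0, gop, 2*gop, ... are I-frames; every frame between them is
    predicted from the frame before it, so one lost frame spoils the rest
    of its group of pictures."""
    next_keyframe = (lost_frame // gop + 1) * gop
    return next_keyframe - lost_frame


def recovery_seconds(lost_frame, gop, fps=FPS):
    """Wall-clock time the operator sees corrupted video after one loss."""
    return frames_unusable_after_loss(lost_frame, gop) / fps


def simulate_stream(n_frames, gop, packet_loss, packets_per_frame, seed=1):
    """Count frames that cannot be displayed when each UDP packet is lost
    independently with probability packet_loss. Returns (unusable, total)."""
    rng = random.Random(seed)
    unusable = 0
    broken = False
    for frame in range(n_frames):
        if frame % gop == 0:
            broken = False  # I-frame: the decoder can resynchronise here
        if any(rng.random() < packet_loss for _ in range(packets_per_frame)):
            broken = True   # this frame, and those predicted from it, are lost
        if broken:
            unusable += 1
    return unusable, n_frames


if __name__ == "__main__":
    # Constructed site: 30 cameras at 4 Mbit/s sharing a 100 Mbit/s uplink.
    ratio = oversubscription_ratio([4.0] * 30, 100.0)
    print(f"oversubscription {ratio:.2f}, steady-state loss "
          f"{steady_state_loss_fraction(ratio):.1%}")
    print(f"one lost packet in frame 7 of a 25-frame GOP costs "
          f"{recovery_seconds(7, 25):.2f} s of video")
    for gop in (1, 25, 50):
        bad, total = simulate_stream(1000, gop, 0.01, 10)
        print(f"GOP {gop:>2}: {bad}/{total} frames unusable at 1% packet loss")
```

The simulation keeps the per-packet loss the same across GOP lengths, so the only thing that changes is how long each loss lingers; that is the mechanism behind green blocks that persist for seconds rather than a single frame.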

Finally, troubleshooting an unmanaged or lightly managed flat network often boils down to disconnecting devices one at a time to determine where the problem lies. Needless to say, this process is time consuming and often highly disruptive.

The resulting lack of performance from an unsuitable network often cripples an otherwise functional system; furthermore, troubleshooting this mess is difficult, so it is imperative to design a suitable network for the task in hand. Some of the performance and security challenges presented by CCTV networks are not trivial to solve and require an experienced engineer to design, configure and test the new network.

Network outages can be catastrophic.

A classic analogue NVR terminates individual coaxial inputs into the recorder and allows downloads to be performed through the network interface. Viewing and telemetry control are often provided through an analogue matrix and RS-485. With a pure IP NVR all traffic passes through the network, making it a single point of failure. While network hardware is often very reliable, cables or fibre can be damaged, switches can fail and wireless links can become misaligned or fail outright, at which point all control of that network segment is lost. Outdated layer 2 network designs rely on spanning tree (the bane of many network administrators!) to provide failover links between devices, but this protocol is slow, cannot select the best path between two points and often causes management nightmares. Modern layer 3 designs use routing protocols which are highly tuneable and mitigate these problems; these can be used to build a far more reliable network.
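The "cannot select the best path" point is worth seeing concretely. Below is an added example, not code from the original article or from Hygrinet: a constructed four-switch ring with equal link costs, a spanning tree rooted at SW-A that breaks ties by name (standing in for bridge ID), and a shortest-path lookup over the full graph standing in for what a layer 3 routing protocol computes. It shows only the path-selection difference; the convergence delay the paragraph mentions is not modelled.

```python
"""Spanning tree versus shortest-path routing on a constructed switch ring.
Switch names, topology and equal link costs are assumptions for this example."""
from collections import deque

# Constructed topology: SW-A, SW-B, SW-C, SW-D wired in a ring.
LINKS = [("SW-A", "SW-B"), ("SW-B", "SW-C"), ("SW-C", "SW-D"), ("SW-D", "SW-A")]


def adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def bfs_tree(adj, root):
    """Parent pointers of a shortest-path tree from root. Equal-cost ties are
    broken by name, much as STP breaks them by bridge ID. {node: parent}"""
    parent = {root: None}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return parent


def spanning_tree_links(adj, root):
    """Links a spanning tree rooted at root leaves forwarding; every other
    link in the topology is blocked to keep the layer 2 domain loop-free."""
    parent = bfs_tree(adj, root)
    return {frozenset((n, p)) for n, p in parent.items() if p is not None}


def path(adj, src, dst):
    """Hop list of a shortest path src -> dst, or None if they are cut off."""
    parent = bfs_tree(adj, src)
    if dst not in parent:
        return None
    hops, node = [], dst
    while node is not None:
        hops.append(node)
        node = parent[node]
    return hops[::-1]


def stp_path(links, root, src, dst):
    """Path traffic takes when only the spanning tree's links forward."""
    tree = spanning_tree_links(adjacency(links), root)
    return path(adjacency([tuple(link) for link in tree]), src, dst)


def routed_path(links, src, dst):
    """Path a link-state routing protocol would pick: any link may carry traffic."""
    return path(adjacency(links), src, dst)


def without_link(links, a, b):
    """Topology after the link a-b is cut (fibre damage, failed switch port)."""
    return [link for link in links if set(link) != {a, b}]


if __name__ == "__main__":
    print("STP   SW-C -> SW-D:", stp_path(LINKS, "SW-A", "SW-C", "SW-D"))
    print("route SW-C -> SW-D:", routed_path(LINKS, "SW-C", "SW-D"))
    cut = without_link(LINKS, "SW-A", "SW-D")
    print("after SW-A/SW-D cut, STP  :", stp_path(cut, "SW-A", "SW-C", "SW-D"))
    print("after SW-A/SW-D cut, route:", routed_path(cut, "SW-A", "SW-D"))
```

With the full ring, SW-C and SW-D are directly cabled, yet the tree blocks that link and video between them crosses three hops via the root. Cutting SW-A to SW-D forces a recompute and the direct link starts forwarding, but on a real network that recompute is the slow, disruptive convergence the paragraph refers to.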

The consequences of a network outage on an analogue NVR system vary widely depending on the implementation. In many cases analogue viewing and telemetry are performed out-of-band relative to review and download operations, so loss of the network does not affect recording or control. In a pure IP system, loss of network connectivity to the NVR means a complete loss of all recording and control until the issue is resolved.

Network security is paramount.

As mentioned at the beginning of the article, the importance of this cannot be overstated. Unlike a legacy analogue installation, an IP CCTV system requires extending network connectivity into public areas; many installations simply extend the internal layer 2 CCTV network out to the camera pole. If a would-be attacker rocks up to a camera column and plugs in a laptop they may as well have direct, physical access to the control room itself; connections to cameras, NVRs, network equipment, storage and workstations become trivial. Needless to say, the consequences of such an attack are unspeakably dire.

Here be dragons. If a would-be attacker has physical access to the network, as is the case with an Ethernet port in a public area, it is very difficult to prevent them from gaining some level of access, and most security paradigms preclude direct access to the network for this reason. Methods for frustrating access and reducing the attack surface require multiple layers of security, and this requirement should not be taken lightly.
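The questions posed at the start of the article (are cameras, NVRs and workstations in the same address range, and can a device on the camera side reach the control room?) can be checked against an inventory and a flow export. The following audit is an added example, not code from the original article or from Hygrinet: the zone plan of one subnet per role, the permitted direction of connections (NVR to camera, workstation to NVR, nothing initiated from the camera side), the device inventory and the observed flows are all constructed for illustration.

```python
"""Segmentation audit for a CCTV IP network.
Zone plan, permitted flows, inventory and flow records are constructed
assumptions for this example, not data from any real installation."""
import ipaddress
from itertools import combinations

# Assumed zone plan: one subnet per role, behind a firewall between zones.
ZONES = {
    "camera": ipaddress.ip_network("10.10.20.0/24"),
    "nvr": ipaddress.ip_network("10.10.30.0/24"),
    "workstation": ipaddress.ip_network("10.10.40.0/24"),
}

# Connections the design permits, as (initiating zone, target zone).
# Cameras never initiate; workstations never reach cameras directly.
ALLOWED_FLOWS = {("nvr", "camera"), ("workstation", "nvr")}

# Constructed inventory: (name, declared role, configured address).
INVENTORY = [
    ("cam-pole-01", "camera", "10.10.20.11"),
    ("cam-pole-02", "camera", "10.10.40.52"),  # addressed in the workstation subnet
    ("nvr-01", "nvr", "10.10.30.5"),
    ("ws-control-01", "workstation", "10.10.40.21"),
]

# Constructed flow records (source, destination), as a firewall or NetFlow
# export would list them.
OBSERVED_FLOWS = [
    ("10.10.30.5", "10.10.20.11"),   # NVR pulling video from a camera
    ("10.10.40.21", "10.10.30.5"),   # control room viewing the NVR
    ("10.10.20.99", "10.10.40.21"),  # unknown host on the camera side -> workstation
    ("10.10.20.99", "10.10.30.5"),   # the same host reaching the NVR
]


def zone_of(ip, zones=ZONES):
    addr = ipaddress.ip_address(ip)
    for role, net in zones.items():
        if addr in net:
            return role
    return "unknown"


def overlapping_zones(zones=ZONES):
    """Pairs of roles whose subnets overlap, i.e. share one broadcast domain.
    A flat design where everything sits in one /16 fails this check."""
    return [(a, b) for (a, na), (b, nb) in combinations(zones.items(), 2)
            if na.overlaps(nb)]


def misplaced_devices(inventory=INVENTORY, zones=ZONES):
    """Devices whose address falls outside the subnet of their declared role."""
    return [(name, role, ip, zone_of(ip, zones))
            for name, role, ip in inventory if zone_of(ip, zones) != role]


def disallowed_flows(flows=OBSERVED_FLOWS, allowed=ALLOWED_FLOWS, zones=ZONES):
    """Flows whose (initiator zone, target zone) pair the design does not permit."""
    findings = []
    for src, dst in flows:
        pair = (zone_of(src, zones), zone_of(dst, zones))
        if pair not in allowed:
            findings.append((src, dst, pair))
    return findings


def unknown_hosts(flows=OBSERVED_FLOWS, inventory=INVENTORY):
    """Addresses seen in the flow export that appear nowhere in the inventory."""
    known = {ip for _, _, ip in inventory}
    return sorted({ip for flow in flows for ip in flow if ip not in known})


if __name__ == "__main__":
    print("overlapping zones :", overlapping_zones())
    print("misplaced devices :", misplaced_devices())
    print("disallowed flows  :", disallowed_flows())
    print("unknown hosts     :", unknown_hosts())
```

Each finding maps to one of the article's concerns: an overlapping or misplaced entry means the camera side and the control room share an address range, a disallowed flow from the camera zone is exactly the "laptop at the camera column" case, and an unknown host in the export is something that was plugged in without being commissioned.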

Let's get this right from the outset. A properly designed and commissioned IP network is as important as having a suitable control room solution. Don't build your house on sand: it'll be alright, until it's not!

©2018  -  Hygrinet