Topic: Network Compliance Questions

Offline jlarsen

  • Richweb Staff (Admin)
  • Newbie
  • *
  • Posts: 4
Network Compliance Questions
« on: April 18, 2017, 02:16:16 pm »
Making sure your network is secure at all times.
« Last Edit: April 18, 2017, 02:18:18 pm by jlarsen »

Offline jlarsen

Security Cameras
« Reply #1 on: April 18, 2017, 02:17:34 pm »
We had a security guy here today. We are having a problem viewing the cameras from phones/devices; according to our vendor, the modem needs port forwarding.

The following info is what we have for the NVR (recorder) and cameras:

NVR

IP Address: 192.168.1.2
Need to do port forwarding for ports:
Server Port: 55115
HTTP Port: 80
RTSP Port: 10554

Note: The system can use tcp and udp for the non-http ports mentioned above. But first we need to look at the security:

Options:

1. I have the info I need to punch holes in the firewall on the rtr to restore the workings.

Pros: cheap

Cons: your vendor is a residential systems provider and they are not doing any kind of security updates on your system. So if we open those ports up to the internet there is a chance that box can get hacked. Anyone that hacks that box will have the ability to try to hack your PCs, servers, cloud, etc. from the inside.

Note: YOU WILL FAIL YOUR SECURITY AUDIT IF THIS IS DISCOVERED. If you have to do PCI (credit cards) or any other form of external scan you will fail this scan and have to pay to have it fixed (i.e. option 2 or 3 below):


2. Leave the ports closed, and vpn into the cloud to attach to the camera at:

Open a browser to this url next time you are logged in remote and see how it runs:

http://192.168.1.2


Pros: no work needed, very secure, camera vendor can have access as well if he needs to get in remotely. Audit-compliant

Cons: have to open a vpn client to do the work (1 more step)


3. Open the ports BUT also vlan/restrict off the system so that it can go to the internet but CANNOT touch any of your systems internally.

Pros: audit-compliant, most secure

Cons: have to pay Richweb to make the changes and your vendor to re-IP his NVR and cameras - this will prob. be a few hrs of work for each team to complete and test. Grey is willing to do this (probab. would be good for us to teach him some new tricks if he is going to work with commercial systems, or else he can get into legal hot water).
« Last Edit: April 18, 2017, 02:20:14 pm by jlarsen »
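Option 3 as an OpenBSD pf.conf fragment. This is an added example, not configuration from the post or from Richweb; the interface names, VLAN id, placeholder public address and address ranges are assumptions, and the NVR is shown re-addressed into the camera VLAN (the re-IP the post says the vendor would have to do). The three NVR ports are the ones listed in the post.

```pf
# Added example (not the thread's own config): pf.conf for option 3.
# Assumed: em0 faces the internet, em1 is the office LAN, vlan20 carries
# only the NVR and cameras. 203.0.113.10 is a placeholder public address.
ext_if    = "em0"
lan_if    = "em1"
cam_if    = "vlan20"
fwip      = "203.0.113.10"
lan_net   = "10.0.0.0/24"
cam_net   = "192.168.20.0/24"
nvr       = "192.168.20.2"
nvr_ports = "{ 80, 10554, 55115 }"   # HTTP, RTSP and server ports from the vendor's list

set skip on lo
block log all

# Camera VLAN: may reach the internet, never the office LAN.
# The quick block is matched first, so no later pass rule can undo it.
block in log quick on $cam_if from $cam_net to $lan_net
pass in on $cam_if from $cam_net to any
pass out on $ext_if from $cam_net nat-to ($ext_if)

# The forwarded ports land only in the isolated VLAN; a compromised NVR
# has no path into $lan_net.
pass in on $ext_if proto { tcp, udp } from any to $fwip port $nvr_ports rdr-to $nvr
pass out on $cam_if proto { tcp, udp } to $nvr port $nvr_ports

# Office LAN: normal egress, plus on-site viewing of the NVR.
pass in on $lan_if from $lan_net to any
pass out on $ext_if from $lan_net nat-to ($ext_if)
```

The point of the ordering is the single quick block rule on the camera VLAN: everything else in the file can change (new forwards, new vendors) and the cameras still cannot initiate anything toward the office network. With option 2 instead, the rdr-to line is simply dropped and the VPN client pool takes the place of "any".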

Offline jlarsen

Re: Network Compliance Questions - open RDP
« Reply #2 on: April 18, 2017, 08:16:14 pm »
I see we also have rdp enabled:

pass in quick on $ext_if proto tcp from any to $fwip port 3390 rdr-to 10.0.0.3 port 3389

Customers will (and have) gotten hacked with this setup. You then end up having a security risk if anyone has a weak passwd.

Just so you know - PCI compliance and other audits will fail if you have any open windows rdp on the ip they scan. If you have something like citrix secure gateway (what UMFS ran) you can get away with that being open as long as the ssl security checks pass. But open rdp won't work any more.
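The quoted forward and its replacement, as an added pf.conf example that is not from the post: the open rdr-to is removed and RDP is reachable only from VPN clients, so the address an external scanner tests shows no RDP service. The interface names, placeholder public address and VPN client pool are assumptions; 10.0.0.3 and the 3390/3389 ports are the ones quoted above.

```pf
# Added example (not the thread's own config). Assumed: em0 faces the
# internet, tun0 is the VPN tunnel, 10.8.0.0/24 is the VPN client pool,
# 203.0.113.10 is a placeholder public address.
ext_if   = "em0"
fwip     = "203.0.113.10"
vpn_if   = "tun0"
vpn_net  = "10.8.0.0/24"
rdp_host = "10.0.0.3"

# Before (the rule quoted in the thread): RDP answers to any internet address,
# so an external PCI scan finds it and any weak password is exposed to guessing.
# pass in quick on $ext_if proto tcp from any to $fwip port 3390 rdr-to 10.0.0.3 port 3389

# After: nothing on $ext_if forwards to RDP. The quick block makes that
# explicit even if a forward is added later in the file.
block in log quick on $ext_if proto tcp from any to $fwip port { 3389, 3390 }

# RDP only for clients that have already authenticated to the VPN.
pass in on $vpn_if proto tcp from $vpn_net to $rdp_host port 3389
```

Check it the way the auditor will: from outside, a connection to $fwip on 3390 or 3389 should time out or be refused, and the only way to reach 10.0.0.3:3389 should be with the VPN up. The logged block rule also gives a record in pflog of anyone probing those ports.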
