Ive owned a Hikvison system for approx 1 yr now. Ive spent the past week reading various threads about NVR security and I feel I need to know what settings my NVR should be set up to secure it. I've started to make a list of questions for my installers, but could someone give me a list of what should be done? I don't want a plug and play system that allows every man and his dog trying to get into my NVR /Router.
How to Lock Down My Hikvison System?
- Thread starter maxcars1
- Start date
- Messages
- 3,235
- Points
- 113
It depends on how it is set up currently for remote connection.
If it's registered with Hik-Connect, no port forwarding is needed and additionally you can encrypt the images. Some will suggest a VPN as the only secure way to access the device remotely. Unfortunately if you don't use the Hik-Connect service (which you cannot if you're using a VPN), you miss out on features such as filtered playback, push notifications and others.
To some extent you're choosing between convenience and security. I choose convenience. There is a really easy way to secure your system...remove it from the network.
If it's registered with Hik-Connect, no port forwarding is needed and additionally you can encrypt the images. Some will suggest a VPN as the only secure way to access the device remotely. Unfortunately if you don't use the Hik-Connect service (which you cannot if you're using a VPN), you miss out on features such as filtered playback, push notifications and others.
To some extent you're choosing between convenience and security. I choose convenience. There is a really easy way to secure your system...remove it from the network.
- Thread starter
- #5
remove it from the network - you mean there's another way to install a CCTV system - sorry for sounding thick.
- Messages
- 3,235
- Points
- 113
I mean if the NVR is not connected to your router, it's not connected to the internet and so is secure from hacking attempts as it can only be operated locally.
Sunchaser
New Member
- Messages
- 4
- Points
- 1
I've implemented several measures to enhance the security of my system, and I'm eager to hear the expert insights from JW Solutions on their strategies and if i've missed anything. My efforts include:
But as JW Solutions stated removing the cameras from the internet or VPN is the most secure but it's a pain for sure.
I'm interested in adding an extra layer of security, like two-factor authentication through services such as Google Authenticator, for accessing Hik-Connect. To my knowledge, this feature hasn't been implemented yet. I hope I am wrong.
- Updating firmware on cameras and Network Video Recorder (NVR) to ensure the latest security patches and features are in place.
- Establishing a robust, randomly generated password for the admin user to prevent unauthorized access.
- Avoiding port forwarding by utilizing Hik-Connect for remote access, enhancing security by minimizing direct exposure to the internet.
- Isolating the NVR within a dedicated and segregated VLAN, limiting potential network vulnerabilities.
- Activating stream encryption to protect video data integrity and confidentiality.
- Enabling HTTPS browsing on the NVR, securing web interface communications.
But as JW Solutions stated removing the cameras from the internet or VPN is the most secure but it's a pain for sure.
I'm interested in adding an extra layer of security, like two-factor authentication through services such as Google Authenticator, for accessing Hik-Connect. To my knowledge, this feature hasn't been implemented yet. I hope I am wrong.
- Messages
- 3,235
- Points
- 113
It's always best to keep cameras and NVR up to date. Unfortunately there are bugs reported from time to time in firmware updates. There will be many systems out there that get installed and just left, never updated and that's where risk lies.
Again easy to do. It's a shame that the 'admin' username cannot be changed to further enhance security and thats something that has been communicated to Hikvision by use-ip staff previously I believe (as one of Hikvision's own security hardening white papers details it but doesn't implement it in it's own systems). If port forwarding or UPnP are not in use, and the NVR/DVR/Camera http interface are not accessible from the internet, the password on the NVR/DVR is preventing access to the local interface or from the LAN.
For viewing remotely, port forwarding is no longer necessary/advised. An issue arises if remote configuration is needed...
Hikvision have come up with Hik Partner Pro allowing installers to access systems without port forwarding required and with the ability of the end user to control access (allowing/revoking of permissions from within their Hik-Connect app). It's a nice concept but currently is lacking in number of areas. Slow access, many menu items inaccessible using the platform, firmware updates limited to security patches rather than being able to remotely load a general release firmware file. Hikvision have decided to charge installers per site for this service. That might be fine for installers dealing with commercial installations where ongoing maintenance plans are in place. However for smaller installers dealing primarily with residential systems it doesn't work. The inability to be able to access all programming features that are available by browser and the cost will likely push installers back to using port forwarding.
Beyond the scope of most home users; some users will create an IoT VLAN for all devices that need to 'call home' to internet services (TV's, smart home devices etc)
Adds security but also adds some latency and sometimes can cause glitches in the images when viewed in the app.
Certainly worthwhile if there needs to be port forwarded access to the device web interface to prevent username and passwords being transmitted unencrypted.
@Sunchaser I think you've probably implemented more with regard to securing the system than most users (or even installers) would bother with, certainly for a domestic system.
As has been mentioned before, there's a balance between network security and convenience. Many are concerned about access to the CCTV system but are more than happy to have Amazon, Google and other devices connected to their network; listening in around the home and recording every journey they've made/location they've visited with their smartphone.
Does that mean the mobile Hik-Connect app does not allow a direct connection to a Hikvsion NVR? (You have to go through their P2P server.)
I'd love to completely isolate the NVR from the Internet,
and still be able to use Hik-Connect over a VPN to interface to the NVR.
Disappointing if Hik-Connect won't let two devices on the same LAN talk directly to each other.
Thanks for any help & clarification.
- Messages
- 3,235
- Points
- 113
No you can still add the device to the Hik-Connect app using its IP address and server port to avoid using Hik-Connect P2P service. However some features are unavailable such as push notifications and event clips in app.
You can just add the NVR to Hik-Connect using it's LAN side IP address and then access it over a VPN as you've described.
