IP Camera Hardening and Cybersecurity Guide | Secure Configuration and Operation
5 | 14
Data subject to change without notice | August 22
Security Systems / Video Systems
Feature Description and Hardening Decisions
HTTP
HTTP is enabled by default but unencrypted, so credentials and settings are transferred in clear text whenever it is used.
Recommendation: Disable plain HTTP in favor of encrypted HTTPS, especially if the network is untrusted.
HTTPS
HTTPS is encrypted and should be the default choice for accessing the web interface or the web-based RCP+ API. Using your own PKI and certificates is recommended.
Recommendation: HTTPS is the default secure protocol for configuration and should remain enabled.
RTSP
RTSP is used for video streaming but is normally unencrypted. If the software receiving the video stream supports RTSPS, plain RTSP should be disabled. When using other Bosch components (e.g. decoders, BVMS, VRM, DIVAR IP), a Bosch proprietary encryption for RTSP can be enabled, which secures the transmission.
Recommendation: Take a risk-based decision on whether video may be transmitted unencrypted or with Bosch encryption. If possible, use encrypted RTSPS.
RCP
The Bosch proprietary "remote control protocol plus" (RCP+) is the configuration protocol for Bosch IP cameras. Plain RCP+ is unencrypted, so settings are transferred in clear text. All Bosch tools have used RCP+ over HTTPS for some time, but plain RCP+ might still be needed by 3rd-party integration or scripting tools that rely on it.
Recommendation: Disable plain RCP+ if it is not used by 3rd-party tools or legacy systems.
SNMPv1
SNMP is the common network monitoring protocol used to query health information from a device or to send traps to a remote receiver. SNMPv1 is unencrypted, so the community string and all queried data travel in clear text.
Recommendation: Keep disabled unless required for health monitoring or other compatibility reasons; use SNMPv3 if possible.
SNMPv3
SNMPv3 is the successor to SNMPv1 and can additionally authenticate and encrypt its traffic.
Recommendation: Use SNMPv3 if SNMP monitoring must be implemented.
iSCSI
This setting controls the camera's internal iSCSI server, which makes recordings stored on the camera accessible via iSCSI. iSCSI is an unencrypted protocol.
Recommendation: Disable the iSCSI server if it is not used on the camera.
UPnP
Makes the camera discoverable via the UPnP protocol.
Recommendation: Disable UPnP if not needed.
NTP Server
Enables an NTP server on the camera so that other devices or cameras can synchronize their time from it. If possible, a dedicated device should serve time to the camera network, keeping this service separate from the cameras. If no other device is available, time can be served by a camera.
Recommendation: The NTP server should be disabled if not needed.
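An audit script that probes a camera for the listeners discussed in this section (HTTP, HTTPS, RTSP, RCP+, iSCSI, SNMP) and maps what it finds onto the recommendations above. It is added here as an example and is not part of this guide or of Bosch's tooling. It assumes the standard ports (HTTP 80, HTTPS 443, RTSP 554, iSCSI 3260, SNMP UDP 161); the RCP+ port 1756 and the "public" SNMP community are assumptions made for the probe, not statements about camera defaults. The SNMPv1 GET is built by hand so that the clear-text community string is visible in the packet, and the HTTPS check verifies that the camera's certificate chains to the CA file of your own PKI.

```python
# Service-exposure audit for an IP camera against the baseline above. Added example, not
# Bosch tooling. Ports 80/443/554/3260/161 are standard; 1756 for RCP+ is an assumption.
import socket
import ssl

TCP_PORTS = {"HTTP": 80, "HTTPS": 443, "RTSP": 554, "RCP+": 1756, "iSCSI": 3260}

def tcp_open(host, port, timeout=2.0):
    try:  # True if something accepts a TCP connection on host:port
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ber(tag, body):  # BER TLV; long-form length when the body is 128 bytes or more
    n = len(body)
    if n >= 0x80:
        size = (n.bit_length() + 7) // 8
        return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body
    return bytes([tag, n]) + body

def _ber_read(data, pos=0):  # one TLV -> (tag, body, next_pos); IndexError if truncated
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def build_snmpv1(community, oid, request_id=1, pdu_tag=0xA0):
    """SNMPv1 message (version 0); pdu_tag 0xA0 = GetRequest, 0xA2 = GetResponse.
    The community string is embedded as plain text, which is the v1 weakness."""
    varbind = ber(0x30, ber(0x06, encode_oid(oid)) + b"\x05\x00")  # OID, NULL value
    pdu = ber(pdu_tag, ber(0x02, bytes([request_id])) + ber(0x02, b"\x00")  # id < 128
              + ber(0x02, b"\x00") + ber(0x30, varbind))
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community.encode()) + pdu)

def is_snmpv1_getresponse(data):
    """True if data parses as a v1 GetResponse, i.e. the agent accepted the community."""
    try:
        tag, msg, _ = _ber_read(data)
        vtag, version, pos = _ber_read(msg)
        ctag, _community, pos = _ber_read(msg, pos)
        ptag, _, _ = _ber_read(msg, pos)
    except IndexError:
        return False
    return tag == 0x30 and vtag == 0x02 and version == b"\x00" and ctag == 0x04 and ptag == 0xA2

def snmpv1_answers(host, community="public", timeout=2.0):
    """v1 GET for sysDescr.0 over UDP 161; any GetResponse means SNMPv1 is enabled.
    "public" is only the probe default, not a claim about the camera's configuration."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_snmpv1(community, "1.3.6.1.2.1.1.1.0"), (host, 161))
            return is_snmpv1_getresponse(s.recvfrom(4096)[0])
        except OSError:
            return False

def https_trusted(host, cafile, port=443, timeout=3.0):
    """Does the camera's certificate chain to your own PKI CA in cafile? -> (ok, detail)"""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # hostname + chain checks on
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subject")
    except OSError as e:  # ssl.SSLError (bad chain, name mismatch) is an OSError
        return False, str(e)

FINDINGS = {  # feature -> finding when its listener is reachable
    "HTTP": "HTTP (80) open: credentials and settings travel in clear text; use HTTPS only",
    "RTSP": "RTSP (554) open: video is unencrypted unless RTSPS or Bosch encryption is used",
    "RCP+": "RCP+ (1756) open: plain RCP+ is unencrypted; disable unless a 3rd-party tool needs it",
    "iSCSI": "iSCSI (3260) open: recordings reachable unencrypted; disable if unused",
}

def evaluate(open_tcp, snmpv1_answered):
    """Map probe results onto the guide's recommendations -> list of findings."""
    f = [msg for name, msg in FINDINGS.items() if open_tcp.get(name)]
    if not open_tcp.get("HTTPS"):
        f.append("HTTPS (443) closed: configuration is not reachable over an encrypted channel")
    if snmpv1_answered:
        f.append("SNMPv1 answered a GET with the probe community: disable v1, use SNMPv3")
    return f

def audit(host, cafile=None):
    open_tcp = {name: tcp_open(host, port) for name, port in TCP_PORTS.items()}
    findings = evaluate(open_tcp, snmpv1_answers(host))
    if cafile and open_tcp.get("HTTPS") and not https_trusted(host, cafile)[0]:
        findings.append(f"HTTPS (443) certificate does not chain to {cafile}")
    return findings
```

Call `audit("192.0.2.10", "camera-ca.pem")` from a host on the camera network (the address and file name are placeholders); an empty list means nothing deviates from the baseline. UPnP and the NTP server are not probed, because discovery on UDP 1900 and NTP on UDP 123 answers depend on the surrounding network; verify those two in the camera configuration instead. A camera that answers the SNMPv1 GET still has v1 enabled even if SNMPv3 is also on, since both share port 161.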