VII
Forward Only Ports You Need
Forward only the HTTP and TCP ports that are requited. Do not forward a wide range
of numbers to the device. Do not DMZ the device's IP address.
Do not forward any ports for individual cameras if they are all connected to a recorder
on site. Simply forward the NVR port.
Use a Different Username and Password for DSS
Do not use a username/password combination that you have in use for other
accounts, including social media, bank account, or email in case the account is
compromised. Use a different username and password for your security system to
make it difficult for an unauthorized user to gain access to the IP system.
Limit Features of Guest Accounts
Ensure that each user has rights to features and functions they need to perform their
job.
Disable Unnecessary Services and Choose Secure Modes
Turn off specific services, such as SNMP, SMTP, and UPnP, to reduce network
compromise from unused services.
It is recommended to use safe modes, including but not limited to the following
services:
SNMP: Choose SNMP v3 and set up strong encryption passwords and authentication
passwords.
SMTP: Choose TLS to access a mailbox server.
FTP: Choose SFTP and use strong passwords.
AP hotspot: Choose WPA2-PSK encryption mode and use strong passwords.
Multicast
Multicast is used to share video streams between two recorders. Currently there are
no known issues involving Multicast. Deactivate this feature if not in use to enhance
network security.
Check the Log
The information stored in the network log file is limited due to the equipment’s limited
storage capacity. Enable the network log function to ensure that the critical logs are
synchronized to the network log server if saving log files is required.
Check the system log if you suspect that someone has gained unauthorized access to
the system. The system log shows the IP addresses used to login to the system and
the devices accessed.
Physically Lock Down the Device
Perform physical protection to equipment, especially storage devices. For example,
place the equipment in a special computer room and cabinet, and implement access
control permission and key management to prevent unauthorized personnel from
accessing the equipment.
Connect IP Cameras to the PoE Ports on the Back of an NVR
Cameras connected to the PoE ports on the back of an NVR are isolated from the
outside world and cannot be accessed directly.
Isolate NVR and IP Camera Network
Ensure that the network for the NVR and IP cameras should not be the same network
as a public computer network. Separate networks prevent unauthorized users
accessing the same network the security system.
