IP Camera Hardening and Cybersecurity Guide |
Secure Configuration and Operation
7 |
14
Data subject to change without notice | August 22
Security Systems / Video Systems
802.1X
802.1x is a standard for Network Access Control (NAC). It allows devices to authenticate in the network, granting
only authenticated devices access to the network. Bosch IP cameras support 802.1x either with password or
certificate-based authentication, with certificate-based authentication being the preferred method. To use 802.1x
the network switch must support this standard, and an authentication server is needed.
Recommendation:
If network infrastructure allows it, use network authentication with 802.1x.
Syslog
As the camera does only provide a limited space for log messages, they should be sent to a central location and
analysed there to detect any attacks or misconfigurations.
Recommendation:
Use TCP Syslog to avoid losing messages due to packet loss, use Syslog with TLS to encrypt
and authenticate messages.
SNMPv3 Mode
SNMPv3 is the successor of SNMPv1 and allows for secure authentication and transfer of information.
Recommendation:
When using SNMPv3 use SHA1 as authentication protocol and AES as privacy protocol (if
supported).
IP Filter
In IP Filter several IP addresses (single hosts or network subnets) can be defined, that are allowed to access the
camera. It is recommended to define the computers or networks accessing the camera here.
Recommendation:
It is recommended to use the IP filter to define allowed hosts or networks.
Date / Time
For having the correct timestamp on logs and video data is it recommended to sync the time to a central
timeserver. Both SNTP and TLS date can be used to achieve that. The advantage of SNTP is a more precise time
synchronization, the advantage of TLS date is the possibility to check for a correct certificate making it the more
secure solution.
Recommendation:
Use a secure means of synchronizing time either with SNTP or TLS date.
Cloud based services
Bosch offers its own cloud-based services to manage cameras over the Bosch Cloud Portal. The cloud services do
not automatically connect to the cloud and are disabled by default. Each camera needs to be connected to the
cloud portal first if it should be used. Every precaution has been taken to secure the connection between cloud and
camera, so if needed the portal can be used in any environment.
Recommendation:
Bosch cloud portal can be used depending on if cloud solution is in use.
Software Sealing
After a completed configuration of an IP camera the settings of the device should not change. A software seal can
be enabled to be notified of any changes to device configuration (break of seal).
Recommendation:
Enable software sealing if there are no pending configuration changes.
