Installation Guide
Restrict between end point ports
End points are defined as the extreme edges of the network, normally
video sources, which could be exploited as potentially insecure
connections into the Closed IPTV network.
This option acts as a hard firewall to stop exposed end points from
being used to mount attacks on other cameras in a different location
(e.g. prevents a camera in a public location from affecting a camera in
the safe vault).
Restrict public access (Port B)
Select to restrict all network data between the General/Corporate
network and the video end points. No outside connections except
the NVR are allowed to communicate with end points directly, and
end points are separated from the General/Corporate network.
Note:
The NVR itself, on a standard DHCP or static IP address, will still be accessible from Eth-B if
physically connected to the network.
Note:
Non-NetVu Connected cameras will only be allocated DHCP addresses by the external network if
this option is disabled.
Warning: If this option is not enabled, it will still be possible for external systems connected to
the general corporate network (via port Eth-B) to access all camera/video sources.
Dedicated Micros recommends that Eth-B should always be left restricted in Secure Mode,
as security can be compromised if left unrestricted. Additional Closed IPTV systems should
always be added in Config mode to allow auto IP configuration to accommodate existing
systems and avoid IP conflicts.
Restrict multicast from general network
This disables client network access to the multicast services on
the camera, but does not disable standard web access for camera
configuration etc. unless ‘Restrict public access’ is also enabled. If this
option is ticked, it only allows clients to receive multicast video data
through SAP service group broadcasts from the NVR.
Warning:
Multicasting requires this option to be disabled to ensure public access is unrestricted.
Lock ports by MAC
Camera ports on the Layer 3 Enhanced CCTV Switch can be locked to
the MAC address of the camera connected to that port. This prevents
casual access from the port to the rest of the system (DVR, other
cameras). No other MAC address will be allowed on that port. This
allows multicast, direct camera access etc. but protects the client network
to a limited degree from the exposed end point.
Signature Verify Remote Codecs
More sophisticated attackers could bypass the Layer 3 Enhanced
CCTV Switch MAC address rules (described in ‘Lock Ports by MAC’) by
spoofing the MAC address of the camera connected to the port. We can
identify such attackers using Trusted Endpoint Signature Verification of
the video stream.
Warning:
If this option and ‘Lock ports by MAC’ are not enabled then cameras or other devices
can be swapped in and out of the port with no restrictions on their network data, i.e. an
alternative ‘hacked’ video source could be introduced to the Layer 3 switch in place of a
legitimate source.
Restrict End Point Access to NVR
To limit the potential intrusion methods available from the camera
ports, the standard set of TCP and UDP services on the NVR can be
completely disabled to traffic from the camera ports. If a camera has
been swapped for a device that has been given a spoofed MAC address,
the NVR will still only accept data from that connection via the usual
HTTP port. The port can only supply video, and this will be flagged as
unsigned due to the Trusted Endpoint feature (if enabled).
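
An added example, not taken from this manual or from Dedicated Micros code: a Python model of how ‘Lock ports by MAC’ and signature verification combine on one camera port, including the case where a swapped-in device copies the camera's MAC address. The manual does not describe how Trusted Endpoint Signature Verification works, so HMAC-SHA256 with a per-camera key is an assumed stand-in, and the MAC addresses, key and frame bytes are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; the manual gives no MACs, keys or frame format.
LOCKED_MAC = {1: "00:11:22:33:44:55"}             # switch port -> MAC locked to it
CAMERA_KEY = {1: b"constructed-per-camera-key"}   # port -> key known to camera and NVR


def sign_frame(key: bytes, frame: bytes) -> bytes:
    """Tag a genuine camera attaches (HMAC-SHA256 is an assumed stand-in)."""
    return hmac.new(key, frame, hashlib.sha256).digest()


def admit(port, src_mac, frame, tag, lock_by_mac=True, verify_signature=True):
    """Return 'dropped', 'accepted' (nothing verified), 'signed' or 'unsigned'."""
    # Lock ports by MAC: compares only the source address the device claims.
    if lock_by_mac and src_mac.lower() != LOCKED_MAC[port]:
        return "dropped"
    if not verify_signature:
        return "accepted"
    # Signature verification: depends on a key a swapped-in device does not hold.
    expected = sign_frame(CAMERA_KEY[port], frame)
    if tag is not None and hmac.compare_digest(expected, tag):
        return "signed"
    return "unsigned"  # video still arrives but is flagged


def scenarios():
    """Run the cases discussed above and return each outcome by name."""
    frame = b"constructed video frame"
    good_tag = sign_frame(CAMERA_KEY[1], frame)
    forged = sign_frame(b"guessed-key", frame)
    cam, rogue = LOCKED_MAC[1], "66:77:88:99:aa:bb"
    return {
        "genuine camera": admit(1, cam, frame, good_tag),
        "swapped device, own MAC": admit(1, rogue, frame, None),
        "swapped device, spoofed MAC": admit(1, cam, frame, None),
        "spoofed MAC, forged tag": admit(1, cam, frame, forged),
        "spoofed MAC, MAC lock only": admit(1, cam, frame, None, verify_signature=False),
        "both options off": admit(1, rogue, frame, None, lock_by_mac=False, verify_signature=False),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30} -> {outcome}")
```
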