1

I have several PoE IP webcams installed on my house. Each mounting point has only one wire going to it: the Cat6 with 8P8C plug at the end, which both powers and communicates with the camera.

I would like to ensure that if any device other than the known camera is connected to the port, the attacker won't be able to access the network. What's the best way to do that? I would prefer the solution to be as much hands-off as possible. Thank you so much!

1 Answer

2

Place the cameras and the machine monitoring them on a separate VLAN. They would then be completely shielded from the rest of the network no matter what is attached to the cables leading to a camera.

Requires: Managed switch supporting VLAN feature.

Note: You may also want to disable switch login access from the camera VLAN to increase security.

Edit: As suggested by Keltari, all cameras can still be accessed. You could assign each camera one VLAN and then let the monitoring machine be part of all. Then they would have to hack the machine to get access to the rest of the cameras.

5
  • This would still allow an attacker to the camera's network though. You could enable MAC address filtering, but that isn't much of a deterrent.
    – Keltari
    Commented Jan 26, 2015 at 1:37
  • What if I want to access the machine monitoring it remotely? Do I have to have two NICs in it or can I configure the single NIC to be in several VLANs (as you can tell, I don't have experience with managed switches). The machine is Linux, if it matters.
    – Rom
    Commented Jan 26, 2015 at 1:37
  • @Keltari: I already use MAC address filtering (DHCP level), and I assume the VLAN routers can enforce it on their level too. However, it's not that difficult for the attacker to change the MAC address on his/her device.
    – Rom
    Commented Jan 26, 2015 at 1:39
  • @Rom As I said, it's not much of a deterrent.
    – Keltari
    Commented Jan 26, 2015 at 1:40
  • It really comes down to how secure you need to be, versus the effort you want to put out. Always assume if someone has physical access to a device, they have complete access. I wouldn't go as far as putting each camera on a separate VLAN, but that depends on you.
    – Keltari
    Commented Jan 26, 2015 at 1:44
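
On the single-NIC question raised in the comments: a Linux machine can join several VLANs through one NIC using 802.1Q tagged sub-interfaces. The script below is an added example, not part of the original answer or comments. It assumes the switch port facing the monitoring machine carries the camera VLANs tagged, and the NIC name, VLAN IDs and addressing scheme are constructed.

```sh
#!/bin/sh
# Constructed values: NIC name, VLAN IDs and the 10.x.y.1/24 addressing are assumptions.
# Dry run by default (prints commands); APPLY=1 as root executes them.
PARENT="${PARENT:-eth0}"
CAMERA_VLANS="${CAMERA_VLANS:-101 102 103}"

# Accept only numeric 802.1Q VLAN IDs in the usable range 1-4094, no leading zeros.
valid_vid() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Emit the iproute2/sysctl commands for one tagged sub-interface per camera VLAN.
vlan_commands() {
    parent="$1"; shift
    # Validate everything first so a bad ID never leaves a half-applied setup.
    for vid in "$@"; do
        valid_vid "$vid" || { echo "invalid VLAN ID: $vid" >&2; return 1; }
    done
    for vid in "$@"; do
        ifname="$parent.$vid"
        addr="10.$((vid / 256)).$((vid % 256)).1/24"
        echo "ip link add link $parent name $ifname type vlan id $vid"
        echo "ip addr add $addr dev $ifname"
        echo "ip link set dev $ifname up"
    done
    # This host is a member of every camera VLAN, so it must not route
    # between them, or the per-camera isolation is undone.
    echo "sysctl -w net.ipv4.ip_forward=0"
    echo "sysctl -w net.ipv6.conf.all.forwarding=0"
}

if [ "${APPLY:-0}" = "1" ]; then
    cmds=$(vlan_commands "$PARENT" $CAMERA_VLANS) && printf '%s\n' "$cmds" | sh -e
else
    vlan_commands "$PARENT" $CAMERA_VLANS
fi
```

Review the printed commands before running with `APPLY=1`; settings made this way do not persist across a reboot.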
