
A DVR Security System That Isn't Based on Windows?

Brady J. Frey asks: "For months, I've had a client that has been looking for a Linux or Mac alternative for their DVR Security systems. They are a large Real Estate company with 200+ cameras worldwide, and their Pelco PC DVRs are hubs for viruses. These systems cannot run anti-virus software at the same time they record -- but require internet inbound/outbound traffic through specific ports that leave some nice holes in the firewall for viruses to find their way in as needed. Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost-effective method for a number of their locations. Therefore we are looking for alternatives. Any suggestions?"
"We've tried looking at Ben's Security Spy for Mac, and running a Quicktime server, but it was not industrial enough for us and the developer has been elusive. We're looking at Endura by Pelco, but there are some questions unanswered for it.

What I want is a high end, professional DVR system for a large business that does not run Windows. Budget isn't really an issue at this point, since we are just looking for options.

To note, I'm hearing I could possibly do IP cameras, and host any ol' web server I want to download those files, but I have no clue as to how to control the cameras, or if this is really a possibility. Any advice or information is appreciated. If you are an expert in this industry, we may have a need for your services and would welcome that too!"

  • Traffic (Score:2, Insightful)

    by dr_strang ( 32799 ) on Monday February 27, 2006 @09:27PM (#14813620)
    Isn't the camera traffic limited to known IP addresses/MAC addresses? Just lock it down to only accept traffic from those...
  • Viruses? (Score:5, Insightful)

    by spun ( 1352 ) * <loverevolutionary@@@yahoo...com> on Monday February 27, 2006 @09:31PM (#14813639) Journal
    Um, viruses don't just sneak in through open ports. Worms and trojans sneak in through exploits in programs running on those ports. Which exact ports are open? Look, I'm as big a linux zealot as the next guy, but this sounds like a scam. "See the, uhm, viruses are sneaking in through the, uhm, open ports in your windows. You need me to install all new Linux based stuff. See, linux doesn't have ports or windows, so the viruses can't sneak in!"

    Really, wouldn't it be better to stick with a known system and, you know, do your job as a sysadmin by fixing any security holes?
  • by Zeinfeld ( 263942 ) on Monday February 27, 2006 @10:07PM (#14813831) Homepage
    I'm sure it's the application -- but at the same time, this would be a mute issues on a linux/mac setup.

    I think you mean moot.

    For the application that you describe viruses should not be a threat on any platform. There should be no users on the box and if there are users they should not run using admin privs unless they are doing admin. Break those rules and you are in trouble regardless.

    Your problem is going to come from worms. There are plenty of worms that attack UNIX boxes.

    A network router box with port filtering can be bought for $50 or less. It is a good investment regardless of the O/S you run. A large number of security problems are the result of an admin reconfiguring the box.

  • by billstewart ( 78916 ) on Monday February 27, 2006 @10:13PM (#14813869) Journal
    I can't tell from the original posting whether the client is trying to replace the hub site or protect the remotes or both, and I can't tell if the remote-site equipment is being used for other applications or only for the camera, which makes a *huge* difference in your threat model.

    Basic firewall routers cost $29, and you can set them up to only allow connections from your headquarters location, or even to do IPSEC tunnels if your video application doesn't get into PMTU-discovery problems. Installing them at existing locations costs significantly more than $29, but for new locations it's just an extra couple of minutes to plug in the box when you're plugging in the camera.

    Basic PCs cost $250, so if you need a headquarters firewall or IPSEC tunnel server, that's basically free - certainly less than you'd charge your client for the amount of time you're reading Slashdot responses \\\\\\\ \\\\ \\\\\\\ researching solutions. And you can run ClamAV on it to protect outgoing traffic.

    If your remote sites are using the video box as a general-purpose PC to surf the net and read email, then you need to run an anti-virus application on it and either run a basic firewall box (wimpy, but a good start), or use the firewall to tunnel all your browsing traffic back to a server at headquarters, where you're running Squid and ClamAV and some decent Linux firewalling, and give them an email server that does some anti-virus and spam blocking and an email client that doesn't come from Microsoft. (If this weren't a real estate company, I'd recommend a text-only email system like Pine, but realistically your real estate people need to send pictures to their clients.) Another choice would be to run VNC, in one of its tighter forms, and run any applications on the headquarters server, with appropriate anti-virusing there.
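
Added example, not part of any comment in this thread: a Python check that audits each site's port-forward rules against the advice above to "only allow connections from your headquarters location". The addresses, port 9000, site names and the rule export format are constructed assumptions; the thread names none of them.

```python
import ipaddress

# Constructed values: the thread gives no addresses or ports.
HQ_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # assumed headquarters egress range

# Constructed port-forward export: (site, allowed source, proto, port, DVR host)
RULES = [
    ("site-a", "203.0.113.0/28", "tcp", 9000, "192.168.1.50"),
    ("site-b", "0.0.0.0/0", "tcp", 9000, "192.168.1.50"),
    ("site-c", "203.0.113.8/29", "tcp", 9000, "192.168.1.50"),
    ("site-d", "198.51.100.0/24", "tcp", 9000, "192.168.1.50"),
    ("site-e", "203.0.112.0/23", "tcp", 9000, "192.168.1.50"),
    ("site-f", "any", "tcp", 9000, "192.168.1.50"),
]


def classify(source, hq_nets):
    """Return None if the source range lies inside headquarters, else a reason."""
    try:
        net = ipaddress.ip_network(source, strict=True)
    except ValueError:
        # A source the auditor cannot parse must not be assumed safe.
        return "unparseable source, treat as unrestricted"
    same = [hq for hq in hq_nets if hq.version == net.version]
    if net.prefixlen == 0:
        return "open to any source"
    if any(net.subnet_of(hq) for hq in same):
        return None
    if any(hq.subnet_of(net) for hq in same):
        return "wider than headquarters range"
    return "source outside headquarters range"


def audit(rules, hq_nets):
    """List (site, port, reason) for every forward not limited to headquarters."""
    findings = []
    for site, source, _proto, port, _host in rules:
        reason = classify(source, hq_nets)
        if reason:
            findings.append((site, port, reason))
    return findings


if __name__ == "__main__":
    for site, port, reason in audit(RULES, HQ_NETS):
        print(f"{site}: port {port}: {reason}")
```
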

  • Won't work. (Score:3, Insightful)

    by twitter ( 104583 ) on Monday February 27, 2006 @10:52PM (#14814054) Homepage Journal
    Isn't the camera traffic limited to known IP addresses/MAC addresses? Just lock it down to only accept traffic from those...

    If only things were that easy. Give the questioner the benefit of the doubt and expect that obvious solutions have been tried.

    The program inspecting the mac addresses itself could be exploited, if the questioner could run one ... but he said he can't!

    Because he can't, he's stuck sitting behind a hardware firewall that only allows traffic on ports required for servicing the camera. We can imagine he's been bright enough to try that and it did not work because the camera software itself has problems or some other service he can't identify or turn off does.

  • by uncreativ ( 793402 ) on Monday February 27, 2006 @11:13PM (#14814145)
    ...company with 200+ cameras.

    The problem with the Pelco devices is they are sold as is without any easy way to keep the OS up to date. Our company remembers to update DVR OS software as new things come out.

    I myself have asked the exact question to our security cam vendors (and so have all the other larger real estate companies in my city) in part because of the updated software issue. For me, even more helpful would be a more open platform. Pelco (and all DVR vendors) lock you into their hardware platform, and if you so much as add or replace one of their $2000 120GB hard drives, they will discontinue your support. I would love a more open platform so I could network all my video systems together and store archival info on an UNLIMITED (or size of MY choosing) storage system.

    The company I work for also sells internet services to other multiple tenant properties. This is something that comes up in almost every large company with lots of cameras. If you actually find a good solution, let me know.

  • Re:Viruses? (Score:3, Insightful)

    by Tim C ( 15259 ) on Tuesday February 28, 2006 @03:57AM (#14815041)
    Worms and trojans sneak in through exploits in programs running on those ports.

    No, trojans are executed by the user in the belief that it is an application that the user wants (or needs) to run. Viruses hook on to other executables, causing themselves to be run when that executable is run; they generally fork (or similar), execute the real executable, then seek out other executables to infect. Worms are the only self-mobile code, and do indeed seek out open ports to exploit holes in the software listening on them.

    Apart from that, you're right, viruses are not sneaking in through open ports. Anything that is getting in of its own accord is a worm by definition. If there really are viruses getting on to these things, then I suspect we're not being told the whole story, which really doesn't make giving recommendations very easy...
