A DVR Security System That Isn't Based on Windows?
Brady J. Frey asks: "For months, I've had a client that has been looking for a Linux or Mac alternative for their DVR Security systems. They are a large Real Estate company with 200+ cameras worldwide, and their Pelco PC DVRs are hubs for viruses. These systems cannot run anti-virus software at the same time they record -- but require internet inbound/outbound traffic through specific ports that leave some nice holes in the firewall for viruses to find their way in as needed. Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost-effective method for a number of their locations. Therefore we are looking for alternatives. Any suggestions?"
"We've tried looking at Ben's Security Spy for Mac, and running a Quicktime server, but it was not industrial enough for us and the developer has been elusive. We're looking at Endura by Pelco, but there are some questions unanswered for it.
What I want is a high end, professional DVR system for a large business that does not run Windows. Budget isn't really an issue at this point, since we are just looking for options.
To note, I'm hearing I could possibly do IP cameras, and host any ol' web server I want to download those files, but I have no clue as to how to control the cameras, or if this is really a possibility. Any advice or information is appreciated. If you are an expert in this industry, we may have a need for your services and would welcome that too!"
Traffic (Score:2, Insightful)
Won't work. (Score:3, Insightful)
If only things were that easy. Give the questioner the benefit of the doubt and expect that obvious solutions have been tried.
The program inspecting the mac addresses itself could be exploited, if the questioner could run one ... but he said he can't!
Because he can't, he's stuck sitting behind a hardware firewall that only allows traffic on ports required for servicing the camera.
Re:Won't work. (Score:2)
When it comes to computer problems, if I were to count all the times that giving someone the benefit of the doubt has helped solve the problem, I'd still have all of my fingers left. Nowadays, when someone comes to me with a computer question, I like to go back to the very beginning (whether it's a configuration file, or a system install, or whatever) and work from there. Nine times out of ten, the solution is sim
Re:Traffic (Score:2)
-sirket
Re:Traffic (Score:2)
One word... (Score:2)
Re:Traffic (Score:2)
Usually it's the Boss's computer heavily infected (No one dare to go into their rooms to clean up the virus), and usually the rule allows all the Boss's computers to access that security cam website.
Or you (the computer-illiterate boss) simply hire employees who will walk into your office and make fun of you for having opened the "Just Click Here fore [sic] a Bigger Penis" e-mail. His skill was that required to run a business; mine was in making fun of anyone without computer savvy (which somehow extended
ipcameras (Score:2, Interesting)
I have two D-Link 6620G cameras and have been looking for *any* solution, industrial or not, that would let me access my cameras via my Mac.
I am by no means an industry expert, I can tell you that the IP Camera solution is indeed viable. Several of them out there -- check out:
http://www.ipcamerademos.com/ [ipcamerademos.com]
and
http://www.ipcameraforums.com/ [ipcameraforums.com]
Also -- most of the IP cameras have their own
Re:ipcameras (Score:2)
I've heard really bad things about the Toshibas and mediocre things about the Sonys. The Dlink seemed to be the best value at the time.
Axis and Panasonic are supposedly really good -- plus a few others that aren't well-known outside of the surveillance industry
/. with the perfect timing (Score:2)
In short: it'
flexTPS (Score:2)
Re:/. with the perfect timing (Score:2)
Viruses? (Score:5, Insightful)
Really, wouldn't it be better to stick with a known system and, you know, do your job as a sysadmin by fixing any security holes?
Re:Viruses? (Score:2, Interesting)
The political situation? (Score:2)
I'm gonna guess that, if he goes to a different Windows solution, there are two fears:
(1) the new 'solution' will be as messed up as the current one, and
(2) The PHB's are going to ask "Why are we going to this new system", and if you answer 'security'
Re: (Score:2)
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
"denote" (Score:2)
Re:Just tell your company... (Score:2)
The best that I can suggest is to ignore the ignorant posts -- or at least ignore the ignorant part of those posts and mine the useful parts out of them.
Re:Just tell your company... (Score:2)
What, is that some backcountry dialect, where the j is silent?
"Argsh, mehb an 'erk wit a haxe t'grind, beshorra."
-- Rabid
Re:Just tell your company... (Score:2)
(jerk)
Seconded (Score:2)
Re:Seconded (Score:2)
So while it could just as easily be bullshit, I've dealt with plenty
Re:Seconded (Score:2)
How's that a Windows problem? You could have a vendor supply you with a Linux system that you don't have admin rights to and, if they don't patch critical security holes, you're still screwed.
Re:Seconded (Score:2, Informative)
firstly, IIS has only recently (in the last couple of years) become stable enough to reasonably get 20% market share. and that's still only 20%.
secondly, Slashdot has always been more interested in Linux and other UNIX-like operating systems than in Windows systems, so it's the perfect platform to ask a question about a UNIX/Linux/other solution to a particular problem. if you don't like it, shift off somewhere else.
thi
Re:Viruses? (Score:2)
A lot easier said than done for a number of windows-based "solutions." I'm always amused by how often we kick the PoS (point of sale or piece of shit, take your pick) systems in our building offline because some new virus comes around and infects them all. As he pointed out you can isolate them through layers of external protection, but it's a hassle and it would be a lot n
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
For something as critical as a PoS network, I'd hope they have the subnet put in a different VLAN using port to MAC mapping. Plug in a random laptop and you won't even get ARP.
Re:Viruses? (Score:2)
$29 Firewall Routers are your Friends (Score:5, Insightful)
Basic firewall routers cost $29, and you can set them up to only allow connections from your headquarters location, or even to do IPSEC tunnels if your video application doesn't get into PMTU-discovery problems. Installing them at existing locations costs significantly more than $29, but for new locations it's just an extra couple of minutes to plug in the box when you're plugging in the camera.
Basic PCs cost $250, so if you need a headquarters firewall or IPSEC tunnel server, that's basically free - certainly less than you'd charge your client for the amount of time you're reading Slashdot responses \\\\\\\ \\\\ \\\\\\\ researching solutions. And you can run ClamAV on it to protect outgoing traffic.
If your remote sites are using the video box as a general-purpose PC to surf the net and read email, then you need to run an anti-virus application on it and either run a basic firewall box (wimpy, but a good start), or use the firewall to tunnel all your browsing traffic back to a server at headquarters, where you're running Squid and ClamAV and some decent Linux firewalling, and give them an email server that does some anti-virus and spam blocking and an email client that doesn't come from Microsoft. (If this weren't a real estate company, I'd recommend a text-only email system like Pine, but realistically your real estate people need to send pictures to their clients.) Another choice would be to run VNC, in one of its tighter forms, and run any applications on the headquarters server, with appropriate anti-virusing there.
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
That said, if you are thinking about hiring someone to help setup a linux solution, why not go open source? As another poster mentioned, Mythtv
Re:Viruses? (Score:2)
Mythtv doesn't even ACTUALLY record video, it relies on V4L for that.
(It does do transcoding itself, though)
Re:Viruses? (Score:2)
But, using a Linux/Unix custom distro cd (Think: RedHat Jump Start) can reduce the cost of administration by providing an easily setup, secure default. In other words, the install procedure gets reduced to
1) Install the O/S CD with minimal options
2) Install install script
3) Run a single command (eg: Setup) which sets everything for the O/S up.
I have something similar to this based on C
Re:Viruses? (Score:2)
1) Insert CD
2) Click Install
Or you can use a drive imaging program and create a setup for all the machines... But that usually only works if they all have the same hardware.
Re:Viruses? (Score:2)
1) Insert CD
2) Click Install
Have you EVER installed Windows without rebooting it some 10 or 20 times?
Neither have I. I'm talking about 2 reboots:
1) To load the installer on the O/S CD:
2) To reboot after the installer, the updates, and all the other patches have been applied.
Total time from opening the computer box to completed setup 15 minutes. I can do about 3 at a time, making the average time to setup
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
But you're still comparing apples to oranges.
A "windows image" includes all the drivers preconfigured for a standardized hardware platform. An "unattended install" loads (crappy!) default drivers that generally don't work, and doesn't download updates as part of the install process. In either case, no
Re:Viruses? (Score:2)
http://www.lavrsen.dk/twiki/bin/view/Motion/WebHo
I'm not sure it does everything you want it to, but I've used it before and thought it was very cool (I was using it out of interest, not for real security cameras)
from a guy who works for a large real (Score:2, Insightful)
The problem with the Pelco devices is they are sold as is without any easy way to keep the OS up to date. Our company remembers to update DVR OS software as new things come out.
I myself have asked the exact question to our security cam vendors (and so have all the other larger real estate companies in my city) in part because of the updated software issue. For me, even more helpful would be a more open platform. Pelco (and all DVR vendors) lock you into their hardware platform,
Re:from a guy who works for a large real (Score:2)
No kidding. I'm about to take over support for a couple of similar units because the vendor, even for an absurd yearly fee, is completely inflexible. For example, every time a drive dies they swap the entire machine thus losing all the old video. Of course adding an sort of
Re:Viruses? (Score:2)
Hey, buddy, this is Slashdot. We don't need that kind of talk around here.
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
Re:Viruses? (Score:2)
But why? You can get a NAT router from Office Max for $20. It will allow for Internet Access, but make machines connected to it effectively invisible to worms
Re:Viruses? (Score:3, Insightful)
No, trojans are executed by the user in the belief that it is an application that the user wants (or needs) to run. Viruses hook on to other executables, causing themselves to be run when that executable is run; they generally fork (or similar), execute the real executable, then seek out other executables to infect. Worms are the only self-mobile code, and do indeed seek out open ports to exploit holes in the software listening
Re:Viruses? (Score:2)
I do. All the time. RHES/CentOS based Linux systems. For years, anytime I've had a security breach happen, it happened well after I was aware of a problem. (Not all the systems I admin are actually mine - meaning that, when I identify a problem, I have to get approval to actually go fix it)
But, it's routine for me. No firewall. In fact, in quite a number of cases, the Linux system IS the firewall. I don't admin AN
Lead you in the right direction... (Score:2)
I don't understand... (Score:2)
and the equipment outlay for new Linux boxes with supported PVR security software, if they do exist, is probably more per unit than the cost of little PIXs, if you couldn't set up DMZs for some reason.
VPN? (Score:2)
if not is there any way to filter based on IP address or reverse DNS?
Very timely post (Score:2)
Re: (Score:3, Interesting)
INstall linux, prolbem sovled (Score:2)
I don't buy it (Score:2)
Smoothwall (Score:2)
Pay a bit for the enterprise license if needed. Then you can setup automatic updates so it recognizes new worms.
Supercircuits (Score:2)
If you're using IP cameras that stream MP4 or whatever over ethernet, why not employ a VPN? You can get a nice hardware VPN endpoint such as one of those SOHO Sonicwalls (google for it) on each end, or a linux box
Dedicated Micros (Score:2)
Re:Dedicated Micros (Score:2)
We have several DS2s installed for years, and there have been two glitches... both caused by power spike/loss. Each time the DVR had to be reset, and though we lost our video archive (what little was not backed up) the DVRs reloaded and reinitialized themselves without issue.
-sid
Open ports != "Hubs for Viruses" (Score:2)
Guess what? If you want remote access to the camera, every OS or hardware IP camera will require open ports! It's just a matter of working within that requirement - e.g.
Also bad... (Score:2)
But unless I'm at a Windows computer, I can't log into my DVR security remotely to see what's going on. About once or twice a year, I get a call from my security company because an alarm has gone off. I can't check on my building from the comfort of my bedroom and my Mac laptop. I have to head downstairs to the office, and boot
Windows isn't your problem (Score:2)
Why are these systems exposed to viruses or worms or whatever? Why are they networked at all? If you need remote monitoring, you can get a one-way connection that will completely isolate your system.
Security through obscurity vs. cost of change (Score:2)
Linux, MacOSX, and other UNIX relatives are not necessarily more or less invulnerable to these pests; the people who create the pests are simply:
1) as or more likely to have Windows systems themselves (based simply on the odds);
2) more likely to find victims running Windows than other OSes because there are a v
Self Promotion. We can help you. (Score:2)
tons of them (Score:2)
I had put together a list a couple of years ago and will post them here. y
That Baby... (Score:2)
Anyway, I just have to point out a few things:
1) You say, "Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost effective method for a number of their locations," but then go on to say, "Budget isn't really an issue at this point, since we are just looking for options." Which is it?
2) Why is it you can't run anti-virus while recording? I'll bet it's a performance issue and if so, you've either looked
WTF are your cameras doing on the public net? (Score:2)
Instead of buying a new CCTV system, you could
What is your budget? (Score:2)
Budget isn't really an issue at this point, since we are just looking for options.
Obviously, budget is an issue. You just said so. You state that you "are just looking for options" and you've already ruled out some based on cost. Are you looking for a turn-key solution? Somethi
Options... (Score:2)
In any case there are a few options using Linux. If you are looking to capture/collect snapshots over time, you could do anything from ip based webcams with a backend on Linux using wget to collect snapshots from each camera. Those get hosted on the Linux box as a web page for each location. On each of those pages, display the last 6 or so sn
Multiple cameras, still pics easiest. (Score:2)
I'm not an expert, but I worked in a place that used to sell these Windozy systems. It made me cringe at the time and I'm not surprised to learn they are a virus magnet and easy to 0wn. I never learned to do the same things with free software, but I did learn a few things.
Camera control is usually silly. For the price of one tilt device, you can buy two or three normal cameras
Re: (Score:2)
what hardware? (Score:2)
Open Ports (Score:2)
First, you say you can't change the ports that are used. But you can make it look like you changed the ports? Here is the idea: camera server must run on port 80 (or whatever). So you run a little program on the Windows box that takes any connections on port 8347 (just some random number) and forwards that connection (through the loopback) to port 80. Port 80 is never exposed outside of the box (must be loopback to connect). I know this can be done on U
zoneminder (Score:2)
Check out zoneminder. This may be the kind of solution you are looking for.
Ask for my project! (Score:2)
Disclaimer: I'm an engineer who develops video cameras.
I kind of hate to turn this into a shameless plug, but my company has been developing exactly what you need. We've got a linux-based network camera which would be perfect for your application. Google Ingenient Technologies.
Okay, now here's the problem: We are an engineering firm - we sell the reference design to other companies which actually manufacture and market the hardware. However, we might be able to work something out with an intermedi
Security Spy is plenty industrial enough (Score:2)
They all dump their data to dual XServe RAIDs (located in separate parts of the building for physical separation) using XSan (with 1 XServe as a XSan controller), page me via an email when a camera should not be going off at night of the picture, run scripts that write out formatted logs for motion activity.
It took about 4 months to get everything running smoothly - camera settings, getting enough machines to do the work, compression levels that were
You're in the wrong business, pal (Score:2)
It's OK to say "I don't know".
Video appliances (Score:2)
I have deployed Linux DVRs... (Score:2)
Re:I have deployed Linux DVRs... (Score:2)
::diatonic::
Ask and ye shall receive... (Score:2)
These things want plain old P4 Gigabyte motherboards with a few hundred megs of DDR, very affordable rigs and no Linux experience necessary. There's a pretty GUI on the DVR end if you choose to put a head on it, and there's a remote web interface from which you can watch & control feed in-browser. Here's a few screenshots for you on the client end:
#1 [imageshack.us] #2 [imageshack.us] #3 [imageshack.us]
These particular units are limited to 16 cameras per unit, but there are higher-end DVRs which are very simil
I've been looking into this myself. (Score:2)
Second, there are several "Linux on a DOM" solutions and I think one of the more popular is called VPON.
Third, are you sure you really want a PC based DVR rather than a dedicated solution? Many of the dedicated dvrs run Linux and even the ones that run Windows have stripped it down to the point where it should be pretty safe.
Good Luck.
Re: (Score:2)
huh? (Score:2)
ADPRO? (Score:2)
Re:ADPRO? (Score:2)
A couple of suggestions (Score:2)
TIVO is a DVR and it's linux based. I know that there was some open source stuff out there for a while, but it was missing a sufficient amount of proprietary code that no one was ever able to get it working. You might be able to do something with the Myth TV stuff, but that's more of PVR than DVR.
Frankly, I think that the issue
Since you asked for options, here's links (Score:2)
Skyway Security [skywaysecurity.com]
Star Dot Technologies [stardot-tech.com]
Big thing to watch for is insist on seeing a similarly sized system to what you want in operation before you sign anything. When you are running the system, do a lot of browser backs. Interrupt it in the middle of things. Bring up six live views at once.
Watch for systems that have to have components reset/restarted. Computers, cameras, hubs, things like that. Insist on references, and check them. (Good idea for anything, really.)
AXIS 2420s (Score:2)
Can't help with more information. (Score:2)
If this was your situation then the cameras wouldn't need any type of computers or firewalls. If this isn't the solution you are using then your entire install
Stick w/ Pelco (Score:3, Informative)
And get a decent f/w system and rules in place in front of the central server and at each location (internet connection) to which you have IP cameras installed.
Deny all traffic to the server except for the IP addresses and ports of the remote cameras.
We have been using a Pelco system in this manner with remote cameras on 2 continents for 3 years without incident of virus or trojan or crash.
The thing you should be worried about with Pelco cameras is the bandwidth usage at night with minimal lighting combined with lower bandwidth video settings. The compression method used can leave artifacts and this compression appears to be done before the "movement comparison" stage where the camera decides to send a new frame. At night with low light levels this causes black level banding and other dotting artifacts to appear. The movement comparison routines see this as... you guessed it MOVEMENT. This results in higher bandwidth usage at night. Our solution? Turn on the lights.
Stick with Pelco.
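The default-deny allowlist described in the "Stick w/ Pelco" comment above, and the headquarters-only rule from the "$29 Firewall Routers" comment, sketched as an added example that is not any poster's code: a script that turns a list of permitted source addresses and ports into an `iptables-restore` ruleset for a Linux gateway in front of the DVR. The addresses, port 8000 and function names are constructed for illustration, and the gateway is assumed to already route between the two networks.

```shell
#!/bin/sh
# Added example (not from the thread): emit a default-deny iptables-restore
# ruleset for a Linux gateway that sits in front of a DVR server.
# All addresses and ports are constructed samples (documentation ranges).

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: succeed only for an integer in 1-65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules DVR_ADDR: read "source-address port" lines on stdin and print the
# ruleset. Fails closed: one malformed entry (a CIDR range, a stray third
# field, a bad octet) aborts with no output, so a typo cannot widen access.
gen_rules() {
    dvr=$1
    valid_ipv4 "$dvr" || { echo "bad DVR address: $dvr" >&2; return 1; }
    rules=''
    while read -r src port extra; do
        case "$src" in ''|'#'*) continue ;; esac
        if [ -n "$extra" ] || ! valid_ipv4 "$src" || ! valid_port "$port"; then
            echo "rejecting allowlist entry: $src $port $extra" >&2
            return 1
        fi
        rules="${rules}-A FORWARD -s ${src}/32 -d ${dvr}/32 -p tcp --dport ${port} -j ACCEPT
"
    done
    # Default policy is DROP; no management access to the gateway is opened
    # here, so add that rule deliberately before loading this for real.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s' "$rules"
    printf '%s\n' 'COMMIT'
}

# Constructed allowlist: two remote sites allowed to reach the DVR on port 8000.
sample_allowlist() {
    cat <<'EOF'
# source-address  dvr-port
203.0.113.10 8000
198.51.100.7 8000
EOF
}

# Print the ruleset; on the gateway, pipe it to `iptables-restore --test`
# (as root) to check it parses without applying it.
sample_allowlist | gen_rules 192.0.2.20
```
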
Re:Open ports have applications linked (Score:3, Insightful)
I think you meen moot.
For the application that you describe viruses should not be a threat on any platform. There should be no users on the box and if there are users they should not run using admin privs unless they are doing admin. Break those rules and you are in trouble regardless.
Your problem is going to come from worms. There are plenty of worms that attack UNIX boxes.
A network router box w
Re:Open ports have applications linked (Score:2, Funny)
I think you meen moot.
I think you mean mean.
Re:Open ports have applications linked (Score:2)
A few points:
1. While I hate Windows, I've assembled DVR systems (1.5 tb of raid storage, 16 channels video+audio @ 25fps, viewable/searchable over the internet) that don't have problems with anti-virus software. (now you can go up to 64 av channels per unit on the same system, btw).
2. I tested a few linux-based systems - they're "not there yet." Maybe in a couple more years.
Re:Open ports have applications linked (Score:2)
http://videowisecanada.com/ [videowisecanada.com], http://milsecure.com/ [milsecure.com]
However, keep in mind that these solutions require custom hardware, so you can't just "upgrade" the software on your current systems. Also, it works with conventional CCTV security cameras (regular, pan-tilt-zoom, and infrared), not the crappy IP Net-Cams from Axis and others.
Re:Honeywell DVRs are Linux based (Score:2)
The HRHD+ Series generates compact encrypted archive video clips as self-executable files. Honeywells minibank format produces an executable (.exe) file containing both the video clip and reader
Somehow, I don't think this solution would work for the author. Doesn't seem like he'd be able to use the video files on anything other than a PC running Windows.
Re:Recommendation for windows then (Score:2)
2) Remove/shutdown everything that is not being used. As others have noted, worms and viruses attack applications, not ports. If there's nothing listening on a port, you're pretty safe... assuming the attack isn't against the stack itself, but those types of worms aren't very common.
3) 80 through 9999 is a shitload of ports. I'd suspect that not all are being used by the DVR app, as there are ports between 80 and 9999 that are used for other services. Here's a list:
http://www.che [chebucto.ns.ca]
Re:Dear Slashdot (Score:2)
Why not, look at all the free stuff they've already coded up for them?
Did I miss something in the GPL about a pover