Wednesday, October 27, 2021

Small business network becoming more complex with IP camera needs

Hi r/networking. I'm the "IT guy" (really a software eng by trade) for a small business that is in the process of having an IP-camera and recording system installed throughout a building. The camera installer has understood my concerns with their plan to add the video recorder to the existing simple network, and expose access to it to the internet directly, but still insists "it's safe". It's going to be up to me to network it in a way that I think satisfies my security concerns, since I cannot completely trust the video recorder server to be secure itself. I would like to separate it from all other devices on the network, so in the worst case, if the video server is compromised by some OS/net stack exploit or the camera server manufacturer neglects to release patches for their software, the attacker is prevented from accessing the rest of the network.

The problem here is that the current network is dead simple. For ease of managing it, the entire network comprises a mesh Eero router system, sitting behind a modem/router provided by Comcast for business. Eero provides very little configuration for more complex networking layouts, so it will not support additional subnets or rules preventing access from the NVR server to other local addresses.

What the network looks like now:

Comcast -> Comcast Modem/Router -> Eero routers -> Devices

What I hope the network can look like:

Comcast -> Comcast Modem/Router -|-> Eero routers -> Devices
                                 |-> (Managed switch?) -> NVR Server

The intention is to enable access to the NVR server over the internet, and to prevent the NVR server from accessing the rest of the network.

Does this approach achieve my goals, and more importantly, will it even work? If not, how can this be accomplished simply, and with what additional hardware?

Would a managed switch placed between the Comcast Modem/Router and the NVR server enable me to configure the rules I'm hoping for?

One way or another, I'm going to have to expose some server to the internet in order for the business owners to get remote access to their camera footage. I considered additionally securing the video recorder behind a VPN, but I do not have any experience configuring something like an OpenVPN server. I am imagining the managed switch/additional router approach should make it easier to later set up the VPN and avoid exposing the video server directly to the internet.

In my quest to keep it simple, I was thinking that I could enable the guest Wi-Fi network, and attach the video server wirelessly to take advantage of the client isolation provided by the guest network. It's stupid, but it does get the isolation properties I wanted. Unfortunately I don't think Eero supports port forwarding for clients on the guest network.

Thanks
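An added example, not part of the original post, of what the segmentation asked for above looks like as an actual firewall policy. It assumes a small Linux router/firewall (an OpenWrt box or similar) placed between the Comcast modem and everything else, with three interfaces: wan0 toward the Comcast box, lan0 toward the Eero mesh, and nvr0 toward the NVR's own segment (a VLAN on a managed switch or a dedicated port). The interface names, subnets, the NVR address, the OpenVPN port and the tun0 VPN interface are all assumptions for illustration; the script only prints an nftables ruleset, so it can be inspected or syntax-checked before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original post or any vendor): emit an nftables
# ruleset that isolates an NVR segment from the office LAN.
#   wan0 -> Comcast modem/router
#   lan0 -> Eero mesh and office devices
#   nvr0 -> dedicated NVR segment (VLAN or separate switch)
#   tun0 -> OpenVPN server interface on this router
# All names, addresses and ports below are assumptions; override via env vars.

WAN_IF=${WAN_IF:-wan0}
LAN_IF=${LAN_IF:-lan0}
NVR_IF=${NVR_IF:-nvr0}
VPN_IF=${VPN_IF:-tun0}
NVR_HOST=${NVR_HOST:-192.168.20.10}   # assumed static address of the NVR
VPN_PORT=${VPN_PORT:-1194}            # assumed OpenVPN UDP port

nvr_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # The office LAN may manage the router; the NVR segment may not.
        iifname "$LAN_IF" accept
        # The VPN endpoint is the only service reachable from the internet.
        iifname "$WAN_IF" udp dport $VPN_PORT accept
        # The NVR segment only gets DHCP and DNS from the router.
        iifname "$NVR_IF" udp dport { 53, 67 } accept
        iifname "$NVR_IF" tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Office LAN and VPN clients may open connections to the NVR.
        iifname "$LAN_IF" oifname "$NVR_IF" ip daddr $NVR_HOST accept
        iifname "$VPN_IF" oifname "$NVR_IF" ip daddr $NVR_HOST accept
        # Office LAN may reach the internet.
        iifname "$LAN_IF" oifname "$WAN_IF" accept
        # The NVR segment must never initiate traffic toward the office LAN.
        # (Already covered by policy drop; kept explicit with a counter so
        # attempts are visible in 'nft list ruleset'.)
        iifname "$NVR_IF" oifname "$LAN_IF" counter drop
        # Outbound from the NVR segment: NTP only. Any vendor cloud service
        # the installer needs must be added here deliberately.
        iifname "$NVR_IF" oifname "$WAN_IF" udp dport 123 accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Usage: ./nvr-rules.sh            (print)
#        ./nvr-rules.sh check      (syntax check only, needs nft installed)
#        ./nvr-rules.sh apply      (load on the router as root)
case "${1:-print}" in
    print) nvr_ruleset ;;
    check) nvr_ruleset | nft -c -f - ;;
    apply) nvr_ruleset | nft -f - ;;
esac
```

Cameras and the NVR sit on the same segment behind nvr0, so they need no forward rules at all. Remote viewing goes through the VPN on the router rather than a port forward to the NVR, so the only thing the Comcast box forwards to the router is the single VPN UDP port, and the NVR itself is never reachable from the internet. Because the forward chain's default policy is drop, a rule that is forgotten fails closed.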
