09-03-2012, 09:43   #1
mickotoole
Registered User
 
Join Date: Aug 2005
Posts: 80
Bridging between Broadband and Corporate LAN

My company has a contractor in installing IP based security cameras. These cameras will be monitored remotely via a monitoring center and will also be viewed locally by employees for access purposes.

The problem I have is that the Network Video recorders only have one NIC so either the remote monitoring station get set up with VPN to view these cameras or the users view the cameras via broadband.

I would like a way to bridge the broadband and LAN so that the remote monitoring station can connect via broadband and the employees can connect via a local IP.

Can anyone tell me how to go about getting this kind of set up to work.

Cheers.
09-03-2012, 15:30   #2
Zab
Registered User
 
Join Date: Feb 2002
Posts: 1,856
Your post is a little confusing. A simple diagram would help. Why can't the employees VPN into the office and view the cameras?
09-03-2012, 21:56   #3
swampgas
Registered User
 
Join Date: Apr 2008
Location: West Cork
Posts: 1,550
Quote:
Originally Posted by mickotoole View Post
My company has a contractor in installing IP based security cameras. These cameras will be monitored remotely via a monitoring center and will also be viewed locally by employees for access purposes.

The problem I have is that the Network Video recorders only have one NIC so either the remote monitoring station get set up with VPN to view these cameras or the users view the cameras via broadband.

I would like a way to bridge the broadband and LAN so that the remote monitoring station can connect via broadband and the employees can connect via a local IP.

Can anyone tell me how to go about getting this kind of set up to work.

Cheers.
This probably isn't the answer you want, but anyway: if it's security you're concerned with, don't guess - get some professional advice.

Last edited by swampgas; 10-03-2012 at 21:27. Reason: your -> you're
09-03-2012, 22:58   #4
Dardania
Registered User
 
Join Date: Aug 2008
Location: Nomadically vague
Posts: 1,242
One way would be to do as you suggest, use a VPN, but I reckon it's overkill for what you need.

Another, simpler way would be to find out what TCP & UDP ports the DVR needs to allow a remote party dial into, and you could create port forwards / pinholes through your NAT router from the internet to the DVR - that way the DVR is accessible both locally (as it will have a local IP address) and remotely.

What make/model is the DVR? And what make/model is your router?

The security contractors should be able to tell you about port forwarding etc.
10-03-2012, 19:16   #5
rolion
Registered User
 
Join Date: Jan 2005
Posts: 1,161
The CCTV installers have little idea about TCP, UDP and NAT... talk to them about cable, video signals and resolution, yeah, they are the best in that field!!

I've installed a system in one of my sites and the guys asked on the first day for the client's IT consultant to be on-site!!!

So, it depends VERY VERY much on your broadband router!!

Just a draft idea... you create a DMZ area in your router that is placed at the border WAN/LAN.
In that DMZ, you place all your IP cameras and/or your network DVR, with static IPs in a specific range 'dictated' by the router. Create rules to allow traffic ONLY on that port AND only from specific IP addresses: the internal LAN and... your monitoring station IPs.
Create NAT / firewall rules for proper access WAN/DMZ and LAN/DMZ.
Needless to say, those IP cameras' web interfaces and the network DVR should be secured by the installers!
Also, I'll pay twice to be sure that I'll get a full picture diagram / map after installation!

Have fun...

Of course,if you need professional advice,send me a PM and i can assist you !

Last edited by rolion; 10-03-2012 at 19:18.
14-03-2012, 13:49   #6
Jackalvano
Registered User
 
Join Date: Mar 2012
Posts: 5
The VPN can be helpful in this regard; use a simple VPN like hidemyass that will allow access into the network through broadband or LAN....
16-03-2012, 15:40   #7
NullZer0
Registered User
 
Join Date: Sep 2006
Posts: 1,578
Job done -
https://openvpn.net/index.php/access.../overview.html
16-03-2012, 17:40   #8
rolion
Registered User
 
Join Date: Jan 2005
Posts: 1,161
Quote:
Originally Posted by iRock View Post
excuse my ... ignorance ...but...
how do you see your proposed solution working in the OP topic !??


Just a quick Q that flashed into my mind: do you expect every user to install some VPN software that will allow them access to the DVR or CCTV IP cameras!?? Do you know that some companies do not allow users to install or run software other than approved and licensed ones? Also, with users not having local admin rights, the software might not be able to run!!

Do you expect every "third-party" user that has VPN installed to have F U L L connectivity to my local network, servers, desktops and printers, just for the sake of having access to some cameras!??? I'll fire the IT guy that proposes that to me OR installs it... fired without even letting him take the stuff off his desk!

What if the desktop or network connected from the "other end" of the VPN has a virulent virus spread/infection local to them... once the VPN is connected, that will spread onto the OP's network in the second packet!!!!


Let's go back to the table and digest it... if we want your stuff on the desk, in the office!!
16-03-2012, 19:56   #9
FruitLover
Butt Demon
 
Join Date: Oct 2004
Location: 東京都
Posts: 2,474
You're making a lot of leaps and assumptions there rolion; I get the impression you don't have a whole lot of experience with VPN configuration.

If this IP phone company is any use at all, they'll be able to configure a site-to-site VPN between an endpoint on their network and the client site, meaning no client software needed. Obviously, full connectivity would not be permitted; I don't understand why you're making a big hoopla about that, with your bold letters and mention of viruses. Only traffic on specific ports/services should be permitted from the monitoring company, and ideally the video equipment should be in a DMZ (you got that bit right, at least).

While this could technically be done by opening access from the monitoring company's public IP range in (assuming the cameras and/or monitoring system support encrypted sessions), a VPN would be a cleaner and safer way of doing things.
16-03-2012, 21:35   #10
rolion
Registered User
 
Join Date: Jan 2005
Posts: 1,161
Quote:
Originally Posted by FruitLover View Post
You're making a lot of leaps and assumptions there rolion; I get the impression you don't have a whole lot of experience with VPN configuration.

If this IP phone company is any use at all, they'll be able to configure a site-to-site VPN between an endpoint on their network and the client site, meaning no client software needed. Obviously, full connectivity would not be permitted; I don't understand why you're making a big hoopla about that, with your bold letters and mention of viruses. Only traffic on specific ports/services should be permitted from the monitoring company, and ideally the video equipment should be in a DMZ (you got that bit right, at least).

While this could technically be done by opening access from the monitoring company's public IP range in (assuming the cameras and/or monitoring system support encrypted sessions), a VPN would be a cleaner and safer way of doing things.
SO... you are saying that I, as a CCTV monitoring company, should have the possibility of installing VPN tunnel(s) (site-to-site OR gateway-to-gateway) for every site that has my equipment installed!? Forget it...

Also, if it is in the DMZ... why would you need a VPN???
Also, setting ports and restrictions and basically policy NAT-ing the VPN... what's the point of having a VPN link!? Same as an IP-to-IP and port-filtering based solution!

I'll get back to that CCTV installer company of mine and check how they work in these scenarios...
Also, it would be very 'nice' if the OP could give us an update here, AS despite technical solutions being possible, in various combinations (in bolded or not letters), I reckon it is VERY much determined by the type, capability, knowledge, equipment and cost coming from the whole installation's scope and budget...

So... we can all be right... all giving free advice here AND taken as free advice!!

In the meantime, have a nice Paddy's Day... I have two myself!!!

PS
Re my VPN skills, we can have a chat in private and trust me, you'll be disappointed!!..


PPS
Not sure but... if bold means anything to readers, I thought THIS MEANS SHOUTING!! Sorry...

PPPS
VPN class:
Let's say that the OP's office LAN is 192.168.1.x/24.
In my office's router/firewall I set up a site-to-site VPN, assuming that his IP address is already static.
Then, somehow, I have to create a rule in my routing table saying that ALL traffic with the destination of 192.168.1.x coming from my CCTV company LAN of 10.1.1.x/24 should use this VPN tunnel, establish it and keep it alive! All OK so far.
Also, from my Cisco & SonicWall, I understood that the VPN is treated as a safe, trusted zone (I can be wrong here) so NAT and/or policy can be ignored (I can be wrong here)... so all site-to-site VPN traffic is trusted! You can go on ACL, per IP and port... correct... hmmm
...but what if their router is not so smart!??

...also...


What if I, as a CCTV company, have to install another system in another site... and... it has the same IP range... am I going to change their IP addressing network just to get my VPN working for a port in for the DVR!??? Or the OP's site...


...or...

Install the VPN client only on one PC in the monitoring station, but then... how does the central crawling monitoring agent know to use that PC or connect and process the external monitored data and line status... lost here!

Regards.

Last edited by rolion; 16-03-2012 at 21:53. Reason: added PPPS
17-03-2012, 14:32   #11
FruitLover
Butt Demon
 
Join Date: Oct 2004
Location: 東京都
Posts: 2,474
Quote:
Originally Posted by rolion View Post
SO... you are saying that I, as a CCTV monitoring company, should have the possibility of installing VPN tunnel(s) (site-to-site OR gateway-to-gateway) for every site that has my equipment installed!?
Yes, that's exactly what I'm saying. VPN-capable gateway devices are very common, and any responsible company that connects remotely to a client over the internet should use one. It's 2012 - even consumer-grade home routers now commonly support IPSec tunnels. A site-to-site IPSec VPN can be built in a couple of minutes by someone who knows what they're doing. I do exactly this kind of work very regularly (contracted by various support companies that need remote access to client sites).

Quote:
Originally Posted by rolion View Post
Also, if it is in the DMZ... why would you need a VPN???
Also, setting ports and restrictions and basically policy NAT-ing the VPN... what's the point of having a VPN link!? Same as an IP-to-IP and port-filtering based solution!
The DMZ is for protecting the internal network. External access to your internal LAN should never be given to a third party if it can possibly be avoided. The VPN is for protecting the traffic in transit. Simply using port filtering to limit inbound traffic from the internet is absolutely not the same thing as using a VPN. Not even close. An IPSec VPN can provide authentication, confidentiality and integrity protection to monitoring traffic all in one go.

Quote:
Originally Posted by rolion View Post
In my office's router/firewall I set up a site-to-site VPN, assuming that his IP address is already static.
You don't need a static IP for a site-to-site VPN. IKE authentication can be done with other information, provided the dynamic peer initiates the process.

Quote:
Originally Posted by rolion View Post
Also, from my Cisco & SonicWall, I understood that the VPN is treated as a safe, trusted zone (I can be wrong here) so NAT and/or policy can be ignored (I can be wrong here)... so all site-to-site VPN traffic is trusted! You can go on ACL, per IP and port... correct... hmmm
...but what if their router is not so smart!??
Yes, it can be, but this kind of configuration should only ever be used for VPNs to trusted sites. ACLs should be used for tunnels to untrusted third parties. The VPN does not need to be terminated on the OP's border router - if he uses iRock's suggestion of an OpenVPN appliance or image, this can be used for VPN and firewalling purposes.

Quote:
Originally Posted by rolion View Post
What if I, as a CCTV company, have to install another system in another site... and... it has the same IP range... am I going to change their IP addressing network just to get my VPN working for a port in for the DVR!??? Or the OP's site...
You can either use NAT to work around this problem, or get the client to set up a new network/VLAN specifically for use with the camera equipment (which they should be doing anyway for security).

Quote:
Originally Posted by rolion View Post
Install the VPN client only on one PC in the monitoring station, but then... how does the central crawling monitoring agent know to use that PC or connect and process the external monitored data and line status... lost here!
This would not be an appropriate solution. The most sensible configuration would be a site-to-site VPN.

Quote:
Originally Posted by rolion View Post
PS
Re my VPN skills, we can have a chat in private and trust me, you'll be disappointed!!..
No offence, but I have my doubts, as you seem to have been quite confused by a lot of what has been said so far. You seem to understand basic networking, but you're fuzzy on security.
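Putting together rolion's DMZ sketch from post #5 (cameras and NVR in their own zone, traffic allowed only on the NVR's ports and only from the office LAN and the monitoring station) and FruitLover's point in post #11 that a tunnel to an untrusted third party still needs per-address, per-port ACLs, here is one nftables ruleset for a Linux router that sits between the four networks. It is an added example, not from any poster or vendor; the interface names, the DMZ range, the NVR address and its ports are assumptions, while 192.168.1.0/24 and 10.1.1.0/24 are the ranges rolion used in his PPPS.

```nft
#!/usr/sbin/nft -f
# Assumed layout (example, not from the thread): eth0 = WAN, eth1 = office LAN
# 192.168.1.0/24, eth2 = camera DMZ 192.168.50.0/24, tun0 = site-to-site VPN to
# the monitoring centre whose LAN is 10.1.1.0/24. The NVR's real client ports
# come from its manual; 443/554 are placeholders.
define WAN_IF      = eth0
define LAN_IF      = eth1
define DMZ_IF      = eth2
define VPN_IF      = tun0
define NVR         = 192.168.50.10
define NVR_PORTS   = { 443, 554 }     # assumed: HTTPS web UI + RTSP video
define MONITOR_NET = 10.1.1.0/24

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept    # return traffic for flows allowed below
        ct state invalid drop

        # Office LAN: normal internet access, and the NVR on its own ports only.
        iifname $LAN_IF oifname $WAN_IF accept
        iifname $LAN_IF oifname $DMZ_IF ip daddr $NVR tcp dport $NVR_PORTS accept

        # Monitoring centre: only through the tunnel, only from its LAN, only to the
        # NVR ports. The tunnel supplies authentication and encryption in transit;
        # this ACL keeps what it can reach narrow, which is the post #11 point.
        iifname $VPN_IF oifname $DMZ_IF ip saddr $MONITOR_NET ip daddr $NVR tcp dport $NVR_PORTS accept

        # Policy drop already blocks the DMZ and the tunnel from starting connections
        # into the office LAN (and cameras from reaching the internet on their own).
        # Anything headed for the LAN that was not accepted above is logged so a
        # compromised camera or monitoring host trying to go further shows up.
        oifname $LAN_IF log prefix "blocked-to-lan: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF masquerade    # office traffic out to the internet
    }
}
```

If the monitoring centre instead comes in straight from the internet as Dardania's pinhole suggests, the tunnel rule becomes an `iifname $WAN_IF ip saddr <their fixed public address>` match plus a matching DNAT to the NVR, and the traffic is then only as protected as the NVR's own sessions are.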