My company has a contractor in installing IP-based security cameras. These cameras will be monitored remotely via a monitoring centre and will also be viewed locally by employees for access purposes.
The problem I have is that the network video recorders only have one NIC, so either the remote monitoring station gets set up with a VPN to view these cameras or the users view the cameras via broadband.
I would like a way to bridge the broadband and LAN so that the remote monitoring station can connect via broadband and the employees can connect via a local IP.
Can anyone tell me how to go about getting this kind of setup to work?
Your post is a little confusing. A simple diagram might help. Why can't the employees VPN into the office and view the cameras?
This probably isn't the answer you want, but anyway: if it's security you're concerned with, don't guess - get some professional advice.
One way would be to do as you suggest, use a VPN, but I reckon it's overkill for what you need.
Another, simpler way would be to find out what TCP & UDP ports the DVR needs to allow a remote party to dial in, and you could create port forwards / pinholes through your NAT router from the internet to the DVR - that way the DVR is accessible both locally (as it will have a local IP address) and remotely.
What make/model is the DVR? And what make/model is your router?
The security contractors should be able to tell you about port forwarding etc.
The CCTV installers have less idea about TCP, UDP and NAT... talk to them about cable, video signals and resolution, yeah, they are the best in that field!!
I've installed a system in one of my sites and the guys asked on the first day for the client's IT consultant to be on-site!!!
So, it depends VERY VERY much on your broadband router!!
Just a draft idea... you create a DMZ area in your router that is placed at the WAN/LAN border.
In that DMZ, you place all your IP cameras and/or your network DVR, with static IPs in a specific range 'dictated' by the router. Create rules to allow traffic ONLY on that port AND only from specific IP addresses: the internal LAN and... your monitoring station IPs.
Create NAT-ing / firewall rules for proper access WAN/DMZ and LAN/DMZ.
It goes without saying that the IP cameras' web interface and the network DVR are to be secured by the installers!
Also, I'll pay twice to be sure that I'll get a full picture diagram / map after installation!
Of course, if you need professional advice, send me a PM and I can assist you!
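The DMZ design sketched in the post above (cameras and NVR in a separate segment, traffic allowed only on the NVR's ports and only from the office LAN and the monitoring station, nothing else) is easy to get subtly wrong when it is typed into a router GUI, so here is an added example, not from any poster in this thread, that models that rule set as a first-match, default-deny policy and checks it against a handful of constructed flows. The only address that comes from the thread is the 192.168.1.x/24 office LAN that a later post uses; the DMZ range, NVR address, monitoring station range and port numbers are placeholders (the real ports come from the NVR vendor's documentation).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet, List

# Constructed addresses for illustration. Only the office LAN matches a range
# mentioned in the thread; everything else is a placeholder.
OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("192.168.100.0/24")               # hypothetical DMZ segment
NVR = ipaddress.ip_network("192.168.100.10/32")              # hypothetical NVR, static address
MONITORING_STATION = ipaddress.ip_network("203.0.113.0/28")  # hypothetical monitoring centre range
# Placeholder ports; the real list comes from the NVR vendor (RTSP and a control port are typical).
NVR_PORTS: FrozenSet[int] = frozenset({554, 8000})


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                       # "allow" or "deny"


def build_dmz_policy() -> List[Rule]:
    """Rules are evaluated top to bottom; any flow not matched is denied."""
    rules: List[Rule] = []
    # LAN/DMZ and WAN/DMZ: only the office LAN and the monitoring station may reach
    # the NVR, and only on the ports it needs.
    for trusted_src in (OFFICE_LAN, MONITORING_STATION):
        rules.append(Rule(trusted_src, NVR, NVR_PORTS, "allow"))
    # The DMZ never initiates connections into the office LAN, even if the NVR
    # or a camera is compromised.
    rules.append(Rule(DMZ, OFFICE_LAN, None, "deny"))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action for a new flow: first matching rule wins, default deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if (src_ip in rule.src and dst_ip in rule.dst
                and (rule.dports is None or dport in rule.dports)):
            return rule.action
    return "deny"


# Constructed flows exercising each case the policy is meant to cover.
SAMPLE_FLOWS = [
    ("192.168.1.50", "192.168.100.10", 554),    # employee viewing a stream: allow
    ("203.0.113.5", "192.168.100.10", 8000),    # monitoring station on an NVR port: allow
    ("203.0.113.5", "192.168.100.10", 22),      # monitoring station on a non-NVR port: deny
    ("198.51.100.7", "192.168.100.10", 554),    # arbitrary internet host: deny
    ("192.168.100.10", "192.168.1.20", 445),    # NVR reaching into the LAN: deny
]


def run_samples() -> List[str]:
    policy = build_dmz_policy()
    return [evaluate(policy, *flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, action in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{flow[0]:>16} -> {flow[1]}:{flow[2]:<5} {action}")
```

The fifth flow is the one worth keeping an eye on: a DMZ that can open connections back into the LAN is not really a DMZ, and a stateful firewall only needs the LAN-to-NVR rule, because the NVR's replies ride on the established state rather than on a rule of their own.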
The VPN can be helpful in this regard; use a simple VPN like hidemyass that will allow access to the VPN into the network through broadband or LAN....
Excuse my... ignorance... but...
how do you see your proposed solution working in the OP's topic!??
Just a quick Q that flashed through my mind: do you expect every user to install some VPN software that will allow them access to the DVR or the CCTV IP cameras!?? Do you know that some companies do not allow users to install or run software other than what is approved and licensed, and also, with users not having local admin rights, the software might not be able to run!!
Do you expect every "third-party" user that has the VPN installed to have F U L L connectivity to my local network, servers, desktops and printers, just for the sake of having access to some cameras!??? I'll fire the IT guy that proposes that to me OR installs it... fired without even letting him take the stuff off his desk!
What if the desktop or network connected from the "other end" of the VPN has a virulent virus spread/infection local to them... once the VPN is connected, that will spread onto the OP's network in the second packet!!!!
Let's go back to the table and digest it... if we want your stuff on the desk, in the office!!
You're making a lot of leaps and assumptions there rolion; I get the impression you don't have a whole lot of experience with VPN configuration.
If this IP phone company is any use at all, they'll be able to configure a site-to-site VPN between an endpoint on their network and the client site, meaning no client software needed. Obviously, full connectivity would not be permitted; I don't understand why you're making a big hoopla about that, with your bold letters and mention of viruses. Only traffic on specific ports/services should be permitted from the monitoring company, and ideally the video equipment should be in a DMZ (you got that bit right, at least).
While this could technically be done by opening access from the monitoring company's public IP range in (assuming the cameras and/or monitoring system support encrypted sessions), a VPN would be a cleaner and safer way of doing things.
SO... you are saying that I, as a CCTV monitoring company, should have the possibility of installing VPN tunnel(s) (site-to-site OR gateway-to-gateway) for every site that has my equipment installed!? Forget it...
Also, if it is in the DMZ... why would you need a VPN???
Also, setting ports and restrictions and basically policy NAT-ing the VPN... what's the point of having a VPN link!? Same as an IP-to-IP and port-filtering-based solution!
I'll get back to that CCTV installer company of mine and check how they work in these scenarios...
Also, it would be very 'nice' if the OP could give us an update here AS, despite technical solutions being possible in various combinations (in bold letters or not), I reckon it is VERY much determined by the type, capability, knowledge, equipment and cost coming from the whole installation's scope and budget...
So... we can all be right, all of us... all giving free advice here AND taken as free advice!!
In the meantime, have a nice Paddy's Day... I have two myself!!!
Re my VPN skills, we can have a chat in private and trust me, you'll be disappointed!!..
Not sure but... does bold mean anything to readers? I thought THIS MEANS SHOUTING!! Sorry...
Let's say that the OP's office LAN is 192.168.1.x/24.
In my office's router/firewall I set up a site-to-site VPN, assuming that his IP address is already static.
Then, somehow, I have to create a rule in my routing table saying that ALL traffic with a destination of 192.168.1.x coming from my CCTV company LAN of 10.1.1.x/24 should use this VPN tunnel, establish it and keep it alive! All OK so far.
Also, from my Cisco & SonicWall, I understood that the VPN is treated as a safe, trusted zone (I can be wrong here), so NAT and/or policy can be ignored (I can be wrong here)... so all site-to-site VPN traffic is trusted! You can go on ACL, per IP and port... correct... hmmm
...but what if their router is not so smart!??
...a l s o...
What if I, as a CCTV company, have to install another system in another site... and... it has the same IP range... am I going to change their IP addressing just to get my VPN working for a port in for the DVR!??? Or the OP's site...
Install the VPN client only on one PC in the monitoring station, but then... how does the central crawling monitoring agent know to use that PC, or connect and process the external monitored data and line status... lost here!
Yes, that's exactly what I'm saying. VPN-capable gateway devices are very common, and any responsible company that connects remotely to a client over the internet should use one. It's 2012 - even consumer-grade home routers now commonly support IPSec tunnels. A site-to-site IPSec VPN can be built in a couple of minutes by someone who knows what they're doing. I do exactly this kind of work very regularly (contracted by various support companies that need remote access to client sites).
The DMZ is for protecting the internal network. External access to your internal LAN should never be given to a third party if it can possibly be avoided. The VPN is for protecting the traffic in transit. Simply using port filtering to limit inbound traffic from the internet is absolutely not the same thing as using a VPN. Not even close. An IPSec VPN can provide authentication, confidentiality and integrity protection to monitoring traffic all in one go.
You don't need a static IP for a site-to-site VPN. IKE authentication can be done with other information, provided the dynamic peer initiates the process.
Yes, it can be, but this kind of configuration should only ever be used for VPNs to trusted sites. ACLs should be used for tunnels to untrusted third parties. The VPN does not need to be terminated on the OP's border router - if he uses iRock's suggestion of an OpenVPN appliance or image, this can be used for VPN and firewalling purposes.
You can either use NAT to work around this problem, or get the client to set up a new network/VLAN specifically for use with the camera equipment (which they should be doing anyway for security).
This would not be an appropriate solution. The most sensible configuration would be a site-to-site VPN.
No offence, but I have my doubts, as you seem to have been quite confused by a lot of what has been said so far. You seem to understand basic networking, but you're fuzzy on security.
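The overlapping-subnet objection raised earlier in the thread (two client sites both using 192.168.1.x/24) and the reply's answer to it (NAT at the VPN boundary, or a dedicated camera VLAN on the client side) are worth seeing concretely, so here is an added example, not from any poster in this thread, of the NAT option: the monitoring company assigns each site its own unique /24 and translates the site's real range into it one-to-one, preserving the host part, so its routing table and ACLs can refer to each client unambiguously. The site names, the 10.200.x.0/24 translated ranges and the second client site are all constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed site table. Both clients happen to use 192.168.1.0/24 (the collision
# raised in the thread); each is given a unique translated range on the monitoring
# company's side. Site names and 10.200.x.0/24 ranges are placeholders.
SITES: Dict[str, Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]] = {
    "client-a": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.200.1.0/24")),
    "client-b": (ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.200.2.0/24")),
}


def check_table(sites: Dict[str, Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]) -> List[str]:
    """Validate the table: translated ranges must be unique and match the real range's size.

    Returns the list of problems found (empty means the table is usable)."""
    problems: List[str] = []
    seen: List[Tuple[str, ipaddress.IPv4Network]] = []
    for name, (real, translated) in sites.items():
        if real.prefixlen != translated.prefixlen:
            problems.append(f"{name}: real {real} and translated {translated} differ in size")
        for other_name, other in seen:
            if translated.overlaps(other):
                problems.append(f"{name}: translated {translated} overlaps {other_name}")
        seen.append((name, translated))
    return problems


def to_translated(site: str, real_ip: str) -> str:
    """Map an address on the site's real LAN to its translated address (host part preserved)."""
    real, translated = SITES[site]
    ip = ipaddress.ip_address(real_ip)
    if ip not in real:
        raise ValueError(f"{real_ip} is not inside {site}'s LAN {real}")
    offset = int(ip) - int(real.network_address)
    return str(translated.network_address + offset)


def from_translated(translated_ip: str) -> Tuple[str, str]:
    """Resolve a translated address back to (site, real address) for the return path."""
    ip = ipaddress.ip_address(translated_ip)
    for site, (real, translated) in SITES.items():
        if ip in translated:
            offset = int(ip) - int(translated.network_address)
            return site, str(real.network_address + offset)
    raise ValueError(f"{translated_ip} belongs to no known site")


if __name__ == "__main__":
    for problem in check_table(SITES):
        print("table problem:", problem)
    # The same real NVR address at two sites now has two distinct addresses
    # on the monitoring side, so routes and ACLs no longer collide.
    for site in SITES:
        t = to_translated(site, "192.168.1.10")
        print(f"{site}: 192.168.1.10 -> {t} -> {from_translated(t)}")
```

Because the mapping is one-to-one and keeps the host offset, the monitoring side's ACL can still be as narrow as the DMZ design requires (one translated address, the NVR's ports only); the translation changes only where the address lives, not how much of the client network the tunnel exposes.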