257 points voxadam | 18 comments
    skopje ◴[] No.45663732[source]
PoE is awesome. My custom home security system is all CCTV PoE with a gstreamer backend running on a four-core fanless Linux box. Way to go. Complete control. No batteries, no wares spying on me, no personal data getting scraped by big guys. (Cloud connectivity sucks because I have segmented mp4s and jogging through them hurts, but I only care for events after they happen, not while they happen.)
    replies(6): >>45663770 #>>45664711 #>>45664915 #>>45665099 #>>45665193 #>>45667449 #
    1. benhurmarcel ◴[] No.45667449[source]
    If one of those cameras is outside, did you consider the case of someone plugging in his laptop on that ethernet cable? He'd be on your local network.
    replies(6): >>45667551 #>>45667567 #>>45667989 #>>45669412 #>>45671399 #>>45672136 #
    2. teddyh ◴[] No.45667551[source]
    Zero-trust networking.
    3. matt-p ◴[] No.45667567[source]
    You would normally put CCTV on its own vlan for this reason.
    replies(1): >>45668917 #
    4. transpute ◴[] No.45667989[source]
    MACsec, https://forum.openwrt.org/t/macsec-802-1ae-with-802-1x-eapol...
    replies(1): >>45668639 #
    5. bc569a80a344f9c ◴[] No.45668639[source]
MACsec is irrelevant for this purpose. MACsec encrypts point-to-point links; it doesn't authenticate. That's what 802.1X is for.
    replies(1): >>45670987 #
    6. EvanAnderson ◴[] No.45668917[source]
    Absolutely. Ideally one with Private VLAN[0] functionality and an upstream router configured to allow the CCTV server to pull video streams from the camera while disallowing any outbound communications from the cameras themselves.

    [0] https://en.wikipedia.org/wiki/Private_VLAN

    7. tehlike ◴[] No.45669412[source]
    Vlan is the answer.
    replies(1): >>45669481 #
    8. beala ◴[] No.45669481[source]
    This is a pretty significant lift for most home networks, both in terms of cost and complexity, but I agree it’s the right way to go. If you’re upgrading to a PoE switch, you might as well go all the way and make it a managed switch.
    replies(2): >>45670986 #>>45671789 #
    9. thmsths ◴[] No.45670986{3}[source]
I would assume that putting a router between the PoE switch and the rest of the network would work too, and basic routers are cheap.
    10. RationPhantoms ◴[] No.45670987{3}[source]
    No it isn't. Most MACsec-capable platforms have a "must-secure" or "should-secure" transmission mode.

    If the security association isn't completed on a "must-secure" configured port then no traffic is transmitted. One would need access to the pre-shared keys to successfully use the link.

    Now, could one perform a side-channel attack of the memory on the camera and get access to them? Maybe.

    replies(2): >>45672024 #>>45682432 #
    11. bityard ◴[] No.45671399[source]
    If someone can roll up to your property undetected and get physical access to the network, then the security cameras aren't even doing their job.
    12. mmmlinux ◴[] No.45671789{3}[source]
When you get to the point of building out your own IP security camera system and then worrying that some hacker is going to roll up and plug in to one of your cameras, you probably already have VLANs going.
    replies(1): >>45682143 #
    13. mkipper ◴[] No.45672024{4}[source]
    This is veering into pedantry, but from what I can understand of that setting (I'm not a sysadmin guy but have used MACsec on embedded stuff), that's just as much of an 802.1X feature as a MACsec feature.

    Sure the switch will only accept encrypted L2 traffic...but that encrypted link is set up via MKA, which is a part of the 802.1X standard. If you don't have 802.1X authenticating the endpoint, you don't have MKA setting up the encrypted link between that endpoint and the switch and you don't have MACsec.

So if you're trying to prevent a bad guy from getting on your LAN, you need 802.1X, whereas MACsec is an optional extra (a very useful extra if you're worried about MITM attacks). But 802.1X is still doing the heavy lifting w.r.t. access control.

    replies(2): >>45672329 #>>45681384 #
    14. nucleardog ◴[] No.45672136[source]
    I did. Implemented a "simple" solution (simple for anyone who is going to be setting up their own IP camera system and NVR):

    Cameras are on their own VLAN. Port isolation is enabled so they can't connect to each other. Only connectivity allowed to/from that VLAN is from the cameras to the router for NTP, and from the NVR to the cameras.

    So if you plug in you can... check the current time on my router. Maybe see how many other cameras are on that segment? Likely not going to get very far given you're already caught on camera, an alert's been fired, and pretty soon I'm going to be making a call to the police.

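The VLAN-plus-firewall design described in comments 6 and 14 above, written out as an nftables ruleset on the router. This is an added example, not either commenter's actual configuration. The interface names (vlan30, br-lan, wan0), the camera subnet, the NVR address and the camera-side ports (RTSP on 554, web UI on 80/443) are assumptions; adjust them to your network. Note that this only governs traffic crossing the router: keeping cameras from talking to each other inside the VLAN is done on the switch (port isolation or a private VLAN), not here.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed names and addresses:
#   vlan30        router interface on the camera VLAN (router is 10.30.0.1)
#   10.30.0.0/24  camera subnet
#   br-lan        trusted LAN interface; the NVR lives at 10.10.0.5
#   wan0          upstream interface

define CAM_IF  = "vlan30"
define CAM_NET = 10.30.0.0/24
define LAN_IF  = "br-lan"
define NVR_IP  = 10.10.0.5
define WAN_IF  = "wan0"

table inet camera_policy {
    chain input {
        type filter hook input priority 0; policy accept;

        # Packets from the camera VLAN addressed to the router itself.
        iifname $CAM_IF jump cam_to_router
    }

    chain cam_to_router {
        ct state established,related accept
        # NTP is the only router service the cameras may use.
        ip saddr $CAM_NET udp dport 123 accept
        # Optional: DHCP, if the cameras are not statically addressed.
        udp sport 68 udp dport 67 accept
        # Everything else is logged (rate-limited) and dropped; the log line
        # is the "someone plugged into the camera port" signal.
        limit rate 5/minute log prefix "cam-vlan input drop: "
        drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Return traffic for sessions that were explicitly allowed below.
        ct state established,related accept

        # Only the NVR may open connections to the cameras.
        iifname $LAN_IF oifname $CAM_IF ip saddr $NVR_IP ip daddr $CAM_NET \
            tcp dport { 80, 443, 554 } ct state new accept

        # No camera-initiated sessions anywhere (LAN or internet), and no
        # other LAN host may reach the cameras.
        iifname $CAM_IF limit rate 5/minute log prefix "cam-vlan forward drop: "
        iifname $CAM_IF drop
        oifname $CAM_IF drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: with this policy in place, a laptop on a camera port can reach the router's NTP service and nothing else, and every other attempt shows up as a logged drop.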
    15. brohee ◴[] No.45672329{5}[source]
802.1X-2010 includes MACsec. 802.1X without MACsec (802.1X-2002, IIRC) is mostly a joke: you just get a legit device to open the port...
    16. eqvinox ◴[] No.45681384{5}[source]
    > This is veering into pedantry,

    It's not veering, it's a full on car crash ;)

    You run MACsec either with 802.1X, or with your switch vendor's favorite color of proprietary switch-to-switch 802.1X replacement. MACsec without 802.1X [or equivalent] is a bit like TLS without certificates. It exists in a few places because some people have really weird custom requirements (TLS with pre-shared keys… TLS with NULL encryption…) but those things shouldn't drive a discussion outside their special usage areas.

    In that sense: MACsec implies and requires 802.1X. Exceptions confirm the rule.

    17. tehlike ◴[] No.45682143{4}[source]
The more likely scenario is camera firmware being compromised and either allowing outbound or inbound connections, either of which can be prevented with a firewall + VLAN.
    18. graealex ◴[] No.45682432{4}[source]
    What's everyone here talking about?

    The absolute low-tech solution would be to dedicate a switch for it.

    If you have decent infrastructure with a managed switch, you can easily create a VLAN.

Besides, the female RJ45 is usually inside the dwelling. You'd have to unmount the camera, pull out the cables and connect to it, all at typical heights of 6' and above. That's maybe a concern in commercial setups, although then we're circling back to VLANs.