0

I need to set up a home security system based on IP cameras that are connected via LAN cable (wire because it cannot be jammed from a distance as it would be possible with WiFi). I need to access the camera data and control their motors via LAN from my computer and the home security server. The problem I see here is that due to having the cameras outside I expose my LAN cables directly to the outer world, which is a very bad idea, because I only have one physical network at home where all devices are attached to, right now including my computers, data server, router, mobile devices (via WiFi bridge) and the cameras.

I have the same issue with a LAN-cable-driven doorbell (with camera), where the doorbell is located some meters away from the house.

What options do I have to make the exposed LAN cable unusable for visitors? Any other ideas?

4 Answers

1

Check if your router has a MAC address whitelist.

That would let you restrict what can connect; however, someone determined to gain access that way would also probably be capable of getting the MAC address from the security devices.

You could see if there is any possibility of limiting specific devices/IP addresses to only certain routes (but that's a much more complicated issue to work out).

Tetsujin
0

As you can't physically protect the cable, you need to protect the software that is listening on the other side and isolate it from the rest of the network. This is because you can't know which vulnerabilities this software could have.

You may use either a virtual machine, or enclose the program in a sandbox using a product such as Sandboxie.

harrymc
0

> I only have one physical network at home where all devices are attached to, right now including my computers, data server, router, mobile devices (via WiFi bridge) and the cameras.

Start with that first. "Physical" is not exactly the problem, but your first step would be to divide the network into multiple IP subnets. A decent router (and usually some VLAN-capable switches) would allow that.

For example, either one of the router's ports could be dedicated to the "camera" subnet that goes to its dedicated switch (capabilities don't matter), or the router could have a VLAN and the switch (needs to be 802.1Q VLAN capable) would separate the "camera network" ports from the "main network" ports.

Communications between subnets separated this way always go through the router, so it would become possible to set up firewall filter rules on the router that allow your computer to reach the camera subnet but not the other way around.

(This could also be achieved with multiple routers chained, if you really want to do it that way, though it would still need the "camera" router to have at least some firewall configurability.)

u1686_grawity
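
The one-way filter rule described in the answer above, written as an nftables ruleset for a Linux-based router. This is an added example, not part of the original answer; the interface names `lan0` (main network) and `cam0` (camera subnet or VLAN interface) and the table name are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Assumed names: lan0 = main network, cam0 = camera subnet
# (a dedicated router port, or a VLAN sub-interface on an 802.1Q trunk).
define MAIN_IF = "lan0"
define CAM_IF  = "cam0"

table inet camera_isolation {
    # Routed traffic between subnets.
    # Policy is accept so this table only adds restrictions for the camera
    # side: a drop here is final, while an accept still lets the packet be
    # judged by any other forward chain the router already has.
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Reply packets of connections that were allowed to start.
        # Without this, camera video could never flow back to the computer.
        ct state established,related accept

        # New connections from the main network to the cameras.
        iifname $MAIN_IF oifname $CAM_IF accept

        # Anything that starts on the camera cable is logged, then dropped.
        # This covers a device plugged into the outdoor cable as well.
        iifname $CAM_IF limit rate 5/minute log prefix "cam-fwd-drop: "
        iifname $CAM_IF drop

        # No other subnet may open connections to the cameras.
        oifname $CAM_IF drop
    }

    # Traffic addressed to the router itself (admin UI, SSH, DNS, ...).
    chain input {
        type filter hook input priority 0; policy accept;

        # Replies to connections the router itself opened.
        iifname $CAM_IF ct state established,related accept

        # DHCP for the cameras; delete this rule if they use static addresses.
        iifname $CAM_IF udp dport 67 accept

        # The camera side gets no other access to the router.
        iifname $CAM_IF drop
    }
}
```

Loading it with `nft -f` and then trying to reach a main-network host from a laptop plugged into a camera port is a quick way to confirm the drop rules are in effect.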
0

There are 2 parts to this:

  1. Securing the LAN from an intruder who gets access to the LAN and is trying to sniff around. This is already covered by the other answers.
  2. Securing the physical cable from an intruder trying to plug in his/her own device in order to get to point 1).

You will have to do both to be really on the safe side.

As for the physical access.
Most wired IP cameras have some kind of mechanical construction that locks the RJ45 connector in place. Usually the camera is screwed or bolted on a bracket (or mount plate) and the RJ45 plug is covered by the bracket itself. This makes it impossible to unplug the cable without being filmed by the camera itself, while you are messing with the camera.
You can just run an (outdoor-rated) cable in plain sight, but it is better to run the cable through an (ideally buried) metal conduit or pipe to limit access to it as much as possible.
If cables are accessible there is always the risk that someone cuts the cable, crimps on a new RJ45 connector, and then uses that cable to plug in his own device.
That is a lot of effort though and it isn't very likely anyone will be doing that.
But you can't really prevent/stop anyone who is determined enough to make the attempt.
That is why you also need to do the LAN separation and why it is always a good idea to have multiple cameras that cover each other (and the cable runs), so you have the intruder on camera if they make an attempt.

Still: if you are a high enough risk-profile target to warrant an attacker going to such lengths, you shouldn't be posting here for advice, but should hire a professional security firm.

Tonny