MinimalTech

Junior Member
Dec 11, 2017
3
0
1
I am getting ready to deploy a new network in my business. I have everything basically thought out and know how to go about it. I have a POS system, guest WiFi, regular WiFi and the IP cameras. I am going to put each of those on their separate VLANs. The only thing I am having difficulty wrapping my head around is that I will need to access the IP camera VLAN via WiFi to view the cameras. How? If I open the WiFi to that VLAN, wouldn't that defeat the reason for the VLAN?

If you need any more information please just ask. Just trying to start a dialog here.
 

bfun_x1

Senior member
May 29, 2015
475
155
116
VLANs are an important part of security but their real purpose is to break the LAN up into smaller chunks and eliminate network congestion. The router is what will connect all the VLANs together and you'll most likely use the firewall/router to control who gets to talk to who across the VLANs. You'll need to think about how the rules will work. For example, you'd probably want to make a rule to deny anything from the guest VLAN from reaching anything but the Internet. This may even be the default behavior of your Ubiquiti system. Then, you may want to make some rules to deny everything except your PC from reaching the video VLAN. Anything should be possible.
 

mv2devnull

Golden Member
Apr 13, 2010
1,511
149
106
VLANs are an important part of security but their real purpose is to break the LAN up into smaller chunks and eliminate network congestion. The router is what will connect all the VLANs together ...
A subnet (aka LAN) is a group of devices that can see/talk with each other directly. A router is a device that is a member of two or more subnets and does route (aka forward) traffic between those subnets. A router can be selective about what it does forward.

Keeping something like cameras in a subnet of their own is good security. It would be "nice" to lay dedicated cabling and switches for each subnet. If you can configure a switch to host different subnets on different ports, i.e. keep subnets separate despite passing through the same hardware, then you need fewer switches and have VLANs. Furthermore, switches and routers that support VLANs can pass traffic of multiple subnets through one shared wire while maintaining the separation. A VLAN is a LAN.

Yes, (most of) Ubiquiti gear should be sufficiently configurable.
 

MinimalTech

Junior Member
Dec 11, 2017
3
0
1
A subnet (aka LAN) is a group of devices that can see/talk with each other directly. A router is a device that is a member of two or more subnets and does route (aka forward) traffic between those subnets. A router can be selective about what it does forward.

Keeping something like cameras in a subnet of their own is good security. It would be "nice" to lay dedicated cabling and switches for each subnet. If you can configure a switch to host different subnets on different ports, i.e. keep subnets separate despite passing through the same hardware, then you need fewer switches and have VLANs. Furthermore, switches and routers that support VLANs can pass traffic of multiple subnets through one shared wire while maintaining the separation. A VLAN is a LAN.

Yes, (most of) Ubiquiti gear should be sufficiently configurable.

Could I, for instance, have computer A on VLAN A and have a computer access VLAN A while connected to VLAN B via WiFi? Possibly on a MAC address online basis... Hope that's clear.
 

bfun_x1

Senior member
May 29, 2015
475
155
116
Being able to permit and deny traffic between the VLANs should absolutely be possible. How it's done will depend on the Ubiquiti equipment. Typically a router isn't going to let you filter traffic by MAC address. What you'll most likely need to do is assign a static IP address to the MAC address in the DHCP config and then do all the routing and filtering you want with that assigned IP address. That's still not going to be 100% secure but it's a good step to stopping anyone on the same VLAN from trying to connect to the camera. Your rules will basically be this: Permit Static IP to Camera VLAN, Deny all traffic to Camera VLAN. The first rule lets your static IP assigned to your MAC address through to the camera. The second rule blocks everything else.
 

mv2devnull

Golden Member
Apr 13, 2010
1,511
149
106
Two LANs, A and B. Router X connected to both. Device T on LAN A can connect to device U in LAN B, if
(1) T has a route that tells it to send to subnet B via member X of subnet A
(2) X is willing to forward packets from A to B (and replies back).

The second, routing, is primarily by IP addresses, although MAC can be checked somewhat.
An attacker can fake both IP and MAC.
 

Red Squirrel

No Lifer
May 24, 2003
68,461
12,613
126
www.anyf.ca
What I would do is put the DVR on the normal network, and allow access to that from the WiFi, but only allow the DVR to access the cameras, nothing else. This can be a rule at the VLAN level that allows the DVR's IP to connect to the cameras' ports. Also, do not allow the camera VLAN to have ANY access to the internet or network, as it won't need to, and it will prevent any oddity like cameras that may try to "call home" or if an intruder happens to plug something into a camera's port to try to get on your network.

Optionally, if you will always be using the same WiFi device, assign a static IP to it, and only let that IP access the DVR as well. Keep in mind that won't stop someone from manually setting a static, but it will add an extra layer of security. Of course, only put it on your own WiFi and not the guest one.

For the sake of security though I would personally try to avoid needing to use WiFi to access the cameras; then you won't have to worry.

Of course, also avoid wireless cameras. You need a power source anyway, so it makes sense to use PoE cameras; then your data and battery backed up power is in one single cable going to a central closet.
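
The permit-then-deny rules bfun_x1 describes and the DVR-in-the-middle layout from the post above can be checked before they go on a router. The following is an added example, not code from any poster or from Ubiquiti: a small first-match rule evaluator in Python. The subnets, host addresses, ports and the separate wired "office" VLAN for the DVR are all constructed assumptions.

```python
import ipaddress

net = ipaddress.ip_network
# Constructed addressing plan; subnets, hosts and ports are assumptions.
OFFICE, GUEST, WIFI, CAMERAS = (net(f"10.0.{n}.0/24") for n in (10, 20, 30, 40))
INTERNAL = net("10.0.0.0/16")
ANY = net("0.0.0.0/0")
DVR = net("10.0.10.5/32")      # recorder on the wired "normal" network
VIEWER = net("10.0.30.50/32")  # DHCP reservation for the owner's WiFi device

# (action, source, destination, dest port or None for any port).
# Evaluated top to bottom for NEW connections; replies are assumed to be
# allowed by the router's connection tracking.
RULES = [
    ("permit", DVR,     CAMERAS,  554),   # DVR pulls RTSP streams
    ("deny",   ANY,     CAMERAS,  None),  # everything else to the cameras
    ("deny",   CAMERAS, ANY,      None),  # cameras initiate nothing ("call home")
    ("permit", VIEWER,  DVR,      443),   # owner's device to the DVR web UI
    ("deny",   ANY,     DVR,      None),  # no other routed access to the DVR
    ("deny",   GUEST,   INTERNAL, None),  # guests reach the Internet only
    ("permit", ANY,     ANY,      None),
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching a new connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, dst_port in rules:
        if s in src_net and d in dst_net and dst_port in (None, port):
            return action
    return "deny"  # implicit default deny if nothing matched

def audit(rules):
    """Run the flows the thread cares about and return their verdicts."""
    flows = {
        "dvr->camera rtsp":      ("10.0.10.5", "10.0.40.11", 554),
        "viewer->camera direct": ("10.0.30.50", "10.0.40.11", 554),
        "viewer->dvr ui":        ("10.0.30.50", "10.0.10.5", 443),
        "other wifi->dvr ui":    ("10.0.30.77", "10.0.10.5", 443),
        "guest->camera":         ("10.0.20.9", "10.0.40.11", 80),
        "guest->internet":       ("10.0.20.9", "203.0.113.10", 443),
        "camera->internet":      ("10.0.40.11", "203.0.113.10", 443),
    }
    return {name: decide(rules, *flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, verdict in audit(RULES).items():
        print(f"{name:24} {verdict}")
```

Swapping the first two rules makes the DVR lose its camera access, which is why the permit has to sit above the deny. The viewer permit matches on source address alone, so it identifies an address, not a person.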
 