By Ciaran Gillespie, Solutions Engineer
Each wired network device, such as PCs, Switches, IP Phones, and Cameras will be wired back to a type of network switch commonly known as the “Access Switch”. These switches are at the inner edges of the network, acting as the interface between the end devices and the corporate network. Due to the nature of these switch ports being physically accessible to end-users and bad actors, this can pose a threat to your network security. As a part of your security strategy, you should consider the risks associated with exposed access ports, and how you should secure them.
Some of the common methods to secure access ports are:
- 802.1x: Authenticates the device or user against a central authentication server
- MAB: MAC Authentication Bypass, a method of authenticating devices that do not support 802.1x
- Port-security: The switch port is assigned one or a couple of MAC addresses and devices with different MACs are not allowed
The switch ports IP cameras connect to are often overlooked, but it is still important to secure them, as the underlying infrastructure could be vulnerable to attack. This is especially true in some older on-prem systems where security flaws can go unpatched for some time. Aside from some technical security methods, the physical security aspect should also be considered as this is often the first line of defense.
802.1x (sometimes shortened to dot1x) is the most advanced authentication method out of the above options. This protocol offers a high level of security but can also be complex to setup. Using dot1x requires the maintenance of authentication infrastructure such as RADIUS or TACACS+ servers, which can sometimes be complex depending on the level of redundancy.
The main benefit of using dot1x is that the user/device credentials are centrally managed, so these can be added/revoked at a single point. It also supports a range of authentication methods which makes it an extremely flexible protocol. Some of the common authentication methods include:
- Device/user certificates with EAP-TLS
- WebAuth, where the user is directed to a browser for login
- P-EAP where the user is authenticated with user/device credentials
One of the drawbacks of using 802.1x in CCTV deployments is the complex configuration needed for each individual camera. You’ll need to issue credentials or certificates to each camera and have these settings configured on each device along with the infrastructure to support it. This can quickly become difficult to maintain with a large-scale CCTV deployment. In addition, certificates have an expiry date and have to be refreshed before this point is reached.
MAB, or MAC Authentication Bypass, is an authentication method commonly used in conjunction with 802.1x deployments, to allow devices that do not support 802.1x methods to connect to the network.
MAB works by first checking if the connected device is 802.1x compliant, by trying to initiate an authentication session, and afterward falling back to MAB in case the initial try fails. With MAB, the MAC addresses of the cameras will be stored in a central database, often within a RADIUS server, where the username/password is simply the MAC address of the device.
The benefit of this method is that it’s easy to configure if you already have 802.1x infrastructure and need a bypass method for unsupported devices. The downside is that MAC addresses are easy to spoof, so attackers can use this to bypass the authentication.
Read more about using Verkada cameras with MAB here
Port-security is one of the most basic methods of securing access ports, but it’s pretty effective if you need basic security with little to no additional infrastructure. In its most simple form, port security works by defining a MAC address under the switch port configuration. If a device connects and the MAC address does not match the configured value, the switch port will be shut down until an administrator re-enables the port. There are additional configuration options with port security to streamline this process, such as auto recovery, meaning that the port will re-activate after a pre-defined period of time. This can help reduce the workload on the administrator.
The benefit of port security is that most switches will support this basic feature. There is no additional infrastructure to maintain like with 802.1x and MAB, but managing configurations on a switch-by-switch basis vs centrally, can increase administration overhead. This is manageable in a smaller-scale environment, but this does not scale well across a large, distributed environment. Port-security is also vulnerable to the same issue as MAB - the MAC can be spoofed.
Physical Security Recommendations
Preventing physical access to network infrastructure is also very important in a CCTV deployment. If infrastructure like network jacks, switch cabinets, and cables are exposed, it leaves them vulnerable to tampering, which can render a single camera, or in the worst case, the whole network, unusable or subject to further cyber attacks.
A general rule of thumb for physical network security is to keep cables protected. In a bad CCTV installation, the cables can be easily reached and tampered with, allowing an attacker to cut the cable and disable the camera. These should be run through conduit, or within walls, never within reaching distance. You should also keep network jacks out of reach, so attackers cannot unplug your devices to plug in their own. If a jack is not in use ensure the switch port is disabled, or unpatched.
Network cabinets containing switches are extremely vulnerable if an attacker can gain access. Once physical access to the switch is obtained, one can pull the power cable to disable all cameras connected to that switch. Physical access also gives access to the console ports and other switch ports, which can pose further risks. Always keep network racks locked in a secure area, ideally covered by access control and CCTV. Power sockets and power switches should not be exposed and in the case of smaller remote cabinets, these should be mounted high and out of reach or in a secure IDF closet.
Finally, cameras should be fitted with security torx screws to prevent someone from easily taking them off the wall and gaining access to the network wiring, and in the case of Verkada cameras, they should have tamper alerts enabled to notify the administrator if physical tamper is detected.