Network security

There are different levels of security when it comes to securing information sent over IP networks. The first is authentication and authorization: the user or device identifies itself to the network and to the remote end, typically with a username and password, which are verified before the device is admitted to the system. Added security is achieved by encrypting the data so that others cannot read or tamper with it in transit. Common methods are HTTPS (HTTP carried over SSL/TLS), VPN and, in wireless networks, WPA; WEP, the older wireless scheme, has well-known weaknesses and should not be relied on. Encryption adds processing overhead and can slow down communications, depending on the implementation and the algorithms used.

Username and password authentication

Username and password authentication is the most basic method of protecting data on an IP network and may be sufficient where high levels of security are not required, or where the video network is segmented off from the main network and unauthorized users have no physical access to it. The password can be sent in the clear or protected, either by sending only a hash of it (HTTP Digest authentication) or by carrying the whole exchange inside an encrypted HTTPS session. The protected forms should be used: a password sent in the clear can be captured by anyone able to observe the traffic.

Axis network video products provide multi-level password protection. Three levels are available: Administrator (full access to all functionality), Operator (access to all functionality except the configuration pages) and Viewer (access to live video only).
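The difference between a password sent in the clear and one sent as a hash is easiest to see in the two HTTP authentication schemes a browser or video management server can use against a camera. The following Python is an added example written for this page (it is not Axis code and makes no claim about which schemes a given product supports): it shows that a captured HTTP Basic header yields the password directly, while HTTP Digest (RFC 2617, qop=auth) sends only an MD5 over the password and a server nonce, so the server can verify it without the password crossing the wire and a captured response cannot be replayed once the nonce is spent. The realm, user name, URI and one-time-nonce policy are assumptions made for the example; real servers also allow nonce reuse with an increasing nc counter.

```python
import base64
import hashlib
import hmac
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_authorization(username: str, password: str) -> str:
    """Authorization header value for HTTP Basic (RFC 7617).

    The credentials are only base64-encoded, not encrypted: anyone who can
    capture the request recovers the password directly."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def eavesdrop_basic(header_value: str) -> str:
    """What a passive attacker learns from a captured Basic header."""
    return base64.b64decode(header_value.split(" ", 1)[1]).decode()


def digest_response(username, password, realm, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    """Client side of HTTP Digest (RFC 2617, qop=auth).

    Only an MD5 that mixes the password with the server's nonce is sent;
    the password itself never leaves the client."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side of Digest authentication (example only).

    Stores HA1 instead of the password (note: HA1 is still password-equivalent
    for this realm, so it must be protected), issues a fresh nonce for every
    challenge and refuses a nonce that has already been used, so a captured
    response cannot simply be replayed. Assumed simplification: one use per
    nonce instead of an nc counter."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self._ha1 = {u: _md5(f"{u}:{realm}:{p}") for u, p in users.items()}
        self._live_nonces = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, cnonce, response,
               nc="00000001", qop="auth") -> bool:
        if nonce not in self._live_nonces:
            return False                # unknown, expired or replayed nonce
        self._live_nonces.discard(nonce)
        ha1 = self._ha1.get(username)
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # Constructed sample credentials and realm, not taken from any product.
    hdr = basic_authorization("root", "s3cret")
    print("Basic header on the wire:", hdr)
    print("Recovered by an eavesdropper:", eavesdrop_basic(hdr))
    srv = DigestServer("camera", {"root": "s3cret"})
    n = srv.challenge()
    r = digest_response("root", "s3cret", "camera", "GET", "/view", n, "c1")
    print("Digest response on the wire:", r)
    print("First use accepted:", srv.verify("root", "GET", "/view", n, "c1", r))
    print("Replay accepted:", srv.verify("root", "GET", "/view", n, "c1", r))
```

Digest still relies on MD5 and offers no protection against an active attacker who can alter the request, so where the camera supports HTTPS the sensible configuration is Digest (or Basic) inside TLS rather than either scheme on its own.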

IP address filtering

Axis network video products provide IP address filtering, which grants or denies access to defined IP addresses. A typical configuration is to allow only the IP address of the server hosting the video management software to access the network video products. IP address filtering is a useful complement to authentication but not a replacement for it: source addresses can be spoofed, and a device on the same segment that takes over the allowed address would pass the filter. It should therefore be combined with user authentication and, where available, IEEE 802.1X.

IEEE 802.1X

Many Axis network video products support IEEE 802.1X, which authenticates devices attached to a LAN port. The switch port carries only authentication traffic until the attached device has authenticated; if authentication fails, the port stays closed to all other traffic. IEEE 802.1X thus prevents what is called “port hijacking”, where an unauthorized computer gets onto a network simply by plugging into a network jack inside or outside a building. This is useful in network video applications since network cameras are often located in public spaces, where an openly accessible network jack can pose a security risk. In today’s enterprise networks, IEEE 802.1X is becoming a basic requirement for anything that is connected to a network.

In a network video system, IEEE 802.1X can work as follows: 1) a network camera sends a request for network access to a switch or access point; 2) the switch or access point forwards the query to an authentication server, for instance a RADIUS (Remote Authentication Dial-In User Service) server such as a Microsoft Internet Authentication Service (IAS, since succeeded by Network Policy Server) server; 3) if authentication is successful, the server instructs the switch or access point to open the port so that data from the network camera can pass through the switch and be sent over the network.

Figure 9.5a: IEEE 802.1X enables port-based security and involves a supplicant (e.g., a network camera), an authenticator (e.g., a switch) and an authentication server. Step 1: network access is requested; step 2: the query is forwarded to an authentication server; step 3: authentication succeeds and the switch is instructed to allow the network camera to send data over the network.
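The three-party exchange above, as an added example written for this page (not Axis code, and not a real switch or RADIUS implementation): a supplicant (the camera), an authenticator (the switch, which keeps each port in the unauthorized state until told otherwise) and an authentication server that alone holds the credentials. The EAP method simulated is EAP-MD5 (RFC 3748 section 5.4, response = MD5(identifier || password || challenge)), chosen only because it fits in a few lines; it provides no server authentication and its challenge/response pairs are open to offline dictionary attacks, so real deployments use certificate-based EAP-TLS or a tunnelled method such as PEAP. Device names, passwords and port numbers are constructed for the example.

```python
import hashlib
import hmac
import secrets


class Supplicant:
    """The device asking for network access, e.g. a network camera.
    Speaks EAP-MD5: the password is never sent, only
    MD5(eap_id || password || challenge)."""

    def __init__(self, identity: str, password: bytes):
        self.identity = identity
        self._password = password

    def response_identity(self) -> str:          # EAP-Response/Identity
        return self.identity

    def response_md5(self, eap_id: int, challenge: bytes) -> bytes:
        # EAP-Response/MD5-Challenge (RFC 3748 section 5.4)
        return hashlib.md5(bytes([eap_id]) + self._password + challenge).digest()


class RadiusServer:
    """Authentication server. Holds the credential database and decides
    Access-Accept / Access-Reject; it never talks to the supplicant directly."""

    def __init__(self, users: dict):
        self._users = users          # identity -> password (constructed sample data)
        self._pending = {}           # identity -> (eap_id, challenge) awaiting an answer

    def access_challenge(self, identity: str):
        # Challenge even unknown identities so the reply does not reveal
        # which user names exist.
        eap_id = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)
        self._pending[identity] = (eap_id, challenge)
        return eap_id, challenge

    def access_request(self, identity: str, eap_id: int, response: bytes) -> bool:
        pending = self._pending.pop(identity, None)
        password = self._users.get(identity)
        if pending is None or password is None or pending[0] != eap_id:
            return False                                   # Access-Reject
        expected = hashlib.md5(bytes([eap_id]) + password + pending[1]).digest()
        return hmac.compare_digest(expected, response)     # Accept / Reject


class Switch:
    """Authenticator. Every port starts 'unauthorized': only EAPOL frames are
    accepted and nothing is forwarded. The switch relays EAP between the
    supplicant and the RADIUS server and opens the port only on Access-Accept."""

    def __init__(self, server: RadiusServer):
        self._server = server
        self.port_state = {}

    def link_up(self, port: int, device: Supplicant) -> str:
        self.port_state[port] = "unauthorized"
        identity = device.response_identity()                        # step 1
        eap_id, challenge = self._server.access_challenge(identity)  # step 2
        answer = device.response_md5(eap_id, challenge)
        if self._server.access_request(identity, eap_id, answer):    # step 3
            self.port_state[port] = "authorized"
        return self.port_state[port]

    def forward(self, port: int, frame: bytes) -> bool:
        """Non-EAPOL traffic such as video passes only on an authorized port."""
        return self.port_state.get(port) == "authorized"


if __name__ == "__main__":
    server = RadiusServer({"camera-01": b"cam-pass"})
    switch = Switch(server)
    print("camera:", switch.link_up(5, Supplicant("camera-01", b"cam-pass")))
    # Someone unplugs the camera and connects a laptop to the same jack.
    print("laptop on same jack:", switch.link_up(5, Supplicant("camera-01", b"guess")))
    print("video forwarded:", switch.forward(5, b"video frame"))
```

The point the code makes explicit is that the switch never sees a password: it only relays EAP and acts on the server's verdict, which is why the credential store and the policy decision can stay on one central server while hundreds of camera ports are protected.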

HTTPS or SSL/TLS

HTTPS (Hypertext Transfer Protocol Secure) is HTTP with one key difference: the data transferred is encrypted using Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). Modern deployments should use TLS, as the SSL versions are obsolete. This method encrypts the application data itself, and the server's certificate lets the client verify that it is talking to the intended camera and not to an impostor. Many Axis network video products have built-in support for HTTPS, which makes it possible for video to be securely viewed using a web browser. The use of HTTPS, however, adds processing overhead that can reduce the achievable frame rate of the video.

VPN (Virtual Private Network)

With a VPN, a secure “tunnel” is created between two communicating devices, enabling safe communication over the Internet. In such a setup the original packet, including the data and its header (which carries information such as the source and destination addresses, the type of information being sent, the packet’s sequence number and its length), is encrypted. The encrypted packet is then encapsulated in another packet that shows only the IP addresses of the two tunnel endpoints (e.g., the VPN routers). This protects the traffic and its contents from unauthorized access: only devices holding the correct key can take part in the VPN, and network devices between the client and the server cannot read the data.

Figure 9.5b: The difference between HTTPS (SSL/TLS) and VPN is that with HTTPS only the application data of a packet is encrypted; the TCP/IP headers, and therefore the addresses and ports, remain visible. With VPN the entire original packet, headers included, is encrypted and encapsulated to create a secure “tunnel”. Both technologies can be used in parallel (HTTPS inside a VPN tunnel), but this is not recommended for video, since each technology adds its own overhead and the combination decreases the performance of the system.
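To make the difference between the two packet shapes concrete, the following Python is an added example written for this page (not Axis code, not a real TLS or IPsec implementation) serving both the VPN description and the figure caption above. It builds the two cases with constructed addresses and shows what an on-path observer can read from each without the key, and what the tunnel endpoint recovers. The cipher is a toy stream cipher (HMAC-SHA256 in counter mode) assumed here only so the example runs with the standard library; it stands in for the AES that TLS and IPsec actually use. Protocol number 50 for the tunnel mirrors IPsec ESP; the header layouts are the standard IPv4 and TCP ones with checksums left at zero, which is sufficient for parsing.

```python
import hashlib
import hmac
import socket
import struct


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher (assumed stand-in for AES). Each message
    must use a distinct nonce, as real protocols do per record/packet."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (checksum left zero; not needed for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header: ports, zero seq/ack, data offset 5, PSH+ACK."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)


def https_packet(cam_ip: str, client_ip: str, http_payload: bytes, key: bytes) -> bytes:
    """HTTPS: only the HTTP payload is encrypted; IP and TCP headers stay readable."""
    body = xor_stream(key, b"tls-record-0", http_payload)
    return ipv4_header(cam_ip, client_ip, 6, 20 + len(body)) + tcp_header(443, 51000) + body


def vpn_packet(gw_a: str, gw_b: str, inner_packet: bytes, key: bytes) -> bytes:
    """Tunnel-mode VPN (ESP-like, IP protocol 50): the whole original packet,
    headers included, is encrypted and wrapped in a new header naming only
    the two tunnel endpoints."""
    body = xor_stream(key, b"esp-seq-0", inner_packet)
    return ipv4_header(gw_a, gw_b, 50, len(body)) + body


def vpn_unwrap(packet: bytes, key: bytes) -> bytes:
    """What the receiving tunnel endpoint recovers: the original inner packet."""
    return xor_stream(key, b"esp-seq-0", packet[20:])


def on_path_observer(packet: bytes) -> dict:
    """What a device between the endpoints can read without the key."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    proto, src, dst = fields[6], fields[8], fields[9]
    seen = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto}
    if proto == 6:  # TCP header is in the clear, so the ports are visible too
        seen["sport"], seen["dport"] = struct.unpack("!HH", packet[20:24])
        seen["payload"] = packet[40:]
    else:
        seen["payload"] = packet[20:]
    return seen


if __name__ == "__main__":
    key = b"k" * 32                                   # constructed sample key
    request = b"GET /view HTTP/1.1\r\n"               # constructed sample payload
    print("HTTPS seen on path:", on_path_observer(https_packet("192.168.10.20", "203.0.113.5", request, key)))
    inner = ipv4_header("192.168.10.20", "10.0.0.7", 6, 20 + len(request)) + tcp_header(80, 51000) + request
    tunnel = vpn_packet("198.51.100.1", "198.51.100.2", inner, key)
    print("VPN seen on path:", on_path_observer(tunnel))
    print("VPN after unwrap:", on_path_observer(vpn_unwrap(tunnel, key)))
```

In the HTTPS case the observer still learns which camera is talking to which client and on which port, and can measure traffic volume; only the request and the video bytes are hidden. In the VPN case the observer sees two gateway addresses and protocol 50, nothing else, while the far gateway recovers the full inner packet, camera address included, and routes it onward.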