
I have a local network and an IPCam (with its own storage) in it. Due to some practical limitations, I cannot use technologies such as AP isolation or VLAN to isolate low-integrity and high-integrity devices.

There could be some malicious users in the Wifi network (let's assume there are some) and I am concerned with the security of my IPCam.

The goal I am aiming for is the following:

  1. Fix the IP address of the IPCam.

  2. Block all the inbound traffic to the IPCam's IP (when management is needed, I am going to disable the rule temporarily).


For the first step, as I understand, there are two ways of doing it:

  1. Set a static IP address in the dashboard of the IPCam;
  2. Use the DHCP service of the router and statically assign an IP to the IPCam (by its MAC address).

Personally, I would prefer method two since the management would be centralized (given that I have many IPCams). However, for method two I think it would be possible for a malicious client to spoof the IPCam (or the whole LAN) to "change" the IP of the IPCam (something related to ARP?).

Would it be possible to do that under method two? How about method one? Would method one be more secure?

If the whole plan is not a good one, would there be any better solutions apart from purchasing new routers/firewalls which support AP isolation/VLAN?

schroeder

1 Answer

If you don't trust devices on your local network, the second method wouldn't work, since someone could host a rogue DHCP server (unless you have some nifty switches which can do layer 2 ACLs to prevent this). If that DHCP server responds faster than your own DHCP server, the attacker would be able to tell your camera to start using another IP address.

If you're worried about the IP address of a device getting changed, setting a static IP (method 1) would be the best way to do so.

I think there's another issue with the second action you're mentioning though: I assume you want to block traffic to the camera's IP on a router/firewall. However, devices in your local network will not use that device to reach the camera. So unless you can configure that ACL on the camera itself, this won't help you against attackers coming from your local network.

The bottom line here is that you probably should isolate the camera to another network not shared with untrusted devices, where you can implement stricter security measures, but you mentioned that that was not possible.

Teun Vink
  • Thanks @Teun, I have a new question related to the one above: Would it be possible for a client (wired or wireless) to totally hide itself in my LAN if it doesn't use the router's DHCP service (and any other services which would expose its existence)? (Since usually I would check the list of connected devices by viewing the DHCP leases or the ARP Table) –  Jul 31 '18 at 09:25
  • You can't without a switch which can isolate traffic so the camera can only communicate with the gateway, or you should be able to configure access lists on the cam itself. – Teun Vink Jul 31 '18 at 13:18
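The answer's rogue-DHCP point and the follow-up comment about devices that avoid DHCP both come down to what a defender can still see on a flat LAN. A host that skips DHCP must still answer ARP to talk to anyone, so passively watching DHCP offers and ARP replies catches both cases. The script below is an added example, not code from the question, the answer, or any product mentioned; the router address, the camera MAC/IP, the inventory, and the packet records are constructed values standing in for fields a capture tool would extract from real frames.

```python
"""Passive LAN monitor sketch (constructed example).

Flags three things relevant to the thread:
  * DHCP OFFER/ACK from a server that is not the router (rogue DHCP);
  * an ARP reply claiming the camera's pinned IP from a foreign MAC;
  * any MAC answering ARP that is not in the device inventory, i.e. a host
    that is "hiding" from the DHCP lease list but still reachable on the LAN.
"""
from dataclasses import dataclass

# Assumed trusted state of the network (constructed for this example).
AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}          # the router's DHCP server
PROTECTED_HOSTS = {"aa:bb:cc:00:00:01": "192.168.1.50"}   # camera MAC -> pinned IP
KNOWN_MACS = set(PROTECTED_HOSTS) | {"00:11:22:33:44:55"}  # router + camera inventory


@dataclass
class Alert:
    kind: str
    detail: str


def check_dhcp_offer(pkt, authorized=AUTHORIZED_DHCP_SERVERS):
    """Return an Alert if a DHCP OFFER/ACK carries a server identifier
    (DHCP option 54) that is not on the authorized list, else None."""
    if pkt.get("proto") != "dhcp" or pkt.get("msg_type") not in ("offer", "ack"):
        return None
    server = pkt.get("server_id")
    if server not in authorized:
        return Alert("rogue-dhcp",
                     f"{pkt['msg_type']} from {server} offering {pkt['yiaddr']} "
                     f"to {pkt['chaddr']}")
    return None


def check_arp(pkt, seen, protected=PROTECTED_HOSTS, inventory=KNOWN_MACS):
    """Inspect one ARP reply. `seen` maps MAC -> set of IPs it has answered as.
    Returns a list of Alerts (possibly empty)."""
    if pkt.get("proto") != "arp" or pkt.get("op") != "reply":
        return []
    mac, ip = pkt["sender_mac"], pkt["sender_ip"]
    alerts = []
    # First sighting of a MAC that is not in the inventory: a host that never
    # took a DHCP lease still shows up here.
    if mac not in inventory and mac not in seen:
        alerts.append(Alert("unknown-host", f"{mac} first seen answering as {ip}"))
    seen.setdefault(mac, set()).add(ip)
    owner_of_ip = {v: k for k, v in protected.items()}
    # Someone else answering for the camera's pinned address.
    if ip in owner_of_ip and owner_of_ip[ip] != mac:
        alerts.append(Alert("ip-conflict",
                            f"{ip} claimed by {mac}, expected {owner_of_ip[ip]}"))
    # The camera itself answering from an address it should not have.
    if mac in protected and protected[mac] != ip:
        alerts.append(Alert("ip-changed",
                            f"{mac} now answers as {ip}, expected {protected[mac]}"))
    return alerts


def analyze(packets, authorized=AUTHORIZED_DHCP_SERVERS,
            protected=PROTECTED_HOSTS, inventory=KNOWN_MACS):
    """Run both checks over a packet sequence; return (alerts, seen_table)."""
    seen, alerts = {}, []
    for pkt in packets:
        a = check_dhcp_offer(pkt, authorized)
        if a:
            alerts.append(a)
        alerts.extend(check_arp(pkt, seen, protected, inventory))
    return alerts, seen


# Constructed sample traffic: a legitimate lease, a rogue offer, and an
# un-inventoried host that claims the camera's address.
SAMPLE_PACKETS = [
    {"proto": "dhcp", "msg_type": "offer", "server_id": "192.168.1.1",
     "yiaddr": "192.168.1.50", "chaddr": "aa:bb:cc:00:00:01"},
    {"proto": "arp", "op": "reply", "sender_mac": "aa:bb:cc:00:00:01",
     "sender_ip": "192.168.1.50"},
    {"proto": "dhcp", "msg_type": "offer", "server_id": "192.168.1.200",
     "yiaddr": "192.168.1.77", "chaddr": "aa:bb:cc:00:00:01"},
    {"proto": "arp", "op": "reply", "sender_mac": "de:ad:be:ef:00:01",
     "sender_ip": "192.168.1.50"},
    {"proto": "arp", "op": "reply", "sender_mac": "de:ad:be:ef:00:01",
     "sender_ip": "192.168.1.200"},
]

if __name__ == "__main__":
    found, table = analyze(SAMPLE_PACKETS)
    for alert in found:
        print(f"[{alert.kind}] {alert.detail}")
    print("hosts seen via ARP:", {m: sorted(ips) for m, ips in table.items()})
```

On the sample input this reports the rogue DHCP offer, the unknown host on its first ARP reply, and the conflict on the camera's pinned IP; the `seen` table lists the un-inventoried MAC even though it never requested a lease. This is monitoring only: it does not stop the attack the answer describes, which still requires a static address on the camera and isolation or ACLs on a switch or on the camera itself, but it gives the visibility the comment asks about.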