I have a local network and an IPCam (with its own storage) in it. Due to some practical limitations, I cannot use technologies such as AP isolation or VLAN to isolate low-integrity and high-integrity devices.
There could be some malicious users in the Wi-Fi network (let's assume there are some), and I am concerned about the security of my IPCam.
The goal I am aiming for is the following:
1. Fix the IP address of the IPCam.
2. Block all the inbound traffic to the IPCam's IP (when management is needed, I am going to disable the rule temporarily).
For the first step, as I understand, there are two ways of doing it:
- Set a static IP address in the dashboard of the IPCam;
- Use the DHCP service of the router and statically assign an IP to the IPCam (by its MAC address).
Personally, I would prefer method two since the management would be centralized (given that I have many IPCams). However, for method two I think it would be possible for a malicious client to spoof the IPCam (or the whole LAN) to "change" the IP of the IPCam (something related to ARP?).
Would it be possible to do that under method two? How about method one? Would method one be more secure?
If the whole plan is not a good one, would there be any better solutions apart from purchasing new routers/firewalls which support AP isolation/VLAN?