5

One of our remote offices has given a security contract to a company that came in and set up IP security cameras and a server in our office. They clearly didn't know anything about integration of their system into an existing network, as they completed the job without talking to anyone in our team.

Our internal network is running on 10.6.n.0/24. They set up their equipment to use 192.168.1.0/24. It's all plugged into the same network infrastructure - the same broadcast domain. Of course, all their equipment can talk to each other, so the security system works, internally at least.

If we have no requirement for external access to or from the security system, are there any issues that would necessitate proper integration with our network? Or can I safely leave the equipment set up as it is?

dunxd
  • Ok - I'll admit this is pretty similar to http://serverfault.com/questions/25907/what-are-the-implications-of-having-two-subnets-on-the-same-switch but I am not interested in using VLANs - just whether or not there are strong reasons for putting resources into fixing this, or I can stop worrying about it. – dunxd Mar 26 '13 at 12:31
  • Seems to be an issue with DVR installers/vendors. – ewwhite Mar 26 '13 at 12:45

3 Answers

6

There are several reasons to separate the two:

  1. One broadcast domain equals one failure domain. If something goes wrong, and your VLAN gets flooded, both subnets are down. IP cameras can flood links very easily, or a hardware or configuration fault can do the same.
  2. Malicious software or users can access your cameras unchecked, and as mentioned before, vulnerabilities abound in IP cameras.
  3. Your network becomes confusing to any third party coming in for a project or troubleshooting, making any work longer and more prone to mistakes. This increases your cost of operation, or worse: prolongs downtime.

Separating the two is easy: Make two VLANs on all your switches, make sure all the new devices are in one VLAN and all the rest is in the other, and all links between the switches have both. (If you don't have any switches that can handle VLANs, you have to use physically separate switches and then invest in some proper switches.) If you need connectivity between the two networks, have one layer 3 switch, router or firewall with interfaces in both networks and voila.

NB: Best practice is to not use VLAN 1. You can choose any VLAN number you want, so just pick any number except 1.

Added bonus: once your network grows more complex, you are already set up to separate out other things in your network, since the basis is there already.

Mark Berry
JelmerS
  • The first two are reasons to have a separate broadcast domain for IP cameras but not necessarily reasons not to have two subnets on the same broadcast domain. The third is a good reason, but to be honest, we wouldn't be in the situation we are now if we were working with people who weren't confused by networking anyway... I don't agree with the suggestion that unmanaged switches aren't proper switches - they do the job in a vast range of use cases. – dunxd Mar 30 '13 at 01:06
  • I interpreted your question about proper integration as: should we keep this separate subnet in the same broadcast domain or separate it out? While it will work technically, it is also a lot more prone to break spectacularly in this setup. Since the subnets are already divided, it is almost no work to separate these broadcast domains. The "proper switches statement" was meant as a bit tongue in cheek. – JelmerS Mar 30 '13 at 09:23
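The separation JelmerS describes (one subnet per broadcast domain, cameras in their own VLAN, no use of VLAN 1) can be checked against a host inventory before and after the change. This is an added example, not code from the thread; the inventory, hostnames and VLAN ids 10 and 20 are constructed for illustration.

```python
"""Audit a host inventory for the situation in the question: several IP
subnets sharing one broadcast domain.  Added example; inventory is constructed."""
import ipaddress
from collections import defaultdict

# Constructed inventory: (hostname, VLAN id, IP address with prefix length).
# VLAN 1 is the untagged default, i.e. the single flat broadcast domain the
# installers plugged everything into.
AS_INSTALLED = [
    ("fileserver", 1, "10.6.5.10/24"),
    ("workstation", 1, "10.6.5.50/24"),
    ("camera-1", 1, "192.168.1.11/24"),
    ("camera-2", 1, "192.168.1.12/24"),
    ("nvr", 1, "192.168.1.2/24"),
]

# The same devices after the camera subnet is moved to its own VLAN (ids assumed).
SEPARATED = [(h, 20 if ip.startswith("192.168.1.") else 10, ip)
             for h, _vlan, ip in AS_INSTALLED]


def subnets_per_vlan(inventory):
    """Map each VLAN id to the set of IP networks seen on it."""
    seen = defaultdict(set)
    for _host, vlan, cidr in inventory:
        seen[vlan].add(ipaddress.ip_interface(cidr).network)
    return seen


def audit(inventory):
    """Return a list of findings; an empty list means one subnet per broadcast
    domain, no subnet split across VLANs, and the default VLAN 1 unused."""
    findings = []
    seen = subnets_per_vlan(inventory)
    for vlan, nets in sorted(seen.items()):
        if len(nets) > 1:  # the failure-domain problem from the answer
            findings.append(f"VLAN {vlan}: {len(nets)} subnets share one broadcast "
                            f"domain: {', '.join(sorted(map(str, nets)))}")
        if vlan == 1:      # the NB in the answer: do not use VLAN 1
            findings.append("VLAN 1 (default) is in use; pick another id")
    # A subnet present in two VLANs cannot be routed between them by the
    # layer 3 device the answer suggests.
    vlans_by_net = defaultdict(set)
    for vlan, nets in seen.items():
        for net in nets:
            vlans_by_net[net].add(vlan)
    for net, vlans in vlans_by_net.items():
        if len(vlans) > 1:
            findings.append(f"{net} appears in VLANs {sorted(vlans)}; cannot be routed")
    return findings
```

Running `audit(AS_INSTALLED)` reports the shared broadcast domain and the use of VLAN 1; `audit(SEPARATED)` returns no findings.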
3

It's happened to me. I'm working to undo it at one site. Ideally, the ports would be VLAN-separated, which should be easy to do at the switch level without total reconfiguration of the camera equipment.

The main issue I have is the bandwidth and congestion that affects a couple of applications, but the setup does work as-is.

Don't you need access to the cameras? Maybe from an internal PC client? I find that people who install these solutions also tend to want external access. That's a good enough reason to work to fix this. But again, in my case, the setup is stable enough that there's no urgency on my part to undo the bad work...

ewwhite
3

If you are not responsible for the software running on the security equipment, I'd go ahead and isolate the network, unless you're 100% sure that they have no need (even in the future) for access; there's always a risk with network cameras that they're not updated with the latest firmware. There is no shortage of vulnerabilities; a little work now means that issues of that sort would be less worrying.

NickW