Network security: VLAN or Firewall

General discussion about Blue Iris
davidf
Posts: 9
Joined: Wed Jun 19, 2019 7:16 pm

Re: Network security: VLAN or Firewall

Post by davidf »

I used both.
I use a SonicWall SOHO UTM. It has 4 LAN ports on it. I set up a separate VLAN for cameras and ran a connection to it. I call it the security VLAN. I run other security-related items on this VLAN as well, like light controls, access control, etc.
I allow access for NTP, DNS, FTP to a different internal VLAN where those servers are running. All workstations are on another VLAN, and the Rokus and such are part of the guest VLAN.
I cut off access to the internet for this network because it is not needed and to help control reboots of Win10 for updates. I got tired of BI being down after an update reboot; sometimes I didn't catch it until the next day, which of course defeats the purpose of surveillance.

If I ever want remote access to BI, I will set up the SonicWall VPN feature (I will need to download their app to install on iPad/phone). That way I don't have to open port 81 on the firewall to view BI.

This works well for me. On Friday nights (usually) I enable internet access for this VLAN and check and install updates for Win 10 and any other updates I need for other items on the LAN. Then I disable its internet access.
Blue Iris v5.3.3.13 | Amcrest IP2M-858W, IP2M-854EW Gadspot NC1600, Cisco WVC210 | i7-4770 CPU, 16GB Ram, 256G SSD and 2T HD|
MikeBwca
Posts: 1087
Joined: Thu Jun 20, 2019 5:39 am

Re: Network security: VLAN or Firewall

Post by MikeBwca »

Say what! I haven't even turned it on in over 10 years.
softtechs
Posts: 2
Joined: Mon May 25, 2020 3:34 pm

Re: Network security: VLAN or Firewall

Post by softtechs »

Hi everyone. I did not want to start a new discussion as this one is very similar to what I'm trying to do, plus it's my first post here.
I have BI and my cams on a TP-Link TL-SG1016PE switch configured for VLANs 1, 2, 3. VLAN 3 is my BI/cameras and VLAN 2 is my LAN on a standard 24-port TP-Link switch.
The BI server has two NICs, one for VLAN 3 on a different IP/subnet with no DNS entered. The second NIC is configured for LAN access to BI/cams and has my default gateway and no DNS entries. BI server/cams have no internet access! My question is that I can access BI/cams on my local LAN and over Wi-Fi, as I connected the second NIC to the 24-port switch. Is this a security concern? Seems like I'm not doing this correctly and someone could access VLAN 3, see the second NIC, make changes to the NICs and access the whole network.
aukipc
Posts: 11
Joined: Tue May 19, 2020 1:06 am

Re: Network security: VLAN or Firewall

Post by aukipc »

Just want to add what my set up is:

- I have a dual-NIC set up: one NIC is the camera LAN, the other NIC is general LAN + WAN.

- I have a camera VLAN (CCTV feeds + BI PC camera LAN NIC); nothing in my network can communicate with the camera LAN other than the cameras and the BI PC NIC, and vice versa.

- I've also port-isolated the camera feeds and BI PC such that the camera ports can only communicate with the BI PC LAN port and vice versa.

- I then have all of this under an SPI firewall.

- And the WAN connection to the BI PC is via a private VPN set up on the router.

This probably took around a full day of tinkering to set up and it does involve enterprise-class TP-Link gear, but not really that expensive (especially compared to the likes of Ubiquiti); it was a bit of a learning curve but well worth it, I think!
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: Network security: VLAN or Firewall

Post by Matts1984 »

softtechs wrote: Mon May 25, 2020 4:12 pm Hi everyone. I did not want to start a new discussion as this one is very similar to what I'm trying to do, plus it's my first post here.
I have BI and my cams on a TP-Link TL-SG1016PE switch configured for VLANs 1, 2, 3. VLAN 3 is my BI/cameras and VLAN 2 is my LAN on a standard 24-port TP-Link switch.
The BI server has two NICs, one for VLAN 3 on a different IP/subnet with no DNS entered. The second NIC is configured for LAN access to BI/cams and has my default gateway and no DNS entries. BI server/cams have no internet access! My question is that I can access BI/cams on my local LAN and over Wi-Fi, as I connected the second NIC to the 24-port switch. Is this a security concern? Seems like I'm not doing this correctly and someone could access VLAN 3, see the second NIC, make changes to the NICs and access the whole network.
I didn't fully follow your layout as written. It sounded like VLAN 2 and VLAN 3 are BI/cams. Regardless, to answer your question: any time you have a connection between two networks, there is a security concern. Generally there should be a single point into/out of a network, via the default gateway, and that should be a router of some sort (because it can 'route' between subnets). That router can absolutely be some sort of enforcement/inspection point like a firewall, or a simple layer 3 device that just forwards packets. Having a sort of backdoor (2nd NIC), while possibly better for performance, especially for streaming content, bypasses that control. If that bridging host has sufficient security controls then the risk is probably mitigated and, to be honest, my BI server does have a secondary NIC directly on my camera VLAN.

Yes, in theory, if someone/something was able to get into your VLAN 3 and compromise notoriously insecure cameras, they could find that secondary NIC and use it as a pathway to the rest of your network. I'm not sure what controls you have in place, but if you have this secondary NIC, your cameras should never (most likely; I don't have your cameras) need direct access to or from ANYTHING, and therefore your VLAN 3 could have a default deny rule. Only your BI server needs to talk to your cameras, and it can/should have controls that remove the possibility for VLAN 3 addresses to make it out the primary NIC.
Blue Iris 5.8.9.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
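The host-side controls Matts1984 describes (the BI machine must not route between its two NICs, and nothing from the camera VLAN should be able to leave through the LAN NIC) can be applied and audited on the Windows BI server itself. The script below is an added example, not code from any poster, from Blue Iris or from the switch/firewall vendors named in the thread. It assumes the camera-facing adapter is named "Cameras", the LAN-facing adapter "LAN", and the camera VLAN is 192.168.3.0/24; all three are placeholders to replace with your own. It runs from an elevated PowerShell and complements, rather than replaces, a default-deny rule on the camera VLAN at the router.

```powershell
# Added example (not from the thread or from Blue Iris). Assumptions: the BI host's
# camera-facing adapter is named "Cameras", the LAN-facing adapter "LAN", and the
# camera VLAN is 192.168.3.0/24. Adjust to your names. Run in an elevated PowerShell.
$CamIf  = 'Cameras'
$LanIf  = 'LAN'
$CamNet = '192.168.3.0/24'
# Everything that is NOT the camera subnet, as the two address ranges Windows Firewall accepts.
$OutsideCamNet = @('0.0.0.0-192.168.2.255', '192.168.4.0-255.255.255.255')
$TcpipParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Set-BiHostIsolation {
    # 1. Never route between the two NICs: per-interface forwarding off, the strong host
    #    model enforced (a NIC only sends/receives for its own addresses), and the legacy
    #    global switch (IPEnableRouter) off as well. IPEnableRouter applies after a reboot.
    foreach ($if in $CamIf, $LanIf) {
        Set-NetIPInterface -InterfaceAlias $if -AddressFamily IPv4 -Forwarding Disabled `
            -WeakHostSend Disabled -WeakHostReceive Disabled
    }
    Set-ItemProperty -Path $TcpipParams -Name IPEnableRouter -Value 0 -Type DWord

    # 2. The camera NIC carries only the camera subnet: no default gateway, no DNS, and
    #    no IPv6 binding (so the IPv4-only firewall rules below cannot be sidestepped).
    Get-NetRoute -InterfaceAlias $CamIf -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    Set-DnsClientServerAddress -InterfaceAlias $CamIf -ResetServerAddresses
    Disable-NetAdapterBinding -Name $CamIf -ComponentID ms_tcpip6

    # 3. Treat the camera network as hostile. Windows Firewall lets Block rules win over
    #    Allow rules, so the outbound restriction is written as a Block scoped to every
    #    address outside the camera subnet instead of an Allow plus a catch-all Block.
    Set-NetConnectionProfile -InterfaceAlias $CamIf -NetworkCategory Public
    New-NetFirewallRule -DisplayName 'BI: block outbound from camera NIC to non-camera addresses' `
        -Direction Outbound -InterfaceAlias $CamIf -RemoteAddress $OutsideCamNet -Action Block
    # Cameras do not need to open connections to the BI host: BI connects to them and the
    # stateful firewall admits the replies. If a camera pushes events (HTTP/ONVIF
    # notifications) or streams RTP over UDP, add a narrow Allow for $CamNet and that port.
    New-NetFirewallRule -DisplayName 'BI: block inbound on camera NIC' `
        -Direction Inbound -InterfaceAlias $CamIf -Action Block
}

function Test-BiHostIsolation {
    # Returns the facts an auditor would check; every property should be empty, $false or 0.
    $fwd = Get-NetIPInterface -AddressFamily IPv4 | Where-Object Forwarding -eq 'Enabled'
    $gw  = Get-NetRoute -InterfaceAlias $CamIf -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $dns = (Get-DnsClientServerAddress -InterfaceAlias $CamIf -AddressFamily IPv4).ServerAddresses
    $v6  = (Get-NetAdapterBinding -Name $CamIf -ComponentID ms_tcpip6).Enabled
    [pscustomobject]@{
        ForwardingEnabledOn      = @($fwd.InterfaceAlias)
        CameraNicHasDefaultRoute = [bool]$gw
        CameraNicDnsServers      = @($dns)
        CameraNicIPv6Enabled     = [bool]$v6
        IPEnableRouter           = (Get-ItemProperty -Path $TcpipParams).IPEnableRouter
    }
}

Set-BiHostIsolation
Test-BiHostIsolation | Format-List
```

Two things to verify from the other side after running it: from a machine on the camera VLAN, `Test-NetConnection` to a LAN address should time out (the BI host neither forwards nor answers for its LAN address on the camera NIC), and from the LAN, Blue Iris is still reachable on its normal port because those rules are scoped to the camera adapter only. If the camera NIC gets its address from DHCP, the default route and DNS servers will come back on renewal; give it a static address with no gateway, as softtechs already has.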
softtechs
Posts: 2
Joined: Mon May 25, 2020 3:34 pm

Re: Network security: VLAN or Firewall

Post by softtechs »

Thank you! You did clear this up for me. It seems that by having two NICs on the BI server and using the second NIC to access BI locally via VLAN 2 I have created a "loophole" to the LAN network. Should have got a layer 3 switch! Might have to put my old Netgear AC1200 router on VLAN 3 and set up access rules.