CCTV_NUT

You need to have it on a separate network and use OpenVPN to access it remotely, no port forwards or P2P app; that way your boss can access it over the VPN from his PC or smartphone without a static IP. You do that and then hackers will have a very hard time getting to it, so they are likely to move on to the next easier target. Where you put OpenVPN (Windows/Linux, or a router/firewall with OpenVPN support) is up to you.


AveragelyBrilliant

Thanks for that. So any NVR that uses port forwards or P2P, with no alternative, is out basically. It comes down to a question of how quick the response to security vulnerabilities is: wait for NVR manufacturers to respond with new firmware, or apply fixes on a Linux/Windows system. I can’t help feeling that issuing new firmware would be slower.


CCTV_NUT

No, you use your firewall to separate the CCTV and terminate your CCTV OpenVPN on that device. Your firewall only needs to provide an NTP service to your cameras. Block all other traffic out and in; only allow traffic from your VPN into the CCTV subnet. That way it’s not hackable unless they gain physical access (but then you have much bigger problems). So you can buy any NVR so long as it meets your recording needs and then protect it with a firewall. Any of the Teltonika, pfSense, OPNsense, SonicWall etc. will do that for you.
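As an added example (not from any poster in this thread), here is a small Python model of the firewall policy CCTV_NUT describes: default drop, the CCTV subnet may only reach NTP on the firewall, only VPN clients may initiate connections into the CCTV subnet, and replies to accepted flows pass via connection tracking. The subnets, the firewall address and the interface roles are constructed assumptions; on a real firewall this maps to an input chain (NTP to the firewall) and a forward chain (VPN into CCTV) with policy drop.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the example (assumptions, not from the thread):
CCTV_NET = ip_network("10.20.0.0/24")          # isolated camera/NVR VLAN
VPN_NET = ip_network("10.8.0.0/24")            # OpenVPN client address pool
FIREWALL_CCTV_IP = ip_address("10.20.0.1")     # firewall's leg in the CCTV VLAN; also its NTP server
NTP_PORT = 123


def verdict(src, dst, proto, dport, state="new"):
    """Return "accept" or "drop" for one packet under the CCTV policy.

    state is what connection tracking reports: "new" for the first packet of a
    flow, "established" for packets belonging to a flow the firewall already
    accepted. Conntrack only creates entries for accepted flows, so a camera
    cannot fake "established" for a connection it was never allowed to open.
    """
    src, dst = ip_address(src), ip_address(dst)
    # ct state established,related accept: replies to flows accepted below
    if state == "established":
        return "accept"
    # Input chain: traffic addressed to the firewall itself.
    if dst == FIREWALL_CCTV_IP:
        if src in CCTV_NET and proto == "udp" and dport == NTP_PORT:
            return "accept"
        return "drop"
    # Forward chain: VPN clients may initiate into the CCTV subnet.
    if src in VPN_NET and dst in CCTV_NET:
        return "accept"
    # Everything else: camera -> internet, camera -> office LAN,
    # internet -> NVR (no port forwards), NVR -> VPN client unsolicited.
    return "drop"


def evaluate_flows():
    """Apply the policy to a constructed set of flows and return the verdicts."""
    flows = {
        "nvr_ntp_to_firewall": ("10.20.0.50", "10.20.0.1", "udp", 123),
        "nvr_flood_to_internet": ("10.20.0.50", "203.0.113.9", "udp", 53),   # compromised NVR flooding out
        "nvr_to_office_lan": ("10.20.0.50", "192.168.1.20", "tcp", 445),
        "internet_to_nvr": ("198.51.100.7", "10.20.0.50", "tcp", 80),       # no port forward exists
        "vpn_client_to_nvr": ("10.8.0.6", "10.20.0.50", "tcp", 443),
        "nvr_unsolicited_to_vpn_client": ("10.20.0.50", "10.8.0.6", "tcp", 22),
    }
    results = {name: verdict(*flow) for name, flow in flows.items()}
    # Reply from the NVR to the VPN client's accepted session passes as established.
    results["nvr_reply_to_vpn_client"] = verdict("10.20.0.50", "10.8.0.6", "tcp", 51234, state="established")
    return results


if __name__ == "__main__":
    for name, result in evaluate_flows().items():
        print(f"{name:32s} {result}")
```

The only two flows that open from the CCTV side are NTP to the firewall and replies to sessions a VPN client started, which is why a compromised recorder on that subnet cannot reach the phone system or the internet.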


AveragelyBrilliant

Okay. Since your original response, we’ve set up a standalone IP camera behind a VPN connection successfully. That’s been running for a couple of weeks with no problems. Given what’s happened with the old DVR while it’s been open and vulnerable to the internet, I’d be wanting to reset it to factory defaults before I get it sitting behind the VPN. The possibility of there still being remnants of the original hack is concerning, especially as it took out the phone system when it flooded the internet with traffic. Another busy weekend coming up, I think.


Significant_Rate8210

So, what you’ve asked is the primary reason why you hire a professional surveillance company to design and install your system. I tell my customers this: you aren’t buying cameras, you’re buying safety, security and peace of mind. Analog systems are being rapidly phased out. Network cameras are the way to go. As for being hacked: I’ve been an installer going on 32 years now. In that time I’ve seen a dozen cheap systems (the kind of stuff you buy at Costco and off Amazon) suffer hacking issues. I’ve been selling Dahua USA and Turing Video for years without a single incident. The #1 way to ensure you don’t get hacked? Don’t use out-of-box IP addresses; use custom IP addresses and hire an IT person to oversee it. The #2 way to ensure you don’t get hacked? Update the NVR and cameras to match the server version. When you don’t update, you don’t get security patches. Every single system I’ve encountered which was hacked suffered from both of these. If your infrastructure, like many customers I have, is analog, don’t fret: Dahua makes an EoC converter which will allow you to use network cameras on coax lines (power and data). I’ve installed thousands of them and haven’t had any issues yet.


AveragelyBrilliant

Quotes from professional surveillance companies were way too high. Basic price for the NVR and cameras. Cabling extra. A lot extra. How many of them would also advise on firewall and network settings outside the normal scope of an IT person with no experience of CCTV systems? Some installers recommend Dahua, which I understand suffered an authentication bypass vulnerability just a few years ago; others recommend Hikvision, which made headlines, and there are calls for it to be banned in the U.K. How much of this is hype, how much to ignore, and whether to just take the advice of an expensive company is not an easy decision to make. Looking at the CVE lists for many NVRs and cameras is a huge eye opener and gives one pause. The Xvision box was installed and integrated ten to twelve years ago by someone in the company and we enjoyed hassle-free use of it until the first hack last year. I’m all for getting the right people in to do the work, but finding the right people is more than half the battle.


Significant_Rate8210

The vulnerability issues of Dahua’s past have been rectified. I primarily sell Dahua and we haven’t had a single breach yet. I sold Hikvision many years ago but they burned that bridge with us when they couldn’t clearly rectify an issue we had with several of their products. I’m stateside and when I write an estimate it contains everything: system, parts and labor. Anyone who quotes pricing for products and says parts and labor are extra probably isn’t a professional. Especially if they don’t employ an IT engineer or at least have one on contract. Depending upon where you are located, I personally know several UK / EU installers and the companies they work for. If any of them are close to you I’m happy to refer someone to you.


AveragelyBrilliant

We’ve contacted several local installers and a lot of them are Hikvision resellers. One of them suggested a Swann wireless system, which I wouldn’t touch with a ten foot pole. A few of them didn’t quote for cabling until we asked for it and then said they subcontract that particular part of the work, which basically says to me that I’ll be in a “No, it’s a cabling problem. No, it’s a system problem” ping-pong match between the two of them if a problem arises. British companies are particularly good at playing that game. The rest were outside our price range.


Significant_Rate8210

Swann? Hahahaha I’d have laughed at him and hung up. PM me what they gave you as estimates and I’ll tell you if it’s fair or not. I’ve been in this business since the late ‘80s.


AveragelyBrilliant

Not necessary to PM you. 13 POE IP cameras with a 4TB HD and Hikvision DS 7616 NVR plus cabling came out at between £8,500 and £12,000 across four quotes. I think part of this could’ve been danger money, as the cabling would’ve been inside wet rooms and prep areas for a fish wholesaler. All the companies mentioned the tricky cabling. TBH I could do the cabling myself. All we need is someone to install and integrate it.


Significant_Rate8210

Lol, tricky cable? Do you guys not have EMT conduits over there? EMT and outdoor-rated Cat6 would solve the problem. Honestly though, the estimated amounts are about the same as we would charge; we’d just offer better products. That system is mediocre at best. For that price I would have given you top-end cameras and a 32 channel 8K NVR with 8TB of storage.


AveragelyBrilliant

No EMT. I haven’t seen it used a great deal in the U.K. All the wet and prep areas are built inside the main buildings with insulated foam and metal ceilings and walls. Where an electrical item or a camera is introduced into these areas, the cable comes straight through the walls into a sealed junction box, followed by the waterproof (immersible mostly) unit. The cameras in these areas are high IP because the walls and ceilings are disinfected and pressure washed daily. Outside the areas themselves, the wiring is in plastic conduit. Additional conduit would be required to accommodate Cat5e or 6 wiring for the cameras. This would be exterior grade.


Significant_Rate8210

We use EMT metal conduit for 90% of our exterior or wet area installs.


Dollbeau

XVision are still a well known brand in the UK. Have you tried contacting them for an update or patch? I notice their site seems to have no firmware updates etc.


AveragelyBrilliant

Yes I have. It’s out of support and they’re suggesting new hardware (POE IP cameras, NVR etc.) as a replacement.


Advanced_Bit7280

Ultimately you need to reduce your attack vectors. NVRs and cameras should be segmented and denied access to the internet. That’s half the battle done. Remote access should be via a secure VPN back to your corporate network. Cheap re-branded NVRs aren’t easily updated from a firmware perspective. For a more turnkey solution you could pick a known reputable brand. Using a server running Windows gives greater flexibility to pick your own hardware and what Video Management Software you use. But you’ll have to maintain this. Ultimately you could pick the most expensive NDAA-compliant NVR and if it’s just chucked on a flat LAN with access to the internet you’re asking for trouble. People use port forwarding and P2P remote access from manufacturers for an easy life. Personally I run a combination of Hikvision and Dahua POE cameras and NVRs. Properly installed and maintained, it’s no less secure than other brands. At home I use a Windows server running Nx Witness (re-badged as DW Spectrum in the USA). Costs about £100 per camera for licensing: lifetime perpetual licenses, free upgrades, and it has some innovative remote access implementations. Main thing is it’s really light on hardware requirements: 16 x 8MP cameras at 20 FPS on a Core i5 with 8GB RAM and it doesn’t skip a beat; not many VMSs can achieve that. Multi-platform clients and a Linux server installer too, so it might be worth spinning up a free trial. Spin up a few free trials on a spare PC. Get a feel for what software fits your use cases.


AveragelyBrilliant

Interesting. The main problem with the XVision was that once it was hacked, even when it was on its own VLAN, it flooded the network with so much outbound traffic that it affected the VOIP system, which fell over. Fortunately, there was fallback to a landline. It fell foul of a lack of updates, being so old, and we got caught with our pants down, which is why your second suggestion sounds interesting. I can easily protect Windows PCs, and have done for many years, because I have more control over them than over a lump of metal running a proprietary OS and who knows what unpatched vulnerabilities. I’ll have a look at the software you mentioned. I know someone who installed BlueIris on an old PC for his cameras and although I keep nagging him to segment the cameras and the PC, he hasn’t yet got round to it.


Advanced_Bit7280

I prefer to protect devices at an OS level too; however, fundamentally, were you using any sort of port forwarding or P2P remote access on that old recorder? I’ve messed with BI before; many use it for home or DIY use. OK software, not the most polished, unbeatable price; it may be enough for your needs but personally I don’t find it robust enough for critical use. Also it’s much more resource intensive than Nx Witness. It also doesn’t scale well, whereas more corporate solutions have better support, failover redundancy, better multi-user management etc., so it depends what you’re expecting. Again, I’d spin up some trials and test it all out as a proof of concept; a fairly modern PC should get you pretty far in terms of a feel for the different solutions. Regardless, whatever you pick, no unrestricted WAN access and remote access via a VPN to the network segment would be best practice. Personally I use Tailscale (it has a really nice WireGuard VPN implementation); it uses 2FA etc. and is really user friendly.


AveragelyBrilliant

Yes, and we lasted a hell of a long time like that, right up to the point we had to remove IP whitelisting because the owner changed his broadband to one that didn’t offer a static IP. Then Covid hit and as a food wholesale distributor we nearly went under. Further expenditure was out, and we took the decision just a few months ago to go full POE IP cameras and upgrade the DVR. I’m going to take a look at Nx Witness and see if it’s suitable. Thanks.


Dollbeau

Talks about a well known brand - then promotes HikUA. Bad installer!


Advanced_Bit7280

Hikvision is a well known brand… what part of the world you live in plays a part in what the political view of them is. From a security perspective though, most issues are present in most brands and best practice can mitigate them. I’m in the UK and Hikvision is installed extensively and properly maintained.


Dollbeau

Oh the old 'it's not going on the network anyway' argument.


Advanced_Bit7280

Minimal attack vectors for an offline system though 🤣


AveragelyBrilliant

Are Nx Witness license costs per year?


Advanced_Bit7280

No, they’re one-time perpetual lifetime licenses with included updates, and you can deactivate and reactivate on new hardware three times.


AveragelyBrilliant

Apologies, you did actually say that in your original reply. Oh that’s a relief. I had visions of £2,000 per year costs. We haven’t stopped laughing from the £16,000 per year costs for route planning software for seven vans. Thanks.


AveragelyBrilliant

I had a look at Nx Witness yesterday and was extremely impressed. I'm working on the assumption that VPN will be the way we secure it, although their Nx Cloud seems quite robust. VPN on the Draytek and segmenting the network using VLANs looks fairly straightforward. I've also been toying with the idea of saving some money on licenses and cameras by using fisheye and multiple dewarped views in the same area, rather than three or four cameras. My assumption being that the main fisheye stream is recorded and the dewarped windows derived from that will be viewable during playback. Network Optix use resellers in the UK for their licensing and I'm not sure what their attitude will be when an end user asks for pricing. Some companies in the UK have a very strange attitude in regard to who they deal with.


Advanced_Bit7280

Nice! I used my system remotely behind a VPN with no problem. Although after testing the Nx Cloud that’s all I use now, and personally I find it secure enough and very convenient. I use two fisheye cameras on my home setup and can confirm you can display as many dewarped views as you need, all independently controlled. Nx effortlessly dewarps for live view, playback and export. As for resellers… yes in the UK they can be funny with end users, I’m an end user myself and use a company called USE-IP. Brilliant customer service, happy to sell and support end users. Had my licenses within 24 hours.


AveragelyBrilliant

Thanks for that. I’ll bear USE-IP in mind. Going in tomorrow to mount a couple of demo cameras to show the owner and then first fisheye arrives next week to test in various areas. Your help on this has been extremely valuable. Thanks very much.


Advanced_Bit7280

Sounds good, no problem mate, had this exact headache a couple of years ago. What type of fisheye are you considering? I’m using 6MP and whilst they’re OK I wish I’d gone for 12MP. The higher resolution would really help with clarity once dewarped.


AveragelyBrilliant

I’ve purchased a Dahua 5MP as a test. It will be used in an area where we need to derive two views from it. In the prep room and the dry store, we’ll use 12MP. This would be for four, possibly five views. Not sure about the car park yet. Would be nice to have one high up watching the loading bay and the front entrance but we’d probably have to sub contract a mountain climber for that.


Advanced_Bit7280

Sounds good, let us know how you get on.