class: center, middle

# Getting the most out of budget CCTV

---

# Introduction

* Initial disclaimer - I sell CCTV as part of my job
* This will be impartial but I will discuss the products that I sell and have experience with
* This talk will not be about making your own CCTV cameras with Pi/Arduino etc
* The hardware mentioned along with its firmware is not open source
* This presentation is about IP-CCTV with open source and security in mind
* I aim to give you an idea of how we design and install professionally and how you can apply that to a home setup

---

class: center, middle

# Choosing Your Cameras

---

# Camera Manufacturers

* I sell high-end (expensive) cameras:
    * Axis
    * Mobotix
* I also sell budget (cheaper) cameras:
    * HikVision
    * Dahua
* The high-end cameras are very good quality but the cheapest are around £300
* Budget cameras have most of the same features but are Chinese imports, typically around £50 for the cheapest. These will be the focus of this talk - If you want to spend the money, Axis can do everything that HikVision can do and more (though not as much more as you might assume)
* Budget cameras have some security issues (more on these later)
* Well-known brands also make cameras, e.g. Sony, Bosch. These aren't *bad* but they're not necessarily *good* either - they don't specialise in cameras.
    * Bosch make good drills - that doesn't mean they make good IP CCTV
* Cheaper Chinese cameras exist - I don't recommend them
* Budget cameras from TP-Link etc exist - I don't recommend them unless you want everything from one manufacturer

---

# Image Quality

* Most IP cameras (even the unbranded cheap ones) will give you a good enough image quality
* Most are 1080p or more
* Remember that higher resolution = higher bandwidth and storage requirements
* Frame Rate is the same, higher frame rate = higher bandwidth and storage requirements
* WDR - Wide Dynamic Range is important for balancing out light levels
* Shutter Speed - High shutter speed will give clearer images without motion blur

---

# WDR

* Wide Dynamic Range

---

# Night Vision

* The cameras that we usually use are Infrared Night Vision
* IR cameras usually have built-in LED illuminators
* Be aware that windows reflect IR illuminators
* External IR illuminators are available
* IR Cut Filter - Feature of cameras to cut out IR during daylight, makes colours look more accurate
* Night Vision Goggles / Scopes / Cameras used by the military are a different (and more expensive) technology
    * Uses a type of camera sensor which highly intensifies the available light
    * Converts the light to green
    * Poor depth perception
    * Camera can be blinded with sudden bright light - though autogating features prevent it
    * "Generation" denotes advancement in technology
    * IR fabric treatment - Stops clothing from glowing and standing out
* Thermal Imaging is a different (and more expensive) technology
    * Thermal IP cameras are available - Axis / Mobotix etc
    * Can be used just to see in the dark
    * Can be used to gather temperature readings
    * Used for monitoring industrial equipment, powerlines etc

---

# Analogue vs Digital

* I would very rarely install new analogue systems
* IP interfaces to analogue cameras do exist
    * Unless you have really expensive analogue cameras, just replace them - adaptors are expensive
* Analogue has the advantage of longer cable lengths
* Picture quality is not as good as IP
* Must power analogue cameras separately though cable usually is paired, coax for video and power (shotgun cable)

---

# System Design

* What do you want to achieve? / What are you protecting against - Ask this about the system as a whole and each camera
    * Theft
    * Personal safety - assaults etc
    * Personal safety - high risk environments / remote sites / lone workers
    * Statistics - vehicle / people counting
    * Number plate (ANPR) / facial recognition
    * Monitoring of industrial equipment - e.g. thermal monitoring
    * Sensors for automation
    * Many/All of the above
* What are the key locations to cover?
* How will you account for physical security of the cameras in those locations?
* Do you want constant recording or event-based recording?
* Where do you want to record your footage?
* How much recording history do you need?
* HikVision Tools - https://tools.hikvision.com/
* Axis Site Designer - https://sitedesigner.axis.com/

---

# Power Over Ethernet

* Works with standard Ethernet cable
* Doesn't require an electrician
* Can go up to 100m (theoretically)
* Power should traverse patch panels, sockets etc
* Switches can have PoE capability
* Can also use injectors
* There are also "midspans" (multiple injectors in one unit)

---

# Switches

* In most circumstances edge ports do not need to be gigabit
* Uplink should be gigabit+ where possible
* Ideally you need managed switches for VLAN support
* Best choice - Used Cisco etc from eBay
    * Catalyst 3560
    * Catalyst 2960
    * NOT Meraki
    * NOT Cisco Small Business
    * Lots of cheap Cisco on eBay due to corporate refreshes
    * Very robust hardware
    * Widely used - lots of support available
    * IOS allows for easy remote config and scripting
    * Lots of support for monitoring platforms e.g. Icinga/Nagios, Cacti
* HP ProCurve / Aruba
    * More features than Cisco
    * Lifetime warranty
    * Less available on eBay / higher prices
* MikroTik
    * Fewer PoE options than other manufacturers
    * Powerful OS with good CLI or Web options
    * Small sized hardware but still good quality

---

# Switches

* Ubiquiti
    * Expensive
    * Hardware quality isn't the best
    * Poor warranty
    * Ask me for pricing
* Netgear
    * GS110TP - 8x gigabit PoE "Smart Switch" ~£100, or with 2x SFP ~£120
* 3Com
    * HP bought 3Com
    * Some switches were given new firmware and re-badged
    * Often available cheap on eBay
    * 3Com 4800G is one example, gigabit with PoE variant available

---

# Methods Of Recording

* NVR / DVR hardware devices
    * Not recommended from HikVision, Dahua etc as likely to be compromised
    * Cheap and dedicated device
    * Usually interface with apps for viewing from phones
    * Many now rely on cloud features for logging in
* In-camera SD Card ("Edge Recording")
    * Need to consider physical security of cameras
    * SD Cards don't last forever
* Self-hosted software - ZoneMinder, Shinobi
    * Free/Open Source Software
    * Allows you to view, record and playback
    * Processes events e.g. motion detection
    * Android App available
    * Can run on a Pi or other low-powered device but not with many cameras
    * Scales easily - add new drives
    * Can expose only the server to the Internet rather than the cameras

---

# ZoneMinder

* Configured almost entirely within a web frontend
* Linux only
* C++ / Perl / PHP
* Supports a large selection of IP cameras (every camera that I'd recommend is included)
* Also supports USB webcams
* Has an Android and iOS app available
* Motion detection features
* Docker image available

---

# Shinobi

* Newer project than ZoneMinder - more activity in the project
* Node.js
* Linux, macOS and Windows versions
* Mobile-ready web interface rather than app
* Docker image available - no ARM support

---

# MotionEyeOS

* Designed for SBCs, e.g. Pi (supports others too)
* Can be used as an NVR or a DIY camera
* Supports hub mode - stream everything to a dedicated SBC for access and storage
* Supports server mode - stream everything to a server for access and storage
* Frontend to Motion
    * Motion records images to a folder
* Docker image available

---

# Phone Apps

---

# Edge Recording

* Some cameras allow for recording of footage onto an SD card inside the camera
* If recording continuously, SD card won't last as long
* Not as insecure as you think if cameras are mounted properly
* Footage can be backed up via email/ftp etc in addition
* Edge recording can be done alongside NVR as additional backup
* Good for home setups recording on motion detection to avoid having an NVR

---

# Home Assistant Integration

* Currently Home Assistant supports the following sensor/event types:
    * Motion
    * Line Crossing
    * Field Detection
    * Video Loss
    * Tamper Detection
    * Shelter Alarm
    * Disk Full
    * Disk Error
    * Net Interface Broken
    * IP Conflict
    * Illegal Access
    * Video Mismatch
    * Bad Video
    * PIR Alarm
    * Face Detection
    * Scene Change Detection

---

# WiFi Cameras

* I also sell WiFi...
* ...I very rarely connect cameras to the network using WiFi
* Ideally you would need an enterprise grade WiFi system (e.g. Ruckus, Cambium, Aruba, Meraki)
* Even then there are still problems...
* WiFi interference can affect your recording
* Security issues - De-authing, password cracking
* You still need to power the camera, PoE is usually the easiest way to power it so going WiFi is usually more hassle

---

# Alternative To WiFi

* Wireless point to (multi) point links
* PTMP links are more reliable and secure than WiFi
* Be aware that cheaper links use WiFi technology with directional antennas - still better than AP with omni
* Ubiquiti NanoStation is a cheap solution with reasonable performance - though it is WiFi-based

---

class: center, middle

# Security

---

# What are the threats?

* Privacy threats from camera manufacturers / government
* Privacy threats from the Internet due to exploitable cameras
* Cheap cameras (including Hik) can be risky with firmware updates
* Threats from intruders on site (usually low probability in most situations)
* You want to view your cameras but don't want other people to view them

---

# What are the solutions?

* When placing a camera always assume that it could be compromised
* Assume all cheap cameras have exploits
* Standalone system (Run it like analogue)
* Segment with VLANs
* Segment with multi-homed NVR
* VPN / SSH Tunnelling
* Keep physical security in mind for cameras, especially outdoor

---

# VLANs

* Use a VLAN with ACLs to segment your cameras into a separate network
* Allows you to have multiple networks running on the same switches

---

# Testing your security

* Nessus - Commercial but has free features
* OpenVAS
    * https://www.openvas.org/
    * https://hub.docker.com/r/atomicorp/openvas/
* Metasploit
* Nmap
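
---

# VLANs - example config

An added example (not from the original talk) of the "VLAN with ACLs" approach from the VLANs slide, written for a Cisco IOS layer 3 switch such as the Catalyst 3560 mentioned earlier. The VLAN number, port range, subnets and recording server address are constructed values, and it assumes cameras with static addresses and a switch that routes between VLANs.

```cisco
! Added example - constructed values, not from the talk:
!   VLAN 20, 192.168.20.0/24 = cameras (static addresses assumed)
!   192.168.10.5             = recording server on another VLAN
ip routing
!
vlan 20
 name CCTV
!
! Camera-facing PoE ports: untagged access ports in the camera VLAN only
interface range FastEthernet0/1 - 8
 description PoE camera ports
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Traffic arriving FROM the cameras: they may talk to the recording
! server and nothing else (no Internet, no user LAN, no other VLANs)
ip access-list extended CCTV-IN
 remark From cameras: recording server only
 permit ip 192.168.20.0 0.0.0.255 host 192.168.10.5
 deny   ip any any log
!
! Traffic routed TO the cameras: only the recording server may connect
ip access-list extended CCTV-OUT
 remark To cameras: recording server only
 permit ip host 192.168.10.5 192.168.20.0 0.0.0.255
 deny   ip any any log
!
! Gateway for the camera VLAN with both ACLs applied
interface Vlan20
 description Camera gateway
 ip address 192.168.20.1 255.255.255.0
 ip access-group CCTV-IN in
 ip access-group CCTV-OUT out
```

With this in place only the recording server is reachable from the rest of the network, and the `log` entries on the deny lines show what a camera tries to contact outside its VLAN. The cameras can no longer reach an outside time source, so run NTP for them on the recording server.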