
5 allowing only known clients, 6 securing the applications, 7 vpn – Quadrox QGuard Installation Manual User Manual

GuardNVR Installation Manual


Version 4.4 Series

For support issues where Quadrox support technicians take remote control of the
WebCCTV, TCP port 3389 must be opened. For the Q-Monitor service, TCP port 5666
has to be open.

In some exceptional cases it might be necessary to allow more applications (open more ports).
This is technically possible; however, Quadrox strongly advises against this practice and will
not give support on this functionality or any problems that originate from it.

6.2.3.5 Allowing only known clients

If you have a set-up with a fixed number of known clients, you can allow only these clients,
based on their IP address. No other clients will be allowed to access GuardNVR.
This further limits the number of possible connection points and thus increases security.

This is only usable in a limited number of scenarios and can give rise to a number of logical
problems. Please contact Quadrox support for more information.
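As an added example (not part of the Quadrox manual), the following Python script checks whether a known-clients restriction behaves as intended by auditing a firewall log against the allowlist: it reports connections that were allowed from unknown addresses and known clients that were blocked. The addresses, the per-port allowlist, port 80 for IIS, and the sample log lines (constructed, in the Windows Firewall pfirewall.log field layout) are assumptions.

```python
import ipaddress

# Assumed allowlist (hypothetical documentation-range addresses): the client
# networks permitted to reach each TCP port on the GuardNVR host.
ALLOWED = {
    3389: ["203.0.113.10/32"],                     # remote desktop: support only
    5666: ["203.0.113.20/32"],                     # Q-Monitor service
    80: ["192.168.10.0/28", "198.51.100.7/32"],    # IIS clients (port 80 assumed)
}

# Constructed sample in the Windows Firewall pfirewall.log field layout.
TAIL = " 0 - 0 0 0 - - - "
SAMPLE_LOG = "\n".join([
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size "
    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    "2024-05-01 09:00:01 ALLOW TCP 192.168.10.5 192.168.10.2 50111 80" + TAIL + "RECEIVE",
    "2024-05-01 09:02:14 ALLOW TCP 192.168.10.40 192.168.10.2 50222 80" + TAIL + "RECEIVE",
    "2024-05-01 09:05:30 ALLOW TCP 203.0.113.10 192.168.10.2 50333 3389" + TAIL + "RECEIVE",
    "2024-05-01 09:06:02 ALLOW TCP 198.51.100.7 192.168.10.2 50444 3389" + TAIL + "RECEIVE",
    "2024-05-01 09:07:45 DROP TCP 203.0.113.20 192.168.10.2 50555 5666" + TAIL + "RECEIVE",
    "2024-05-01 09:08:10 DROP TCP 192.0.2.99 192.168.10.2 50666 3389" + TAIL + "RECEIVE",
    "2024-05-01 09:09:00 ALLOW TCP 192.168.10.2 192.168.10.5 50777 80" + TAIL + "SEND",
])

def is_known(src, port, allowed=ALLOWED):
    """True if src is inside a network allowlisted for this TCP port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in allowed.get(port, []))

def audit(log_text, allowed=ALLOWED):
    """Return (finding, src-ip, dst-port) for inbound TCP entries that contradict the allowlist."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the records below
        rec = dict(zip(fields, line.split()))
        if (line.startswith("#") or rec.get("protocol") != "TCP"
                or rec.get("path") != "RECEIVE" or not rec.get("dst-port", "").isdigit()):
            continue                           # header, outbound, or non-TCP entry
        port = int(rec["dst-port"])
        known = is_known(rec["src-ip"], port, allowed)
        if rec["action"] == "ALLOW" and not known:
            findings.append(("unknown-client-allowed", rec["src-ip"], port))
        elif rec["action"] == "DROP" and known:
            findings.append(("known-client-blocked", rec["src-ip"], port))
    return findings
```

On the sample, `audit(SAMPLE_LOG)` reports two allowed connections from addresses that are not on the list for that port and one known client that was dropped.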

6.2.3.6 Securing the applications

When the firewall restricts applications as explained above, the
attackable points are effectively limited to those applications. The next step is to make
sure that those applications themselves are secure.

Remote desktop offers no means of automation. This implies that only a human operator can
use it, not a piece of software like a virus. The risk of a human operator performing malicious
actions is limited to the access that operator has. Security here falls back to the security of the
passwords, for which a policy is outlined above.

The GuardNVR server is an unlikely point of attack, since it is not a widespread application
like a web server. This means that very few people would be interested in designing an attack
on this software. Those people would have to know a lot about the internal workings of the
server, which is difficult. That said, Quadrox engineers are working hard to keep the
number of possible security risks to an absolute minimum.

Only one application remains, namely the web server (IIS). Quadrox uses tools issued by
Microsoft like urlscan and lock-down to block any action that is not related to GuardNVR
functionality. To ensure security of IIS, please make sure that all necessary security updates
are applied (see above).

6.2.3.7 VPN

Setting up a virtual private network (VPN) can potentially increase security, similar to having
a dedicated network or limiting clients by IP address. It achieves this by encrypting the data
that goes over the network.

Setting up a VPN for your video surveillance equipment is outside the scope of Quadrox
support. Be aware that the encryption process can cause delays that might affect the
performance of the video system.