WebCCTV Installation Manual
63
Version 4.4 Series
6.2.4.4 Firewall
A critical element in WebCCTV security is the firewall. A firewall is software that allows only a
limited set of applications to accept connections from the network.
WebCCTV uses the Microsoft Windows firewall, which is enabled by default in the operating system.
It is a basic firewall with limited functionality, but nonetheless effective for our goals.
By default, only the following applications are allowed:
- Web server needed for the web application (IIS, TCP port 80)
- WebCCTV video server software (OPServer and OPVWSYS, TCP port 1518 and UDP ports 4096-4223)
- Remote Desktop needed for remote administration and support (TCP port 3389)
This applies only to connections made to WebCCTV. Outgoing connections (connections made from
WebCCTV to another machine) are not restricted; however, please follow the guidelines for proper
use to prevent problems.
For support issues where Quadrox support technicians take remote control of WebCCTV, TCP port
3389 must be open (on the WebCCTV firewall and on any firewall between the technician and
WebCCTV). For the Q-Monitor service, TCP port 5666 has to be open.
In some exceptional cases it might be necessary to allow more applications (open more ports).
This is technically possible; however, Quadrox strongly advises against this practice and will
not give support on this functionality or any problems that originate from it.
6.2.4.5 Allowing only known clients
If you have a set-up with a fixed number of known clients, it is possible to allow only these
clients, based on their IP address; no other client will be able to connect to WebCCTV.
This further limits the number of possible connection points and thus increases security.
It is usable only in a limited number of scenarios and can give rise to practical problems
(for example, clients whose IP address changes). Please contact Quadrox support for more information.
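The following script is an added example, not part of the Quadrox manual or product, showing how the default inbound rule set of section 6.2.4.4 and the known-client restriction of section 6.2.4.5 can be expressed with the Windows Firewall cmdlets, and how to audit the host for inbound allow rules outside that set. It assumes the NetSecurity module (Windows 8 / Windows Server 2012 and later) and an elevated session; the client addresses and rule names are placeholders chosen for illustration.

```powershell
# Added example (not Quadrox's script): apply the documented WebCCTV inbound rule set,
# optionally scoped to known client addresses, then audit for rules outside that set.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later); run elevated.
$KnownClients = @('192.0.2.10', '192.0.2.11')   # placeholder addresses; use 'Any' to skip the IP restriction

# Documented inbound services: IIS, video server, Remote Desktop (support), Q-Monitor
$Services = @(
    @{ Name = 'WebCCTV IIS (HTTP)';        Protocol = 'TCP'; Port = 80          },
    @{ Name = 'WebCCTV video server';      Protocol = 'TCP'; Port = 1518        },
    @{ Name = 'WebCCTV video streams';     Protocol = 'UDP'; Port = '4096-4223' },
    @{ Name = 'WebCCTV Remote Desktop';    Protocol = 'TCP'; Port = 3389        },
    @{ Name = 'WebCCTV Q-Monitor';         Protocol = 'TCP'; Port = 5666        }
)

# Default-deny inbound on every profile; outbound stays unrestricted, as the manual states.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

foreach ($svc in $Services) {
    # Remove any earlier copy so re-running the script leaves exactly one rule per service.
    Get-NetFirewallRule -DisplayName $svc.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $svc.Name -Direction Inbound -Action Allow `
        -Protocol $svc.Protocol -LocalPort $svc.Port -RemoteAddress $KnownClients `
        -Profile Any | Out-Null
}

# Audit: every enabled inbound allow rule whose protocol/port is not in the documented set
# is reported, together with the remote addresses it accepts.
$Allowed = $Services | ForEach-Object { "$($_.Protocol)/$($_.Port)" }
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    $pf   = $rule | Get-NetFirewallPortFilter
    $af   = $rule | Get-NetFirewallAddressFilter
    foreach ($port in @($pf.LocalPort)) {
        $key = "$($pf.Protocol)/$port"
        if ($Allowed -notcontains $key) {
            Write-Warning ("Inbound allow outside documented set: '{0}' {1} from {2}" -f `
                $rule.DisplayName, $key, ($af.RemoteAddress -join ','))
        }
    }
}
```

The audit will also list Windows' own built-in rules (Core Networking, the built-in Remote Desktop group, and so on); review those rather than removing them blindly, and treat any rule that accepts a port the manual does not name, or that accepts connections from 'Any' when a known-client set was intended, as the finding.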
6.2.4.6 Securing the applications
When applying the restriction on applications with the firewall as explained above, the
attackable points are effectively limited to those applications. In the next step we should make
sure that those applications themselves are secure.
Remote Desktop is designed for interactive use rather than automation, but like any logon service
reachable over the network it can still be probed by automated tools, for example password
guessing. Whatever uses it, human operator or program, can do no more than the account it logs in
with is allowed to do, so the security of this falls back to the security of the passwords, for
which a policy is outlined above.
The WebCCTV server is an unlikely point of attack, since it is not a widespread application
like a web server. This means that very few people would be interested in designing an attack