Introduction
In order to keep with advancing network security trends, our 4.0 Interface for IC Realtime recorders now introduces a Cyber Security section, featuring a suite of services to help keep your device and records safe from cyber attacks and vulnerabilities. This documentation will give a brief overview of the security services featured. Note that some of the services explained here may not be available depending on the model of the actual recorder.
Security Status
You can navigate to this section by going to Main Menu > Advanced Settings > Network > Cyber Security. You can click the "rescan" button to detect any potential security issues.
User and Service Detection
These services detect whether the current recorder configuration is to recommended standards. The color of the icons reflects their current status.
Green= Configuration is to recommended standards
Orange=In good standing, but with several issues.
Red= Configuration has issues to be addressed.
 |
User Status |
Status regarding security strength of user credentials. It is encouraged to use complex passwords. It is not recommended to use simple passwords such as "admin123". |
 |
Configuration Security | Various security configurations can be enabled such as HTTPS. |
 |
Login Authentication | Detects whether the current login mode is within recommended security parameters. |
Security Modules
 |
Audio/ Video Encryption Transmission | Steaming Protocol Authentication (Private is recommended, although Basic can be enabled, but with less security) and encryption on RTSP over TLS. |
 |
Trusted Protection | Secured Bootup, execution (real-time monitoring), and Firmware upgrade protection. |
 |
Security Warning | This will trigger a warning when a security exception is detected, such as Illegal Login. |
 |
Attack Defense | This covers SYN and ICMP Flood attack defenses, Firewall, and Account lockout services. |
 |
Firmware Encryption | Firmware storage on the device is encrypted. |
 |
802.1x | IEEE 802.1X provides protected authentication for secure network access. |
 |
Secure Shell | Multi-factor authentication is utilized to restrict user permissions, operate in the system background, and prevent illegal operations. |
 |
Configuration File Security | Configuration file storage is encrypted and encryption is supported when exporting configuration files |
 |
CA Certificate | CA certificates contain a public key corresponding to a private key. The CA owns the private key and uses it to sign the certificates it issues. |
 |
Log Security | Supports recording logs by levels to track system operations and events. |
 |
Session Security | Supports Auto Logout after inactivity, Brute Force Access Prevention, and Anti-hijacking (prevent session data leakage) |
System Service
| Basic Services | Toggle services such as: mobile Push Notifications, CGI commands, ONVIF, NTP server, SSH, Network discovery, and CGI Authentication (Digest, Basic). note that making changes to CGI settings will affect integration platforms such as Savant, Crestron, etc. |
| 802.1x | Configuring NIC Name, Authentication Mode, and CA certificate management |
| HTTPS | Toggle HTTPS, TLSv1.1 compatibility, and HTTPS certificate management |
Attack Defense
| Firewall | MAC/ IP Filtering. You can input MAC or IP addresses that are only allowed access (Whitelist) or block access (Blacklist). If not configured properly, this can cause login issues with different devices. For example, if setting an AllowList (Whitelist) you will need to make sure all the IP/ MAC addresses are input for every single device that needs to connect to it. |
| Account Lockout | Configures the number of login attempts before lockout and time duration. The recommended setting is default (5 attempts, 30 minute lockout). |
| Anti DDOS Attack |
Toggles SYN and ICMP Flood Attack defenses. An attacker might send out repeated SYN messages to the device, leaving many half-open TCP connections on the device, which will make the device crash. When hit by an SYN flood attack, the device will defend itself by discarding the first message. An attacker might send out an abnormally large number of ICMP packets to the device, which will use up all computing resources and thus make the device crash. When hit by an ICMP flood attack, the device will defend itself by using the ICMP message filtering tactic. |
| Sync Time- Allowlist | Configures allowed IP addresses for the time sync server. This is typically not configured unless the client is hosting their own secured time sync server. |
CA Certificate
| Device Certificate | CA Certificate creation, CA Application, and Certificate Importing. |
| Trusted CA Certificates | For installing trusted CA certificates. |
A/V Encryption
| Audio/ Video Transmission | Toggles stream transmission using the private protocol (Recommended to leave turned off). Modifying this may affect viewing platforms such as Mobile and Desktop Apps, Browsers and integration platforms such as Savant, Crestron, etc. |
| Toggles RTSP over TLS encryption, this is typically disabled by default. Configure at your own discretion. Enabling this may affect RTSP streaming using integration platforms. |
Security Warning
| Security Exception | Toggle triggers when a Security exception is detected such as Alarm-out ports, Buzzer, or E-mail alert. |
| Illegal Login | Toggle triggers when an illegal login is detected such as Alarm-out ports, Buzzer, or E-mail alert. |
For a more detailed breakdown of the Security Menu, please see the White Paper in this link.
Comments
0 comments
Please sign in to leave a comment.