
I'm dealing with a proprietary, legacy VMS (Video Management System) that is connected to IP cameras for remote surveillance.

The system is exposed on the public Internet on port 8016 and users are accessing it over a non-encrypted connection (mostly on mobile devices, using an app called RAS Mobile I). The protocol used for the communication is proprietary, not based on HTTP. The server supports authentication, but it uses a short numeric code and everything is transmitted clear-text. Needless to say, this is a huge security issue.

I've been asked to make the system more secure, but I can't think of any way to achieve that without requiring a VPN. A VPN is not an ideal solution because users are accessing the cameras on mobile devices 99% of the time (all Apple devices), and using a VPN would require them to: open the VPN app, start the tunnel, go back to RAS Mobile I, then open the VPN app again to close the tunnel.

Is there another way to add some layers of security and encryption to the system, without requiring a VPN connection?

For example: for another system that was communicating via HTTP, I've added an Nginx reverse proxy in front and enabled SSL and HTTP basic auth in the proxy.

ItalyPaleAle
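The stunnel approach suggested in the comments, shown as an added example (not configuration from the question or from the VMS vendor): stunnel on the server side terminates TLS on a new port and forwards the decrypted stream to the proprietary service on port 8016, which is then bound or firewalled to localhost so nothing reaches it in cleartext from the Internet. The listening port 8017, the hostname vms.example.com, the certificate paths and the use of client certificates in place of the short numeric code are all assumptions. As the question notes, this only helps clients that can run a local stunnel (a desktop, or a relay host); the RAS Mobile I app speaks the proprietary protocol directly and cannot be pointed at a local TLS wrapper, so mobile users still need a VPN.

```ini
; ---- server side: /etc/stunnel/vms.conf (assumed path) ----
; Runs on the VMS host (or a host in front of it). Drop privileges after start.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/vms.pid

; Server certificate and key (assumed paths).
cert = /etc/stunnel/vms-server.pem
key  = /etc/stunnel/vms-server.key

; Refuse legacy protocol versions.
sslVersionMin = TLSv1.2

; Require a client certificate issued by our own CA, so the weak numeric
; code of the VMS is no longer the only thing between the Internet and the cameras.
CAfile = /etc/stunnel/clients-ca.pem
verifyChain = yes
requireCert = yes

[vms]
; Public TLS listener; the firewall should allow 8017 and block 8016 from outside.
accept  = 0.0.0.0:8017
; Plaintext hop stays on the loopback interface only.
connect = 127.0.0.1:8016

; ---- client side (desktop or relay host): stunnel.conf ----
; Commented out here because server and client are separate configs;
; copy this part to the client machine.
; client = yes
; cert = /etc/stunnel/vms-client.pem
; key  = /etc/stunnel/vms-client.key
; [vms]
; ; The VMS client application is pointed at localhost:8016 instead of the public server.
; accept  = 127.0.0.1:8016
; connect = vms.example.com:8017
; ; Verify the server certificate and that it matches the expected hostname.
; CAfile = /etc/stunnel/server-ca.pem
; verifyChain = yes
; checkHost = vms.example.com
```

With this in place a check from outside should show port 8016 closed and only 8017 answering, and a plain TCP connection to 8017 that does not present a valid client certificate should be rejected during the TLS handshake, before any of the proprietary protocol is exchanged.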
  • Use stunnel. https://www.stunnel.org/downloads.html – Ipor Sircer Oct 11 '16 at 04:18
  • @IporSircer thanks, I'll try it but I don't think the application itself (on mobile devices) can support adding TLS. On a desktop, I would install a background process that does the decryption, but on a mobile phone that is not an option... – ItalyPaleAle Oct 11 '16 at 04:21
  • Just use a VPN. Mobile support is ubiquitous. – EEAA Oct 11 '16 at 04:28
  • @EEAA yes and that will work, but it has a really poor user experience as I described above. I'm looking for alternative, creative ideas (if any!) – ItalyPaleAle Oct 11 '16 at 04:29
  • Your choices are: 1) Use a VPN 2) Migrate to a reasonably modern application. Both will require user-facing changes. – EEAA Oct 11 '16 at 04:31
  • @EEAA I'm thinking maybe using a virtual desktop maybe? Sadly client applications are proprietary as well and can't be modified to add encryption... – ItalyPaleAle Oct 11 '16 at 04:38
  • If you think VPN is a bad user experience, how is VDI not considerably worse? – EEAA Oct 11 '16 at 04:39
  • @EEAA it would not require switching back and forth apps at least. Certainly it's not the nicest GUI. – ItalyPaleAle Oct 11 '16 at 04:40
  • Use a VPN. If the users get tired of it, replace the "security" cameras with ones which don't include any irony in their design. – Michael Hampton Oct 11 '16 at 05:19
  • `Needless to say, this is a huge security issue` - What's at risk? That an unauthorized user can view the feeds from the cameras? – joeqwerty Oct 11 '16 at 11:23
  • @joeqwerty yes, it's a matter of physical security. Besides the obvious privacy concerns, criminals might leverage the system to know who is in the building and when, putting at risk the safety of properties and of persons too. – ItalyPaleAle Oct 11 '16 at 12:52
  • Right, which would be resolved by a VPN. – EEAA Oct 11 '16 at 13:44
  • @EEAA fully agree, as I acknowledged in my question. I was hoping for alternatives... – ItalyPaleAle Oct 11 '16 at 13:51
  • @MichaelHampton not really surprised to be honest... wait until the Internet of Things becomes an actual "thing" and let's see how many devices are around without the most basic security features baked in... – ItalyPaleAle Oct 11 '16 at 13:52
  • ...which you've been given. You're asking for the impossible. You are going to have to compromise on some of your requirements. – EEAA Oct 11 '16 at 13:52
  • It's plain now that you have the wrong security camera system. It does not meet your needs. Implement a VPN for now, but go straight to shopping for a replacement. And be sure to tell the vendor that they're going to lose business because their product doesn't do what you need. That's the most important part. – Michael Hampton Oct 11 '16 at 14:34

0 Answers