
I have a friend who runs a small business and needs to maintain PCI compliance. He also wants to allow remote access to his security camera DVR, which is on the network, but doing so would break his PCI compliance because it would open up a port (80, I believe).

How can my friend easily make it so that an external scan of his network shows no open ports, while also having the ability to access the DVR remotely somehow?

2 Answers


The best solution would be to implement a VPN that users can connect to remotely, thereby gaining access to systems inside the LAN. If that's not an option, you can create a NAT port forward for the DVR, but configure the firewall rules such that traffic on that port is limited to only one public IP. It goes without saying that this solution would require that requests for the DVR from outside always come from the same IP address.

Note: Traffic to/from the DVR is completely unencrypted. This is not ideal. Consider implementing HTTPS on that machine to protect the credentials and data that are exchanged with the system. If that's not possible, then the above VPN solution is really the only viable option security-wise.

EEAA
  • Port knocking could be used if it needs to be accessed from unknown locations, although this would be more complex. – Dylan Knoll Apr 23 '17 at 07:47
  1. You can schedule the port to be open only during specific hours
  2. You can open the port for connections only from a specific IP

In this way, most of the time and from most sources, all ports will be closed.

alexlev2004