Beyond the basics: cybersecurity for video management software

We’ll be using examples from our own video management software (VMS) —Milestone XProtect^® —to demonstrate what these steps might look like. That said, the same principles apply no matter what VMS you’re using. 

Some of the many benefits of managed switches are that they let you:

• Integrate with XProtect. Like many other video management software (VMS) solutions, we require the use of managed switches. The rest of this list will explain why they’re mandatory. 
• Segment your network into virtual local area networks (VLANs). When you have separate VLANs, an unauthorized attacker who gains access to one VLAN cannot directly reach devices on another VLAN. We’ll talk more about this in “Step 2”. 
• Disable unused ports, which otherwise present potential entry points for unauthorized access to your network.
• Identify connected devices with 802.1x Network Access Control (NAC). This helps ensure that only authorized cameras and recording devices are allowed to connect to the network and communicate with the VMS.
• Monitor traffic and raise alerts on undesired network behavior. An example of undesired traffic is a broadcast storm, which can be used maliciously to flood an organization’s network and negatively impact their video surveillance system (among other problems).
• Mirror ports for deep packet inspection (DPI) with integrated third-party solutions. Port mirroring allows your VMS to copy video traffic from network switches or routers and redirect it to DPI-enabled security appliances that will check the video “packets” for suspicious activity, security threats and/or compliance violations.
• Manage OSI Layer 2, Layer 3 and/or Layer 7 functionality. Layer 2 switches are commonly used in VMS deployments at the local network level; Layer 3 at the multi-network and/or multi-location level; Layer 7 at the application layer (including, for example, third-party security services that integrate with your VMS).

So, what type of managed switches do you need? The answer depends on your specific requirements. For example, if you want to use Multicast, you’ll need at least one Layer 3 switch, but the rest can be Layer 2 switches.  

As mentioned in the previous section, segmenting your network into VLANs helps reduce the reach of an attacker that gains access to a single VLAN. Additional benefits of VLANs are: 

• Less hardware required, less overhead: Unlike physical segmentation, which requires separate physical network devices (e.g., switches or routers) for each segment, VLANs leverage existing network infrastructure to create virtual segments. This eliminates the need for additional hardware components, reducing upfront hardware costs and simplifying network management.
• Traffic isolation and optimization: Video surveillance systems generate significant network traffic, particularly when streaming high-definition video feeds. VLAN separation allows organizations to isolate video traffic from other network traffic, preventing congestion and optimizing network performance. By dedicating separate VLANs for video surveillance traffic, organizations can ensure that critical video streams receive sufficient bandwidth and low latency, minimizing delays and ensuring smooth video playback.
• IT delegation: If you’re working with a system integrator (or if you are a system integrator), they’ll likely need access to your VMS installation and connected security devices, but not your entire network. Having separate VLANs makes it possible to assign different access levels to internal versus external IT professionals. 

Okay, so how does separating the VLANs work when it comes to XProtect?

• In a simpler network, you could create a camera VLAN and an XProtect client VLAN with a single switch, allowing them both to communicate with the XProtect server. 

• In a more sophisticated corporate network, where the office network might be mixed with the same infrastructure as the security network, you should consider a third VLAN for some sensors, file servers and computers used by most of your employees. The physical infrastructure can be shared while the virtual separation serves as a security layer.

In a previous article, we talked about the very basic (but important) step of changing any default admin passwords on your cameras and sensors to a complex password. To maximize the strength of your device passwords, it’s a good idea to let your VMS generate a very long, complex password for each device. If you can remember a password, it’s probably not complex enough. 

You can update passwords one device at a time or in bulk. If you have a larger site or multiple sites with many devices, we naturally recommend the latter option. Here’s how both options work in XProtect. 

To update passwords one by one:

1. Open the Management Client.
2. Under “Servers”, click “Recording Server”. 
3. Right click on a specific device and select “Change Hardware Password”.
4. Select the “Generated Password” option.
5. Click “Next”. 

To update passwords in bulk:

1. Open the Management Client.
2. Click on “Maintenance” in the top menu.
3. Select the devices that need a password update. 
4. Select the “Generated Password” option.
5. Click “Next”.

Without encryption, anyone who gains access to the media database could potentially view or steal sensitive video content. Advanced Encryption Standard (AES) is widely regarded as one of the most secure encryption algorithms available today. AES encryption comes in different key lengths (128-bit, 192-bit, and 256-bit), with longer key lengths providing stronger security. It would take millions of years to break AES-256, which, unsurprisingly, hasn’t happened yet. So, if you’re shopping around for a VMS, AES encryption is something to look out for. 

With XProtect^® Expert and XProtect^® Corporate, you can choose between “Light” and “Strong” encryption. Both utilize AES-256; the difference is in how much data is encrypted. Light encryption only encrypts the first part of media data, but this is enough to make the rest of the data unreadable. Alternatively, strong encryption encrypts all of the media data, so it’s the more secure option.

Light encryption is less demanding when it comes to the CPU load of the computer running the recording server. That said, the CPU load is influenced by different factors (video codec, framerate, etc.). As long as the CPU isn’t maxed out, database encryption won’t negatively impact recording performance. You can learn about XProtect storage architecture in this guide.

Here’s how to choose “Light” or “Strong” encryption in XProtect Expert and XProtect Corporate:

1. Open the Management Client.
2. Under “Servers”, click “Recording Servers”. 
3. Go to the “Storage” tab.
4. Under “Encryption”, change the selection from “None” to either “Light” or “Strong”.
5. You’ll be asked to choose a password. You must remember this password. Milestone does not have access to any of the data in your system. So even if you were to give our support team or developers access to your servers, we still couldn’t recover your password.

Taking steps towards stronger security is a matter of blocking out the time to do the things you already know need to get done. Creating proper user role types and assigning permissions is one of those kinds of tasks. You want to limit users’ access to the devices and functions that they need to perform their tasks.

Let’s consider five types of users:

• An administrator who manages the VMS
• An external security provider who is contracted to monitor external cameras after normal work hours
• An internal security operator who is responsible for security during normal work hours
• The owner/head of your organization
• A VMS integrator who is contracted to maintain your security cameras

To assign appropriate user roles in XProtect:

1. Open the Management Client. 
2. Under “Security”, click “Roles”. 
3. Right-click to “Add Role”. 
4. Create the five roles listed above and assign permissions accordingly. For example, the external security provider would have access to the Mobile Client and Web Client for remote monitoring. 
5. Under the “Device” tab, you can choose which cameras each user role should have access to (e.g., outdoor cameras for your external security provider). 
6. Only consider the “Overall Security” tab for roles such as administrator or owner, where the job requires access to all VMS functionalities.
7. Under the “Users and Groups” tab, you can assign colleagues to the role you’re working on.

Another optional step is to remove Windows administrator access. By default, the Windows administrator is also the XProtect administrator, which you might not necessarily want. To remove the Windows administrator, go into “Roles”, “Administrators” and remove the user where the description is “built-in account”. 

Technical issues can indicate a potential cyber attack, and notifications can help you act fast. Even if there’s no attack, having notifications also helps nip any day-to-day operational issues in the bud. 

You’ll want to monitor:

• Communication issues between servers and cameras
• Service availability
• CPU and GPU loads on your servers
• Events supported by your security cameras
• Media database errors

To set up email notifications in XProtect:

1. Open the Management Client.
2. Under “Rules and Events”, click “Notification Profiles”.
3. Right-click and select “Add Notification Profile”. 
4. Give each new notification a name and description.
5. Add the notification recipients and other email details.
6. Add the rules that will trigger the notification. 

In the Management Client, you can also configure Webhooks and set up alarms to be sent to security operators.

While Milestone can ensure that our software has the most secure defaults, cyber-resilience comes with a lot of work outside of your VMS. Check out our hardening guide to learn more. We also hope that you’ll join our next cybersecurity training on May 2nd at 10 am Central European Time. We’ll dive into:

• Network segregation and monitoring
• “Strong” encryption of video data at rest
• Digital signing of video databases and exports
• How to apply certificates in XProtect

Can’t make it live? Please sign up anyway to get the recording.