
Re: Network security: VLAN or Firewall

Posted: Tue Apr 14, 2020 10:37 pm
by davidf
I use both.
I use a SonicWall SOHO UTM. It has 4 LAN ports on it. I set up a separate VLAN for cameras and ran a connection to it. I call it the security VLAN. I run other security-related items on this VLAN as well, like light controls, access control, etc.
I allow access for NTP, DNS, and FTP to a different internal VLAN where those servers are running. All workstations are on another VLAN, and the Rokus and such are part of the guest VLAN.
I cut off internet access for this network because it is not needed and to help control reboots of Win10 for updates. I got tired of BI being down after an update reboot; sometimes I didn't catch it until the next day, which of course defeats the purpose of surveillance.

If I ever want remote access to BI, I will set up the SonicWall VPN feature (I will need to download their app to install on iPad/phone). That way I don't have to open port 81 on the firewall to view BI.

This works well for me. On Friday nights (usually) I enable internet access for this VLAN and check and install updates for Win 10 and any other updates I need for other items on the LAN. Then I disable its internet access.

Re: Network security: VLAN or Firewall

Posted: Wed Apr 15, 2020 3:46 am
by MikeBwca
Say what! I haven't even turned it on in over 10 years.

Re: Network security: VLAN or Firewall

Posted: Mon May 25, 2020 4:12 pm
by softtechs
Hi everyone. I did not want to start a new discussion as this one is very similar to what I'm trying to do, plus it's my first post here.
I have BI and my cams on a TP-Link TL-SG1016PE switch configured for VLANs 1, 2, 3. VLAN 3 is my BI/cameras and VLAN 2 is my LAN on a standard 24-port TP-Link switch.
The BI server has two NICs, one for VLAN 3 on a different IP/subnet with no DNS entered. The second NIC is configured for LAN access to BI/cams and has my default gateway and no DNS entries. BI server/cams have no internet access! My question is that I can access BI/cams on my local LAN and over Wi-Fi, as I connected the second NIC to the 24-port switch. Is this a security concern? Seems like I'm not doing this correctly and someone could access VLAN 3, see the second NIC, make changes to the NICs and access the whole network.

Re: Network security: VLAN or Firewall

Posted: Sat May 30, 2020 8:51 pm
by aukipc
Just want to add what my setup is:

- I have a dual-NIC setup: one NIC is the camera LAN, the other NIC is general LAN + WAN.
- I have a camera VLAN (CCTV feeds + BI PC camera LAN NIC); nothing in my network can communicate with the camera LAN other than the cameras and the BI PC NIC, and vice versa.
- I've also port-isolated the camera feeds and BI PC such that the camera ports can only communicate with the BI PC LAN port and vice versa.
- I then have all of this under an SPI firewall.
- And the WAN connection to the BI PC is via a private VPN set up on the router.

This probably took around a full day of tinkering to set up, and it does involve enterprise-class TP-Link gear, but not really that expensive (especially compared to the likes of Ubiquiti); it was a bit of a learning curve but well worth it, I think!

Re: Network security: VLAN or Firewall

Posted: Mon Jun 01, 2020 1:53 pm
by Matts1984
softtechs wrote: Mon May 25, 2020 4:12 pm Hi everyone. I did not want to start a new discussion as this one is very similar to what I'm trying to do, plus it's my first post here.
I have BI and my cams on a TP-Link TL-SG1016PE switch configured for VLANs 1, 2, 3. VLAN 3 is my BI/cameras and VLAN 2 is my LAN on a standard 24-port TP-Link switch.
The BI server has two NICs, one for VLAN 3 on a different IP/subnet with no DNS entered. The second NIC is configured for LAN access to BI/cams and has my default gateway and no DNS entries. BI server/cams have no internet access! My question is that I can access BI/cams on my local LAN and over Wi-Fi, as I connected the second NIC to the 24-port switch. Is this a security concern? Seems like I'm not doing this correctly and someone could access VLAN 3, see the second NIC, make changes to the NICs and access the whole network.
I didn't fully follow your layout as written. It sounded like VLAN 2 and VLAN 3 are BI/cams. Regardless, to answer your question, any time you have a connection between two networks, there is a security concern. Generally there should be a single point into/out of a network, via the default gateway, and that should be a router of some sort (because it can 'route' between subnets). That router can absolutely be some sort of enforcement/inspection point like a firewall, or a simple layer 3 device that just forwards packets. Having a sort of backdoor (2nd NIC), while possibly better for performance, especially for streaming content, bypasses that control. If that bridging host has sufficient security controls then the risk is probably mitigated and, to be honest, my BI server does have a secondary NIC directly on my camera VLAN.

Yes, in theory, if someone/something was able to get into your VLAN 3 and compromise notoriously insecure cameras, they could find that secondary NIC and use it as a pathway to the rest of your network. I'm not sure what controls you have in place, but if you have this secondary NIC, your cameras should never (most likely; I don't have your cameras) need direct access to or from ANYTHING, and therefore your VLAN 3 could have a default deny rule. Only your BI server needs to talk to your cameras, and it can/should have controls that remove the possibility for VLAN 3 addresses to make it out the primary NIC.
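One way to enforce the host-side controls Matts1984 describes on the dual-homed BI server itself, as an added example that is not from this thread or from Blue Iris: PowerShell run as Administrator on the Windows BI machine, assuming the camera-side NIC is named 'Cameras' on 192.168.3.0/24 and the LAN-side NIC (the one with the default gateway) is named 'LAN' on 192.168.2.0/24 (interface names and subnets are assumptions).

```powershell
# Added example, not from the thread. Assumed interface aliases and subnets:
$CamNic    = 'Cameras'          # NIC on VLAN 3 (camera side), no default gateway
$LanNic    = 'LAN'              # NIC on VLAN 2 (workstations), has the default gateway
$CamSubnet = '192.168.3.0/24'   # camera VLAN (assumed)

# 1. The host must not act as a router between the two NICs: IPv4 forwarding
#    off on both interfaces (RRAS, ICS or Hyper-V can silently switch it on).
Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias $CamNic, $LanNic |
    Set-NetIPInterface -Forwarding Disabled

# 2. Strong host model on the camera NIC: packets addressed to the LAN-side IP
#    are not accepted on, or sent from, the camera-side interface.
Set-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4 `
    -WeakHostReceive Disabled -WeakHostSend Disabled

# 3. Only Blue Iris needs the camera NIC: unbind File and Printer Sharing and the
#    Microsoft client so SMB/NetBIOS are not offered to the camera VLAN.
Disable-NetAdapterBinding -Name $CamNic -ComponentID ms_server, ms_msclient

# 4. Windows Firewall on the camera NIC: allow only the camera subnet in either
#    direction. Block rules override allow rules, so two address ranges that
#    cover every address except $CamSubnet give a default deny on that interface.
$Everywhere = '1.0.0.0-192.168.2.255', '192.168.4.0-255.255.255.255'
New-NetFirewallRule -DisplayName 'Cameras: allow camera subnet in' -Direction Inbound `
    -InterfaceAlias $CamNic -RemoteAddress $CamSubnet -Action Allow
New-NetFirewallRule -DisplayName 'Cameras: block all other inbound' -Direction Inbound `
    -InterfaceAlias $CamNic -RemoteAddress $Everywhere -Action Block
New-NetFirewallRule -DisplayName 'Cameras: block non-camera outbound' -Direction Outbound `
    -InterfaceAlias $CamNic -RemoteAddress $Everywhere -Action Block

# 5. Verify: forwarding disabled on both NICs, and the three rules present and enabled.
Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias $CamNic, $LanNic |
    Select-Object InterfaceAlias, Forwarding
Get-NetFirewallRule -DisplayName 'Cameras:*' |
    Select-Object DisplayName, Direction, Action, Enabled
```

The two address ranges in `$Everywhere` must be adjusted if the camera subnet differs from the assumed 192.168.3.0/24. This host policy is a second layer only; the default-deny rule on the VLAN 3 router or firewall remains the primary control.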

Re: Network security: VLAN or Firewall

Posted: Sun Jun 14, 2020 3:52 pm
by softtechs
Thank you! You did clear this up for me. Seems that having 2 NICs on the BI server and using the second NIC to access BI locally via VLAN 2 has created a "loophole" to the LAN network. Should have got a layer 3 switch! Might have to put my old Netgear AC1200 router on VLAN 3 and set up access rules.