CHeKT’s world-class proactive video alarm monitoring solution gives command centers and alarm monitoring centers instant access to video from a protected location. While our design team has focused on ensuring the fastest and most intuitive experience for monitoring center agents, the engineering team has focused on the security of network connections and data privacy for those we serve.
Remote video monitoring is an essential security service for many customers. Instant live video sent to the alarm monitoring center when unauthorized access is detected has tremendous value in protecting property. With the accuracy of alarm systems, video analytics, AI, and video quality in low-light situations, cameras give agents the visual situational awareness needed to be proactive in securing a customer’s property.
But does providing remote video monitoring open security companies and customers to cyber security risks? When a network video system is made accessible to agents in a remote video monitoring center, it’s essential to understand what cyber security risks are exposed. There are several technical methods used to enable remote access to a camera system, and not all follow cyber security best practices or use trusted service providers. Understanding how these remote connection methods work allows you to make the best decision when remote video monitoring is needed.
The information below details common methods of establishing remote access and how the CHeKT platform maintains cyber security measures by encrypting communication from the protected site to the remote monitoring station.
Port-Forwarding & DDNS
For many security companies, the battle between protecting a client’s network and providing interactive video services is an internal struggle of convenience vs security. Unfortunately, in many situations, the choice comes down to convenience, both for the dealer and the customer.
While port-forwarding a video system can compromise the security of the customer’s network, often installation companies feel they have few alternatives. They’ve installed a video system, and the customer wants access to video away from the home or office, and they want remote video monitoring services.
For many video brands, the port-forwarding method is the only way to provide customers with remote video monitoring services. However, adding the CHeKT solution to these sites allows security companies to close the port-forwarding rules and eliminate the risks associated with port-forwarding.
What should you know about Port Forwarding?
Port-forwarding a video system involves allowing access to the internal network video device(s) from outside of the customer’s router or firewall. The risk associated with port forwarding is a cyber attack on the video device, which can in turn open access to the whole network. Port-forwarding external internet traffic to an internal device for remote access not only allows the IP camera or video system to be accessed but also, often without the customer knowing, shifts the security of the network from the firewall to the video device. This makes the client’s network security only as good as the internal security of the video device, and these systems are not designed to handle security attacks and have a high likelihood of being compromised.
Is DDNS an Alternative to Port-Forwarding?
DDNS (Dynamic Domain Name Services) is not an alternative to port forwarding but a simpler method for accessing devices that use port forwarding. Simply put, DDNS is an easy way to remember how to access your port-forwarded video device(s). DDNS also helps installation companies overcome dynamic public IP address changes at a protected site.
DDNS assigns a name to an IP address. So instead of memorizing a list of numbers for accessing cameras, you can use a name like mysecuritysystem.com that is dynamically directed to the public IP Address for the site.
So, while DDNS services can simplify remembering how to access cameras remotely, they do not improve the security of that access. In some cases, DDNS may lead to increased attacks because an easy-to-remember name is now assigned to the IP address.
Does CHeKT Require Port-Forwarding or DDNS?
No. When installing the CHeKT, all port-forward rules associated with your video devices can be removed. Any DDNS names created for remote access can also be removed. The CHeKT solution allows security companies to provide remote video monitoring and add access to on-site video systems securely without port-forwarding. Additionally, with the CHeKT, security companies do not need to pay for static public IP Addresses for a site. The CHeKT solution overcomes these challenges.
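An added example (not CHeKT code and not part of the original page): before removing port-forward rules as described above, an installer can audit the router's NAT table for inbound forwards that land on video devices. It assumes a Linux-based router whose rules are exported in iptables-save format; the rule lines and the device inventory below are constructed sample data.

```python
import ipaddress
import re

# Constructed sample: NAT table excerpt in iptables-save format.
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.1.50:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.60:80
-A PREROUTING -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.1.51:8000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.1.5:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Assumed inventory of cameras/recorders on the site LAN (hosts or CIDR ranges).
VIDEO_DEVICES = ["192.168.1.50", "192.168.1.51", "192.168.1.60"]

DNAT_RE = re.compile(r"-j DNAT\b.*?--to-destination (\d+\.\d+\.\d+\.\d+)(?::(\d+))?")
DPORT_RE = re.compile(r"--dports? (\S+)")
# A negated source ("! -s net") is deliberately not matched, so it counts as unrestricted.
SRC_RE = re.compile(r"(?<!! )(?<!\S)-s (\S+)")


def find_video_forwards(rules_text, video_devices):
    """Return inbound DNAT rules whose target is a listed video device."""
    nets = [ipaddress.ip_network(d) for d in video_devices]
    findings = []
    for line in rules_text.splitlines():
        dnat = DNAT_RE.search(line)
        if not dnat:
            continue  # not a port-forward rule
        target = ipaddress.ip_address(dnat.group(1))
        if not any(target in net for net in nets):
            continue  # forward to a non-video host; out of scope here
        dport = DPORT_RE.search(line)
        src = SRC_RE.search(line)
        findings.append({
            "external_port": dport.group(1) if dport else "any",
            "target": f"{target}:{dnat.group(2) or 'same'}",
            "source": src.group(1) if src else "any",
            # No source restriction means the device itself is the only defence.
            "open_to_internet": src is None,
        })
    return findings


if __name__ == "__main__":
    for f in find_video_forwards(SAMPLE_RULES, VIDEO_DEVICES):
        status = "OPEN TO INTERNET" if f["open_to_internet"] else f"limited to {f['source']}"
        print(f"port {f['external_port']} -> {f['target']}: {status}")
```

Rules reported as open to the internet are the ones where the network's security rests on the video device alone, and they are the first candidates for removal once access moves to an outbound, encrypted connection.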
P2P & Cloud Relay Services
Some camera brands will use an onboard Peer-to-Peer (P2P) or cloud relay service to enable remote access to their video devices. Utilizing a manufacturer’s P2P service has the potential of being more secure than port forwarding devices. When using a manufacturer’s P2P or Relay services, it’s important to know if their development and software services have a reputation of integrity and trustworthiness.
P2P and Relay connections are managed by a remote cloud of the manufacturer and are not typically regulated. With P2P solutions, the security of the customer’s network is impacted by the quality and integration of the P2P or Relay service.
Things to consider when evaluating a company’s P2P or Relay technology:
Does the company have a history of cyber incidents?
Is the manufacturer trusted by third-party cyber security experts?
Does the manufacturer routinely test and patch for newly discovered software vulnerabilities?
Are the cloud services compliant with government regulations, like GDPR?
In what country are the cloud servers located?
How does a Peer-to-Peer (P2P) connection work?
Peer-to-Peer (P2P), as its name implies, is a direct connection between two devices. The camera or video system and the remote viewer of the video have a directly connected “peer” relationship, and since the connection is established by the camera’s outbound connection, it is a direct device-to-device connection and is not easily compromised. In most cases, these peer relationship connections are managed by the manufacturer’s cloud servers. These cloud services allow remote users to connect to remote video devices through a “pin-hole” method in which the video device is making its port and address known to the cloud for when access is needed. When a remote user needs to access a video system, the cloud provides the connection and location details. Once the two devices have established the known connection path, the devices communicate directly, and the cloud infrastructure is not involved.
What is a Cloud Relay connection?
Relaying is similar to a P2P connection, except the connection is maintained in the manufacturer’s cloud infrastructure. The connection from a remote user to each video device is maintained and relayed through the cloud infrastructure.
Is P2P or Cloud Relay More Secure?
Using P2P and Relay services to connect to global IP communication devices has gained significant popularity over the last 10 years. The reason is that both methods have a good balance of convenience and security. However, there are still cyber risks associated with each that you should understand.
If either solution is poorly developed or the integrity of the company is of concern, the connections could be manipulated and compromised. Security companies and customers should be mindful of the manufacturer and their adherence to cyber security updates and best practices.
When using P2P connections, the connection details are discoverable in the cloud infrastructure, and the security and access levels are granted at the device level. So things like cloud server integrity, known or default passwords, and device security patches can significantly degrade the cyber security of a customer’s network. If the pathway for connecting to a P2P device is discovered, then access to the device can be gained by knowing the video device username and password. Managing and updating these remote video device passwords can be difficult with P2P service providers because it is typically done on each device individually. Additionally, in many P2P solutions for video devices, the video stream from the device to a remote user is transmitted in an unencrypted protocol, making the video stream susceptible to interception.
With Video Relay services, device access and security are managed through the service provider’s cloud infrastructure. Password strength and security measures are managed and maintained in the cloud data center, and therefore cyber security policies for access to all video devices are updated and enforced in a centrally managed environment. When using a video relay method for relaying video, the cloud service provider has the capability of adding enhanced cyber security measures that cameras and devices may not inherently support.
Does CHeKT Use P2P or Relay Services?
CHeKT uses the Relay method for providing access to video devices. Using this method, CHeKT creates a secure encrypted TLS connection from each of the CHeKT Video Bridges to the CHeKT Cloud for 2-way communication to and from a protected site. This ensures that all access to video devices in the CHeKT ecosystem is encrypted from the CHeKT Bridge to the remote users viewing the video, including encrypted and secure authentication.
In instances where video devices are using insecure passwords or an employee’s access needs to be modified or revoked, this is completed centrally in the CHeKT cloud. And where a security company may not have changed the default password of a video device, the device is still unreachable without authenticating through the CHeKT cloud infrastructure.
CHeKT also adds a layer of security by ensuring all video streaming uses an encrypted protocol. When needed, CHeKT can provide customers with our patented privacy mode feature, which limits a monitoring agent’s access to live video while providing video monitoring services.
When the CHeKT solution is used on a site, the P2P services of an untrusted video device can be disabled, and all access to the video devices can run through CHeKT’s secure communications.
CHeKT’s cloud solution is hosted in Amazon’s AWS cloud environment and is GDPR compliant.
VPN Services
Using a VPN (Virtual Private Network) may be the most secure way to deliver video from one location to another. However, in many cases, it is the most challenging to deploy and limiting in how the video services can be accessed. Deploying a VPN solution requires a dedicated internal machine or hardware for managing the secure private network connection on both ends of the connection. These types of installations often require a high level of technical expertise and require more and more hardware as additional parties need access to the video devices from different locations.
Some manufacturers sell dedicated boxes or server hardware specifically designed to simplify the installation and management of a VPN solution. These devices often come with a service fee to the installing company but provide the best level of security to the customer’s network.
Does CHeKT Use a VPN Solution for Client Access?
CHeKT’s encrypted TLS connection to and from a protected site is not a VPN architecture. However, because each Video Bridge creates this secure communication channel, CHeKT leverages a similar method: a secure channel through which a remote user accesses their video devices over an encrypted TCP protocol.