2 connecting guardnvr to the internet, 3 limiting the number of protocols, 4 firewall – Quadrox QGuard Installation Manual User Manual

Page 61: Guardnvr installation manual


GuardNVR Installation Manual


Version 4.4 Series

6.2.3.2 Connecting GuardNVR to the Internet

When GuardNVR is in a LAN, the number of network nodes from which an attack can
originate is at most a couple of hundred. When a GuardNVR server is connected to the Internet,
this number rises to millions. Connecting GuardNVR to the Internet dramatically
increases the chance of an attack.

The choice of putting a unit on the Internet depends on the needs of the end user, but if you do
so, please pay extra attention to the security issues mentioned in this document.

6.2.3.3 Limiting the number of protocols

By default, the Windows operating system supports multiple network protocols. An example is
NetBIOS, which is, among other things, the protocol used to share folders across the network.

To increase security, Quadrox recommends disabling these protocols on a GuardNVR server.
Only one protocol is recommended to be enabled: TCP/IP. This is the main protocol used on
most current networks, including the Internet, and the only one needed for GuardNVR
functionality.

Disabling other protocols prevents attacks that use them, and in that sense it is a good measure
to increase security. Furthermore, it prevents the unit from broadcasting, or in other words
constantly yelling its position to the rest of the network. This makes it more difficult for an
attacker to find the unit on the network, which again increases security.

In some exceptional cases it might be necessary to enable these protocols again, e.g. to back up
video through shares. This is technically possible: the protocols are disabled, not removed.
However, Quadrox strongly advises against this practice and will not give support on this
functionality or any problems that originate from it.

6.2.3.4 Firewall

A critical element in GuardNVR security is the firewall. A firewall is a piece of software that
allows only a limited number of applications to use the network.

GuardNVR may use the Microsoft firewall, which is enabled by default in the Microsoft XP SP2
and Vista operating systems. It is a basic firewall with limited functionality, but nonetheless
effective for our goals.

Only the following applications are recommended to be allowed:

- Web server needed for the web application (IIS, TCP port 80)
- GuardNVR video server software (OPServer and OPVWSYS, TCP port 1518 and UDP ports 4096-4223)
- Remote desktop needed for remote administration and support

These restrictions apply only to incoming connections, that is, connections made to GuardNVR.
For outgoing connections (connections made from the GuardNVR server to another machine) there
is no restriction. However, please follow the guidelines for proper use to prevent problems.
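
The following check is an added example, not part of the Quadrox manual or software. It compares the output of `netstat -an` on a unit against the inbound allowlist from 6.2.3.4, so that leftover listeners, such as the NetBIOS and file-sharing ports discussed in 6.2.3.3, show up as findings. The Remote Desktop port (TCP 3389, the Windows default) is an assumption, and the sample output is constructed.

```python
# Inbound allowlist from section 6.2.3.4. The manual gives no port for Remote
# Desktop; TCP 3389 (the Windows default) is an assumption.
ALLOWED = {
    "TCP": [(80, 80, "IIS web server"), (1518, 1518, "GuardNVR video server"),
            (3389, 3389, "Remote Desktop (assumed default port)")],
    "UDP": [(4096, 4223, "GuardNVR video server")],
}

def parse_listeners(netstat_text):
    """Yield (proto, address, port) for sockets reachable from the network."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING accepts connections.
        # UDP rows have no state: every bound UDP socket can receive traffic.
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue
        address, _, port = local.rpartition(":")
        if address.startswith("127.") or address == "[::1]":
            continue  # loopback only, not reachable from other hosts
        yield proto, address, int(port)

def unexpected_listeners(netstat_text):
    """Return listeners whose port is outside the manual's allowlist."""
    findings = []
    for proto, address, port in parse_listeners(netstat_text):
        if not any(lo <= port <= hi for lo, hi, _ in ALLOWED[proto]):
            findings.append((proto, address, port))
    return findings

# Constructed sample of `netstat -an` output (not captured from a real unit).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1518           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1518      192.168.1.50:2311      ESTABLISHED
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:4100           *:*
  UDP    192.168.1.20:137       *:*
"""

if __name__ == "__main__":
    for proto, address, port in unexpected_listeners(SAMPLE):
        print(f"not in allowlist: {proto} {address}:{port}")
```

A finding means a service is listening outside the allowlist: either disable it or confirm that the firewall does not permit inbound traffic to it.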
