DataAve Posted May 17, 2005
Please don't say you have SP2 installed, that is secure.
rory Posted May 17, 2005
You say a prayer over it before you leave the site. I sell both stand-alones and the PC DVR now... 4 years selling stand-alones made no money... got to sell what the clients want, to some degree. I explain all the differences to them; it's actually pretty simple, though most don't care for features and just want the cheapest thing on earth once it records at least 24 hours. As for XP, it's SP2; all non-DVR-used services are turned off, which leaves very little. All remote access, remote this, that and everything else turned off, just enough to leave the DVR running properly for local and remote access. All themes, graphics, etc. are turned off; it's tweaked to the max. No IE or anything else that isn't needed. XP SP2 Firewall enabled and router firewall also turned on. That's all I can do... I wish I could only sell GE DVRs, but yah know... I'm still new to the PC DVR world so I don't have all the answers for you; I still prefer my stand-alones, for the stability, security, and strength. The new-found features in the PC-based ones are very entertaining though.
Marcusl Posted May 17, 2005
Why don't you secure your XP DVRs by only allowing the ports open that the DVR needs to function, in the TCP/IP filtering options in the network config? Like this:
So for whatever card you use, just open the ports for what you need... that way it will also stop the customer from screwing it up themselves by surfing the web on it... That way this stops the spread of a lot of worms and viruses too. You are only opening yourself up for what you need instead of the world. -Marcus
rory Posted May 17, 2005
Using Shields Up at www.grc.com to test open ports, all ports but what are opened in the router are in stealth mode, though there could be some less common ports open that aren't shown. I uninstall Internet Explorer, so unless they know they can use the address location in My Computer, etc., to browse, it's generally okay. But I'll look into what you suggested also, as the more the better... thanks, I'll definitely look at this... I saw that before, wasn't 100% sure what it was for... now we know.
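The outside-in check rory describes (Shields Up against the DVR's public address) can also be run from a laptop on the customer's LAN or from your own office against the forwarded address, and compared against the port list Marcusl says the DVR actually needs. The script below is an added example, not code from the thread or from any DVR vendor; the host address, the allowed-port list and the "common ports" list are assumptions you replace with the ports your DVR software documents.

```python
"""Added example (not from the original thread): verify a locked-down DVR host
answers only on the ports it is supposed to, the way the Shields Up check
above does from outside. Hostnames, ports and the allow list are assumptions."""
import socket
from typing import Dict, Iterable, List


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect() to host:port succeeds, i.e. the port is open.
    A filtered ('stealth') port times out; a closed one is refused; both give False."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the subset of `ports` that accept a TCP connection on `host`."""
    return [p for p in ports if probe_port(host, p, timeout)]


def audit(open_ports: Iterable[int], allowed: Iterable[int]) -> Dict[str, List[int]]:
    """Compare what is reachable against the DVR's documented port list.
    'unexpected' = open but not allowed (tighten the TCP/IP filter or router);
    'missing'    = allowed but not open (DVR service down or forwarding broken)."""
    open_set, allowed_set = set(open_ports), set(allowed)
    return {
        "unexpected": sorted(open_set - allowed_set),
        "missing": sorted(allowed_set - open_set),
    }


def local_listener() -> socket.socket:
    """Open a throwaway listening socket on 127.0.0.1 (ephemeral port) so the
    scanner can be exercised on your own machine before pointing it at a DVR."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


if __name__ == "__main__":
    # All assumed values: a DVR that should answer only on its viewer port and
    # its admin port. Replace with the ports your DVR vendor documents.
    DVR_HOST = "192.168.1.50"
    DVR_ALLOWED = [5445, 3389]
    COMMON = [21, 23, 25, 80, 135, 139, 445, 3389, 5445, 6667]
    print(audit(scan_ports(DVR_HOST, COMMON), DVR_ALLOWED))
```

Run it from a machine the DVR cannot see as "trusted" (outside the router, or on a different VLAN) so the result reflects what an attacker would get; a scan from the DVR itself tells you about listeners, not about what the router and the TCP/IP filter actually expose.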
Marcusl Posted May 17, 2005
This method is easy and effective. It is a quick fix instead of spending a lot of time doing a lot of tweaks that no one will know about, or wasting your time by uninstalling IE. I had to put a public IP on a DVR and the customer wasn't willing to spring for even a cheapie router for it (but they will spend a buttload on cameras), so I did this and never had a problem. -Marcus
rory Posted May 17, 2005
Yeah, but I do the tweaks for speed as well, as XP is a slow OS with default settings loaded.
Marcusl Posted May 17, 2005
What I said mostly applied to the uninstalling/installing of software; that is what I find a waste of time. These are the main tweaks that seem to work the best for improving system performance that I have found. After I get a base system the way I want it, I Ghost it and make sure I buy the same systems over and over, install the base image, add anything I need to from there, and use a key changer to update the product key. Is there anything else that should be added? We should make a thread for all this instead of tacking it onto the end of this thread. -Marcus
rory Posted May 17, 2005
http://www.bahamaswriter.com/forum/topic.asp?TOPIC_ID=878
Posted a couple months ago for some home users, but it's gone much further since then... On the Iview DVR I have a couple more services turned off also... I'll turn off more on the Eclipse as I play with it more and see what it needs and doesn't need; it's only really been up since last night. If it's a super fast PC then it's not such an issue, but remember I'm dealing with older PCs, at least for my demos... and this is what works best. We should start a thread on this... then I can delete this one.
- Uninstall any programs not required, clean up desktop and all other folders.
- Basically I do all updates, then turn it off.
- Take off all startup programs.
- Close out all unneeded services and disable them.
- What you posted above, plus...
- Theme to Windows Classic.
- Screen saver off.
- Effects turned off in Appearance.
- TweakUI: all effects turned off, Active Desktop disabled, mouse speed to fast.
- Power: monitor off in 20 minutes or whatever, HDD always on, hibernate and standby off.
- Windows Components: leave on Windows Media Player, Accessories.
- After all Windows updates, uninstall MSN Messenger, disable in Program Access, and uninstall again using sysoc.inf in the Windows INF folder... delete HIDE, then uninstall again in Windows Components.
- Turn off access to all Windows programs except Windows Media Player.
- Turn off all services not needed in msconfig and Services, restart, then go in Admin and Services and turn off others.
- And I don't install antivirus or Spybot S&D or any other software besides the DVR server on the DVR PC.
- Also, the more services you can turn off the faster it will run, especially if they are set to automatic and running.
Download screenshots here: http://www.bahamassecurity.com/uploads/xptweakDVR.zip
I may have missed some out... let me know.
DataAve Posted May 17, 2005
I don't know, "fellers", when I think of security, Micro$oft is the last company that comes to mind. Anyone ever have a DVR broken into?
Marcusl Posted May 17, 2005
I have seen one broken into, before we did the filtering. We usually buy our DVRs premade, and the company that makes them puts Win 2K on them, and their default image used to only have SP2, even when SP4 was available. Now this wouldn't be such a big deal if everyone used a proper firewall, but no one wants to shell out for such things... They pop for a $40 D-Link or something, which still wouldn't be the worst thing if they configured it properly. These people asked what ports needed to be forwarded, so I gave them a list, and they claimed not to get it to work, so instead of trying something else they just put the DVR outside the DMZ. The DVR was infected with some sort of trojan in less than 24 hours, and it ended up that I had to go and find out why it had some strange error saying something about "ftp". So I get onsite and look at it, and it has become somebody's IRC bot and is serving warez in some channel on Undernet. So I immediately take it off the network and reformat it, apply all updates, install drivers, install the DVR program, then lock down the filtering options and do the port forwarding in the router properly. Then, end of problem. But I have used just the port filtering on 2K and XP systems and that locks it down pretty good, cause it only allows the ports you want. I don't think of MS as the most secure OS either. I prefer hardware firewalls, give me Cisco PIX any day of the week, but if it is my only option, this is the only effective way that I have seen to lock it down, and I don't have to install some crappy software firewall. -Marcus
rory Posted May 17, 2005
I got a client now with Cisco things, not sure what they are, but I have to email them what ports to forward. The guy was asking me why I just don't VPN or something. I imagine VPN is going to be slow, like pcAnywhere, right?
Marcusl Posted May 17, 2005
The speed of the VPN depends on the speed of the connections between sites. There are a lot of different applications that VPNs can be used for, so it doesn't necessarily mean that a VPN will be slow. I have 3 VPNs set up for remote offices that we do toll bypass of phone lines over (even for alarm traffic), as well as it being the link for our IP office telephones. We have a 1.1 Mbit connection at each remote office that is synchronous and tied to our NOC. At our main site we have 2 T-1s combined on our main router, then a PIX behind that for the local network. The T-1s are not typical either; they are a full-duplex type. We can send and receive up to 3 Mbit each direction simultaneously. Now, with that being said, we have a PIX at each site that does the VPNs and firewalls the remote sides. So our VPNs are constantly active; they are not the kind where people log in with some sort of client software, the PIX handles all of the VPN login and such for them. When everything is finished, I can sit at my desk and connect to a shared folder at a remote site hundreds of miles away as if it were part of my local network. Transferring that file will take a while, but for our 1.1 Mbit connections I end up taking about 850 kbit of it, but I set voice data to have the highest priority, so I am just taking the remaining bandwidth all over the VPN. Our VPN isn't slow, but it will depend on how they want to do their VPN configs. If they want to do it like set up a VPN server at the main site and then people from their various broadband connections log in with client software, there is no way to say that it will perform well, because you will only be as fast as your slowest link. Like if I were to set up a VPN with a remote office that was on a cable modem, then if I have to go through 15+ hops to get to that network, it isn't going to be very fast more than likely.
So it may be fast or it may be slow, but if they do the port forwarding they can connect from anywhere, not just within their own VPN'd network. And since they are only forwarding the ports required, they should be very secure if that is their main concern. -Marcus
rory Posted May 17, 2005
Thanks... that sums it up better. Basically it's just a faster, more secure form of pcAnywhere? Anyway, they only have normal cable at the shops, probably max 512 up, and the remote locations would be 1-1.7 MB down, so no, it's not that fast. I emailed them to port forward the ports for me anyway; if they want to give me desktop access using VPN and don't forward the DVR's admin port then that's fine, it's up to them. I told him if I have to come down, though, if it doesn't work, then it's a service call, as that's not my job; I can only support what I installed. They have the VPNs installed, some Cisco units; are these routers also? And do we connect as normal with other routers? Do you program it the same way you program any other router, as using IE it wouldn't connect to the IP range..? Thanks, Rory
Marcusl Posted May 17, 2005
I have never programmed a Cisco router or firewall with a GUI, even though some models have them. They don't spend a whole lot of time on their GUIs, so I just use their CLI (Command Line Interface). The CLI can be accessed several different ways: locally at the router with a Cisco cable (light blue wire with a serial port on one end and RJ45 on the other), remotely with telnet, or remotely with SSH. I would say that if they give you some sort of VPN access, it won't exactly be a pcAnywhere type connection (although you can use pcAnywhere on a VPN); it would actually be more like making the computer you are on think it is part of their network. So with VPN access on, you would type in the internal IP of the DVR on whatever program (like the DVR client or admin program) you are trying to access it with, instead of a public one. A VPN basically just makes 2 separate networks think they are on the same network. VPN can be installed on a Cisco router or a firewall, depending on models. Some of the products do both (kinda). Like their PIX 501: it's a cheap firewall (around 600 USD, that's cheap for Cisco), can act as a very basic router for doing NAT, and it's a VPN device. It can do most everything a Linksys or D-Link can do, and everything they can't. Plus, Cisco products are a ton more reliable. Sorry I keep rambling, but when you ask a question, I want to answer it fully and give the reasoning why I am answering the way I am. -Marcus
rory Posted May 17, 2005
OK thanks, keep rambling, I think I'm getting it now. Do you have to do anything on, say, my computer, so I would be able to connect to the other... do I have to install VPN or anything like that on my remote PC?
Marcusl Posted May 17, 2005
For your computer to connect, it can be done one of 2 ways.
A. They can give you a copy of the Cisco VPN client software and make sure you are set up to access it. That would make your computer think it is tied direct to their network. The VPN client basically logs in and can take an internal IP of their network in itself. So then your desktop acts as if it were sitting right next to the DVR on the same LAN. You have full access to all ports on it; effectively you would be bypassing their outside firewall altogether. Unless they are very good at Cisco, you probably would have access to all of their internal network as well, such as file servers and the like. Not to say you would do anything with it, but ya know...
B. They can set up access for you to VPN in with a router or some sort of device on your side. A lot of the Linksys routers and such will do VPN, but may or may not work very well. I always make sure if I have Cisco on one end to have it on the other... I know Linksys is owned by Cisco, but that doesn't mean they are the same thing or will work together properly. This is probably a more concrete way to have a connection, and then you don't have to put any software on a PC and deal with that.
Now, being a person who keeps a network secure as well as central station databases protected and off the internet, I would not give anyone who is not part of my company either of these options. I would just do the port forwarding in the firewall/router. From a security standpoint, it is the safest option in the current scenario. An even safer option would be to statically map a separate external IP to the unit and port forward only the DVR ports.
Then you could cut off communication by putting the DVR in its own separate internal network (this can all be done on one Cisco PIX, btw) by itself, and with a separate DMZ you can stop it from talking to the rest of the network, so in the unlikely event that someone could gain control over the DVR, they still would not have access into the network. A firewall within a firewall, so to speak. So for you, I would tell them just to port forward what you need and to keep their VPNs confined to their own employees. That way also, you can sort of limit your liability of being in their network, cause say what if one of your systems got hacked (not to say that it would), it could spread to their network through the VPN and then they are infected with whatever you have too. -Marcus