Installing NVR software is a bit of a blackbox. In this post, we’re going to isolate the software, network and NVR via a VLAN and use the software in a Virtual Machine that has a separate dedicated interface to that VLAN.
To preface this, the software is Hikvision’s iVMS.
First, if you’re lucky enough to have a motherboard NIC that supports VLAN tagging, you can skip installing a dedicated network card. One PC has an Intel I211-AT, which allows VLAN tagging to be set up once the Intel Advanced network drivers are installed. However, the other PC does not.
The Breakdown
Going from the diagram, with this setup we achieve:
- Not installing the blackbox software directly onto the user’s everyday PC with sensitive files
- NVR is isolated from the rest of the network via VLAN and firewall
- NVR has restricted access to the internet via a firewall (pfSense)
- NVR software can’t leak footage to the internet
- An expandable solution to also allow future computers to access the NVR via the VLAN
To begin:
- Create a CCTV VLAN on the firewall and switches
- Assign port on switch to the CCTV VLAN as an access port. Also assign the NVR’s port too
- Install NIC into PC and install drivers if needed
- Set the interface metric to a high number for the NIC (crucial step if you’re going to use DHCP)
  - Settings > Change Adaptor Options > Properties > IPv4 > Advanced (bottom). Un-tick Automatic Metric and enter a high number, e.g. 350
- Set either DHCP or a static IP. If using static, make sure NOT to assign a gateway IP. Click OK to save
- Change Interface name to something descriptive. Eg: NVR Ethernet
- Connect cable to PC’s CCTV NIC we inserted earlier
- Validate by pinging the CCTV’s VLAN gateway IP address
- Install VirtualBox or any other virtual machine software and install a Windows 10 guest VM. Update and install guest additions. Also download the iVMS software but don’t install yet. Also a good idea to create a snapshot of the VM
- Once the Windows guest is updated, power it off and reassign its network card to the CCTV NIC as bridged
- Power VM back on and validate it pulled the correct DHCP address and that it has no internet access
- Connect the NVR to the CCTV VLAN port assigned earlier and validate it has the correct DHCP/static address
- Install iVMS software and configure connecting to the NVR
- Optional, add shortcut link to desktop for starting the VM. Right click menu in VirtualBox, Create Shortcut on Desktop
Hopefully that all goes smoothly. The only downside is Windows updates. You could try manually installing them via an offline method and then transferring the files to the VM from the host, or destroy the VM every year or so and build it back up fresh with the latest updates. The threat surface is kept low, but the VM could still be a pivot point if a vulnerability in Windows is discovered. Again, access should already be restricted via the firewall.
Similarly, if you want to export footage from the NVR, select the guest-to-host transfer and simply copy and paste the files, or set up SCP/RDP on the guest.
Troubleshooting goofs
The reason for setting a high metric is because when the CCTV interface pulls a DHCP address from the router, it will contain a gateway IP. Having more than one default gateway on the PC will confuse it and break connections as it tries to send traffic alternating between the CCTV and LAN. The metric keeps all traffic flowing out the desired LAN interface. If you’re using a static IP, just don’t include a gateway since the NVR is in the same network.
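The host-side NIC steps and the metric check described above can also be scripted. This is an added example, not part of the original post: the adapter name `Ethernet 2` and the gateway address `192.168.50.1` are assumptions to replace with your own values.

```powershell
# Run in an elevated PowerShell session on the Windows host.
# Assumed values (not from the original post): adjust before running.
$OldName     = 'Ethernet 2'      # assumed current name of the newly installed NIC
$CctvAlias   = 'NVR Ethernet'    # descriptive name used in the steps above
$CctvGateway = '192.168.50.1'    # assumed CCTV VLAN gateway address
$Metric      = 350               # high metric from the steps above

# Rename the adapter so it is easy to identify later.
if (Get-NetAdapter -Name $OldName -ErrorAction SilentlyContinue) {
    Rename-NetAdapter -Name $OldName -NewName $CctvAlias
}

# Turn off automatic metric and pin a high IPv4 interface metric.
Set-NetIPInterface -InterfaceAlias $CctvAlias -AddressFamily IPv4 `
    -AutomaticMetric Disabled -InterfaceMetric $Metric

# Collect every IPv4 default route with its effective metric
# (route metric + interface metric). Windows prefers the lowest sum.
$defaults = @(
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ipIf = Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            NextHop   = $_.NextHop
            Effective = $_.RouteMetric + $ipIf.InterfaceMetric
        }
    } | Sort-Object Effective
)
$defaults | Format-Table -AutoSize

# The preferred default route must belong to the LAN NIC, never the CCTV NIC.
if ($defaults.Count -gt 0 -and $defaults[0].Interface -eq $CctvAlias) {
    Write-Warning "Default traffic would leave via '$CctvAlias'. Raise its metric or remove its gateway."
}

# Validate the CCTV VLAN by pinging its gateway.
if (Test-Connection -ComputerName $CctvGateway -Count 2 -Quiet) {
    "CCTV gateway $CctvGateway is reachable"
} else {
    Write-Warning "CCTV gateway $CctvGateway not reachable. Check the switch port's VLAN assignment."
}
```

With a static IP and no gateway, the CCTV NIC should not appear in the default-route table at all. With DHCP it will appear, but with a higher effective metric than the LAN interface.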