
A DVR Security System That Isn't Based on Windows?

Cliff posted more than 8 years ago | from the antivirus-unfriendly-systems dept.


Brady J. Frey asks: "For months, I've had a client that has been looking for a Linux or Mac alternative for their DVR Security systems. They are a large Real Estate company with 200+ cameras worldwide, and their Pelco PC DVRs are hubs for viruses. These systems cannot run anti-virus software at the same time they record -- but require internet inbound/outbound traffic through specific ports that leave some nice holes in the firewall for viruses to find their way in as needed. Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost-effective method for a number of their locations. Therefore we are looking for alternatives. Any suggestions?"

"We've tried looking at Ben's Security Spy for Mac, and running a Quicktime server, but it was not industrial enough for us and the developer has been elusive. We're looking at Endura by Pelco, but there are some questions unanswered for it.

What I want is a high end, professional DVR system for a large business that does not run Windows. Budget isn't really an issue at this point, since we are just looking for options.

To note, I'm hearing I could possibly do IP cameras, and host any ol' web server I want to download those files, but I have no clue as to how to control the cameras, or if this is really a possibility. Any advice or information is appreciated. If you are an expert in this industry, we may have a need for your services and would welcome that too!"

383 comments

Traffic (2, Insightful)

dr_strang (32799) | more than 8 years ago | (#14813620)

Isn't the camera traffic limited to known IP addresses/MAC addresses? Just lock it down to only accept traffic from those...

Re:Traffic (1)

sam0737 (648914) | more than 8 years ago | (#14813658)

Usually it's the boss's computer that is heavily infected (no one dares to go into their rooms to clean up the virus), and usually the rule allows all the boss's computers to access that security cam website.

ipcameras (2, Interesting)

cookiej (136023) | more than 8 years ago | (#14813621)

Sad to say, SecuritySpy isn't even close to "industrial". They won't even support one of the newer D-Link cameras, the 6620G.

I have two D-Link 6620G cameras and have been looking for *any* solution, industrial or not, that would let me access my cameras via my Mac.

I am by no means an industry expert, but I can tell you that the IP Camera solution is indeed viable. Several of them out there -- check out:

http://www.ipcamerademos.com/ [ipcamerademos.com]

and

http://www.ipcameraforums.com/ [ipcameraforums.com]

Also -- most of the IP cameras have their own software, access (and control) via a webserver built into the camera, or a client utility that allows multiple views (at least the D-link does, and I was led to believe that both Toshiba and Panasonic do as well).

There are some serious industrial IP cameras out there. Check out AXIS and I think Panasonic has some heavy-duty cameras as well.

Re:ipcameras (1)

yorugua (697900) | more than 8 years ago | (#14813651)

A place to start might be http://www.zoneminder.org/ [zoneminder.org]. Maybe it is not so "pro", but it does its job for smaller installations. Maybe it is worth a try.

Re:ipcameras (1)

ThomaMelas (631856) | more than 8 years ago | (#14813916)

The D-Link Cameras are nowhere near pro quality. They are a cheap camera. Toshiba, Axis, Sony all have much better camera lines.

Open ports have applications linked (1)

LiquidCoooled (634315) | more than 8 years ago | (#14813623)

Don't the applications hosting those ports have no protection?

Last time I heard about a protocol problem it was the application and not the OS that was at fault.

Re:Open ports have applications linked (1)

bradyj (956287) | more than 8 years ago | (#14813705)

I'm sure it's the application -- but at the same time, this would be a mute issues on a linux/mac setup. The only protection those applications have are the routers we put in front of them, which some more high end ones can be unreasonable in remote locations. Since I submitted this a week ago, some alternative windows companies have submitted improved systems that do not have weaknesses Pelco seems to have, so we shall see!

Re:Open ports have applications linked (2, Insightful)

Zeinfeld (263942) | more than 8 years ago | (#14813831)

I'm sure it's the application -- but at the same time, this would be a mute issues on a linux/mac setup.

I think you meen moot.

For the application that you describe viruses should not be a threat on any platform. There should be no users on the box and if there are users they should not run using admin privs unless they are doing admin. Break those rules and you are in trouble regardless.

Your problem is going to come from worms. There are plenty of worms that attack UNIX boxes.

A network router box with port filtering can be bought for $50 or less. It is a good investment regardless of the O/S you run. A large number of security problems are the result of an admin reconfiguring the box.

Re:Open ports have applications linked (1)

bradyj (956287) | more than 8 years ago | (#14813884)

Typing too fast indeed :), thank you. The software from Pelco requires admin privileges, and filtering via IP is questionable by some remote users. Do you have any PC software you recommend?

Re:Open ports have applications linked (1)

tomhudson (43916) | more than 8 years ago | (#14813855)

A few points:

1. While I hate Windows, I've assembled DVR systems (1.5 tb of raid storage, 16 channels video+audio @ 25fps, viewable/searchable over the internet) that don't have problems with anti-virus software. (now you can go up to 64 av channels per unit on the same system, btw).

2. I tested a few linux-based systems - they're "not there yet." Maybe in a couple more years.

Re:Open ports have applications linked (1)

bradyj (956287) | more than 8 years ago | (#14813909)

I've heard this from other developers -- noting that the Linux systems seem to be cheap home grown creations. Do you have a PC version you'd recommend us to look at?

Re:Open ports have applications linked (0)

Anonymous Coward | more than 8 years ago | (#14813816)

I don't have enough information about your setup to make an informed suggestion. Who connects to these machines? What protocols do they speak when they connect? You say 80-6099, what are these connections used for? What do you define as a high end router, or relatedly how much traffic do the routers in front of these things have to handle? I do apologize for the asshats on the board, civility seems to be in short supply. Anyways, I can't remember my /. login but if you think it's worth your time drop me a line at crapmail@follis.net (spam account used on boards) and I'll respond with my real address.

Thanks for your time, Follis

/. with the perfect timing (1)

Southpaw018 (793465) | more than 8 years ago | (#14813625)

I'm sort of the one man IT department for a small nonprofit that is dependent on technology for tons of different things. Recently, we've begun looking into security for our office (I'll spare you the grisly details.) A traditional CCTV system is completely out of the question. A network camera like the Axis 207 [axis.com] ($300 range) is doable in the hardware sense, but they want an additional $600 for DVR software. I have a spare box I could toss Linux on if there were a good F/OSS solution out there.

In short: it's not just the big boys that are looking for these things! :)

Re:/. with the perfect timing (1)

MrFreezeBU (54843) | more than 8 years ago | (#14813797)

Check out www.zoneminder.com [zoneminder.com] . I have been using it for a few months now with good results. I have been using the Axis 206 and the 206W IP cameras along with a bt878 based capture card for some older analog cameras that I have laying around. The software seems to support all the options that I need or can think of at the moment. Streaming, motion capture, PTZ, all worked out of the box for me. Sorry if this sounds like an ad, I've just been very happy with the software.

flexTPS (1)

Urgoll (364) | more than 8 years ago | (#14813859)

www.flextps.org is a GPL package that works really well with Axis video servers. Its main purpose is to stream video streams over the web, but it also has a DVR functionality where you specify which streams you want to record, the frame rate and the duration of recording. It's all perl-based and you could probably use a cronjob to start a 24h recording every midnight.

um... (0)

Anonymous Coward | more than 8 years ago | (#14813627)

mythtv?

YES, there is a low-cost solution (0)

Anonymous Coward | more than 8 years ago | (#14813628)


Our company, while seemingly not nearly as large as yours, has several MythTV boxes doing exactly what you described.

Viruses? (4, Insightful)

spun (1352) | more than 8 years ago | (#14813639)

Um, viruses don't just sneak in through open ports. Worms and trojans sneak in through exploits in programs running on those ports. Which exact ports are open? Look, I'm as big a linux zealot as the next guy, but this sounds like a scam. "See the, uhm, viruses are sneaking in through the, uhm, open ports in your windows. You need me to install all new Linux based stuff. See, linux doesn't have ports or windows, so the viruses can't sneak in!"

Really, wouldn't it be better to stick with a known system and, you know, do your job as a sysadmin by fixing any security holes?

Re:Viruses? (2, Interesting)

bradyj (956287) | more than 8 years ago | (#14813694)

We are a 100% Mac and Linux company, so my known system would not be a dated Windows box dumbed down to only run anti-virus when nothing else works :) It may very well be a weakness in the software -- the ports required are 80 and 9999, that's it -- Pelco themselves duplicated a virus popping into it with a router up top, and since many of these buildings are remote, the expense is not reasonable to have a high end firewall on most of these remote locations when I could just as easily disregard that mess and log in as a non-root enabled user.

Just tell your company... (0, Troll)

bwoodring (101515) | more than 8 years ago | (#14813724)

That you don't know a god-damned thing about Windows and that if they want you to administer their system, they will need to replace it with Unix. Or, alternately, you can just lie and tell them that Windows machines can't have ports open to the Internet. Let's just hope they don't figure out that something like 20% of all web servers run IIS and realize what a dumbshit you are.

Re:Just tell your company... (1)

bradyj (956287) | more than 8 years ago | (#14813752)

Wow. How did me asking a question denote this type of response? Good to know Slashdot is the place for attacking more than helping... never did I say we were pc gurus, but it's good to know this is the place to go for support without ridicule.

"denote" (1)

Schraegstrichpunkt (931443) | more than 8 years ago | (#14813808)

That word.... I do not think it means what you think it means.

Re:"denote" (1)

bradyj (956287) | more than 8 years ago | (#14813830)

"How did me asking a question 'indicate' this type of response?" Might be more inline, but it is the same definition, though it should have been 'denotes' I'll agree.

Re:"denote" (0)

Anonymous Coward | more than 8 years ago | (#14813927)

WRONG!

Why don't you just try the word 'justify'?
Oh, you really *are* that dumb.

Re:"denote" (1)

NiteShaed (315799) | more than 8 years ago | (#14813938)

elicit. How did your question elicit this type of response.
As for the question itself, I leave that to others....

Re:Just tell your company... (1)

Stephen Samuel (106962) | more than 8 years ago | (#14813932)

There are about a million people on slashdot. Given that your post made it to the front page, you can expect that at least one of those one million people is going to be a jerk with an axe to grind.

The best that I can suggest is to ignore the ignorant posts -- or at least ignore the ignorant part of those posts and mine the useful parts out of them.

Re:Just tell your company... (1)

ScottyH (791307) | more than 8 years ago | (#14813940)

Whoa there. A bit overboard, don't you think?

Seconded (1)

bwoodring (101515) | more than 8 years ago | (#14813702)

I agree, this sounds like a big pile of horseshit to me. Really, it sounds like you're desperate to get Unix in there any way you can, so you're doing a crappy job and blaming Windows for it. Just because you're a shitty Windows administrator, doesn't mean Windows can't be well administered. How the hell are all those IIS web servers managing to stay up?

Re:Viruses? (1)

Rufus211 (221883) | more than 8 years ago | (#14813867)

> Really, wouldn't it be better to stick with a known system and, you know, do your job as a sysadmin by fixing any security holes?

A lot easier said than done for a number of windows-based "solutions." I'm always amused by how often we kick the PoS (point of sale or piece of shit, take your pick) systems in our building offline because some new virus comes around and infects them all. As he pointed out you can isolate them through layers of external protection, but it's a hassle and it would be a lot nicer if they just didn't suck to begin with.

$29 Firewall Routers are your Friends (4, Insightful)

billstewart (78916) | more than 8 years ago | (#14813869)

I can't tell from the original posting whether the client is trying to replace the hub site or protect the remotes or both, and I can't tell if the remote-site equipment is being used for other applications or only for the camera, which makes a *huge* difference in your threat model.

Basic firewall routers cost $29, and you can set them up to only allow connections from your headquarters location, or even to do IPSEC tunnels if your video application doesn't get into PMTU-discovery problems. Installing them at existing locations costs significantly more than $29, but for new locations it's just an extra couple of minutes to plug in the box when you're plugging in the camera.

Basic PCs cost $250, so if you need a headquarters firewall or IPSEC tunnel server, that's basically free - certainly less than you'd charge your client for the amount of time you're reading Slashdot responses \\\\\\\ \\\\ \\\\\\\ researching solutions. And you can run ClamAV on it to protect outgoing traffic.

If your remote sites are using the video box as a general-purpose PC to surf the net and read email, then you need to run an anti-virus application on it and either run a basic firewall box (wimpy, but a good start), or use the firewall to tunnel all your browsing traffic back to a server at headquarters, where you're running Squid and ClamAV and some decent Linux firewalling, and give them an email server that does some anti-virus and spam blocking and an email client that doesn't come from Microsoft. (If this weren't a real estate company, I'd recommend a text-only email system like Pine, but realistically your real estate people need to send pictures to their clients.) Another choice would be to run VNC, in one of its tighter forms, and run any applications on the headquarters server, with appropriate anti-virusing there.

Re:Viruses? (1)

Jeff DeMaagd (2015) | more than 8 years ago | (#14813872)

Exactly. I am also very suspecting of software that won't allow unrelated software to operate. Any DVR that can't record when a firewall is scanning traffic is crap, or the scanner program is crap too. The firewall program should be able to allow exceptions for certain programs.

Re:Viruses? (1)

complete loony (663508) | more than 8 years ago | (#14813947)

Remember those RPC flaws? SQL Slammer? There are remotely exploitable problems with windows, especially if the boxes are unpatched, that could be prevented with a firewall. The submitter seems to suggest that there are exploitable ports open which the DVR software relies on. Given the mess that is RPC, DCOM, file sharing etc I don't have a hard time believing that.

That said, if you are thinking about hiring someone to help setup a linux solution, why not go open source? As another poster mentioned, Mythtv might be a good starting point.

Re:Viruses? (1)

ThomaMelas (631856) | more than 8 years ago | (#14813956)

He means a security system DVR for CCTV. Myth TV doesn't begin to do anything like the Pelco or any other unit on the market.

Re:Viruses? (1)

mcrbids (148650) | more than 8 years ago | (#14813969)

You need me to install all new Linux based stuff. See, linux doesn't have ports or windows, so the viruses can't sneak in!"

But, using a Linux/Unix custom distro cd (Think: RedHat Jump Start) can reduce the cost of administration by providing an easily setup, secure default. In other words, the install procedure gets reduced to

1) Install the O/S CD with minimal options
2) Install install script
3) Run a single command (eg: Setup) which sets everything for the O/S up.

I have something similar to this based on CentOS for setting up a porn-filtering Squid proxy server. Setup time for a server is reduced to 10 minutes per server, including applying all O/S updates, full configuration for DNS, squid, etc. and secure defaults. (firewall, etc)

I've been looking for something similar that's Linux based myself. The only thing I've found that might work is some hack of MythTV...

Lead you in the right direction... (1)

porkThreeWays (895269) | more than 8 years ago | (#14813643)

I don't know if they have a turn-key solution for you, but Axis Communications has some of the best cameras I've seen. They are linux based and very easy to write glue code for between systems (very open API's and development models). In general they are high quality cameras I would stake my job against.

I don't understand (0)

Anonymous Coward | more than 8 years ago | (#14813646)

Budget isn't an issue but something perhaps as simple as a monowall setup in front of it is prohibitive? What about a VPN, or a good old fashioned white list? Surely, they don't need to accept connections from any ip address?

I don't understand... (1)

artifex2004 (766107) | more than 8 years ago | (#14813648)

Can't you toss the PVRs on DMZs off your existing firewalls?
And the equipment outlay for new Linux boxes with supported PVR security software, if they do exist, is probably more per unit than the cost of little PIXs, if you couldn't set up DMZs for some reason.

Try motion (1)

wuzzeb (216420) | more than 8 years ago | (#14813657)

Have a look at this article [debian-adm...ration.org] . It describes how to use the motion program (home page [lavrsen.dk] ).

I don't care who does what with who (0)

Anonymous Coward | more than 8 years ago | (#14813659)

As long as they make a backup copy, I'm fine with it.

Solutions for Mac & Linux (1)

zfractal (170078) | more than 8 years ago | (#14813662)

For the Mac there's SecuritySpy [securityspy.com] , and for Linux there's Zone Minder [zoneminder.com] . I haven't used ZoneMinder - I can say that I've used SecuritySpy and it's a very nice solution. Not sure how well it would work out with 200 cameras though - but it can accept multiple inputs per machine so it might be worth looking into.

Re:Solutions for Mac & Linux (1)

AusIV (950840) | more than 8 years ago | (#14813763)

I'm in the process of setting up a zoneminder system, and the setup is fairly easy. It's extremely configurable for the knowledgeable, and for the newbies they have FC3 and Mandriva install CDs that install Linux and include Zoneminder, requiring only minimal configuration. For a relatively small price, there are even people willing to configure install CD's to your needs.

The system I'm setting up will be running only 3 cameras, but the whole project, computer, cameras, cabling, etc. is looking like it will cost me under $1,000. I think zoneminder is a very good solution for security needs.

Re:Solutions for Mac & Linux (1)

IMightB (533307) | more than 8 years ago | (#14813823)

Indeed, I too have used ZoneMinder, however only with 2 cameras. I used it to monitor my house while I was in Malaysia and now, pretty much whenever I'm not around. It has a very nice web-based interface, and can do motion detection, streaming video, and timed stills and much more. It is very configurable and allows for different levels of access permission for users that are authorized to use it.

VPN? (1)

Lehk228 (705449) | more than 8 years ago | (#14813665)

Are the DVR's capable of being configured to connect to a VPN?

If not, is there any way to filter based on IP address or reverse DNS?

Very timely post (1)

Jason1729 (561790) | more than 8 years ago | (#14813668)

Apple is having a big media event to launch new products tomorrow. It's pretty much a given they'll be releasing the Intel Mini, and there's some strong speculation it will include a DVR and TiVo-killer software.

Re:Very timely post (2, Interesting)

jcr (53032) | more than 8 years ago | (#14813699)

Acting as home DVR isn't quite the same thing you need for surveillance. Still, that box may make a dandy jumping-off point for this kind of application.

-jcr

INstall linux, prolbem sovled (1)

RLiegh (247921) | more than 8 years ago | (#14813672)

hey, this is slashdot; what answer were you expecting?

Re:INstall linux, prolbem sovled (0)

Anonymous Coward | more than 8 years ago | (#14813693)

He intends to run linux, or some flavor of mac os, he just needs the PVR software for either.

I don't buy it (1)

dioscaido (541037) | more than 8 years ago | (#14813675)

Opening a port for the video network traffic shouldn't open you up to viruses, even on Windows. If these machines are 'virus hubs' then they are certainly being used for other purposes. First, restrict access to the servers so that they are only used for their intended purpose of capturing video, and not, say, surfing the web. If you are really concerned, you should run the capture process under a non-administrator account, so that even if the application consuming and generating network traffic is insecure, it cannot own the system.

security isn't cost effective until it is. (1)

cat6509 (887285) | more than 8 years ago | (#14813677)

"Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost effective method for a number of their locations. "
You need to tie value to a firewall / router / vpn ( or all of the above even) so that you have a solution not just a band-aid. You can find a DVR that isn't windows-based, but it doesn't get you out of the mess you have in design.
I assume the cameras are used for security ? so it is not just worms that you need to protect against, you need to protect against some one deliberately attacking and or altering hte contents of these sytems, thieves are great inovators. ( excuse the spelling )

DVR w/ Firewall (0)

Anonymous Coward | more than 8 years ago | (#14813682)

Or look for a DVR system that uses a firewall. With the proper hardening of services and good firewall principles, one can be comfortable.
For Windows-based DVRs, look for one that is based on Windows XP Embedded (XPe) -- the developers can more easily customize and restrict exactly what is on the system.

VMWare? (1)

SigNuZX728 (635311) | more than 8 years ago | (#14813683)

Have a VM running the recording software and let the host machine filter the traffic and viruses.

zoneminder (1, Informative)

Anonymous Coward | more than 8 years ago | (#14813690)

I suggested mythtv earlier but a friend pointed to http://www.zoneminder.com/ [zoneminder.com]

Dear Slashdot (1, Funny)

Anonymous Coward | more than 8 years ago | (#14813692)

We are a wealthy real estate company getting hit with a lot of viruses. Could you please post a phony news story about our plight, that way your zombie horde of misanthropic programmers will code a free solution for us; for free! Ooops, gotta go, just sold another $8,000,000.00 house in La Jolla and we have to pick up our 8% commission.

Thanks,

Your Friends in the real estate business.

Re:Dear Slashdot (1)

bradyj (956287) | more than 8 years ago | (#14813796)

:) I'm a Creative Director, I was asked to help in their search for an alternative. Pelco has verified the DVR's have been known to have this issue, and have not posted an alternative. As a note, they don't want a free job, they want a pay service -- I'm happy to find it for them... and they don't sell buildings, buy only.

VPN (1)

citizenr (871508) | more than 8 years ago | (#14813696)

Put VPN tunnels between those poot crap boxes and your main server. Problem solved. It will be $1K for consulting, I do checks and money transfer.

DVR (1)

kawabago (551139) | more than 8 years ago | (#14813714)

Try Myth TV PVR software and modify it to meet your needs. You can have the project team do it for you.

Recommendation for windows then (1)

bradyj (956287) | more than 8 years ago | (#14813726)

Many people have posted that our experience in windows is probably questionable, and I don't doubt that - Since our servers here are mac/pc related, what do you suggest we do differently to protect our windows computers in a different manner?

Lock 'em up! (0)

Anonymous Coward | more than 8 years ago | (#14813804)

There are countless ways of securing Windows itself. But, one of the most straightforward solutions would be to wall off the Windows machines from the outside world. This means putting them behind firewalls and using secure means, such as VPN's, to access them remotely. This lets you in and keeps the bad guys/malware out.

There have been many good suggestions already. If you're not up to a roll your own solution like FreeBSD and M0n0wall, then perhaps an off the shelf firewall/VPN device would better suit your needs. If you are inexperienced with securing networks (no offense but, it sounds like you are) then hire someone who is experienced in that arena.

There are too many ways to "skin this cat" for you to get a silver bullet answer from Ask Slashdot. Have someone who knows what they are doing look at the problem and develop a solution that will work. It may have an undesirable up front cost but, in the end you and your client will be much happier.

Re:Recommendation for windows then (1)

yoDon (123073) | more than 8 years ago | (#14813860)

Wipe the machines and do a fresh install of Windows XP SP2 (SP2 = Service Pack 2). Don't even think about trying to clean the viruses off the machines, you'll never have any way to know if you got them all, which is why you have to reformat the drives and do a fresh install of the OS. And make very sure you have Service Pack 2 installed BEFORE you hook the machines up to any network connection of any kind, even your internal LAN. If you hook the box up to the net before SP2 is installed, it may well get infected with a virus before SP2 finishes installing (the mean-time-to-infection of an unprotected machine is frequently estimated at about ten minutes).

Turn on the firewall that is built into XP SP2.

Turn on automatic windows updates (also built into XP SP2).

Set up a password-protected account on the box and don't give the password to the property managers. Don't allow the property manager or anyone else to use the box for email, web surfing, anything.

Re:Recommendation for windows then (1)

bradleyland (798918) | more than 8 years ago | (#14813914)

1) Patch the OS religiously.
2) Remove/shutdown everything that is not being used. As others have noted, worms and viruses attack applications, not ports. If there's nothing listening on a port, you're pretty safe... assuming the attack isn't against the stack itself, but those types of worms aren't very common.
3) 80 through 9999 is a shitload of ports. I'd suspect that not all are being used by the DVR app, as there are ports between 80 and 9999 that are used for other services. Here's a list:

http://www.chebucto.ns.ca/~rakerman/port-table.html [chebucto.ns.ca]

I'd close everything that isn't absolutely being used and complain to the vendor about the loose recommendation. 80-999 open is asinine.
4) Disallow any use of the system for purposes other than recording. Period.
5) I suspect that the no-anti-virus requirement is a consequence of processing overhead. With a sufficiently powerful server, I can't imagine why you can't run anti-virus software and still record. Multi-processor would be a great idea.
6) Does the vendor have a usergroup or message board? Surely you're not the first person to encounter this type of problem. Ask the people who know.
7) Don't be too discouraged by the responses you receive here :) It's easy to be condescending when you're staring at a computer screen.

If replacing the system is a possibility, I'm a huge fan of Axis cameras:

http://www.axis.com/ [axis.com]

I have several clients running a range of their IP cameras, and they work fantastic. All you need to receive video from the camera is port 80 open and directed at the camera.
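An added example, not part of the post above or of any product discussed in the thread: one way to check a Windows DVR host for listeners that a forwarded 80-9999 range would expose beyond the two ports the submitter says the software needs (80 and 9999). The `netstat -ano` text is constructed sample data, and treating both required ports as TCP is an assumption.

```python
# Ports the submitter says the DVR software requires; TCP is assumed here.
REQUIRED_PORTS = {80, 9999}
# The loose range discussed in the thread: everything from 80 through 9999.
FORWARDED_RANGE = range(80, 10000)

# Constructed sample of `netstat -ano` output from a Windows DVR host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING       2300
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:9999        198.51.100.7:51544     ESTABLISHED     1820
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:1434           *:*                                    1500
"""


def parse_listeners(netstat_text):
    """Return {(proto, port, pid)} for sockets bound on non-loopback addresses."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto = fields[0]
        # TCP rows carry a state column; only LISTENING sockets accept connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        # Loopback-only listeners are not reachable through a port forward.
        if host.startswith("127.") or host == "[::1]":
            continue
        pid = int(fields[-1]) if fields[-1].isdigit() else None
        listeners.add((proto, int(port), pid))
    return listeners


def audit(listeners, required=REQUIRED_PORTS, forwarded=FORWARDED_RANGE):
    """Compare bound sockets with what the DVR needs and what the range forwards."""
    bound = {(proto, port) for proto, port, _pid in listeners}
    needed = {("TCP", port) for port in required}
    reachable = {entry for entry in bound if entry[1] in forwarded}
    return {
        # Services the forwarded range exposes although the DVR does not need them.
        "unexpected_reachable": sorted(reachable - needed),
        # Required ports with nothing listening (DVR service down or misconfigured).
        "missing_required": sorted(port for _proto, port in needed - bound),
        # Ports the range opens beyond the ones actually required.
        "forwarded_but_unneeded": len([p for p in forwarded if p not in required]),
    }


if __name__ == "__main__":
    report = audit(parse_listeners(SAMPLE_NETSTAT))
    for proto, port in report["unexpected_reachable"]:
        print(f"exposed by the forwarded range but not required: {proto}/{port}")
    print("required ports with no listener:", report["missing_required"])
    print("ports forwarded without need:", report["forwarded_but_unneeded"])
```

Forwarding only the required ports, and stopping the services behind every other listener the report names, removes that exposure whichever operating system the recorder runs.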

ZoneMinder Linux Project (1)

HmX (777154) | more than 8 years ago | (#14813743)

As others have said and according to my own research into this area, AXIS seems to have the best cameras out there, hands down. They support low lux captures better than most and their features are superb, as is their selection. For the software, I would take a look at the F/OSS ZoneMinder (http://www.zoneminder.com/ [zoneminder.com] ) project. This project seems to have a lot of momentum behind it and supports a wide variety of cameras.

DVR Security System (1)

e_feldhusen (59076) | more than 8 years ago | (#14813744)

I noticed that everyone got hung up on the DVR part of the post, not the complete post which is a DVR specifically made for a security system. My department is looking into this solution which looks pretty complete.

http://www.zoneminder.com/ [zoneminder.com]

DVR (1)

jimbob1859 (954480) | more than 8 years ago | (#14813749)

I've worked with the Divar System from Bosch Security. I don't believe they are windows based and seem to work quite well. They have some nice features and are pretty well scalable from what I've seen.

vpn (1)

philo_enyce (792695) | more than 8 years ago | (#14813777)

if you're really worried about cost over security, you could go with a vpn solution. get a pix 501 for each remote office and a concentrator for the main office then set up some static tunnels. it's not going to prevent infections from spreading from internal machines, but it will protect them from the outside world. additionally, it will encrypt the data you're sending over the internet. cisco has management tools that will let you easily manage the remote office firewalls from the main office, so you don't need to worry about having experts on site at small locations.

good luck with it.

philo

and in case you need help, i run an it consulting company, you can reach me at this name @yahoo.com

Smoothwall (1)

DarkMantle (784415) | more than 8 years ago | (#14813786)

Simple, use smoothwall. It blocks a lot of worm propagation attempts, and if they have some old Pentium 1's or better kicking around you're set.

Pay a bit for the enterprise license if needed. Then you can set up automatic updates so it recognizes new worms.

Solutions (1)

Worked2Hard (713224) | more than 8 years ago | (#14813787)

There are several options:
Software:
ZoneMinder [zoneminder.com] Welcome to ZoneMinder.com, home of ZoneMinder the top Linux video camera security and surveillance solution.
IPConfigure [ipconfigure.com]
Hardware:
Nuvico DVR's [nuvico.com] - advantage of being built on embedded Linux, with a good feature set.
Axis Video Servers [axis.com]

I am presently in the process of installing and configuring a 300 camera system built utilizing IPConfigure and Axis 241Q video servers. I am finding my biggest hurdle is dealing with the corporate IT department for support. How I wish I had paid more attention to network design in school!

Supercircuits (1)

inKubus (199753) | more than 8 years ago | (#14813788)

Supercircuits [supercircuits.com] has a lot of camera and recording gear. The DMR3-CD-PW-16 [supercircuits.com] has 16 channels, up to 2500GB disc capacity, compression, built-in CD-R, etc. If you're using regular composite video sources, it would be possible to build one of these yourself with a bunch of 4 input video capture cards [webcamsoft.com] .

If you're using IP cameras that stream MP4 or whatever over ethernet, why not employ a VPN? You can get a nice hardware VPN endpoint such as one of those SOHO Sonicwalls (google for it) on each end, or a linux box on both ends as a VPN endpoint. Most of those cameras don't support VPN but you can easily put a router in between that will do the job.

Good luck

Anyone know how to connect DVR(Q-see) wirelessly? (1)

cj171 (687355) | more than 8 years ago | (#14813789)

I've got one of those network enabled Q-See DVR's...the 4 camera version... and I've been trying to use it with a wireless bridge. However, I swear I can't find DHCP on the thing...anyone have experience with Q-See DVR's or getting their other brands wireless?

Honeywell DVRs are Linux based (1)

hegemondave (412141) | more than 8 years ago | (#14813790)

Here's one I am considering right now for my own security project with 4 cameras.

Honeywell HRHD410C320
http://honeywellvideo.com/products/dvs/dvr/40256.html [honeywellvideo.com]

I'm also considering this series which can have 4, 8 or 16 inputs.

Honeywell HRHD4C160
http://honeywellvideo.com/products/dvs/dvr/40248.html [honeywellvideo.com]

Re:Honeywell DVRs are Linux based (1)

TinyManCan (580322) | more than 8 years ago | (#14813845)

From the linked pages:

The HRHD+ Series generates compact encrypted archive video clips as self-executable files. Honeywells minibank format produces an executable (.exe) file containing both the video clip and reader

Somehow, I don't think this solution would work for the author. Doesn't seem like he'd be able to use the video files on anything other than a PC running Windows.

Re:Honeywell DVRs are Linux based (1)

bradyj (956287) | more than 8 years ago | (#14813895)

That would be true:)

Dedicated Micros (1)

inicom (81356) | more than 8 years ago | (#14813793)

Their Sprite 2 is one of the best security recorders available. www.dedicatedmicros.com

Re:Dedicated Micros (1)

sid crimson (46823) | more than 8 years ago | (#14813829)

I second this... though I believe they are Windows based (something the submitter seemed to want to avoid).

We have several DS2s installed for years, and there have been two glitches... both caused by power spike/loss. Each time the DVR had to be reset, and though we lost our video archive (what little was not backed up) the DVRs reloaded and reinitialized themselves without issue.

-sid

Embedded DVR? (0)

Anonymous Coward | more than 8 years ago | (#14813810)

I believe there are many embedded DVR systems over there, based on DSPs and OSes like pSOS, VxWorks, Linux.

Try this one: http://www.objectvideo.com/ [objectvideo.com] .

Consultants are welcome (1)

bradyj (956287) | more than 8 years ago | (#14813812)

I'm getting good quality responses -- more so than from Security firms I've talked with in the Bay Area. If you are a consultant experienced in this, I'm happy to connect you with this company, feel free to email me at brady at my website url.

Three words... or letters anyway (0)

Anonymous Coward | more than 8 years ago | (#14813818)

V P N

Others have suggested restricting your open ports to only those IP's that need access, and this is a good idea assuming you have static IPs. You should also look at using a VPN tunnel between your remote sites and your central DVR location. Check out OpenVPN for this.

And make sure you are solving the right problem. Your problem isn't Windows or viruses, it's your network setup.

Open ports != "Hubs for Viruses" (1)

WoTG (610710) | more than 8 years ago | (#14813820)

I don't understand, aren't these dedicated boxes? Just turn off unnecessary services, run the service packs, and use a firewall to restrict access by IP address (even the XP SP2 / W2K3 built in firewall can do this). Windows isn't that vulnerable with basic precautions. Especially dedicated and presumably mostly locked down machines.

Guess what? If you want remote access to the camera, every OS or hardware IP camera will require open ports! It's just a matter of working within that requirement - e.g. IP filters or VPN. For most folks, a $50 router with decent NAT + port forwarding + inbound IP address rules will be sufficient. For $100 you can probably get a VPN server (well, maybe 200?).

Re:Open ports != "Hubs for Viruses" (1)

bradyj (956287) | more than 8 years ago | (#14813851)

Hmmm, you might be right, though we have some floating users that will not be on a static IP but require access in remote locations... which is why we've avoided IP filtering, but I'm sure that can't ALWAYS be the case, and we can lock it down to only static users. VPN is a plausible solution, but has been passed by IT.

Contact the vendor (0)

Anonymous Coward | more than 8 years ago | (#14813824)

Are you using the current product as it was intended to be used by the manufacturer?

If so, then ask them to fix the problem.

If not, then whoever built the initial system is a mug.

Failing that, stick with the solution you currently have, but just lock it down. There are many resources on the Internet that can help you secure Windows - the inbuilt packet filtering (behind the 'Advanced' button) can help you significantly.

Install a reliable third party firewall - Zone Alarm will do what you need.

Home security system? (1)

cknudsen (891397) | more than 8 years ago | (#14813828)

Let's forget that this could be some well-funded company asking for help about this... I've been thinking about a camera system for my home. The prices of cameras at places like smarthome.com have dropped dramatically over the past couple of years. Most of the complete packages do require Windows. And, I don't use Windows, of course... just Linux.

Has anyone started a project like MythTV for security cameras? Something that will record video to my hard-drive. In a perfect world, it would only record when it detects motion. I'm assuming I would need to get as many video capture cards as there are cameras... It seems like this would be a great open source project. Anyone think someone should be working on this?

open solution (0)

Anonymous Coward | more than 8 years ago | (#14813838)

No problem! This [wikipedia.org] open solution has been used in prisons, hospitals and even elementary schools for over a hundred years!

Also bad... (1)

tktk (540564) | more than 8 years ago | (#14813840)

Windows based DVRs tend to also use ActiveX for remote access/viewing. I have one Windows DVR that works very well at my building. It records for 20 cameras and has remote viewing.

But unless I'm at a Windows computer, I can't log into my DVR security remotely to see what's going on. About once or twice a year, I get a call from my security company because an alarm has gone off. I can't check on my building from the comfort of my bedroom and my Mac laptop. I have to head downstairs to the office, and boot my desktop PC.

Security Consultant (1)

BraveHeart007 (682897) | more than 8 years ago | (#14813841)

I am a DVR security consultant. I used to work for a major mfg that was Pelco's OEM. So I know a lot about the industry and the right solutions. There are a couple of units I can think of that are Linux based and hardware compression that will fit your need. Email me if you want some help. Regards, Erik research_gate@yahoo.com

DM (1)

aronschatz (570456) | more than 8 years ago | (#14813842)

Pelcos that run off of Windows are not what I call secure. I constantly work with DVRs (I'm in the IT dept, but I know all the Integrated Systems people) and Dedicated Micros provide top notch REAL DVRs. Don't piddle around with Pelco.

i do this using linux ... (1)

Zurk (37028) | more than 8 years ago | (#14813858)

i use mini-itx based systems with bt848 boards using debian.
contact me for further details. zurktech AT gmail DOT com

Windows isn't your problem (1)

briancnorton (586947) | more than 8 years ago | (#14813878)

Windows isn't your problem. Having crappy systems is.

Why are these systems exposed to viruses or worms or whatever? Why are they networked at all? If you need remote monitoring, you can get a one-way connection that will completely isolate your system.

Enterprise Solution (1)

Waffle Iron (339739) | more than 8 years ago | (#14813883)

(For some definition of enterprise.) Here you go:

$ for cam in camera{1,2,3,4,5}
> do ssh "$cam.example.com" 'cat /dev/video' > "$cam.mpeg" &
> done

HyRTK (1)

cve (181337) | more than 8 years ago | (#14813893)

Smart Network Device's Embedded Network Operating System - HyNetOS.

Security DVR's are plentiful at Vegas Show (1)

jqk575 (957689) | more than 8 years ago | (#14813898)

There are tons of different security DVR's out there and everybody has their favorite. I personally like Dedicated Micros. If you really have worldwide cameras you might consider going to the ISC West show in Vegas. International Security Conference and Expo http://www.iscwest.com/ [iscwest.com] There will be at least 50 different DVR sellers there and you can find one that will work well for your application. Besides that, it's a trip to Vegas.

Clarity Visual Intelligence (1)

jsherrah (957690) | more than 8 years ago | (#14813901)

Check out our product: http://www.clarityvi.com/ [clarityvi.com] a distributed network video system running under linux that performs distribution, recording, analysis and visualisation of surveillance video. Runs on standard PCs and supports IP, analog, firewire and PTZ cameras including joystick control. This is a very feature rich high-end product with a high tech UI for viewing real-time alerts and video streams, as well as reviewing past data. For review the Clarity product has a multi-resolution time line that allows activity and other analysis results to be viewed at a glance for ranges from years down to seconds. Some of the analysis functions we offer are: adaptive activity detection, people counting, behaviour analysis (e.g. running, left objects), face detection, face recognition, car number plate detection. We can definitely advise you on this space, and give you a presentation on our product. Regards, Jamie Sherrah

embedded systems (1)

outtaspace (957682) | more than 8 years ago | (#14813905)

Check out DVRs based on an embedded OS.

A friend of mine works for http://www.dedicatedmicros.com/ [dedicatedmicros.com] . They sure make some neat products :)

their sales dept. can send a case of beer to PO Box 55, Fort Washington.

ZoneMinder (0)

Anonymous Coward | more than 8 years ago | (#14813924)

Have you looked at Zone Minder [zoneminder.com] for this? It's open-sourced and it works very well with a wide variety of cameras. We use it to monitor our exterior sites and our data center. The really nice features for us include being able to zone out sections of the camera's view so that motion of plants or motion past door windows won't set off an alert. I don't know if this is industrial enough for your needs, but it's probably at least worth a look.

Try Speco DVRs or KALATEL (2, Informative)

labeey (649558) | more than 8 years ago | (#14813937)

Speco DVRs (www.specotech.com) are very reliable... I've been installing cctv systems including DVR's for 6 years. From my experience you should try non-PC based DVRs... they're more secure, reliable and don't crash at all... you don't need a firewall to protect the dvr from viruses and they work with dynamic IPs too... Speco has a great line of DVRs that are based on an embedded linux kernel... they're cheaper than Kalatel (GE) dvrs...

Avermedia (1)

ShavedApe (754129) | more than 8 years ago | (#14813943)

Avermedia has a linux based system, as well as windows based. http://www.aver.com/ [aver.com]

This is why I make over $100/hour (0)

Anonymous Coward | more than 8 years ago | (#14813949)

I have no problems locking down Windows. Seriously, wtf is wrong with everyone? From reading /. you would think that Windows is constantly being taken over by malware of all kinds. I have still never had a windows virus or spyware or anything else. How the fuck do you people get all this stuff? I have a pretty solid porn habit, so I travel in all sorts of places (running IE, not FF). I'm using Windows right now, somebody point me to a website that will install all sorts of nasties on my PC auto-magically when I go there. Where is this mythical site that loads IE with trash, because I bet I won't have any problems with it.

Anyhow, back to the topic at hand...

If you can't lock down Windows, tell your boss to replace your sorry ass with a competent worker. You are the type of dumb ass that runs around complaining about not being able to find work in IT. You can't even do basic security for the OS that covers more than 90% of desktops, you are incompetent.

Quicktime... (1)

manowarthegreat (884657) | more than 8 years ago | (#14813950)

Oh...yay...quicktime...whoo... ò_ó

Some Ideas (0)

Anonymous Coward | more than 8 years ago | (#14813952)

I have to agree with a lot of the posts here... I use 13 something windows based DVR's, and although I have had virus problems, they are very securable. Video is almost always stored on a different partition (usually another hard drive), so just patch the windows partition up, and freeze it. It's usually a good idea to reboot any static continuous-duty piece of equipment once a day, and the DVR's I have let you schedule that, so any changes get nuked at 10 pm.

However, I have two DVR's I can't readily get to (one in NY, one in Coronado CA), and there I installed an EasyProtect [digitalvideorecorder.net] and DedicatedMicros [dedicatedmicrosus.com] DVR. The Easyprotect is linux based, and the DM runs its own in-house concoction. The DM is bulletproof, and I would recommend it to anyone. It's a little pricey, but way worth it. On the EasyProtect Linux one, you are pretty locked out of linux unless you boot something like a gentoo LiveCD.

One last thing... are you looking to MAKE your own hardware/software? IP cameras are one thing, but surely you aren't going to replace ALL 200 cameras just because you are switching DVR's!

changeover costs = a lot (1)

mattb47 (85083) | more than 8 years ago | (#14813955)

First of all, I think you should just look at keeping the existing system, just improve it. Changeover cost in hardware/software is going to be high, even if it's free software. Here's what I'd do to try to stay with Windows 2k or XP (throw this all out if you're on 98/ME and get a real OS!):

1. Antivirus
First of all, why no antivirus? Any reasonable Win2k/XP system should be able to run one. If you want something with very low cpu impact, try Eset's Nod32. Also exclude the directory that the DVR uses to write the videos from virus checks. The videos are unlikely to get infected, and virus checking on those directories will just muck things up. (I'm assuming that this is why you aren't using antivirus.) But everything else then can be protected.

If you have licenses for *any* antivirus product, try it again with excluding the videos directories. Any antivirus product worth more than a warm bucket of spit should be able to do that.

2. Disable services.
Disable every unneeded service on these machines. A *lot* of them shouldn't be on. These systems should be doing practically nothing but writing video files (ok maybe some backups, or transferring files to another server for backups). A decent guide to this is here: http://www.theeldergeek.com/services_guide.htm [theeldergeek.com] .

3. Consider turning off Windows networking.
Disabling SMB/Netbios calls should stop most viruses/worms/etc. If you need to transfer data for backups and such, use SSH and SFTP instead. SFTP is what you'd use on a Linux/Unix system, and is *much* more secure.

Free Win32 SFTP client:
http://winscp.net/eng/index.php [winscp.net]

Free Win32 SFTP server:
http://itefix.no/copssh [itefix.no]

Nice, and not too expensive pay SFTP client (Tunnelier) and server (WinSSHD):
http://www.bitvise.com/ [bitvise.com]

(And you shouldn't be getting email-borne viruses -- these systems shouldn't be used for email.)

You can also use SSH on this to restrict all kinds of other access as well, while providing VPN-style access. Very, very nice. (e.g. you can only Remote Desktop or VNC through SSH)

4. Block ports and such, and firewall it.
Set up a firewall between these systems and the outside world. Restrict ports to *only* those needed (e.g. SSH on port 22). If possible, restrict outgoing data to *only* those IP addresses that need access. Yeah, IPs can be falsified, but it's an extra layer of defense.

You could do this through a software firewall, or even just some cheap $20 hardware firewall boxes.

The XP firewall is better than nothing, but it's only incoming. Much better incoming/outgoing freebie firewalls are available from these companies:
http://www.wyvernworks.com/firewall.html [wyvernworks.com]
http://www.jetico.com/ [jetico.com]

(I'd probably do the hardware firewall, but if your cash is tight, or the time/cost of installing all these extra hardware boxes is high, at least deploy a software firewall.)

5. Other Windows hardening options
You can also try these two freebie Windows hardening programs. They probably aren't perfect, but they help:
Harden-it: http://www.sniff-em.com/hardenit.shtml [sniff-em.com]
Secure-it: http://www.sniff-em.com/secureit.shtml [sniff-em.com]

And decent googling should turn up lots of different hardening guides to Windows as well.

After these you should have antivirus, you're blocking ports, you've disabled almost all virus vectors, and should have systems that are reasonably secure and stable.

Yeah, you have Windows and not sexy or politically correct OSS. But it's what you have. If you can make it work, use it. Fixing up your Windows boxes is probably a lot less time and money than swapping over to a completely new system.

- Matt Borcherding
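
Steps 2 to 4 of the comment above can be checked on a recorder by comparing what is actually listening against what the policy allows. The following is an added example, not part of the original comment: it parses `netstat -ano` output, skips loopback-only listeners (the VNC-through-SSH arrangement), and reports the Windows networking ports separately. The sample output, the allowlist and the recorder port 8000 are constructed assumptions.

```python
"""Added example: audit a recorder's listening sockets (all data constructed)."""
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid")

# Ports that step 3 wants closed: RPC endpoint mapper, NetBIOS and SMB.
WINDOWS_NETWORKING = {135, 137, 138, 139, 445}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed `netstat -ano` output from a hypothetical Windows recorder.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1100
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       2210
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING       1777
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:22        192.168.1.5:51122      ESTABLISHED     1432
  UDP    0.0.0.0:137            *:*                                    4
  UDP    192.168.1.20:138       *:*                                    4
"""


def parse_listeners(netstat_text):
    """Return sockets that accept traffic: TCP LISTENING rows and bound UDP rows."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column; TCP rows must say LISTENING.
        if fields[0] == "TCP" and (len(fields) < 5 or fields[3] != "LISTENING"):
            continue
        addr, _, port = fields[1].rpartition(":")
        if port.isdigit() and fields[-1].isdigit():
            found.append(Listener(fields[0], addr, int(port), int(fields[-1])))
    return found


def audit(netstat_text, allowed):
    """Sort non-loopback listeners by policy; `allowed` holds (proto, port) pairs."""
    report = {"allowed": [], "windows_networking": [], "unexpected": []}
    for sock in parse_listeners(netstat_text):
        # Loopback-only listeners are reachable only locally, e.g. via an SSH tunnel.
        if sock.addr in LOOPBACK:
            continue
        if sock.port in WINDOWS_NETWORKING:
            key = "windows_networking"  # reported even if someone allowlists it
        elif (sock.proto, sock.port) in allowed:
            key = "allowed"
        else:
            key = "unexpected"
        report[key].append(sock)
    return report


if __name__ == "__main__":
    # Assumed policy: SSH plus the recorder's own port (8000 is hypothetical).
    for category, socks in audit(SAMPLE_NETSTAT, {("TCP", 22), ("TCP", 8000)}).items():
        print(category, [f"{s.proto}/{s.port}" for s in socks])
```

Anything reported under `windows_networking` or `unexpected` maps back to a service to disable in step 2 or a port to block in step 4; the PID column identifies the owning process.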