
Securing web camera access by only allowing connection through SSL VPN (Port forwarding/DNAT Rule)

I have a Foscam IP camera that I like to connect to remotely. The problem is that the free Foscam Viewer app for Android does not support HTTPS logins which means that the password could be transmitted over the network in plain text.

I discovered a solution that is sort of complex and time consuming but works.

After following this guide on setting up a remote access VPN connection and logging into the user portal to download the encryption certificate and install it on your phone, tablet or even laptop, do this: This post assumes you have correctly set up your camera with a username and password and the appropriate webcam viewer app. This could probably be used with any method to log into a web camera.

The goal here is to have a secure way to port forward into your IP camera, and to prevent access to the camera over a non-encrypted tunnel. It won't be possible to access the camera without being connected to the VPN. After the proper DNAT rule is in place, the ports the camera is listening on will be stealthed, and Sophos will drop the packet unless the person is connected to the VPN server first.

Create (or edit the pre-existing) NAT rule:

Rule type: DNAT

Traffic from: VPN Pool (or VPN username)

Service: The service you created prior, based on the static IP address of the camera, that states the port to be forwarded to.

Going to: External (WAN)

Action: Change the Destination to the Network Definition related to the static IP address of the camera.

Automatic firewall rule: enabled

Result: all connections to your IP camera will be encrypted through your VPN connection even when using an HTTP login credential. Port forwarding to the camera will not be allowed until a VPN connection has been established.

Verification: after the DNAT rule is successful, connect to the internet normally and head to What's my IP and enter the port the camera is listening on. If all went well, the result should be stealthed.

  • I think what you did is partially okay (creating VPN tunnels), but the part of the DNAT is completely unnecessary (and very strange too).

    What you can do is configure in the VPN settings that VPN users are allowed to access your internal network (or just the IP address of the camera, if that's all that is allowed to be reached).

    Then if your camera is already pointing to the UTM as default gateway, your VPN-users should be able to reach the camera instantly without DNAT and still the camera is not reachable from outside without using a VPN-connection.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • I have tried your suggestion and nothing else works.

    I disabled the DNAT rule and created a blanket firewall rule allowing any network using the camera's port, to the camera... and the firewall blocks all connections to the camera. Even using the Foscam app on my phone when connected to the wireless guest network, will not work.

    The firewall live log shows Default DROP UDP/TCP from the VPN pool (or the IP address of my phone's LTE connection, or the wireless guest network) to my WAN interface, with the target port being the port the camera is listening on. With the DNAT rule disabled, and the firewall rule allowing all networks access to the camera, the port still appears as closed when performing a port scan from the internet.

    I currently have Web Filtering and IDS turned off, yet the firewall still blocks all connections to the camera when DNAT is disabled.

    Firewall rule:

    Source: Any IPV4 (Or External, Internal, VPN Pool, wireless guest network)

    Service: (the IP camera's port)

    Destination: The IP camera's IP address

    Action: Allow

    It does not work unless the DNAT rule is enabled, which makes any firewall rule insignificant.

  • Ah, now it makes more sense; it seems like your app is trying to reach the camera from inside your own network, but it's trying to access it via the outside public IP address. This will require a Full NAT rule:

    Yours should look about the same, and you may need additional Full NAT rules, one for every network (Guest WLAN, VPN); of course your service may be different than the one in my example.

    What this does is remap all traffic coming from inside the UTM going to its own public address (External (WAN) (Address)). It's basically redirecting the traffic so it's coming from the firewall itself (Internal (Address)) and going directly to the desired host.

    By ticking the Automatic firewall rule the traffic will be automatically allowed once the NAT rule is switched ON (don't forget to switch it on after creating it). By 'Log initial packets' you will be able to see that the traffic is allowed in the firewall log.

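The rule logic discussed in this thread, as an added constructed Python model (not Sophos code and not from any poster): the VPN-only DNAT rule from the first post, the blanket "Any IPv4 to camera" firewall rule that did not work, and the Full NAT rule suggested above, each evaluated against sample packets. All addresses, the VPN pool, the guest WLAN range and the camera port are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses; none of them come from the thread.
WAN_IP = "203.0.113.10"          # assumed public "External (WAN) (Address)"
UTM_INTERNAL = "192.168.1.1"     # assumed "Internal (Address)" of the UTM
CAMERA = "192.168.1.50"          # assumed static IP of the camera
CAM_PORT = 88                    # assumed port the camera listens on
VPN_POOL = ip_network("10.242.2.0/24")      # assumed SSL VPN pool
GUEST_WLAN = ip_network("192.168.50.0/24")  # assumed wireless guest network
ANY = ip_network("0.0.0.0/0")

def nat_rule(name, src_net, to_ip, dport, new_dst, new_src=None):
    """DNAT rewrites only the destination; Full NAT (new_src set) also rewrites the source."""
    return dict(name=name, src_net=src_net, to_ip=to_ip, dport=dport,
                new_dst=new_dst, new_src=new_src)

def evaluate(pkt, nat_rules, fw_rules):
    """pkt = (src, dst, dport). Returns (verdict, packet as delivered).
    A matching NAT rule with 'Automatic firewall rule' allows the traffic directly;
    anything else must match an explicit firewall rule or hits Default DROP."""
    src, dst, dport = pkt
    for r in nat_rules:
        if ip_address(src) in r["src_net"] and dst == r["to_ip"] and dport == r["dport"]:
            return "ALLOW", (r["new_src"] or src, r["new_dst"], dport)
    for src_net, dst_ip, fw_port in fw_rules:
        if ip_address(src) in src_net and dst == dst_ip and dport == fw_port:
            return "ALLOW", pkt
    return "DROP", pkt   # UTM "Default DROP", what the live log showed

DNAT_VPN_ONLY = [nat_rule("vpn->camera", VPN_POOL, WAN_IP, CAM_PORT, CAMERA)]
FULL_NAT_GUEST = [nat_rule("guest->camera", GUEST_WLAN, WAN_IP, CAM_PORT, CAMERA, UTM_INTERNAL)]
BLANKET_FW = [(ANY, CAMERA, CAM_PORT)]   # "Any IPv4 -> camera IP, camera port, Allow"

def scenarios():
    internet = ("198.51.100.7", WAN_IP, CAM_PORT)        # port scan from the internet
    vpn_client = ("10.242.2.5", WAN_IP, CAM_PORT)        # phone connected to the SSL VPN
    guest_phone = ("192.168.50.20", WAN_IP, CAM_PORT)    # DDNS name resolves to WAN_IP
    return {
        # DNAT limited to the VPN pool: internet sees the port stealthed, VPN reaches the camera
        "internet_vs_dnat": evaluate(internet, DNAT_VPN_ONLY, []),
        "vpn_vs_dnat": evaluate(vpn_client, DNAT_VPN_ONLY, []),
        # Blanket firewall rule alone: destination is still WAN_IP, so the rule never matches
        "guest_vs_blanket_fw": evaluate(guest_phone, [], BLANKET_FW),
        # Full NAT: destination becomes the camera, source becomes the UTM's internal address
        "guest_vs_full_nat": evaluate(guest_phone, FULL_NAT_GUEST, []),
    }

if __name__ == "__main__":
    for name, (verdict, delivered) in scenarios().items():
        print(f"{name:22s} {verdict:5s} {delivered}")
```

The model only captures the matching semantics the posts describe (source network, original destination, port, and whether the automatic firewall rule applies); real UTM rule ordering and connection tracking are more involved.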

  • I just realized... I'm trying to connect to the camera through my dynamic DNS URL instead of the LAN IP address of the camera. That's why it's trying to connect to the camera on the WAN interface.

  • Yes, but you can overcome this by creating a Full NAT rule like I showed you earlier.
