Question
How can you secure access and manage ports for Bosch IP video devices?
Overview:
General network port usage and video transmission:
HTTP, HTTPS and video port usage:
Video software and port selection:
SSH tunneling:
Answer
All Bosch IP video devices come with built-in multi-purpose web pages. The device-specific web pages support both live and playback video functions, as well as some specific configuration settings that may not be accessible via a video management system. The built-in user accounts act as the access to the different sections of the dedicated web pages. While the web page access cannot be completely disabled via the web page itself - the Configuration Manager could be used for -, there are several methods to cloak the presence of the device, restrict access, and manage video port usage.
General network port usage and video transmission:
All Bosch IP video devices utilize Remote Control Protocol Plus (RCP+) for detection, control, and communications. RCP+ is a proprietary Bosch protocol which uses specific static ports to detect and communicate with Bosch IP video devices - 1756, 1757, and 1758. When working with BVMS, or another 3rd-party vendor video management system that has integrated Bosch IP video devices via the Bosch VideoSDK, the listed ports must be accessible on the network for the IP video devices to function correctly. Video can be streamed from the devices in several ways: UDP (Dynamic), HTTP (80), or HTTPS (443).
The HTTP and HTTPS port usage can be modified (see HTTP, HTTPS and video port usage, page 17). Prior to making any port modifications, the desired form of communication to a device must be configured. The Communication menu can be accessed using Configuration Manager. 1. In the Configuration Manager, select the desired device. 2. Select the General tab, then select Unit Access. 3. Locate the Device access portion of the page. 4. In the Protocol list, select the desired protocol: – RCP+ – HTTP (default) – HTTPS If selecting HTTPS communications, communication between Configuration Manager and video devices will utilize HTTPS (TLS) to encrypt the payload with an AES encryption key up to 256 bits in length. This is a free basic feature. When utilizing TLS, all HTTPS control communications and video payload is encrypted via the encryption engine in the device.
HTTP, HTTPS and video port usage:
HTTP and HTTPS port usage on all devices can be altered or turned off. Encrypted communication can be enforced by disabling RCP+ port as well as the HTTP port, forcing all communication to use encryption. If HTTP port usage is turned off, HTTPS will remain on and any attempts to turn it off will fail. 1. In the Configuration Manager, select the desired device. 2. Select the Network tab, then select Network Access. 3. Locate the Details portion of the page. 4. In the Details portion, modify the HTTP and HTTPS browser ports and RCP+ port using the drop down menu: – HTTP browser port modification: 80 or ports 10000 to 10100 – HTTPS browser port modification: 443 or ports 10443 to 10543 – RCP+ port 1756: On or Off
Video software and port selection:
Adjusting these settings will also affect what port is utilized for video transmission when using video management software in your LAN.
If all IP video devices are set to HTTP port 10000, as an example, and the BVMS Operator Client is configured for "TCP tunneling", then all video transmissions on the network will be made across HTTP port 10000.
SSH tunneling:
For a remote device access with BVMS Operator Client via public networks, BVMS provides Secure Shell (SSH) tunneling to ensure secure (encrypted) communication. SSH tunnelling constructs an encrypted tunnel established by an SSH protocol/socket connection. This encrypted tunnel can provide transport to both, encrypted and un-encrypted traffic. The Bosch SSH implementation also utilizes Omni-Path protocol, which is a high performance low latency communications protocol developed by Intel. For more information on how to configure the SSH service in BVMS, refer to the BVMS documentation. For more information on how to configure DIVAR IP systems for a secure remote access with BVMS Operator Client, refer to the DIVAR IP documentation.
Nice to know:
Cybersecurity guidebook for Bosch IP video products
Secure by default - Increasing the default level of IP camera security
... View more