An Ethernet network, unlike a collection of analog video cables in a security system, is an intelligent data network. This makes it a potential point of entry for those who wish to gain access to an organization’s data network for malicious purposes.

Video surveillance cameras are, by necessity, often installed in publicly accessible locations. Their data connections present publicly accessible opportunities for connecting into a data network. Unplugging a camera and replacing it with a Wi-Fi access point can provide a criminal the opportunity to steal data, or launch Denial of Service (DoS) attacks to create a diversion, or otherwise disrupt the surveillance network.

Because of this, the switch ports that cameras are attached to must be afforded the highest level of protection. This goal can be achieved in the following three ways:

Configure Authentication on Ports

The best protection against malicious entry into a network via a camera’s data connection is port authentication. Switch ports should never allow data exchange with a connected device until that device has provided authentication credentials. Video cameras support high-security authentication via encrypted digital certificates, which, unlike simple password authentication, cannot be guessed or discovered by data eavesdropping.

Configure Switches to Send Alarms

Standard network management protocols provide alarm messages that are sent in response to port state changes (ports being plugged or unplugged). Network Management Stations (NMS) receive and display these alarms, immediately alerting staff to any attempt to tamper with camera connections.

Ensure Unused Switch Ports are Shut Down

Any ports that are not in use should be shut down, so there is no chance of them being hijacked in any way. Alternatively, these ports can be assigned to an unused VLAN that is not included in uplinks to the core of the network.
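
The alarm and unused-port measures above, as an added example that is not part of the original article: a small Python classifier for link-state alarms. It assumes the alarms are SNMP linkDown/linkUp traps (the article does not name the protocol); the switch name, port inventory and one-line record format are constructed for illustration.

```python
from datetime import datetime

# Standard SNMP notification OIDs (IF-MIB linkDown / linkUp).
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"
LINK_UP = "1.3.6.1.6.3.1.1.5.4"

# Hypothetical port inventory: (switch, ifIndex) -> role.
PORT_ROLES = {
    ("sw-lobby-1", 12): "camera",
    ("sw-lobby-1", 20): "unused",  # expected to be shut down or in a dead VLAN
}

# Constructed sample records, one per trap: "timestamp switch trap-OID ifIndex".
SAMPLE_TRAPS = """\
2024-05-01T02:14:07Z sw-lobby-1 1.3.6.1.6.3.1.1.5.3 12
2024-05-01T02:14:31Z sw-lobby-1 1.3.6.1.6.3.1.1.5.4 12
2024-05-01T02:20:00Z sw-lobby-1 1.3.6.1.6.3.1.1.5.4 20
2024-05-01T03:00:00Z sw-lobby-1 1.3.6.1.6.3.1.1.5.3 5
truncated line
"""

def classify(text):
    """Return (timestamp, switch, ifIndex, finding) for camera and unused ports."""
    alerts, down_at = [], {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # ignore malformed records
        ts, switch, oid, ifindex = parts[0], parts[1], parts[2], int(parts[3])
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        key = (switch, ifindex)
        role = PORT_ROLES.get(key)
        if role == "camera" and oid == LINK_DOWN:
            down_at[key] = when
            alerts.append((ts, switch, ifindex, "camera unplugged"))
        elif role == "camera" and oid == LINK_UP:
            prev = down_at.pop(key, None)
            gap = f"{int((when - prev).total_seconds())}s" if prev else "unknown time"
            # Link returning does not prove the camera is what was plugged back in.
            alerts.append((ts, switch, ifindex,
                           f"camera port re-linked after {gap}, verify device"))
        elif role == "unused" and oid == LINK_UP:
            alerts.append((ts, switch, ifindex, "unused port has link, not shut down"))
    return alerts

if __name__ == "__main__":
    for alert in classify(SAMPLE_TRAPS):
        print(*alert)
```

The trap on ifIndex 5 produces no alert because that port has no role in the inventory; in practice every port would carry a role so that nothing is silently ignored.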