DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Best (MOST SECURE) way to set up IP CCTV camera...

30 Sep 2008 09:43 #1 by floriank
Hi,

We have a Vigor 2300 (v2.3.6) set up with a fixed IP range as supplied by our ISP. We then use fixed IPs for internal computers also (10.0.0.2, 10.0.0.3, etc).

I want to set up an Edimax IC-7000 IP camera, to be accessed from the outside. It needs HTTP port 80 for picture and UDP port 1500 for sound.

What's the most secure way of setting this up? If I go into NAT setup and open port 80 on the Draytek it obviously becomes scan-able from the net - checked with grc.com. I then forward the port to the internal IP address of the camera (e.g. 10.0.0.98) and the camera becomes visible to the outside.

However, as we were running with absolutely NO ports open before I'm nervous opening ports 80 and 1500 to the world - are there real security problems with this?

Alternatively, what may be a better way of setting this up?

Many thanks for your help!!

Florian

30 Sep 2008 12:44 #2 by louis-m
Welcome to the world of servers!
When you open a port as such, the security is namely down to the listening app, in your case an IP camera.
Anything designed as such will usually have some sort of security, e.g. password protection, access rights, etc.
Your firewall can also limit connections from certain IP addresses, e.g. your house etc., if they are static IPs.
Now the big problem comes when you want access to your internal network, or camera in your case, from any computer.
You are then at the mercy of the server (your camera) and the software to provide security. Generally, these are fine and you really shouldn't have a problem.
But there are numerous other ways in which you can tighten things up, namely VPNs etc., but that is another subject.

2820 = 3.3.2_RC5
2950 = 3.2.4

30 Sep 2008 14:09 #3 by floriank
Hi louis-m and thanks for your reply.

I already use VPNs at all our sites and the easiest way would obviously be to run the cam(s) within that. This, however, wouldn't allow me to access them from the outside, i.e. from the 'road'. This is a real requirement, hence the need to open a route to the camera through the firewall.

I guess I need to speak with EdiMax about the security of the camera's internal web server. My main worry is that, if it has a weakness, somebody could gain access to the rest of the network via the camera's web server.

By using port forwarding in my Vigor2300 to the specific IP address of the camera only, am I protected from this threat? I guess not!

Many thanks
Florian

30 Sep 2008 16:27 #4 by louis-m
You are protected in the fact that port 80 will only be forwarded to the camera. But the security is then down to the listening server. I would have a word, as you say, to see just how secure the camera can be, perhaps on their forums etc.
Can it run over HTTPS? If so, then it's as secure as you are going to get it.
The alternative for clientless access is to use an HTTPS VPN. The 2930, 2950 etc. do allow this, or you could use something like sslexplorer if you have a spare PC or run VMs.

2820 = 3.3.2_RC5
2950 = 3.2.4

30 Sep 2008 16:54 #5 by floriank
I don't think it can handle SSL, unfortunately - but will confirm this with the manufacturer.

Clientless access won't work with our routers, I think - they're too old and out-of-date :roll:

Thanks again for your help with this, much appreciated!

Regards
Florian

20 May 2010 15:12 #6 by steve6380
Best way would be to set up port forwarding in the router:

example
http://www.cam1.com:8081

in the router set up port forwarding:
\nat\port redirection
public port 8081
Private IP 10.0.0.2
Private port 80

Steve
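
The forwarding rules discussed in this thread can be checked against the two points raised in the replies: restricting source addresses and running over HTTPS. The Python below is an added example, not part of any post and not DrayTek code; the `Redirect` model, its field names, the `encrypted` flag and the 203.0.113.10 allow-list address are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Redirect:
    proto: str               # "tcp" or "udp"
    public_port: int         # port opened on the WAN side
    private_ip: str          # LAN host that receives the traffic
    private_port: int
    encrypted: bool = False  # assumption: does the device encrypt this service?
    sources: tuple = ()      # firewall source allow-list (CIDRs); empty = anyone

def route(rules, src_ip, proto, dport):
    """Return (private_ip, private_port) for an inbound packet, or None if dropped."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if (r.proto, r.public_port) != (proto, dport):
            continue
        if r.sources and not any(src in ipaddress.ip_network(c) for c in r.sources):
            return None      # port matches, but the source is not allow-listed
        return (r.private_ip, r.private_port)
    return None              # no redirect for this port: nothing behind it is reachable

def audit(rule):
    """List the exposure points raised in the thread for one rule."""
    findings = []
    if not rule.sources:
        findings.append("reachable from any internet address")
    if not rule.encrypted:
        findings.append("login and media cross the internet unencrypted")
    return findings

# Constructed rule sets using the addresses and ports quoted in the thread.
AS_ASKED = [Redirect("tcp", 80, "10.0.0.98", 80),
            Redirect("udp", 1500, "10.0.0.98", 1500)]
# Public port 8081 as in post #6, plus a constructed static-IP allow-list.
RESTRICTED = [Redirect("tcp", 8081, "10.0.0.98", 80, sources=("203.0.113.10/32",))]

if __name__ == "__main__":
    for r in AS_ASKED + RESTRICTED:
        print(r.proto, r.public_port, "->", r.private_ip, r.private_port, audit(r))
```

The redirect only decides which LAN host receives the traffic; anything the camera can itself reach on the LAN is outside what this model checks.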