Network Security Hardening Guide
v1.2 June 2017
About This Document
This document provides information and explains measures that users can take to secure network devices to improve network security.

Trademarks Acknowledgement
Hikvision® and other Hikvision trademarks and logos are the properties of Hikvision in various jurisdictions. Other trademarks and logos mentioned below are the properties of their respective owners.

Contact Information
No. 555 Qianmo Road, Binjiang District, Hangzhou 310052, China
Tel: +86-571-8807-5998
Fax: +86-571-8993-5635
Email: [email protected]; [email protected]
Technical Support: [email protected]
HSRC (Hikvision Security Response Center) Email: [email protected]
Table of Contents
Introduction
    Passwords
    What is a firewall?
Standard Configuration
    Activate the device by setting a strong password
    System restoring and upgrading
    Enable encryption
    User access control
    Disable UPnP
    Disable QoS
    Disable multicast video
    Set IP address filter
    Lock illegal login IP address
    Disable SSH
    Choose SNMP V3
    Firewall setup on router
    Port forwarding
Conclusion
Introduction
Hikvision network devices, like any other network devices, may be exposed to cybersecurity risks. To protect the network from these risks, Hikvision takes measures such as disabling the Telnet and FTP interfaces and adopting the security activation mechanism.
Note: This document is written as a general guideline. Measures should be taken into consideration depending on the application scenarios.

Passwords
How to create a strong password?
We all know the common guidelines for choosing a strong password:
• Include numbers, symbols, uppercase and lowercase letters.
• Password should be more than eight characters long.
• Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information (birthday).
The Password Phrase Method:
The phrase method is an easy way to remember complicated passwords that are hard to crack. Use the Password Phrase Method:
• Choose a phrase that has numbers.
• Use only the first letter in each word.
• Use the proper case for each letter, just as it appears in the phrase.
• Use actual numbers whenever possible. Use “2” for “two” or “to” and “4” for “four” or “for.”
• Include punctuation.
Let’s take the following phrase as an example: "My flight to New York will leave at three in the afternoon!"
Using the Password Phrase method explained above, the password becomes: "MftNYwla3ita!"
Some general password/security tips
• Avoid using dictionary words in any language.
• Avoid sequences or repeated characters.
• Change your password on a schedule.
• Do not allow Internet Explorer to store passwords.
• Do not type passwords on computers that you do not control.
• Never provide your password via email.
• Never respond to an email asking for personal information. (Banks will never ask you for your personal information in an email.)
• Patch and update the software you use on a regular basis.
• Use caution when opening email attachments.
• Limit the amount of personal information you post about yourself.

What is a firewall?
The short answer is this: A firewall intercepts all communications between you and the Internet, and decides if the information is allowed to pass through to you. Most firewalls, by default, will block all traffic both in and out. This is what we call “Deny all by Default.” In this default state, it is as if your computer is not even connected to the Internet. While this is a very safe state to be in, it is not very useful. So, we have to create a set of rules to tell the firewall what we consider safe. Everything else is, by default, considered not safe. As you create rules to allow traffic in and out, you are creating tiny holes in your firewall for the traffic to flow through. That is why many Internet users call creating rules “pinholing your firewall.” The more pinholes you create in your firewall, the less secure your network becomes. You should only create as many pinholes, or rules, as you need.

Standard Configuration
This is the standard configuration for homes, offices or small businesses.
Configurations will be different based on the network and the size of the system you are installing.
This is the minimum recommended for a small monitoring system.

Activate the device by setting a strong password
You are required to activate the device first by setting a strong password for it before you can use the device.
Activation via web browser, Activation via SADP, and Activation via client software are all supported.

Activate via web browser
Steps:
1. Power on the device, and connect the device to the network.
2. Input the IP address into the address bar of the web browser, and click Enter to enter the activation interface.
Notes:
• The default IP address of the device is 192.168.1.64.
• The device enables the DHCP by default; the IP address is allocated automatically. It is necessary to activate the device via SADP software. Please refer to the following chapter for Activation via SADP.
3. Create a password and input the password into the password field.
4. Confirm the password.
5. Click OK to save the password and enter the live view interface.

Activate via SADP software
SADP software is used for detecting the online device, activating the device, and resetting the password.
Get the SADP software from the supplied disk or the official website, and install the SADP according to the prompts. Follow the steps to activate the device.
Steps:
1. Run the SADP software to search the online devices.
2. Check the device status from the device list, and select the inactive device.
STRONG PASSWORD RECOMMENDED – We highly recommend you create a strong password of your own choosing (using a minimum of eight characters, including at least three of the following categories: upper case letters, lower case letters, numbers, and special characters) in order to increase the security of your product. And we recommend you reset your password regularly. Resetting the password monthly or weekly can better protect your product.
3. Create a password and input the password in the password field, and confirm the password.
4. Click OK to save the password.
You can check whether the activation is completed on the popup window. If activation failed, please make sure that the password meets the requirement and try again.
5. Change the device IP address to the same subnet with your computer by either modifying the IP address manually or checking the checkbox of Enable DHCP.
6. Input the password and click the Save button to activate your IP address modification.

Activate via client software
The client software is versatile video management software for multiple kinds of devices.
Get the client software from the supplied disk or the official website, and install the software according to the prompts. Follow the steps to activate the device.
Steps:
1. Run the client software and the control panel of the software pops up, as shown in the figure below.
2. Click the Device Management icon to enter the Device Management interface, as shown in the figure below.
3. Check the device status from the device list, and select an inactive device.
4. Click the Activate button to pop up the Activation interface.
5. Create a password and input the password in the password field, and confirm the password.
4. Click OK to save the password.
6. Click OK button to start activation.
7. Click the Modify Netinfo button to pop up the Network Parameter Modification interface, as shown in the figure below.
8. Change the device IP address to the same subnet with your computer by either modifying the IP address manually or checking the checkbox of Enable DHCP.
9. Input the password to activate your IP address modification.
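
The password guidelines in the Passwords section and the strong-password recommendation in the activation steps can be checked before a password is typed into a device. The following Python sketch is an added example, not part of the Hikvision guide or any Hikvision tool; the finding labels and the run limit of three characters are assumptions, and dictionary-word checking is left out because it needs a word list.

```python
"""Check a candidate device password against the rules stated in this guide."""
import string

MIN_LENGTH = 8       # "minimum of eight characters" (activation recommendation)
MIN_CATEGORIES = 3   # at least three of: upper case, lower case, numbers, special
RUN_LIMIT = 3        # assumption: flag 3+ repeated or sequential characters


def _longest_run(text, step):
    """Longest run in which each character is `step` code points after the
    previous one (0 = repetition, +1 / -1 = ascending / descending)."""
    best = run = 1 if text else 0
    for prev, cur in zip(text, text[1:]):
        linked = ord(cur) - ord(prev) == step
        if step != 0:
            # Only letters and digits form sequences such as "abc" or "321".
            linked = linked and prev.isalnum() and cur.isalnum()
        run = run + 1 if linked else 1
        best = max(best, run)
    return best


def password_findings(password, username=""):
    """Return a list of rule violations; an empty list means none were found."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too-short")
    categories = sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))
    if categories < MIN_CATEGORIES:
        findings.append("fewer-than-3-categories")
    folded = password.lower()
    # "Avoid any password based on ... usernames"
    if username and username.lower() in folded:
        findings.append("contains-username")
    # "Avoid sequences or repeated characters."
    if _longest_run(folded, 0) >= RUN_LIMIT:
        findings.append("repeated-characters")
    if max(_longest_run(folded, 1), _longest_run(folded, -1)) >= RUN_LIMIT:
        findings.append("sequence")
    return findings


if __name__ == "__main__":
    # Constructed samples; the first is the phrase-method result from the guide.
    for pw, user in (("MftNYwla3ita!", "admin"), ("admin1234", "admin"),
                     ("Aaaa!7x", "operator")):
        print(f"{pw!r:18} {password_findings(pw, user) or 'no findings'}")
```
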

System restoring and upgrading
Firmware is the software that enables and controls the functionality of network devices. Always use the latest firmware so that you get all possible security updates and bug fixes.

Check the current firmware
Check the current firmware version in page: Configuration > Maintenance > Upgrade & Maintenance

Upgrade the device to a certain version
Steps:
1. Select Firmware or Firmware Directory to locate the upgrade file.
Firmware: Locate the exact path of the upgrade file.
Firmware Directory: Only the directory the upgrade file belongs to is required.
2. Click Browse to select the local upgrade file and then click Upgrade to start remote upgrade.
Note: The upgrading process will take 1 to 10 minutes. Please don't disconnect power of the device during the process. The device reboots automatically after upgrade.

Restore default settings
If you are not sure about what has been changed on the device, you can always set it to the default settings to bring it to a known state.
Steps:
Enter the Maintenance interface: Configuration > System > Maintenance > Upgrade & Maintenance.
• Restore: Reset all the parameters, except the IP parameters and user information, to the default settings.
• Default: Restore all the parameters to the factory default.
Note: After restoring the default settings, the IP address is also restored to the default IP address; please be careful with this action.

Configure basic network settings
Steps:
1. Go to Configuration > Network > Basic Settings > TCP/IP.
2. Specify the IP address, subnet mask and Default Gateway.
3. Save parameters.

Enable encryption
HTTPS provides authentication of the website and its associated web server, which protects against man-in-the-middle attacks. Perform the following steps to set the port number of HTTPS.
E.g., If you set the port number as 443 and the IP address is 192.168.1.64, you may access the device by inputting https://192.168.1.64:443 via the web browser.
Steps:
1. Enter the HTTPS settings interface. Configuration > Network > Advanced Settings > HTTPS.
2. Check the checkbox of Enable to enable the function.
3. Create the self-signed certificate or authorized certificate.
• Create the self-signed certificate
(1) Select Create Self-signed Certificate as the Installation Method.
(2) Click Create button to enter the creation interface.
(3) Enter the country, host name/IP, validity and other information.
(4) Click OK to save the settings.
Note: If you already had a certificate installed, the Create Self-signed Certificate is grayed out.
• Create the authorized certificate
(1) Select Create the certificate request first and continue the installation as the Installation Method.
(2) Click Create button to create the certificate request. Fill in the required information in the popup window.
(3) Download the certificate request and submit it to the trusted certificate authority for signature.
(4) After receiving the signed valid certificate, import the certificate to the device.
4. There will be the certificate information after you successfully create and install the certificate.
5. Click the Save button to save the settings.

User access control
Set permission level to users
When you add and modify user settings, you can set the permission level for each user to set limitations on the device control.
Steps:
1. Go to Configuration > System > User Management.
Figure: User Management Interface
2. Click Add or Modify to add a user or modify a user.
3. Set User Name, Level and Password.
4. Check or uncheck the permissions.
5. Click OK to finish the user addition.

Disable UPnP
Universal Plug and Play (UPnP™) is a networking architecture that provides compatibility among networking equipment, software and other hardware devices. The UPnP protocol allows devices to connect seamlessly and to simplify the implementation of networks in the home and corporate environments. If the device is not connected to a hosted video service, disable UPnP.
Steps:
1. Go to Configuration > Network > Basic Settings > NAT.
2. Uncheck the checkbox to disable the UPnP™ function.

Disable QoS
It is suggested that QoS be disabled if Quality of Service is not being used.
Steps:
1. Go to Configuration > Network > Advanced Settings > QoS
2. To disable QoS, enter the value zero in the QoS DSCP Settings fields.

Disable multicast video
If multicast is not being used, it should be disabled.
Steps:
1. Go to Configuration > Network > Basic Settings > TCP/IP
2. Clear Enable Multicast Discovery
3. Click Save

Set IP address filter
Enabling IP filtering for authorized clients will prevent the device from being accessed by any other unauthorized clients.
Steps:
1. Go to Configuration > System > Security > IP Address Filter
2. Check the checkbox of Enable IP Address Filter.
3. Select the type of IP Address Filter in the drop-down list; Forbidden and Allowed are selectable.
4. Set the IP Address Filter list.
Steps:
(1) Click Add to add an IP.
(2) Input the IP Address.
(3) Click OK to finish adding.

Lock illegal login IP address
The IP address will be locked if the admin user performs seven failed user name/password attempts (five times for the operator/user).
1. Go to Configuration > System > Security > Security Service.
2. Check the checkbox of Enable Illegal Login Lock, and then the IP address will be locked if the admin user performs seven failed user name/password attempts (five times for the operator/user).
Note: If the IP address is locked, you can try to log in to the device only after 30 minutes.

Disable SSH
Hikvision’s devices support Secure Shell (SSH), which is disabled by default. Make sure it is disabled by checking the security service configuration interface: Configuration > System > Security > Security Service.
Note: For devices without this configuration interface, SSH is disabled by default.

Choose SNMP V3
Steps:
1. Go to Configuration > Network > Advanced Settings > SNMP.
2. Check the checkbox of Enable SNMP v1, Enable SNMP v2c, Enable SNMPv3 to enable the feature correspondingly.
3. Configure the SNMP settings.
Note: The settings of the SNMP software should be the same as the settings you configure here.
4. Click Save to save and finish the settings.
Notes:
• A reboot is required for the settings to take effect.
• To lower the risk of information leakage, you are suggested to enable SNMP v3 instead of SNMP v1 or v2.

Firewall setup on router
Please keep in mind that all firewall setups are different. The examples below are intended to give a general example and overview of what ports should be set up in a firewall.
Setup:
1. Go to your router IP address
2. Log in to your router
3. Go to the port forwarding section
Find the section that mentions protocols, internal and external ports, and a destination IP address or Server IP address, such as this:

Port forwarding
Port forwarding should only be used when devices need to be accessed via the Internet. To ensure proper security configuration, please carefully follow the instructions below:
1. Minimize the port numbers exposed to the Internet. Port forwarding should only be configured when absolutely necessary. For example, to use web service, only port 443 should be forwarded.
2. Avoid common ports and reconfigure them to customized ports. For example, port 80 is commonly used for HTTP. It is recommended that the user change to a customized port on the device other than port 80 for the designated service, following the TCP/IP port rule (1 – 65535).

Create a port forwarding rule
Ports that Hikvision uses; you can change these ports to anything you want.
• 80 Web Port
• 443 Secure Web Port
• 8000, 10554 for IVMS application
To create the port forwarding rule, firstly set a name for the rule. It's just a reminder of what type of service you are forwarding the port for.
In "protocol," select TCP, UDP, or Both depending on which application(s) need port forwarding. For instance, you need both TCP and UDP protocols forwarding. Some routers only have a TCP or a UDP option, not both. On those routers, if both protocols are needed, two rules must be created, one for TCP and one for UDP.
The external and destination port will be the same. Because some lower-numbered ports are being used by the system by default, or by specific applications, it's best to choose a port between 50000 and 65535.
Finally, on the destination IP address, select the static IP previously chosen for the PC.
After that, save the new rule.
On most routers, port forwarding activates immediately. Some routers, though, need a reboot to apply the rule.

Check Port Forwarding
To make sure that Port Forwarding works correctly, use one of the multiple free services on the Internet.
First, ensure that the program or device that needs port forwarding is up and running, and uses the proper port.
Then, navigate to canyouseeme.org
Add the proper port and select "Check Port."
This is a free utility for remotely verifying if a port is open or closed. It is useful to users who wish to verify port forwarding and check to see if a server is running or to determine if a firewall or ISP is blocking certain ports.

Can two devices on the same LAN use the same port forwarding?
Port forwarding is set up on a unique IP address, and you can't set up a rule for the same port with two or more IP addresses.
To set up the same program on two different devices, it is necessary to create two rules for two separate ports, one for each device.
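
The port-forwarding recommendations above can be applied as a review of an existing router rule table. The following Python sketch is an added example, not part of the Hikvision guide; the rule fields (`name`, `protocol`, `external_port`, `internal_ip`, `service`), the finding labels and the sample table are assumptions made for illustration.

```python
"""Audit a port-forwarding table against the guide's recommendations."""
from collections import defaultdict

# Device default ports listed in the guide.
DEFAULT_PORTS = {80, 443, 8000, 10554}
# Range the guide suggests for customized external ports.
CUSTOM_RANGE = range(50000, 65536)

# Constructed sample table; the field names are hypothetical.
SAMPLE_RULES = [
    {"name": "cam1-web", "protocol": "TCP", "external_port": 80,
     "internal_ip": "192.168.1.64", "service": "http"},
    {"name": "cam1-https", "protocol": "TCP", "external_port": 50443,
     "internal_ip": "192.168.1.64", "service": "https"},
    {"name": "cam2-https", "protocol": "Both", "external_port": 50443,
     "internal_ip": "192.168.1.65", "service": "https"},
    {"name": "nvr-ivms", "protocol": "TCP", "external_port": 8000,
     "internal_ip": "192.168.1.70", "service": "ivms"},
    {"name": "cam3-ivms", "protocol": "UDP", "external_port": 9000,
     "internal_ip": "192.168.1.66", "service": "ivms"},
]


def audit_rules(rules):
    """Return (rule or port, finding) tuples in rule order, conflicts last."""
    findings = []
    owners = defaultdict(set)  # (protocol, external port) -> internal IPs
    for rule in rules:
        name, ext = rule["name"], rule["external_port"]
        proto = rule["protocol"].upper()
        if proto not in ("TCP", "UDP", "BOTH"):
            findings.append((name, "invalid-protocol"))
            continue
        if not 1 <= ext <= 65535:
            findings.append((name, "invalid-port"))
            continue
        # "To use web service, only port 443 should be forwarded."
        if rule.get("service") == "http":
            findings.append((name, "plain-http-exposed"))
        # "Avoid common ports and reconfigure them to customized ports."
        if ext in DEFAULT_PORTS:
            findings.append((name, "default-port-exposed"))
        elif ext not in CUSTOM_RANGE:
            findings.append((name, "outside-50000-65535"))
        # A "Both" rule occupies the port for TCP and for UDP.
        for p in (("TCP", "UDP") if proto == "BOTH" else (proto,)):
            owners[(p, ext)].add(rule["internal_ip"])
    # One external port cannot be forwarded to two internal addresses.
    for (p, ext), ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append((f"{p}/{ext}", "shared-by:" + ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_rules(SAMPLE_RULES):
        print(f"{subject:12} {finding}")
```
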
Conclusion
This hardening guide is intended to be a living document and will be updated regularly to reflect the most up-to-date cybersecurity best practices. It is one of the many industry-leading cybersecurity resources provided by Hikvision. Please visit the Hikvision Security Center on our website http://www.hikvision.com/us/SecurityCenter_10636.htm to learn about other available cybersecurity resources. If you have questions, please contact your Hikvision representative or