Administration Guide

Hardening security

FortiRecorder is designed to manage IP cameras and store video. While FortiRecorder does have some security features, its primary focus is surveillance. It should always be protected by a network firewall and kept physically in a restricted-access area.

To protect the appliance from accidental or malicious misuse by people inside your private network, this section lists measures that further harden it.

Topology

  • To protect your surveillance system from hackers and unauthorized network access, install the FortiRecorder appliance and cameras behind a network firewall such as a FortiGate. FortiRecorder is not a firewall. FortiRecorder appliances are designed specifically to manage cameras and store video.
  • If remote cameras or people will be accessing the appliance via the Internet, through a virtual IP or port forward on your router or FortiGate, configure your router or firewall to restrict access, allowing only their IP addresses. Require firewall authentication for connections from network administrators and security guards. A source-address allow list only works for peers with fixed addresses; for roaming users, terminate a VPN on the firewall rather than exposing the port forward to the whole Internet.
  • In a complex network environment, make sure traffic cannot bypass the FortiRecorder appliance and reach the cameras directly.
  • If you do not need remote access while traveling or at home, do not configure it. If you do, however, apply strict firewall policies to the connection, and harden all accounts and administrative access (see Administrator access, Operator access, and Configuring the public port numbers and domain name). Keep the FortiRecorder software up-to-date, especially with security patches (see Updating the firmware).
  • Disable all network interfaces that should not receive any traffic. (Set the Administrative Status to Down.)

    For example, if administrative access is typically through port1, cameras are connected to port2, and network file storage and the Internet are connected to port3, then you would disable ("bring down") port4. This would prevent an attacker with physical access from connecting a cable to port4 and thereby gaining access if the configuration inadvertently allows it.

Administrator access

  • As soon as possible during initial FortiRecorder setup, give the default administrator, "admin", a password. This super-administrator account has the highest level of permissions possible, and access to it should be limited to as few people as possible. See Setting the "admin" account password.
  • Administrator passwords should be at least 8 characters long and include both numbers and letters. Treat this as a floor, not a target: longer passphrases resist guessing and brute-force attacks far better.
  • Change all passwords regularly. Set a policy — such as every 60 days — and follow it.
  • Instead of allowing administrative access to the FortiRecorder appliance from any source, restrict it to trusted internal hosts (see Trusted hosts).
  • On those computers that you have designated for management, apply strict patch and security policies. Always password-encrypt any FortiRecorder configuration backup that you download to those computers, so that an attacker who compromises the computer learns as little as possible from it. If your computer's operating system does not support this, you can use third-party software to encrypt the file.
  • Do not give administrator-level access to all people who use the system. Usually, only a network administrator should have access to the network settings. Others should have operator accounts. This prevents others from accidentally or maliciously breaking the appliance's connections with cameras and computers. See Configuring administrator profiles.
  • By default, an administrator login times out if it is idle for more than 5 minutes. You can change this to a longer period in the idle timeout settings, but Fortinet does not recommend it. Left unattended, a GUI or CLI session could allow anyone with physical access to your computer to change FortiRecorder settings. A short idle timeout limits this exposure. See Configuring the public port numbers and domain name.
  • Restrict administrative access to a single network interface (usually port1), and only allow the management access protocols that you use.

    Use only the most secure protocols. Disable Access: PING, except during troubleshooting. Disable Access: HTTP, Access: SNMP, and Access: TELNET unless the network interface only connects to a trusted, private administrative network: HTTP and Telnet carry credentials in clear text, and SNMP v1/v2c community strings are likewise unencrypted. See Configuring network interfaces.

Operator access

  • Authenticate users only over encrypted channels such as HTTPS. Authenticating over non-secure channels such as Telnet or HTTP exposes the password to any eavesdropper on the path. Replace the default GUI certificate with one your clients can verify, so that users are not trained to click through certificate warnings. For certificate-based server or FortiRecorder authentication, see Replacing the default certificate for the GUI.
  • Immediately revoke certificates that have been compromised. If possible, automate the distribution of certificate revocation lists (see Revoking certificates).
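The checklist in the Topology, Administrator access, and Operator access sections above is easy to drift away from between reviews. The script below, added here as an example and not FortiRecorder code, turns those rules into an audit over an inventory of the relevant settings. FortiRecorder has no export in this shape: SAMPLE_INVENTORY is constructed by hand from what the GUI shows, and the field names, interface roles, account names, and addresses (RFC 5737 documentation ranges) are all assumptions of this example.

```python
"""Audit a FortiRecorder hardening checklist against a hand-built settings inventory.

Added example, not FortiRecorder code. The inventory layout, the account names
and the addresses below are assumptions; transcribe your own values from the GUI.
"""
from datetime import date
import ipaddress

MIN_PASSWORD_LENGTH = 8     # guide: at least 8 characters, letters and digits
MAX_PASSWORD_AGE_DAYS = 60  # guide: rotate on a fixed schedule such as 60 days
MAX_IDLE_TIMEOUT_MIN = 5    # guide: keep the 5-minute default idle timeout
# Clear-text or weakly protected management protocols the guide says to disable
# unless the interface faces only a trusted, private administrative network.
PRIVATE_ONLY_ACCESS = {"http", "snmp", "telnet"}

SAMPLE_TODAY = date(2024, 6, 1)  # constructed audit date for the sample data
SAMPLE_INVENTORY = {             # constructed sample, RFC 5737 addresses
    "admin_networks": ["192.0.2.0/24"],   # trusted management subnets
    "interfaces": {
        "port1": {"status": "up", "role": "admin",   "access": ["https", "ssh", "ping"]},
        "port2": {"status": "up", "role": "cameras", "access": []},
        "port3": {"status": "up", "role": "storage", "access": ["http", "https"]},
        "port4": {"status": "up", "role": "unused",  "access": []},
    },
    "admins": [
        {"name": "admin",  "profile": "super_admin", "idle_timeout_min": 5,
         "trusted_hosts": ["192.0.2.0/24"], "password_changed": date(2024, 5, 10)},
        {"name": "guard1", "profile": "super_admin", "idle_timeout_min": 30,
         "trusted_hosts": ["0.0.0.0/0"], "password_changed": date(2024, 1, 15)},
    ],
}


def password_meets_policy(password: str) -> bool:
    """Length plus mixed letters/digits rule from the guide (a floor, not a target)."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _in_trusted_networks(host: str, admin_nets) -> bool:
    """True if the trusted-host entry lies inside one of the administrative subnets."""
    net = ipaddress.ip_network(host, strict=False)
    return any(net.version == trusted.version and net.subnet_of(trusted)
               for trusted in admin_nets)


def audit(inventory: dict, today: date) -> list:
    """Return one finding string per deviation from the hardening checklist."""
    findings = []
    admin_nets = [ipaddress.ip_network(n) for n in inventory["admin_networks"]]

    # Topology and interface rules: unused ports down, management on one port only,
    # PING off outside troubleshooting, clear-text protocols only on the admin network.
    mgmt_ifaces = []
    for name, iface in inventory["interfaces"].items():
        access = set(iface["access"])
        if iface["role"] == "unused" and iface["status"] != "down":
            findings.append(f"{name}: unused interface is up; set Administrative Status to Down")
        if access:
            mgmt_ifaces.append(name)
        if "ping" in access:
            findings.append(f"{name}: PING enabled; disable except during troubleshooting")
        weak = sorted(access & PRIVATE_ONLY_ACCESS)
        if weak and iface["role"] != "admin":
            findings.append(f"{name}: {', '.join(weak)} enabled on a non-administrative interface")
    if len(mgmt_ifaces) > 1:
        findings.append("management access enabled on several interfaces: " + ", ".join(mgmt_ifaces))

    # Account rules: few super-administrators, trusted hosts, rotation, idle timeout.
    super_admins = [a["name"] for a in inventory["admins"] if a["profile"] == "super_admin"]
    if len(super_admins) > 1:
        findings.append("more than one super-administrator account: " + ", ".join(super_admins))

    for acct in inventory["admins"]:
        name = acct["name"]
        for host in acct["trusted_hosts"]:
            if ipaddress.ip_network(host, strict=False).prefixlen == 0:
                findings.append(f"{name}: trusted host {host} allows login from any source")
            elif not _in_trusted_networks(host, admin_nets):
                findings.append(f"{name}: trusted host {host} is outside the administrative networks")
        age = (today - acct["password_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{name}: password is {age} days old (policy: {MAX_PASSWORD_AGE_DAYS})")
        if acct["idle_timeout_min"] > MAX_IDLE_TIMEOUT_MIN:
            findings.append(f"{name}: idle timeout {acct['idle_timeout_min']} min exceeds {MAX_IDLE_TIMEOUT_MIN}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY, today=SAMPLE_TODAY):
        print("FINDING:", line)
```

Run against the sample, the audit reports the unused port4 left up, PING on port1, HTTP on the storage interface, management access spread over two ports, a second super-administrator, and the guard1 account's any-source trusted host, stale password, and long idle timeout; the admin account passes. The trusted-host check deliberately treats 0.0.0.0/0 separately from a merely mis-scoped subnet, because the first undoes the Trusted hosts control entirely.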