Educause Security Discussion mailing list archives

Re: Share with us a copy of your Security Cameras Policy


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Tue, 27 Mar 2012 15:45:27 -0400

On 3/27/2012 3:06 PM, Carlos Lobato wrote:

> Hello All,
>
> NMSU is currently having some discussion about the possibility to install "Security
> Cameras" at various places throughout campus such as parking lots, etc., but would
> like to inquire from those of you who have already installed cameras to share with us
> a copy of your policies and/or other feedback that would be helpful.


We don't have a formal "policy" but there have been some reactive practices that have
developed over the years.  Not sure if you are after network, security, policy, access,
or other guidelines, but I can address the networking concerns.

The initial camera deployment was in a housing unit (reactive to an incident) under some
special funding.  It was contracted out, cameras run back to our communication closets,
contractors supplied PoE switches and/or injectors, and NVRs for recording.  After a few
hundred were deployed, we were finally asked "Where do we plug these in to the network
so we can watch them?"  :(

To make a long story as short as possible, the NVRs have two NICs as standard, one side
for vendor video (camera-facing), and the other side on the campus network in a private
VRF.  Only authorized "viewers" can actually reach the NVRs.

In some cases, we have backhauled the camera video as well over our network, using
another VLAN in the same private VRF.

You will want to keep this off the campus network as much as possible - the devices, the
vendors, the other equipment, were all designed for a closed network...

It sounded good on paper, but in practice, if there is any issue with the cameras,
video, etc., the blame goes on "our network" and we're guilty until proven innocent. 
For that reason we have tried to go back and add some passive visibility to our network
management, e.g., management interface on the camera-side switches.

In general, the "separation" works well, but you will end up inheriting more of the
responsibility for ongoing operation than you might imagine.  If I had it to do over
again, and the opportunity to provide some insight in advance, I would have preferred
getting things set up better under our control and oversight to begin with (e.g., IP
ranges, subnetting, address assignments, management, etc., done by the vendor on "their"
network can/will come back to haunt you).

Jeff
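
The segregation described in the message above (cameras on a closed, camera-facing network; NVRs reachable on the campus side only by authorized viewers) can be checked against flow records taken from the kind of passive visibility the message mentions. The following Python is an added example, not part of the original post; every subnet, address and record in it is a constructed assumption.

```python
import ipaddress

# Constructed addressing plan (assumption; the post gives no addresses).
CAMERA_NET = ipaddress.ip_network("10.99.0.0/24")           # camera-facing side
NVR_CAMPUS_SIDE = {ipaddress.ip_address("172.20.5.10")}     # NVR NIC in the private VRF
AUTHORIZED_VIEWERS = ipaddress.ip_network("172.20.6.0/28")  # viewer workstations

# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("172.20.6.4", "172.20.5.10", 443),     # authorized viewer -> NVR
    ("192.168.40.17", "172.20.5.10", 443),  # campus host outside the viewer range
    ("10.99.0.23", "10.99.0.2", 554),       # camera -> NVR, stays on the closed side
    ("10.99.0.23", "192.168.1.50", 80),     # camera traffic leaving the closed side
    ("172.20.6.9", "10.99.0.23", 80),       # viewer going to a camera directly
]

def classify(src, dst):
    """Return None if the flow fits the segregation model, else a reason."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    s_cam, d_cam = s in CAMERA_NET, d in CAMERA_NET
    if s_cam and d_cam:
        return None  # traffic that never leaves the camera side
    if s_cam or d_cam:
        return "camera network crossed"
    if d in NVR_CAMPUS_SIDE and s not in AUTHORIZED_VIEWERS:
        return "unauthorized NVR access"
    return None

def audit(flows):
    """List (flow, reason) for every flow that violates the model."""
    findings = []
    for src, dst, port in flows:
        reason = classify(src, dst)
        if reason:
            findings.append(((src, dst, port), reason))
    return findings

if __name__ == "__main__":
    for (src, dst, port), reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {src} -> {dst}:{port}")
```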
