The Network Video Recorder journey
I'm paranoid. I had high resolution IP cameras installed around the house before we even moved in - literally.
The part of me that worries about cyber security, though, has an issue with this technology - and it's simply that they're a whole heap of little network-connected computers that eventually stop getting updates from their manufacturers, so they become insecure.
Professionally, when hardware does that, we replace it. At home, I'm not so keen. In a street full of Bunnings-grade Swann TVI cameras, I have high resolution, mostly Hikvision, IP cameras. There are entire systems in our street that cost what I spent on one camera.
The NVR - the recorder - is Internet facing. It, along with my cameras, is isolated on the network, allowing only certain parts of the network in, and it's blocked from going out to any of the network.
That device wasn't cheap - some $700 at the time. And it hasn't seen a security update in the past 4-odd years. It's also an 8 channel unit, and I currently have 11 cameras running.
I'd been debating trying to put aside the cash to replace it with a 16 port unit. They can be had cheaper, but I'll wind up in the same boat - with a device that will sooner or later be completely insecure sitting open to the Internet.
I can't say I'm terribly keen on respending money to wind up in the same situation. It simply doesn't sit well with me.
I've known about some software called ZoneMinder. It's been around for a long time. I tried it a few years ago and really couldn't take to it. It has a bit of a learning curve and at the time, it was really geared towards low resolution cameras.
I ran it up on a virtual machine the other day on a fresh Ubuntu install. I gave it a lot of CPU and RAM and a good sized extra disk for storage.
Following a couple of online guides, I got it installed easily, and started adding cameras.
Using the default settings, I had a few cameras in at 4-6MP, and had it doing motion detection and analysis. I noted quickly that the processing was falling way behind, the memory usage was insane and the CPUs were being smashed. I might add, I'd allocated 16 CPUs and 24GB RAM - so this virtual machine has more power than most PCs.
Eventually, I discovered that I was better off splitting the streams up - having high resolution recordings running all of the time, and having a second "monitor" (camera stream) using the camera's substream at a low resolution to do motion detection and provide a "live view".
In that discovery period, what I had noticed was that the "Decoding" function that allowed live view to work on the high resolution streams was the cause of the high resource utilisation and, ultimately, of the processing getting behind quickly. That was what led me to running a pair of streams for each camera. During that time, I was essentially running a pair of ZoneMinder servers with the cameras configured differently to assess exactly what was burning resources.
It took me around 24 hours from starting out to getting to a point where I've got a reliable looking NVR replacement. I can even trim back the allocated RAM to possibly 8GB (maybe 12 for good measure).
I've since added an NFS share on my NAS, and by adding a second network card to the ZoneMinder server I was able to hook it into my "storage network", so it has access to a dedicated disk for the video recordings.
I need to nail down the access around that second NIC a little more, given it's currently a hole between an isolated network and an internal, non-routed network. Still, the ZoneMinder server itself has been nailed down fairly tight and will get frequent updates. The old NVR will stop being accessible from the Internet soon, but I'll keep it as a redundant copy of "the cameras that matter".
Instead of allowing the ZoneMinder server to be directly accessible from the Internet, I've created a "reverse proxy" in my server subnet. Effectively the outside will hit that, and it will then handle the interface between the Internet and the application's web server. This method has a bit going for it - the subnet it's on is highly restricted and doesn't allow access from there into my network, except to allow web traffic from the reverse proxy to the ZoneMinder server.
The reverse proxy doesn't have a lot of "moving parts" - there isn't a massive number of modules loaded that need to be maintained and that increase the attack surface. The web server that ZoneMinder is running on does have them. Adding the reverse proxy just helps keep things a bit safer.
There's also a lot less negative impact from being aggressive with the patching on the reverse proxy, given that doing so doesn't actually impact the operation of ZoneMinder. It just affects my ability to access it externally.
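To make the reverse proxy arrangement concrete, here is an added example of what the proxy's configuration can look like. It is not from this post or from the ZoneMinder project: the post doesn't say which proxy software runs on the FreeBSD box, so this assumes nginx, and the hostname `cams.example.net`, the internal address `10.0.50.10`, the `/zm/` path and the certificate paths are all placeholders. The point it shows is that only one path is forwarded, the UI is never served over plain HTTP, and the proxy itself reveals as little as possible.

```nginx
# Added example: minimal nginx reverse proxy in front of ZoneMinder.
# Assumptions (not from the post): nginx is the proxy, ZoneMinder is
# reachable at http://10.0.50.10/zm/ (placeholder), and certificates
# live under /usr/local/etc/ssl (placeholder paths).

server {
    listen 80;
    server_name cams.example.net;          # placeholder hostname
    return 301 https://$host$request_uri;  # never serve the UI over plain HTTP
}

server {
    listen 443 ssl;
    server_name cams.example.net;          # placeholder hostname

    ssl_certificate     /usr/local/etc/ssl/cams.fullchain.pem;  # placeholder
    ssl_certificate_key /usr/local/etc/ssl/cams.key.pem;        # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    # The proxy is the only thing on this host; don't advertise its version.
    server_tokens off;

    # Only the ZoneMinder path is forwarded. Anything else is answered
    # here with a 404 and never reaches the internal server.
    location /zm/ {
        proxy_pass http://10.0.50.10/zm/;   # placeholder internal address
        proxy_http_version 1.1;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Live view streams are long-lived; don't let nginx buffer them to disk.
        proxy_buffering off;
        proxy_read_timeout 300s;
    }

    location / {
        return 404;
    }
}
```

This complements, rather than replaces, the firewall rule the post describes: the subnet's policy of allowing only web traffic from the proxy to the ZoneMinder server lives in the firewall, so even if the proxy were compromised it could only talk to that one host on that one port.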
In this case, the reverse proxy is just a simple FreeBSD installation. Nice, simple, lightweight, and does nothing else. Initially I was going to use Ubuntu as well, but in the time it took the Ubuntu installer to get about 3/4 of the way through, I'd uploaded FreeBSD to the datastore, spun up a VM, and had it running and updating. That's simply why it's running FreeBSD.. it's just "better".
The "old" NVR - I'm not sure I want to lose it yet. It does feed a monitor in our front hall, and it's pretty reliable. That monitor actually has an embedded Android module. If I can get ZMNinja to work on it, perhaps I'll consider trying that to replace the live view.. which could lead to the old NVR going away. I may also consider trying to get ZMNinja to work on a Raspberry Pi to feed that screen. There'll be a bit of work to find the best option that provides us a reliable view before I go changing anything.
A lot of the value to us comes from the ability to look at that screen and see what's going on - whether it's the Uber Eats driver pulling up, the meth head trying the car doors in the middle of the night or the kids trying to sneak into the shed, so that'll be one to get right.