Main PC and security camera sharing same ethernet cable - is there an issue?

[gonegreynow]

Morning all
Long time windows PC user but aware there are still gaps in my knowledge.
Just acquired first Security camera (Reolink 520a) and will power over Ethernet. Currently testing using discrete 12v supply. To begin with, will rely on built in storage (micro SD card) to record footage before deciding if to acquire NVR or try something DIY (Raspberry Pi).
Had planned to buy POE switch and to connect both security camera and main PC to the switch - which would share one cable back to router.
Have read some comments (not on OC) suggesting possible security issues with this type of arrangement but must confess that I don’t have knowledge or expertise to determine if these are real issues or theoretical.
Have also tried to get my head round managed and unmanaged switches in an effort to determine if a managed switch would help overcome any issues.
Must confess to being a bit lost and not knowing if I should be concerned or not.
Very grateful for any help, not matter how basic.
Would like to try and understand issues before committing any more cash to new hardware (switch, NVR, 2nd camera, etc).
Thank you.

 

[andy_mk3]

Not a security issue at all. It’s no different to a separate cable, anything on your LAN is open to other devices on your LAN. You don’t need a managed switch either.

 

[Mcnumpty2323]

Yeah can't really see an issue
A WiFi camera would probably be more vulnerable

Without knowing what comments you saw
Said about why it was an issue
It's hard to say that's not the case

End of the day
Anything at all connected to the Internet
Is vulnerable to some degree
Though the risk may be minute

 

[Lunar_Fox]

The switch doesn't care if its a security camera, pc, server or any other ethernet device.

What people do get anxious about is sharing same IP network between security cameras and the rest of the home network. If somebody hacks the camera, they can access the rest of the devices on your home network.

Also if your home network gets hacked then they can see your camera footage if its not locked down.


You could set up a VLAN for the cameras but I would say the main thing is don't allow incoming ports to the camera and make sure you keep the firmware up to date and ensure you have a userid and password for connecting, don't use the default one.

 

[gonegreynow]

The switch doesn't care if its a security camera, pc, server or any other ethernet device.

What people do get anxious about is sharing same IP network between security cameras and the rest of the home network. If somebody hacks the camera, they can access the rest of the devices on your home network.

Also if your home network gets hacked then they can see your camera footage if its not locked down.


You could set up a VLAN for the cameras but I would say the main thing is don't allow incoming ports to the camera and make sure you keep the firmware up to date and ensure you have a userid and password for connecting, don't use the default one.

Thanks.
The reason I was thinking about a managed switch was because I’d read that it was possible to set up a VLAN and although a bit above my head, I thought it would be straightforward to read up and learn now to set one up.
It’s at times like this I realise how many gaps there still are in my knowledge (particularly about routers. firewalls, ports and networking), so rather than not bother with security cameras at all, this was my attempt at going slow; buying the hardware in stages and take some time reading up on those issues I’m not clear about.

 

[gonegreynow]

Yeah can't really see an issue
A WiFi camera would probably be more vulnerable

Without knowing what comments you saw
Said about why it was an issue
It's hard to say that's not the case

End of the day
Anything at all connected to the Internet
Is vulnerable to some degree
Though the risk may be minute

Thanks for taking the time to reply. I’ve a few more thoughts above.

 

[gonegreynow]

Not a security issue at all. It’s no different to a separate cable, anything on your LAN is open to other devices on your LAN. You don’t need a managed switch either.

Thanks for your thoughts. It’s at times like this I realise there are still large gaps in my knowledge.

 

[gonegreynow]

I think spending some time reading up/watching videos of ports, firewalls, VPNs etc could be time well spent. Thanks for all replies received so far.

 

[Mcnumpty2323]

Probably the place to start reading up
Would be your router capabilities
Or any router you plan to purchase if not
Already got one you plan to use

Reading up never hurts
Though can give you a headache
You may be overthinking it/worrying too much
But as we don't know what was originally said
About security risk
We can't really tell

Networking beyond slightly above basic stuff
That I have used for myself
Isnt really my strong point though
There's definitely network experts in here
Who do this sort of stuff for a living
But they would probably still not be able to say
Without seeing original comments about security risk

Though they would be able to advise hardware etc

 

[gonegreynow]

Probably the place to start reading up
Would be your router capabilities
Or any router you plan to purchase if not
Already got one you plan to use

Reading up never hurts
Though can give you a headache
You may be overthinking it/worrying too much
But as we don't know what was originally said
About security risk
We can't really tell

Networking beyond slightly above basic stuff
That I have used for myself
Isnt really my strong point though
There's definitely network experts in here
Who do this sort of stuff for a living
But they would probably still not be able to say
Without seeing original comments about security risk

Though they would be able to advise hardware etc

Thanks again for your thoughts. Much appreciated.
Re your comment about over thinking/worrying too much - that/s me down to a tee!! Can’t help it.
I have had one more thought - possible workround. My router has a guest wifi network. Am wondering if I either get hold of a WAP with ethernet ports or re-purpose an old router, that I could plug the camera(s) into the RJ45 sockets and then have them communicate with the main router via the guest wifi network. I am thinking this would then isolate any cameras from my main PC.
Not looking for an answer to this - just something that I’ll keep in the back burner for now.
Thanks again.

 

[Mcnumpty2323]

Thanks again for your thoughts. Much appreciated.
Re your comment about over thinking/worrying too much - that/s me down to a tee!! Can’t help it.
I have had one more thought - possible workround. My router has a guest wifi network. Am wondering if I either get hold of a WAP with ethernet ports or re-purpose an old router, that I could plug the camera(s) into the RJ45 sockets and then have them communicate with the main router via the guest wifi network. I am thinking this would then isolate any cameras from my main PC.
Not looking for an answer to this - just something that I’ll keep in the back burner for now.
Thanks again.

That's sounds doable
Depending on router capabilities
I use a few hauwei ax3 routers
Really cheap to play around with mesh and access points
Only cost me £30 each
Still wifi 6 and pretty sure can have a guest network
But they work as router,mesh,access points
And think what you're saying would work

But if your back haul to the router is over wifi
Then the wifi is a point of vulnerability
Whats the odds of someone in range of it wanting to bother?
Who knows
But from personal experience with a neighbour from hell
I can tell you a homemade biquad antenna can
Pick up wifi from a lot further away
Than most people think
And can cause havoc to their network using linux
Like I said before though anything connected to the Internet
Has some degree of vulnerability
Air gapped systems are built for a reason
It's likely to be something like one in ten millions
Or even more that someone would bother to put time into
Messing with a random person's network anyway
But it's not zero chance
And that's me overthinking things too

Though I do still have that home made biquad
But nowadays I have nice neighbours

 

[Lunar_Fox]

Don't get too hung up on WiFi security. Nobody should be using WEP. WPA2 is still consider secured for domestic use, WPA3 is more secure but not all devices support it so until everything on your home network does then make sure you are using WPA2.

More import then that is make sure you keep your firmware updated. Bit tricky with some ISP as they lock down the firmware but if you have your router keep it updated. Asus, netgear, TP link etc, generally have monthly releases and a lot are security patches.

And it goes without saying to change passwords, especially admin ones. And unless you have a specific reason, switch off remote admin and to be honest port forwarding or any external access.

By a huge distance, the biggest cause of issues are devices,.be they PC, CCTV, or anything using the internet.

FYI, VLAN basically separate network traffic. Its done at switch level, its the same switch and cable but virtual separation. If misconfigured it doesn't add any extra security.

 

[Mcnumpty2323]

I wouldn't go as far as to say
Wpa2 is secure for domestic use
I would still say it's more a case of is anyone
In range of your wifi actually wanting to specifically
Spend some time trying to hack it
Wpa2 still has the issue of the handshake just as one example
Once captured no further connection is needed
It comes down to how complicated a password you used
To defend against brute force or dictionary attacks
Especially since gpu acceleration can be used

As lunar fox said though
Update router firmware whenever possible
Problem is a lot of people use isp provided routers
And isp aren't always very good at doing this
Long time ago now but sky even gave people routers
Where the mac address was used to generate the wifi password
Far as I know sky didn't even recall the routers
So using an isp router I would also advise against
Change default passwords
Disable remote access

Most importantly and this is the bit people find inconvenient
Use a very complex password
Yes it's a pain when friends or family want to connect
But should still do it
Also disable wps
Hide your said
Create a whitelist of allowed mac addresses

Still won't prevent someone determined and knowledgeable
Hidden ssid can still be found if know how
Mac addresses can be spoofed

It comes down to a numbers game
If there's say 50 million wifi networks
The odds of yours being attacked are better
Than winning the lottery
And the other factor is if anyone near you
Has a specific reason to pick you out
And the knowledge or willingness to learn this stuff

Being a neighbour from hell for example using wpa2
Didn't save them