Firewall & Network Security Working with Luxriot EVO

Network security and the security of your system are an important aspect of any design. Traditional analogue CCTV systems afforded natural security at the camera location, as there was no real method of image data connectivity to your recording server. Modern IP systems, although offering many benefits, also present a greater risk to your data from unwanted external access. Videcom Security always recommend designing a system with multiple networks configured [EVO cameras][EVO monitor clients][internet] and then restricting activity on each network to the minimum that is required. For example, a camera network does not need client monitor software or mapping access, so these services (ports) can be disabled on these network ports.

WARNING !!! Windows Firewall provides the basic tool set required to better secure your network. Before making any changes to your firewall we recommend you seek permission from your system administrator. Making changes to your firewall may affect other services and programs running on your computers or server. The example below is designed to ONLY allow Luxriot EVO products and cameras to work along with TeamViewer remote access, and is shown as an example to highlight the need to properly manage your network.

Luxriot EVO Firewall Setup

Ports Described

As described in our article about the Mobile App, ports are like rooms in your computer where programs and services can be found. A firewall can be configured to restrict access to these ports from outside, by locking the doors.

Luxriot EVO uses certain predefined ports and requires these ports to be reachable from external network devices.

Luxriot EVO Port Numbers

Port Numbers

Server Ports

VMS Port : 60554 & Streaming Server : 8080

External Devices Ports

Cameras RTSP : 554, HTTP : 80 or HTTPS : 443

Maps: 443

We also recommend TeamViewer for Videcom remote support: 5938

Luxriot EVO Ports Allow

Firewall Setup

Firewall rules typically work from top to bottom, ending with a Block-All rule; the rules above the Block-All allow traffic when it matches. You can also use additional rules restricting IP addresses (other network devices) or programs.

Below we describe an aggressive firewall setup that allows only the minimum services.

Firewall Rules for Luxriot EVO S

Inbound to Server

Port 60554 : Allow from all

Port 8080: Allow from all

Port 5938: Allow from all (TeamViewer)

Outbound to Cameras

Port 554 : Allow

Port 80 : Allow

Port 443 : Allow

Port 5938: Allow from all (TeamViewer)

Further Tips on your Firewall

If you only have a single network port for cameras and viewing clients then consider also creating rules by IP address. Configure your firewall to allow connections from known IP devices as well as creating the rules listed above. Where you can configure network adapters individually, DO NOT allow client connection port 60554 on your camera network.

Always set up your system first with standard firewall rules and make sure everything is working before you make any changes to your network. Always clearly name your firewall rules, and remember that your rules will need to be placed above any existing rules in your firewall.
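
The rule set and tips above written as Windows Firewall PowerShell, as an added example rather than Videcom's or Luxriot's own script. The adapter aliases Cameras and Clients, the camera subnet and the use of TCP for every port are assumptions; port 60554 is bound to the client adapter only, following the tip above.

```powershell
# Added example: the article's minimum-services rules as Windows Firewall rules.
# Adapter aliases and the camera subnet are assumed values, not from the article.
param(
    [switch]$Apply,                          # without -Apply every change is previewed (-WhatIf)
    [string]$CameraNic  = 'Cameras',         # hypothetical adapter alias
    [string]$ClientNic  = 'Clients',         # hypothetical adapter alias
    [string]$CameraCidr = '192.168.10.0/24'  # constructed sample subnet
)
$preview = -not $Apply
$group   = 'Luxriot EVO example'

# Ports as listed in the article. TCP is an assumption: the article names no protocol.
$rules = @(
    @{ Name = 'VMS in';         Dir = 'Inbound';  Port = 60554; Nic = $ClientNic }
    @{ Name = 'Streaming in';   Dir = 'Inbound';  Port = 8080 }
    @{ Name = 'TeamViewer in';  Dir = 'Inbound';  Port = 5938 }
    @{ Name = 'Camera RTSP';    Dir = 'Outbound'; Port = 554; Nic = $CameraNic; Remote = $CameraCidr }
    @{ Name = 'Camera HTTP';    Dir = 'Outbound'; Port = 80;  Nic = $CameraNic; Remote = $CameraCidr }
    @{ Name = 'HTTPS and maps'; Dir = 'Outbound'; Port = 443 }
    @{ Name = 'TeamViewer out'; Dir = 'Outbound'; Port = 5938 }
)

# Re-running the script replaces this group's rules instead of duplicating them.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule -WhatIf:$preview

foreach ($r in $rules) {
    $p = @{
        DisplayName = "$group - $($r.Name)"   # clearly named, as the article advises
        Group       = $group
        Direction   = $r.Dir
        Action      = 'Allow'
        Protocol    = 'TCP'
        WhatIf      = $preview
    }
    # Inbound rules match the server's listening port, outbound rules the remote port.
    if ($r.Dir -eq 'Inbound') { $p.LocalPort = $r.Port } else { $p.RemotePort = $r.Port }
    if ($r.Nic)    { $p.InterfaceAlias = $r.Nic }     # bind the rule to one adapter
    if ($r.Remote) { $p.RemoteAddress  = $r.Remote }  # and to known device addresses
    New-NetFirewallRule @p | Out-Null
}

# The closing Block-All: Windows Firewall expresses it as the profile default action.
# Other allow rules that are already enabled keep working until they are disabled,
# and blocking outbound by default also stops anything not listed above (DNS, updates).
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block `
    -DefaultOutboundAction Block -WhatIf:$preview

if ($Apply) { Get-NetFirewallRule -Group $group | Format-Table DisplayName, Direction, Action }
```

Run it without -Apply first to see what would change, then again with -Apply from an elevated PowerShell session once the preview matches the intended design.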

By carefully designing your CCTV IP network you can better ensure the integrity of your digital data. Strong UAC, usernames and passwords are also very important.

Why do we need to consider firewalls with EVO?

All modern IP network based CCTV systems by their design pose a greater risk of unauthorised data access compared to older traditional CCTV systems. Our first line of defence is strong UAC username and password management. When you buy Luxriot EVO you are investing in a well designed and thought through software solution for the recording and display of digital video (VMS). Part of this is a device-by-device User Account Control (UAC), allowing restriction to devices and to parts of a device's configuration such as recording and/or camera control (PTZ).

Often, with cameras external to our building and CCTV control rooms, we need to further consider intrusion risk at these points. Physical security, UAC, VLANs and wireless network encryption are our first line of external defence, and adding firewall restrictions at the point of entry to our core networks is belt and braces good security practice. A firewall can be either a software firewall inside each EVO Server and Client or centrally managed hardware firewall(s).