3VR Cybersecurity Capabilities
Introduction
Cybersecurity is one of the major concerns for customers across the globe. With the proliferation of IoT devices across the network and the sophistication of cyber attacks, security is one of the top requirements when deploying IP-based surveillance systems.
3VR has invested heavily to ensure that all 3VR Video Management Systems (VMS) and appliances are as secure as possible against virus threats and external attacks. This document describes the hardened security measures 3VR has built into the product to address the IT requirements of today’s security buyers.
Security Industry Trends
In the past, physical security assets were primarily managed by security and facilities departments within companies. With the massive proliferation of Internet Protocol (IP)-based cameras across all vertical markets, the lines have blurred between IT and physical security. IT security teams are now involved in the acquisition and deployment of surveillance systems.
3VR System Architecture
3VR Appliance Architecture
3VR has created an integrated VMS appliance that is highly resistant to network-based attacks. The applications most commonly exploited by attackers are either severely restricted or are not present on 3VR systems.
The 3VR system is built upon a modular version of Microsoft Windows (Embedded Windows O/S). It is designed to severely restrict components that present security risks, such as Internet Explorer and other applications that have historically exposed vulnerabilities. A minimal operating system and software stack on the appliance omits unnecessary services.
Examples of services not installed or enabled on the system include:
- Internet Explorer
- Internet Information Server
- File Transfer Protocol (FTP)
- Telnet servers and clients
Since the system is highly restricted, not all Microsoft security patches need to be applied to 3VR appliances. The security team at 3VR watches the security patches released and creates patches for the issues that could be a threat to the system. This allows our customers to manage updates to the system effectively, reducing total cost of ownership (TCO).
Network Protocols and Encryption
The 3VR system provides security at the physical and network levels. Interconnects between all 3VR applications (client and server) are built on a proprietary protocol. All 3VR software applications communicate using an encrypted and secure proprietary messaging protocol that minimizes the risk of intruder access. To further protect the system, 3VR has a built-in software firewall that restricts traffic to only the allowed ports. With this set of security measures in place, the 3VR VMS appliance uses only one type of service: a 3VR proprietary protocol that supports authentication with one-way, hash-based encryption.
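One way to check the claims above (no FTP, Telnet or IIS listeners, and only the ports the application needs) against an appliance's own socket table. This is an added example, not 3VR code; the allowlisted port 50000 and the netstat sample are constructed, because the page does not publish the ports the 3VR protocol uses.

```python
# Well-known default ports of the services the page lists as not installed.
FORBIDDEN = {21: "FTP", 23: "Telnet", 80: "IIS (HTTP)", 443: "IIS (HTTPS)"}

# Assumption: placeholder allowlist. 50000 is a made-up value standing in for
# the (unpublished) port of the proprietary protocol.
ALLOWED = {50000}

# Constructed sample of Windows `netstat -ano` output (not from a real system).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       888
  TCP    [::]:8080              [::]:0                 LISTENING       4321
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:50000         10.0.0.9:51512         ESTABLISHED     1234
  UDP    0.0.0.0:161            *:*                                    2200
"""

def listeners(netstat_text):
    """Yield (proto, address, port, pid) for sockets accepting inbound traffic."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        # TCP rows carry a State column; UDP rows have none and are always open.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        addr, _, port = f[1].rpartition(":")  # rpartition copes with "[::]:8080"
        yield f[0], addr.strip("[]"), int(port), int(f[-1])

def audit(netstat_text, allowed=ALLOWED):
    """Return sorted (port, proto, pid, reason) for every unexpected listener."""
    findings = []
    for proto, addr, port, pid in listeners(netstat_text):
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only sockets are not reachable from the network
        if port in FORBIDDEN:
            findings.append((port, proto, pid, f"{FORBIDDEN[port]} should not be present"))
        elif port not in allowed:
            findings.append((port, proto, pid, "listener not on the allowlist"))
    return sorted(findings)

if __name__ == "__main__":
    for port, proto, pid, why in audit(SAMPLE):
        print(f"{proto}/{port} (pid {pid}): {why}")
```

The socket table shows what is listening, not what the host firewall lets through, so compare the result with a scan run from another machine on the same network.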
A symmetric AES 128-bit encryption key is negotiated using the Diffie-Hellman key-exchange algorithm. In addition, the key for all communication between the 3VR components and client applications is renegotiated every hour. Encryption can be disabled using System Manager, but even when it is disabled, encryption is always used during user authentication, when user names and passwords are sent. The 3VR system is hardened against all attack vectors with fully secure data streams in and out of the 3VR server/appliance. In addition, 3VR servers/appliances use minimal bandwidth to prevent any disruption of existing business applications.
Email Services
3VR provides limited SMTP/SSMTP (Simple Mail Transfer Protocol/Secure Simple Mail Transfer Protocol) support that is constrained to eliminate risk. 3VR provides outbound-only SMTP/SSMTP, and only provides it when a customer specifically configures it. 3VR does not allow SMTP forwarding. The software automatically determines the email content. Furthermore, the SMTP client is coded directly into the application, and the 3VR applications do not contain any email receiving code.
Vulnerability Testing
3VR runs Tenable’s Nessus vulnerability test suite on every release it ships. These tests consistently show that the 3VR system is clean with respect to known vulnerabilities (detailed test results are available from 3VR on request). Network security personnel for various 3VR customers have run different suites with similar results.
Antivirus
3VR’s antivirus strategy focuses on lockdown. 3VR servers/appliances do not currently perform antivirus scanning. In 15+ years of widespread commercial deployment, not a single 3VR system has been infected with a virus.
Recommendations
Customers should follow the same password standards for VMS applications as for other applications on their network. Customers should apply the latest security patches to existing systems as soon as they are available.
Appliances/devices that are out of compliance (i.e., EOL O/S and/or application software) should be removed from the network if cybersecurity patches are not up to date on the system. Customers should follow best practices in cooperation with their IT, cybersecurity and security departments for their VMS platforms.
Conclusion
Cybersecurity needs to be part of the deployment strategy for all VMS applications. 3VR servers/appliances are uniquely protected when it comes to cybersecurity. Only services and ports required by the 3VR application are enabled, making it difficult for vulnerabilities to be exposed on the VMS systems. 3VR applications also have the ability to push camera firmware (security patches) to cameras directly from 3VR client applications, making it easy and simple to manage surveillance systems effectively.
Designing a system that does not compromise on usability while maintaining the highest cybersecurity is the focus of 3VR applications. This allows customers to maintain and manage their systems following the standards and processes set by their corporate IT teams.