Feature Description And Hardening Decisions - Bosch 7000i-2MP Quick Start Manual


IP Camera Hardening and Cybersecurity Guide | Secure Configuration and Operation

Feature Description and Hardening Decisions

HTTP
HTTP is enabled by default but unencrypted, so credentials or settings are transferred unencrypted if it is used.
Recommendation: Plain HTTP should be disabled in favor of encrypted HTTPS, especially if the network is untrusted.
HTTPS
HTTPS is encrypted and should be the default choice for accessing the web interface or the web-based RCP API. Using your own PKI and certificates is recommended.
Recommendation: HTTPS is the default secure protocol used for configuration and should remain enabled.
RTSP
RTSP is used for video streaming, but is normally unencrypted. If the software receiving the video stream is capable of using RTSPS, it is recommended to disable plain RTSP. When using other Bosch components (e.g. decoders / BVMS / VRM / DIVAR IP), a Bosch proprietary encryption for RTSP can be enabled, making transmission secure.
Recommendation: Take a risk-based approach to deciding whether video can be transmitted unencrypted or via Bosch encryption. If possible, use encrypted RTSPS.
RCP
The Bosch proprietary "remote control protocol plus" is the configuration protocol for Bosch IP cameras. Plain RCP is unencrypted, so settings are transferred unencrypted. All Bosch tools have used RCP over HTTPS communication for some time now, but plain RCP might be needed for 3rd party integration tools or scripting tools still relying on this protocol.
Recommendation: Disable RCP if not used by 3rd party tools or legacy systems.
SNMPv1
SNMP is the common network monitoring protocol used to query health information of a device or send out traps to a remote receiver, but it is unencrypted.
Recommendation: Keep disabled if not required for health monitoring or other compatibility reasons; use SNMPv3 if possible.
SNMPv3
SNMPv3 is the successor of SNMPv1 and can also be used encrypted.
Recommendation: Recommended if SNMP monitoring must be implemented.
iSCSI
Disables the internal iSCSI server, which is used to make internal recordings on the camera accessible via iSCSI. iSCSI is an unencrypted protocol.
Recommendation: Disable iSCSI server if not used on the camera.
UPNP
Makes the camera discoverable via the UPNP protocol.
Recommendation: Disable UPNP if not needed.
NTP Server
Enable an NTP server on the camera to allow other devices or cameras to synchronize time. If possible, a dedicated device should serve time to the camera network, allowing separation of services. If no other device is available, time can be served by a camera.
Recommendation: NTP server should be disabled if not needed.
Data subject to change without notice | August 22
Security Systems / Video Systems
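
An added example (not part of the Bosch guide): a Python check that probes the TCP services discussed above on a camera you administer and compares what is reachable with the guide's recommendations. The port numbers are assumed defaults, not values from the guide, and the UDP services (SNMP, UPnP, NTP) are left out because a connect probe cannot confirm them.

```python
import socket

# Assumed default TCP ports (not stated in the guide); adjust to the camera's settings.
TCP_SERVICES = {"HTTP": 80, "HTTPS": 443, "RTSP": 554, "RCP": 1756, "iSCSI": 3260}

def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def scan(host, services=TCP_SERVICES):
    """Return the set of service names that accept TCP connections."""
    return {name for name, port in services.items() if probe_tcp(host, port)}

def audit(open_services, needed=frozenset(), rtsps_capable=False,
          bosch_rtsp_encryption=False):
    """Compare reachable services with the guide's recommendations.

    needed: services the site has a documented reason to keep, e.g. "RCP"
    for third-party tools. Returns a list of (service, finding) tuples.
    """
    findings = []
    if "HTTP" in open_services:
        findings.append(("HTTP", "disable plain HTTP in favor of HTTPS"))
    if "HTTPS" not in open_services:
        findings.append(("HTTPS", "HTTPS should remain enabled"))
    if "RTSP" in open_services:
        if rtsps_capable:
            findings.append(("RTSP", "receiver supports RTSPS: disable plain RTSP"))
        elif not bosch_rtsp_encryption:
            findings.append(("RTSP", "unencrypted video: record a risk decision"))
    for name, advice in (
        ("RCP", "disable RCP: no third-party or legacy tool needs it"),
        ("iSCSI", "disable the iSCSI server: not used on this camera"),
    ):
        if name in open_services and name not in needed:
            findings.append((name, advice))
    return findings

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (constructed); use your camera's IP.
    for service, finding in audit(scan("192.0.2.10")):
        print(f"{service}: {finding}")
```

Whether Bosch RTSP encryption is enabled cannot be seen from an open port, so it is passed in as a parameter from the camera's configuration.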


This manual is also suitable for:

7100i-2mp oc
