Hanwha Vision NVR Network Device Security Enhancement Guide
Version 1.2
Date: 2025.06
1. Introduction
In recent years, network surveillance devices, developed to protect customer assets and personal information, have paradoxically become a means to steal personal information. Network surveillance devices process and manage video footage, which can contain sensitive personal information. As they communicate over networks, they allow remote access from anywhere in the world. Due to this characteristic, network surveillance devices are constant targets of cyberattacks.
Hanwha Vision, valuing customer assets and personal information, has continuously strived to enhance cybersecurity. This guide aims to help users understand the security features implemented in our products and use them safely.
2. Cybersecurity Level Definition
This guide defines cybersecurity levels based on the following criteria, with each level presupposing the achievement of the previous level:
- Basic Level: Refers to the security level achievable with the basic functions provided by the device without any additional user configuration.
- Protection Level: Refers to the security level achievable with the default settings of the device in its initial state or after a factory reset.
- Safe Level: Refers to the security level that can be enhanced by the user disabling unnecessary features or services that could potentially weaken security.
- Top-tier Safe Level: Refers to the security level that can be enhanced by integrating additional external security solutions with the device's built-in security features.
Cybersecurity Level | Cybersecurity Enhancement Features & Measures | Initial Setting | Recommended Setting |
---|---|---|---|
Basic Level | Enforce complex password settings | Default | - |
Basic Level | Remove initial password | Default | - |
Basic Level | Limit input on consecutive password failures | Default | - |
Basic Level | Disable remote services (Telnet, SSH) | Default | - |
Basic Level | Encrypt environment settings | Default | - |
Basic Level | Encrypt firmware and ensure secure updates | Default | - |
Basic Level | Watermarking and encryption of extracted video formats | Default | - |
Basic Level | Retain logs upon initialization | Default | - |
Basic Level | HTML5 streaming-based NonPlug-in Web viewer | Default | - |
Basic Level | Encrypt important information | Default | - |
Basic Level | Individual device authentication | Default | - |
Protection Level | Disable unused multicast | Disabled | Disabled |
Protection Level | Disable unused DDNS | Disabled | Disabled |
Protection Level | Disable unused SNMP | Disabled | Disabled |
Protection Level | Disable audio input function | Disabled | Disabled |
Safe Level | Check for and update to the latest firmware version | - | - |
Safe Level | Set accurate date and time | - | - |
Safe Level | Use secure communication protocols (HTTPS) | HTTP+HTTPS | HTTPS+RTSP |
Safe Level | Use secure communication protocols (RTSP) | HTTP | HTTPS(Self-signed certificate) |
Safe Level | HTTPS (Self-signed certificate) | HTTP | HTTPS(Public certificate) |
Safe Level | Change default ports | Default | Change |
Safe Level | IP Filtering | Unconfigured | Configured |
Top-tier Safe Level | Securely use SNMP | Unconfigured | SNMP v3 |
Top-tier Safe Level | Change administrator account and create additional user accounts | Unconfigured | Configured |
Top-tier Safe Level | Set access permissions | Unconfigured | Configured |
Top-tier Safe Level | Log inspection | - | - |
Top-tier Safe Level | 802.1X certificate-based access control | - | - |
Note: If the initial setting is 'Default', it means the option is provided as is and not selectable by the user. If it is indicated by a dash (-), it means the option is not available, and the activity needs to be performed.
3. Basic Level
Hanwha Vision devices are designed with cybersecurity in mind, so their basic functions and default settings provide a safe starting point from the moment of purchase.
Security Policy | Cybersecurity Feature | Brief Description |
---|---|---|
Password Policy | Enforce complex password settings | Requires passwords of at least 8 characters, using a combination of uppercase/lowercase letters, numbers, and special characters (3 types for 8-9 characters, 2 types for 10+ characters). This prevents weak password settings due to user carelessness and reduces the risk of unauthorized password theft. |
Password Policy | Remove initial password | To prevent security vulnerabilities where unauthorized access is granted if the initial password is not changed, all Hanwha Vision products require users to change the password upon first access via the device's UI. |
Access Control | Limit input on consecutive password failures | To prevent brute-force attacks, the device limits input for 30 seconds after 5 consecutive failed password attempts. This blocks unauthorized connection attempts while maintaining existing authenticated connections, preventing Denial of Service (DoS) attacks. |
Remote Access Control Security | Disable remote services (Telnet, SSH) | While remote services like Telnet and SSH offer convenience for customer support, they can be exploited by hackers. Hanwha Vision products eliminate this risk by disabling these services to enhance security. |
Remote Access Control Security | Encrypt environment settings | The backup (Export) function allows downloading environment settings to a PC. These settings files contain sensitive information, so Hanwha Vision encrypts them using secure algorithms to protect user data. |
Firmware Security | Encrypt firmware and ensure secure updates | Hanwha Vision provides encrypted firmware for feature additions, bug fixes, and security updates. During firmware updates, the integrity of the firmware is verified to prevent the use of tampered firmware and ensure normal operation. This prevents hackers from analyzing sensitive information within the firmware or using it to gain control of the device for malicious purposes. |
Firmware Security | Watermarking and encryption of extracted video formats | Video files extracted in SEC format by Hanwha Vision NVRs cannot be opened with general playback/editing software, preventing unauthorized exposure. Watermarking allows for the detection of video tampering. The SEC format includes a built-in player, eliminating the need for separate installations. SEC files also ensure the integrity and legal admissibility of video evidence. |
Log Security | Retain logs upon initialization | This feature prevents malicious log deletion or log initialization through device reset, allowing for the analysis of intrusion attempts and the identification of intrusion paths. |
HTML5 Streaming Standard | HTML5 streaming-based NonPlug-in Web viewer | Provides a seamless video streaming service using the HTML5 standard, eliminating the need for browser plug-ins like ActiveX, which can pose security risks. This ensures compatibility with modern browsers that are phasing out plug-in support. |
Important Information Encryption | Encrypt important information | User authentication information (ID, password) for various network functions like web login, DDNS, FTP, SMTP, and SNMP is stored securely using robust encryption algorithms. This protects sensitive credentials from unauthorized access, even in the event of an unexpected data breach. |
Individual Device Authentication | Individual device authentication | Hanwha Vision network devices support device authentication using certificates for encrypted communication. This verifies the authenticity of Hanwha Vision devices and prevents man-in-the-middle attacks. When connecting cameras to the NVR, the NVR verifies the camera's certificate to ensure a secure connection. |
3.1. Enforce Complex Password Settings
Hanwha Vision device passwords must be at least 8 characters long and meet complexity requirements (e.g., using a mix of uppercase letters, lowercase letters, numbers, and special characters). This feature helps prevent weak password creation and reduces the risk of unauthorized access.
3.2. Remove Initial Password
To prevent security vulnerabilities, Hanwha Vision devices require users to change the default password upon initial setup. This ensures that unauthorized users cannot access the device with the factory-set password.
3.3. Limit Input on Consecutive Password Failures
To prevent brute-force attacks, the device limits input for 30 seconds after 5 consecutive failed password attempts. This measure enhances security by blocking unauthorized access attempts while maintaining existing authenticated connections.
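The password rule from 3.1 and the input limit from 3.3, modeled in Python as an added example; this is not Hanwha Vision code. It assumes the four character classes are uppercase, lowercase, digits and ASCII punctuation, and that the limit is tracked as a single counter; the function and class names are hypothetical.

```python
import string

MIN_LENGTH = 8
LOCK_AFTER = 5      # consecutive failures before input is limited (from the guide)
LOCK_SECONDS = 30   # length of the limit in seconds (from the guide)

def char_classes(password):
    """Count the character classes present (the four-way split is an assumption)."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])

def meets_policy(password):
    """8-9 characters need 3 classes; 10 or more characters need 2."""
    if len(password) < MIN_LENGTH:
        return False
    required = 3 if len(password) <= 9 else 2
    return char_classes(password) >= required

class LoginThrottle:
    """Model of the limit: 5 consecutive failures block input for 30 seconds."""
    def __init__(self):
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, ok, now):
        """Return 'locked', 'ok' or 'fail' for one attempt at time `now` (seconds)."""
        if now < self.locked_until:
            return "locked"          # input is refused, even with the right password
        if ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCK_AFTER:
            self.locked_until = now + LOCK_SECONDS
            self.failures = 0
        return "fail"

def max_guesses_per_day():
    """Ceiling on password guesses when every burst of 5 costs at least 30 seconds."""
    return (24 * 60 * 60 // LOCK_SECONDS) * LOCK_AFTER
```

The daily ceiling is what makes the complexity rule matter: the limit slows guessing but does not stop it, so the password still has to be outside any realistic guess list.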
3.4. Disable Remote Services (Telnet, SSH)
Hanwha Vision products disable remote services like Telnet and SSH to enhance security, as these services can be exploited by malicious actors.
3.5. Encrypt Environment Settings
Environment settings are encrypted during the backup process to protect sensitive user information. This ensures that exported configuration files remain secure.
3.6. Encrypt Firmware and Ensure Secure Updates
Hanwha Vision provides encrypted firmware for secure updates. The firmware's integrity is verified during the update process to prevent the use of tampered firmware and protect against malware injection.
3.7. Watermarking and Encryption of Extracted Video Formats
Video files extracted in SEC format by Hanwha Vision NVRs are protected with watermarking and encryption, preventing unauthorized access and tampering. The SEC format includes a built-in player for easy playback.
3.8. Retain Logs Upon Initialization
Device logs are protected from deletion or reset, ensuring that security event data is available for analysis and forensic investigation.
3.9. HTML5 Streaming-Based NonPlug-in Web Viewer
The NVR supports HTML5 streaming for a secure and convenient web viewing experience, eliminating the need for vulnerable browser plug-ins.
3.10. Encrypt Important Information
User authentication credentials (ID, password) for network functions are securely stored using advanced encryption algorithms to protect sensitive information.
3.11. Individual Device Authentication
Hanwha Vision devices support device authentication using certificates to ensure secure communication between devices and prevent man-in-the-middle attacks.
4. Protection Level
Hanwha Vision devices are inherently secure with their default settings, providing basic protection even after a factory reset.
Security Policy | Cybersecurity Feature | Brief Description |
---|---|---|
Factory Reset | Initializes existing data on the device | Resets all data stored on the device. |
Service Protection | Disable unused multicast | Minimizes enabled services to prevent unauthorized access. |
Service Protection | Disable unused DDNS | Minimizes enabled services to prevent unauthorized access. |
Service Protection | Disable unused SNMP | Minimizes enabled services to prevent unauthorized access. |
Service Protection | Disable audio input function | Minimizes enabled services to prevent unauthorized access. |
4.1. Factory Reset
Performing a factory reset on a used device restores its default settings, achieving the Protection Level of security.
4.2. Disable Unused Multicast
For RTSP protocol, multicast settings can be configured. If this service is not needed, disable it to enhance security.
4.3. Disable Unused DDNS
If DDNS and UPnP services are not required, disable them to enhance security. These services can be exploited if not properly secured.
5. Safe Level
Hanwha Vision devices allow users to enhance security by disabling unnecessary services and ports that could be exploited by external threats.
Security Policy | Cybersecurity Feature | Brief Description |
---|---|---|
- | Check for and update to the latest firmware version | Verify and update to the latest firmware to address security vulnerabilities. |
- | Set accurate date and time | Ensure accurate system time for proper log analysis and security event tracking. |
- | Use secure communication protocols (HTTPS) | Protects personal information and video data transmitted over the web viewer. |
- | Use secure communication protocols (RTSP) | Secures video streams transmitted via RTSP. |
- | HTTPS (Self-signed certificate) | Enables secure connections using a self-signed certificate provided by Hanwha Vision. |
- | HTTPS (Public certificate) | Allows users to register their own public certificates for secure connections. |
Port Access Control | Change default ports | Modifying default port numbers makes it harder for attackers to scan and exploit services. |
IP Filtering | IP Filtering | Allows or denies access based on IP addresses, enhancing network security. |
Service Protection | Securely use SNMP | Disables default SNMP settings for enhanced security. |
Service Protection | Change administrator account and create additional user accounts | Changing the default 'admin' account and creating user-specific accounts with limited privileges enhances security. |
Service Protection | Set access permissions | Assign specific permissions to users based on their roles to minimize potential security risks. |
Audit | Log inspection | Regularly review system logs to detect and investigate security incidents. |
5.1. Check for and Update to the Latest Firmware Version
Users can check for the latest firmware versions on the Hanwha Vision website and download them for installation. This ensures devices are protected against known vulnerabilities.
5.2. Set Accurate Date and Time
Accurate date and time settings are crucial for analyzing system logs and identifying security events. Users can configure the device's time settings to match their local time zone.
5.3. Use Secure Communication Protocols (HTTPS)
Hanwha Vision NVRs support both HTTP and HTTPS. HTTPS provides encrypted communication, protecting sensitive data transmitted between the NVR and clients.
5.4. Use Secure Communication Protocols (RTSP)
To secure video streams transmitted via RTSP, it is recommended to tunnel RTSP over HTTPS. This involves configuring both the IP camera and the NVR for HTTPS streaming.
5.5. HTTPS (Self-signed Certificate)
This feature allows secure connections using a self-signed certificate provided by Hanwha Vision, eliminating the need for users to obtain and install their own certificates.
5.6. HTTPS (Public Certificate)
Users can register their own public certificates and private keys to enable secure HTTPS connections. This provides an additional layer of security for data transmission.
5.7. Change Default Ports
Modifying default port numbers (e.g., changing HTTP from port 80 to 8000) makes it more difficult for attackers to scan for and exploit services. Users should ensure that any changes to port numbers do not disrupt connectivity with other devices.
5.8. IP Filtering
IP filtering allows users to create lists of allowed or blocked IP addresses, controlling network access and enhancing security. Users can configure rules for both IPv4 and IPv6 addresses.
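A pre-deployment review of a planned allow list, as an added example that is not part of the guide or of the NVR's software. It assumes the filter runs in allow mode and accepts single addresses or CIDR prefixes; the sample entries, the 256-address threshold and the function name are constructed for illustration.

```python
import ipaddress

# Constructed sample input (documentation address ranges).
PLANNED_ALLOW = ["192.0.2.10", "198.51.100.0/24", "10.0.0.0/8"]
ADMIN_HOSTS = ["192.0.2.10", "203.0.113.7", "2001:db8::5"]

def review_allow_list(entries, admin_hosts, max_v4_hosts=256):
    """Return findings for an allow list before it is entered on the device.

    entries:     allowed addresses or prefixes, IPv4 or IPv6
    admin_hosts: addresses that must still reach the NVR afterwards
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    findings = []

    # Entries so broad that the filter stops restricting anything useful.
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"{net}: matches every address")
        elif net.version == 4 and net.num_addresses > max_v4_hosts:
            findings.append(f"{net}: broad range ({net.num_addresses} addresses)")

    # Rules exist per address family; a list covering only one leaves the other to check.
    for version in (4, 6):
        if not any(n.version == version for n in nets):
            findings.append(f"no IPv{version} entries: confirm IPv{version} is filtered or unused")

    # Management hosts missing from the list would lose access in allow mode.
    for host in admin_hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr in n for n in nets if n.version == addr.version):
            findings.append(f"{host}: admin host not covered, would be locked out")
    return findings

if __name__ == "__main__":
    for finding in review_allow_list(PLANNED_ALLOW, ADMIN_HOSTS):
        print(finding)
```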
5.9. Securely Use SNMP
It is recommended to use SNMP v3 for secure network device management. While SNMP v1 and v2c are supported, users should change the default community strings to enhance security.
5.10. Change Administrator Account and Create Additional User Accounts
Changing the default administrator account ('admin') and creating user-specific accounts with limited privileges is crucial for security. This prevents unauthorized access and reduces the risk of credential exposure.
5.11. Restricted Settings
Users can configure access restrictions for specific features and network access. This includes setting user access limitations and configuring automatic logout after a period of inactivity to enhance security.
5.12. Log Inspection
Regular inspection of system logs is essential for identifying security incidents, troubleshooting issues, and ensuring compliance with regulations. Logs provide valuable information about system events, errors, and potential security breaches.
6. Top-tier Safe Level
Hanwha Vision devices offer advanced security features and can be further enhanced by integrating external security solutions.
Security Policy | Cybersecurity Feature | Brief Description |
---|---|---|
- | 802.1X certificate-based access control | Enhances security by implementing port-based access control using certificates. |
6.1. 802.1X Certificate-Based Access Control
Network devices can be secured with port-based access control using 802.1X authentication. This requires an 802.1X-compatible network switch, an authentication server, and device-specific certificates and private keys. Users can configure these settings through the NVR's interface.