WebCCTV Installation Manual 70

6.2.4.4 Firewall

A critical element in WebCCTV security is the firewall. A firewall is a piece of software that basically allows only a limited number of applications to use the network.

WebCCTV uses the Microsoft firewall, which is enabled by default in the operating system. It is a basic firewall with limited functionality, but nonetheless effective for our goals.

By default, only the following applications are allowed:

- Web server needed for the web application (IIS, TCP port 80)
- WebCCTV video server software (OPServer and OPVWSYS, TCP port 1518 and UDP ports 4096-4223)
- Remote desktop needed for remote administration and support

This is only valid for connections that are made to WebCCTV. For outgoing connections (connections made from WebCCTV to another machine) there is no restriction. However, please follow the guidelines for proper use to prevent problems.

For support issues where Quadrox support technicians take remote control of the WebCCTV, TCP port 3389 must be opened. If VNC is used, this will become port 5500.

In some exceptional cases it might be necessary to allow more applications (open more ports). This is technically possible; however, Quadrox strongly advises against this practice and will not give support on this functionality or any problems that originate from it.

6.2.4.5 Allowing only known clients

If you have a set-up with a fixed number of known clients, it is possible to allow only these clients, based on their IP address. No other clients will be allowed to access WebCCTV. This would further limit the number of possible connection points and thus increase security.

This is only usable in a limited number of scenarios and can give rise to a number of logical problems. Please contact Quadrox support for more information.

6.2.4.6 Securing the applications

When applying the restriction on applications with the firewall as explained above, the attackable points are effectively limited to those applications. In the next step we should make sure that those applications themselves are secure.

Remote desktop doesn't have ways of automation. This implies that only a human operator can use it, not a piece of software like a virus. The risk of a human operator performing malicious actions is limited to the access he has. The security of this falls back to the security of the passwords, for which a policy is outlined above.

The WebCCTV server is an unlikely point of attack, since it is not a widespread application like a web server. This means that very few people would be interested in designing an attack

Version 4.3 Series
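The following is an added example, not part of the Quadrox manual, showing how the inbound allow list from 6.2.4.4 (IIS on TCP 80, the video server on TCP 1518 and UDP 4096-4223, remote desktop on TCP 3389) and the known-client restriction from 6.2.4.5 can be expressed as Windows Firewall rules, followed by a check of what the rules actually expose. It assumes Windows Firewall with Advanced Security and the NetSecurity cmdlets (New-NetFirewallRule and related, available on Windows 8 / Server 2012 and later) in an elevated session; the rule names, the group name "WebCCTV" and the client addresses are constructed placeholders, not values from the manual.

```powershell
# Added example (not from the Quadrox manual): inbound allow list for WebCCTV
# as Windows Firewall rules, scoped to known client addresses (section 6.2.4.5).
# Assumes Windows Firewall with Advanced Security and an elevated PowerShell.
$Group = "WebCCTV"

# Constructed placeholder addresses of the known viewing clients. Omit the
# -RemoteAddress parameter on each rule to keep the manual's default (any source).
$KnownClients = @("192.0.2.10", "192.0.2.11")

# Constructed placeholder subnet from which administrators and support connect.
$AdminSubnet = "192.0.2.0/24"

# Web server needed for the web application (IIS, TCP port 80)
New-NetFirewallRule -DisplayName "WebCCTV IIS HTTP" -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress $KnownClients -Action Allow

# WebCCTV video server software (OPServer and OPVWSYS): TCP 1518 ...
New-NetFirewallRule -DisplayName "WebCCTV video server TCP" -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 1518 `
    -RemoteAddress $KnownClients -Action Allow

# ... and UDP 4096-4223
New-NetFirewallRule -DisplayName "WebCCTV video server UDP" -Group $Group `
    -Direction Inbound -Protocol UDP -LocalPort 4096-4223 `
    -RemoteAddress $KnownClients -Action Allow

# Remote desktop for administration and Quadrox support (TCP 3389; the manual
# notes VNC uses 5500 instead). Limited to the admin subnet rather than any source.
New-NetFirewallRule -DisplayName "WebCCTV remote desktop" -Group $Group `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow

# Check: list exactly what the group exposes (rule, protocol, port, allowed sources)
# so that any rule added later "in exceptional cases" is visible at a glance.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Sources  = ($addr.RemoteAddress -join ",")
    }
} | Format-Table -AutoSize
```

The remote desktop rule is the one to keep disabled (Disable-NetFirewallRule -DisplayName "WebCCTV remote desktop") when no support session is planned, and to enable only for the duration of one; the check at the end shows the Enabled state alongside the port, so a forgotten open rule stands out.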