Recommendation 1
Overview
In the diagram below you can see that there is a network consisting of two VLANs. These VLANs have different routing and firewall configurations. By separating the networks in this way, this configuration adds additional layers of security to your system.
Note: If you use this recommendation, the Auto Detect function within the portal may not detect your cameras, and they will have to be added manually.
Diagrams
VLANs
Notes
INTERNET: VLAN 1 → Internet should have a ruleset applied to limit the inbound and outbound traffic.
VLAN 1 & 2: VLAN 1 ↔ VLAN 2 communication can also have its routable traffic limited. The exact ports will depend on the camera's needs, but typically ports 80/443 and 554 would be the only ports required.
VLAN 2: Can only access VLAN 1 and should not need direct internet access.
Layout
Recommendation 2
Overview
In the diagram below you can see that there is a single network.
Diagrams
VLANs
Notes
INTERNET: VLAN 1 → Internet should have a ruleset applied to limit the inbound and outbound traffic.
Layout
Other Networking Requirements and Notes
IPs & DNS
We recommend that you provide an IP address through a DHCP server so that our device can obtain its network configuration. The DHCP assignment must also pass the DNS server IP(s) so that our device can resolve internet addresses. To set a specific IP for an Arcules appliance you can either create a DHCP reservation or manually configure the IP locally on the device.
Appliance Access
At Arcules we follow several architectural practices, including security by design. For security reasons the appliance only runs and serves the ports required to function. None of the open ports need any special rules or routing to be accessible from the internet. The restriction of ports also covers common device access protocols such as SSH, which is not enabled on the device.
Firewall Configuration
Configuration should be based upon the Gateway Security Guide (please contact Arcules Support for the Security Guide document). Not all companies are able to use hostname-based firewall rules, so we offer some alternative methods.
Limiting the type of traffic by port
Our appliance only needs to utilize port 443 to transmit information, plus an ICMP ping to validate that a service is live.
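To make the rules in the two-VLAN recommendation and the port restriction above concrete, here is an added example (not Arcules code, and not the Gateway Security Guide) that models the policy as a default-deny table and evaluates constructed sample flows against it. The addresses are assumptions: VLAN 1 is modelled as 10.1.0.0/24 (appliance side), VLAN 2 as 10.2.0.0/24 (cameras), and anything outside those two ranges is treated as "internet". The model assumes a stateful firewall, so only the initiating direction of each connection is evaluated.

```python
"""Default-deny policy model for the two-VLAN camera network (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed addressing; substitute your own VLAN subnets.
VLAN1 = ipaddress.ip_network("10.1.0.0/24")  # appliance / gateway side
VLAN2 = ipaddress.ip_network("10.2.0.0/24")  # cameras

# Allowed initiating flows, keyed by (source zone, destination zone).
# Each entry is a set of (protocol, destination port); ICMP has no port.
# Anything not listed is denied, including every inbound flow from the internet.
POLICY = {
    ("vlan1", "internet"): {("tcp", 443), ("icmp", None)},           # 443 + ping only
    ("vlan1", "vlan2"): {("tcp", 80), ("tcp", 443), ("tcp", 554)},  # camera ports
    ("vlan2", "vlan1"): {("tcp", 80), ("tcp", 443), ("tcp", 554)},  # same ports back
    # ("vlan2", "internet") is deliberately absent: cameras get no internet access.
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def zone(ip: str) -> str:
    """Map an address to one of the three zones in the model."""
    addr = ipaddress.ip_address(ip)
    if addr in VLAN1:
        return "vlan1"
    if addr in VLAN2:
        return "vlan2"
    return "internet"  # simplification: everything else is off-site


def evaluate(flow: Flow) -> str:
    """Return 'allow' or 'deny' for the initiating packet of a flow."""
    allowed = POLICY.get((zone(flow.src), zone(flow.dst)), set())
    key: Tuple[str, Optional[int]] = (flow.proto, None if flow.proto == "icmp" else flow.dport)
    return "allow" if key in allowed else "deny"


def audit(flows):
    """Evaluate a list of flows and return (flow, verdict) pairs."""
    return [(f, evaluate(f)) for f in flows]


# Constructed sample flows covering each rule and its negative case.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "203.0.113.5", "tcp", 443),   # appliance -> cloud service
    Flow("10.1.0.10", "203.0.113.5", "icmp"),       # appliance liveness ping
    Flow("10.1.0.10", "203.0.113.5", "tcp", 22),    # not on the list
    Flow("10.1.0.10", "10.2.0.20", "tcp", 554),     # appliance pulls RTSP from camera
    Flow("10.2.0.20", "10.1.0.10", "tcp", 80),      # camera -> appliance, permitted port
    Flow("10.2.0.20", "10.1.0.10", "tcp", 22),      # camera -> appliance, blocked port
    Flow("10.2.0.20", "203.0.113.5", "tcp", 443),   # camera -> internet, always denied
    Flow("203.0.113.5", "10.1.0.10", "tcp", 443),   # inbound from internet, always denied
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto} {flow.dport or ''}")
```

Running the script prints one verdict per sample flow; the useful part is that every flow not explicitly listed, including anything inbound from the internet, lands on deny, which is the behaviour the Appliance Access section relies on.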
Network Hardware Configuration
Video data is a high-bandwidth application and can wreak havoc on a network if not configured correctly. When working with high-bandwidth applications it is important that the flow of data between devices is fully understood, to ensure traffic does not unnecessarily pass through additional switches on its way to its destination. The OSI model helps explain what particular networking devices can achieve, and when those devices are configured correctly you can make intelligent use of your network's capacity.
Layer 3 Switch
Layer 3 switches can route traffic, which, when configured correctly, limits the amount of uplink traffic from a device whose gateway is on the same switch but on a different network.
Layer 2 Switch
Layer 2 switches cannot route traffic, but are able to pass traffic on within the same network.
Unsupported Functionality
Proxy Servers
We currently do not recommend or support the use of proxy servers or "Captive Portals". This is due to the amount of traffic that our device may generate depending on your setup, and because packets need to flow quickly to ensure the best viewing experience.
Glossary
DHCP
Description:
DHCP is a central way of distributing IP addresses on a network. You can set reservations that let you manage static IPs without needing access to the device itself; this is done using the device's MAC address.
Why:
On large networks, if an IT admin needs to migrate a subnet there is limited impact on the device
IT departments can retain control of the network without requiring root access to a device
Centrally assigning reservations for IP management
Further Reading:
See more here on wikipedia: https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol
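The IPs & DNS section and this glossary entry both describe the same mechanism: a DHCP reservation tied to the appliance's MAC address, with the DNS server(s) handed out in the lease. The following added example (not Arcules code) generates a dnsmasq DHCP configuration that does exactly that, validating MAC addresses and keeping reservations out of the dynamic pool so the two cannot collide. The subnet, pool, DNS addresses and the MAC/hostname values are all constructed, and dnsmasq is an assumption; other DHCP servers use different syntax for the same idea.

```python
"""Build a dnsmasq DHCP config with MAC-based reservations and a DNS option (added example)."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff or AA:BB:... and return lower-case colon form."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return m


def build_dnsmasq_config(subnet, pool_start, pool_end, dns_servers, reservations, lease="12h"):
    """Return dnsmasq config text.

    reservations: iterable of (hostname, mac, ip). Reservation addresses must be
    inside the subnet and outside the dynamic pool; that second rule is a
    convention adopted here to avoid collisions, not a dnsmasq requirement.
    """
    net = ipaddress.ip_network(subnet)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start not in net or end not in net or start > end:
        raise ValueError("dynamic pool must lie inside the subnet")
    for dns in dns_servers:
        ipaddress.ip_address(dns)  # raises on garbage

    lines = [
        f"dhcp-range={start},{end},{lease}",
        # Option 6: DNS servers handed to every client, so the appliance can resolve names.
        "dhcp-option=option:dns-server," + ",".join(dns_servers),
    ]
    seen_macs, seen_ips = set(), set()
    for hostname, mac, ip in reservations:
        mac = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {net}")
        if start <= addr <= end:
            raise ValueError(f"{ip} falls inside the dynamic pool {start}-{end}")
        if mac in seen_macs or addr in seen_ips:
            raise ValueError(f"duplicate reservation for {hostname}")
        seen_macs.add(mac)
        seen_ips.add(addr)
        # dhcp-host pins this MAC to a fixed address and hostname.
        lines.append(f"dhcp-host={mac},{addr},{hostname}")
    return "\n".join(lines) + "\n"


# Constructed sample values; the MACs and names are placeholders.
SAMPLE_RESERVATIONS = [
    ("arcules-gateway", "AA-BB-CC-00-11-22", "192.168.50.10"),
    ("camera-lobby", "aa:bb:cc:00:11:33", "192.168.50.11"),
]

if __name__ == "__main__":
    print(build_dnsmasq_config("192.168.50.0/24", "192.168.50.100", "192.168.50.200",
                               ["192.168.50.1"], SAMPLE_RESERVATIONS))
```

The generated file is what you would drop into /etc/dnsmasq.d/; the validation is the part worth keeping whichever DHCP server you run, since a reservation that overlaps the pool or duplicates a MAC is the usual cause of an appliance silently getting the wrong address.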
Static IP
Description:
A static IP address is one that you set manually on the device. This should be done when DHCP services are unavailable on the network, or when a Network Administrator directs you to do so.
Why:
When DHCP services are unavailable for use on the network.
When directed to do so by a Network Administrator.
Further Reading:
See more here on Wikipedia: https://en.wikipedia.org/wiki/IP_address#IP_address_assignment