Running two subnets over the same physical LAN

One of our remote offices has given a security contract to a company that came in and set up IP security cameras and a server in our office. They clearly didn't know anything about integration of their system into an existing network, as they completed the job without talking to anyone in our team.

Our internal network is running on 10.6.n.0/24. They set up their equipment to use 192.168.1.0/24. It's all plugged into the same network infrastructure - the same broadcast domain. Of course, all their equipment can talk to each other, so the security system works, internally at least.

If we have no requirement for external access to or from the security system, are there any issues that would necessitate proper integration with our network? Or can I safely leave the equipment set up as it is?


Solution 1:

There are several reasons to separate the two:

  1. One broadcast domain equals one failure domain. If something goes wrong, and your VLAN gets flooded, both subnets are down. IP cameras can flood links very easily, or a hardware or configuration fault can do the same.
  2. Malicious software or users can access your cameras unchecked, and as mentioned before, vulnerabilities abound in IP cameras.
  3. Your network becomes confusing to any third party coming in for a project or troubleshooting, making any work longer and more prone to mistakes. This increases your cost of operation, or worse: prolongs downtime.

Separating the two is easy: Make two VLANs on all your switches, make sure all the new devices are in one VLAN and all the rest is in the other and all links between the switches have both. (If you don't have any switches that can handle VLANs, you have to use physically separate switches and then invest in some proper switches.) If you need connectivity between the two networks, have one layer 3 switch, router or firewall with interfaces in both networks and voila.

NB: Best practice is to not use VLAN 1. You can choose any VLAN number you want, so just pick any number except 1.

Added bonus: once your network grows more complex, you are already set up to separate out other things in your network, since the basis is there already.
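The separation described in this answer can be checked against what the switches actually report. The script below is an added example, not part of the original answer: it audits a port inventory for hosts in the wrong VLAN, ports where both subnets appear, and inter-switch links that do not carry both VLANs. The VLAN IDs 10 and 20, the switch and port names, the 10.6.0.0/16 supernet for the 10.6.n.0/24 ranges, and all sample rows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the original post): VLAN IDs 10/20, switch and port names.
OFFICE_NET = ipaddress.ip_network("10.6.0.0/16")    # covers the 10.6.n.0/24 ranges
CAMERA_NET = ipaddress.ip_network("192.168.1.0/24")
OFFICE_VLAN, CAMERA_VLAN = 10, 20

# Constructed sample data: (switch, port, access VLAN, host IP seen on the port)
HOSTS = [
    ("sw1", "Gi0/1", 10, "10.6.3.21"),
    ("sw1", "Gi0/2", 10, "192.168.1.50"),   # camera left in the office VLAN
    ("sw1", "Gi0/3", 20, "192.168.1.10"),   # camera server, correct
    ("sw2", "Gi0/5", 1,  "10.6.3.40"),      # still on default VLAN 1
    ("sw2", "Gi0/7", 20, "192.168.1.51"),
    ("sw2", "Gi0/7", 20, "10.6.3.77"),      # PC behind the same port as a camera
]
# Constructed inter-switch links: (switch, port, VLANs allowed on the link)
TRUNKS = [("sw1", "Gi0/24", {10, 20}), ("sw2", "Gi0/24", {10})]

def wanted_vlan(ip):
    addr = ipaddress.ip_address(ip)
    if addr in CAMERA_NET:
        return CAMERA_VLAN
    return OFFICE_VLAN if addr in OFFICE_NET else None  # None: unknown subnet

def audit(hosts, trunks):
    findings = []
    per_port = defaultdict(set)
    for sw, port, vlan, ip in hosts:
        want = wanted_vlan(ip)
        per_port[(sw, port)].add(want)
        if want is None:
            findings.append((sw, port, f"{ip} is in neither known subnet"))
        elif vlan != want:
            findings.append((sw, port, f"{ip} is in VLAN {vlan}, expected {want}"))
    for (sw, port), wants in sorted(per_port.items()):
        if len(wants) > 1:  # e.g. an unmanaged switch downstream of this port
            findings.append((sw, port, "hosts from both subnets share this port"))
    for sw, port, allowed in trunks:
        missing = {OFFICE_VLAN, CAMERA_VLAN} - allowed
        if missing:
            findings.append((sw, port, f"trunk missing VLANs {sorted(missing)}"))
    return findings

if __name__ == "__main__":
    for sw, port, msg in audit(HOSTS, TRUNKS):
        print(f"{sw} {port}: {msg}")
```

A port flagged as shared by both subnets cannot be fixed by changing its access VLAN alone; the devices behind it have to be re-cabled or moved to a VLAN-capable switch first.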

Solution 2:

It's happened to me. I'm working to undo it at one site. Ideally, the ports would be VLAN-separated, which should be easy to do at the switch level without total reconfiguration of the camera equipment.

The main issue I have is the bandwidth and congestion that affects a couple of applications, but the setup does work as-is.

Don't you need access to the cameras? Maybe from an internal PC client? I find that people who install these solutions also tend to want external access. That's a good enough reason to work to fix this. But again, in my case, the setup is stable enough that there's no urgency on my part to undo the bad work...

Solution 3:

If you are not responsible for the software running on the security equipment, I'd go ahead and isolate the network, unless you're 100% sure that they have no need (even in the future) for access. There's always a risk with network cameras that they're not updated with the latest firmware. There is no shortage of vulnerabilities; a little work now means that issues of that sort would be less worrying.