Bosch Video Solutions
Decreasing Device Visibility During Vulnerability Scans 

All network and vulnerability scanners are designed to scan a specific range of ports and the protocols associated with those ports. By default, all unnecessary ports have been disabled in Bosch IP cameras, and certain protocols, such as Telnet, have been removed.

You can further reduce a device's presence on the network by choosing the following settings in the Network, Network Access menu in Configuration Manager 5.50:
  • HTTP Browser Port: OFF
  • Min TLS version: 1.2
  • HSTS: ON

You can also change the HTTPS browser port setting from 443 to an alternate port starting at 10433. This causes the device to be undetectable or unrecognizable as a valid device by most vulnerability test tools.
 
Note: If modifying devices that will be utilized in BVMS, the devices should be scanned and added to BVMS prior to network access modification. If not, they will need to be manually entered into the system.  
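
A way to confirm from a management workstation that the settings above took effect on a device you administer, written as an added example (not Bosch code). The function names, the `EXPECTED` keys and the sample address in the usage note are assumptions made for this example. A client whose OpenSSL build has legacy TLS disabled will report TLS 1.0/1.1 as refused without the device being tested.

```python
import socket
import ssl

# State the settings above should produce (key names are chosen for this example).
EXPECTED = {"http_80_open": False, "https_open": True, "tls1.0": False,
            "tls1.1": False, "tls1.2": True, "hsts": True}
VERSIONS = {"tls1.0": ssl.TLSVersion.TLSv1, "tls1.1": ssl.TLSVersion.TLSv1_1,
            "tls1.2": ssl.TLSVersion.TLSv1_2}

def tcp_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_fetch(host, port, version=None, timeout=3.0):
    """Handshake (optionally pinned to one TLS version) and return the raw HEAD
    reply; None if the connection or handshake fails, b"" if only the reply fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # protocol check only; device certs are often self-signed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        if version is not None:
            ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw) as tls:
            try:
                tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                return tls.recv(8192)
            except OSError:
                return b""
    except (OSError, ValueError):
        return None

def has_hsts(reply):
    """True if the HTTP header block carries Strict-Transport-Security."""
    head = (reply or b"").split(b"\r\n\r\n", 1)[0].lower()
    return any(h.startswith(b"strict-transport-security:") for h in head.split(b"\r\n")[1:])

def probe(host, https_port):
    obs = {"http_80_open": tcp_open(host, 80), "https_open": tcp_open(host, https_port),
           "hsts": has_hsts(tls_fetch(host, https_port))}
    obs.update({k: tls_fetch(host, https_port, v) is not None for k, v in VERSIONS.items()})
    return obs

def audit(obs):
    """Return the settings whose observed state differs from EXPECTED."""
    return sorted(k for k, want in EXPECTED.items() if obs.get(k) != want)
```

Call it as `audit(probe("192.0.2.10", 10433))`, where the address is a constructed placeholder and the port is whichever HTTPS browser port you configured. An empty list means the observed state matches the settings above.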

The Network, Network Services menu in Configuration Manager also provides the opportunity to disable any remaining ports that are not needed in a particular installation.
 
In the example below, all ports have been disabled except for HTTPS, RCP, iSCSI, and Reset Password.

These basic adjustments leave network and vulnerability scanners with virtually nothing to scan.

Featured Guide

This technical brief provides easy step-by-step instructions for increasing the security of an IP camera installation as well as for decreasing the devices' visibility during vulnerability scans. This is known as reducing the attack surface.


© Bosch Security Systems, 2017. All rights reserved.