It’s an ethernet wire that’s going to be exiting my house and running to a camera in a publicly accessible space. An attacker could disconnect the camera, connect a laptop and access my network. How could I protect against that (other than a physical lock)? I basically want to lock down that cable to the point where nothing works on it unless it’s the intended camera. If this was wireless, I’d just use MAC filtering, but I don’t see an equivalent for wired connections.
MAC filtering
Super glue?
Dumb PoE so whatever gets plugged in gets 48 V with no negotiation.
Haha nice one. Pity the camera system might get fried too 🤣
MAC address filter?
You want to get an IP camera and a switch/router/firewall that supports 802.1x - Port Authentication, along with a VLAN for segregation and MAC filtering because more is better.
With 802.1x the camera has to authenticate / re-authenticate using EAP for the port to remain active. If someone rips off the camera and figures out its MAC address to spoof, it’s still not going to pass the EAP challenge.
MAC filtering is not real security. It is so easy to bypass that filtering MACs is almost as secure as not doing it. Your best options are:
- placing the connection port in a hard to reach location
- place that port in an isolated VLAN coupled with some firewall rules so that all the outgoing connections are dropped
- if your switch can, play with ACLs to further lock it down
- if you really want to get serious about port security, you will need a RADIUS server. But most of the IP cameras won’t be compatible…
1.) Ensure the camera is securely installed and the ethernet port is not exposed. Use tamper/security screws.
2A.) Enable MAC address filtering on your switch… but if someone is doing all this work they’re going to know to spoof the camera’s MAC address.
2B.) Set up 802.1x authentication if your camera(s) support it; this is more work but more work.
3.) Segment external cameras to their own VLAN and use ACLs to restrict access.
4.) Monitor your network! Set up monitoring to see new devices joining, switchport/camera going offline randomly. Then ensure all of these events go somewhere of your choice.
5.) Monitor your camera! You should definitely be getting alerts for motion if someone is close enough to disconnect the camera(s). Also you should have cameras watching each other’s back in terms of coverage.
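The network-monitoring step in the list above (new devices joining, the switch port or camera going offline), as an added example that is not part of any post in this thread. The log format, port number and MAC address are assumptions constructed for illustration; adapt the regex to whatever your switch actually sends to syslog.

```python
import re

# Assumptions (hypothetical): the camera sits on switch port 8 and has this MAC.
CAMERA_PORT = "8"
CAMERA_MAC = "00:11:22:33:44:55"

# Constructed sample events in a made-up key=value format, not any vendor's
# real syslog output.
SAMPLE_LOG = """\
2024-05-01T02:10:00Z sw1 port=8 event=mac_learned mac=00:11:22:33:44:55
2024-05-01T02:13:07Z sw1 port=8 event=link_down
2024-05-01T02:13:41Z sw1 port=8 event=link_up
2024-05-01T02:13:42Z sw1 port=8 event=mac_learned mac=66:77:88:99:aa:bb
2024-05-01T03:00:00Z sw1 port=3 event=link_down
2024-05-01T04:20:10Z sw1 port=8 event=link_down
2024-05-01T04:20:30Z sw1 port=8 event=link_up
2024-05-01T04:20:31Z sw1 port=8 event=mac_learned mac=00:11:22:33:44:55
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ port=(?P<port>\d+) event=(?P<event>\w+)(?: mac=(?P<mac>[0-9A-Fa-f:]{17}))?$"
)

def camera_port_alerts(log_text, port=CAMERA_PORT, expected_mac=CAMERA_MAC):
    """Return (timestamp, severity, message) tuples for the camera port only."""
    alerts = []
    flapped = False  # True after a link_down until the next MAC is learned
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["port"] != port:
            continue  # unparseable line or a different port
        if m["event"] == "link_down":
            flapped = True
            alerts.append((m["ts"], "high", "camera port lost link"))
        elif m["event"] == "mac_learned":
            mac = (m["mac"] or "").lower()
            if mac != expected_mac.lower():
                alerts.append((m["ts"], "critical", f"unknown MAC {mac} on camera port"))
            elif flapped:
                # A matching MAC after a flap proves little: MACs can be spoofed.
                alerts.append((m["ts"], "medium", "camera MAC returned after link loss; verify video feed"))
            flapped = False
    return alerts

if __name__ == "__main__":
    for ts, sev, msg in camera_port_alerts(SAMPLE_LOG):
        print(ts, sev.upper(), msg)
```

Forward the returned tuples to whatever alerting channel you already use; a link loss on the outdoor port is treated as an alert in its own right, even when the expected MAC comes back afterwards.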
With a VPN. MAC filtering is trivial to work around.
I crazy glue the cables into the cameras, but I’m willing to reterminate cables if I replace the cameras. I’d also note that a wired cable outside is susceptible to lightning strike, which can damage any other devices inside directly wired in. I isolate my cameras on a dedicated switch, and connect that via fiber. And use a surge protector. This lightning damage has happened to 2 family members.
I do also use MAC filtering, and for switches for this stuff I buy old Cisco 8 port 2960s off eBay for like 50 bucks.
I’ve used some switches from Zyxel that close the port down if the cable is detached. Then you have to log into the switch to enable the port again. It is simple and works great.
Omfg I remember when I was doing system controls some weird vendor tried to be fancy and say to only use their special wired ethernet cable. We discovered when we went to repair the machine that the device was just using a regular ethernet but they crossed 4 wires, and the cable, when connected, corrected that, which changed it back to a standard ethernet. (think of the machinery that does things in factories that make stuff)
In a professional setting you would create a zone/VLAN for the camera(s), then set up rules that allow access only from the LAN to that VLAN but not the other way around. Plus MAC filtering for good measure
802.1x
Is this connecting to a managed switch? If so, you need to see if it supports port security. That way you can lock the port to the MAC of the camera.
VLAN (assuming the camera is plugged to your LAN infrastructure) + a firewall (to block the MAC + every kind of traffic except the one expected from the camera; down to the IP + PORT + Protocol)
Most extreme way I can think of…. Using a good router like pfSense or OPNsense you make a VLAN for the camera only. Create a firewall rule allowing only that camera to access the other network via specific needed ports only. Even if they spoofed the MAC they would also need to route traffic through the associated ports as well, and it would take a while for anyone other than an expert to figure out wtf is going on.
That would require me to know which ports and IPs the camera system uses. I couldn’t find that in the documentation, is there any way I can find out myself? Packet sniffing for instance?