
Your Cameras Are on Your Network -- and That Is a Problem

Most IP camera installations put the cameras on the same network as everything else in the building. Some cameras actively phone home to manufacturer servers. Here is how a properly installed system keeps your cameras isolated -- and why it matters more than most operators realize.

PAX Security | 7 min read | June 5, 2026
Quick Answer

IP cameras are small networked computers, and many of them -- especially budget and mid-range brands -- contain firmware that reaches out to manufacturer servers. If those cameras share a network with your computers, POS system, or tenant data, a compromised camera becomes a door into everything else. The fix is network isolation: cameras live on their own dedicated subnet, managed by a DHCP server on the NVR, with no path to the internet. They record. They cannot reach out.

Key Takeaways

  • IP cameras are network-connected devices with firmware that can -- and sometimes does -- initiate outbound connections to external servers
  • Cameras on your main business network can expose tenant data, payment systems, or internal files if the camera is compromised or phoning home
  • The US government has banned several camera brands from federal use specifically because of data exfiltration concerns
  • Network isolation using a secondary NIC on the NVR creates a camera-only subnet with no internet route -- cameras physically cannot phone home
  • This architecture still supports full remote access for the operator; only the cameras are isolated

When a technician installs an IP camera system, the simplest path is to plug the cameras into whatever network switch is already in the building. The cameras get IP addresses from the building's router. They show up on the same network as the office computers, the POS terminal, the Wi-Fi that tenants connect to. Everything is online, the NVR can see the cameras, and the job is done.

This is also exactly the wrong way to do it.

IP cameras are not passive devices. They are small networked computers running embedded firmware. That firmware can -- and in many documented cases, does -- initiate outbound connections to servers outside your building without your knowledge or consent. When a camera sits on your main network with full internet access, it has everything it needs to do this.

What phoning home actually means

"Phoning home" refers to a device making outbound network requests to an external server -- typically the manufacturer's infrastructure -- without the user initiating it. Sometimes this is benign: checking for firmware updates, syncing a clock, sending a health status ping. Sometimes it is not.

Several major camera manufacturers -- Hikvision and Dahua among the most prominent -- have been the subject of US government scrutiny for exactly this reason. The National Defense Authorization Act (NDAA) Section 889 prohibits federal agencies from purchasing or using equipment from these manufacturers. The concern is not hypothetical: security researchers have demonstrated that certain firmware versions establish persistent connections to servers in China, transmitting data about the device and in some cases the video feed itself.

For a self-storage operator, the exposure is real. Your cameras cover your facility, your tenants' units, and depending on placement, your office. If those cameras are phoning home, someone outside your organization potentially has access to your video. If those cameras are on the same network as your management software or payment terminal, a compromised camera is a foothold into the rest of your operation.

The isolation architecture: two NICs, one DHCP server

The solution is to give cameras their own network that has no route to the internet. This is what we do on every installation: the NVR is configured with two separate network interface cards (NICs). Each NIC connects to a different network.

The first NIC connects to your building's main network and has access to the internet. This is how you reach the NVR remotely -- from the management app on your phone, from a browser in the office, from our technicians when something needs attention. This side of the NVR is just another device on your network.

The second NIC connects to a dedicated camera switch. No other devices are on this switch -- only cameras. The NVR runs its own DHCP server on this interface, assigning IP addresses to every camera directly. The cameras get an address. They have no default gateway. There is no route from this subnet to the internet.

From the camera's perspective, the NVR is the only device it can talk to. It sends video to the NVR. It receives configuration commands from the NVR. If it tries to reach an external server -- a manufacturer's update endpoint, a cloud relay, anything outside the subnet -- the packet has nowhere to go. It is not blocked. There is simply no road.

Why DHCP on the NVR matters

Running a DHCP server on the NVR rather than your main router does two things. First, it keeps the camera subnet entirely self-contained -- your main router does not know the cameras exist and cannot accidentally route traffic between the two networks.

Second, it gives the NVR authoritative control over the camera network. When a camera comes online, the NVR assigns it an address and can immediately begin managing it. New cameras are discovered automatically. If a camera goes offline, the NVR knows exactly which address stopped responding. The NVR has full visibility into every device on its private network without any dependency on your IT infrastructure.

This also means your camera network is not affected by changes to your main network. If you change your router, swap your ISP, or reconfigure your office network, the cameras are completely unaffected. They live in their own world, managed by the NVR.

What you lose -- and do not lose -- with isolation

The common concern with network isolation is that you lose remote access. You do not. The NVR itself still has internet connectivity through its first NIC. You can still pull live footage from your phone, review recordings remotely, receive alerts, and give access to a monitoring center or a technician. All of that traffic flows through the internet-facing NIC.

What you lose is the risk. The cameras themselves -- the devices most likely to contain questionable firmware, the devices that are rarely updated, the devices you bought from a third-party supplier without vetting every line of code -- those devices have no internet access. They cannot exfiltrate video. They cannot be used as a pivot point into your internal network. They record, and they send that recording to the NVR. That is the full extent of what they can do.

How to know if your current system is isolated

Look at the back of your NVR. If it has one ethernet port connected to your main network switch -- the same switch your computers and Wi-Fi router are on -- your cameras are not isolated. They are on your main network, with full access to whatever else is on it.

A properly isolated installation has two distinct cable runs from the NVR: one to a PoE switch that feeds only cameras, and one to your main network. If you only see one cable, or if your cameras show up alongside your computers when you scan your router's device list, the work has not been done.

Cameras that cannot reach the internet cannot leak what they record. That is the whole architecture.

Your Checklist

  • Count the ethernet ports on the back of your NVR -- a single port means your cameras are on your main network
  • Log into your router and check the device list -- if camera IP addresses appear there, they are not isolated
  • Verify whether your NVR has a built-in DHCP server setting for the camera-side interface
  • Confirm your camera PoE switch connects only to the NVR, not to your main network switch
  • Ask your installer to document which NIC handles the camera subnet and which handles remote access -- this should be in your system documentation
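
The checklist above, and the two-NIC design it verifies, can be turned into a repeatable audit. This is an added example, not PAX Security's tooling or any NVR vendor's code: it assumes you can export the router's device list as `ip mac hostname` lines, know your cameras' MAC addresses, and can read the NVR's camera-side DHCP scope and packet-forwarding setting. All addresses, MACs and names are constructed.

```python
import ipaddress

def parse_devices(text):
    """Parse 'ip mac hostname' lines into {mac: ip_address}."""
    devices = {}
    for line in text.strip().splitlines():
        ip, mac, _name = line.split()
        devices[mac.lower()] = ipaddress.ip_address(ip)
    return devices

def audit_isolation(router_list, camera_macs, main_lan, camera_scope, nvr_forwards):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    main_net = ipaddress.ip_network(main_lan)
    cam_net = ipaddress.ip_network(camera_scope["subnet"])
    # Checklist: cameras must not appear in the main router's device list.
    for mac, ip in parse_devices(router_list).items():
        if mac in camera_macs:
            findings.append(f"camera {mac} is on the main network at {ip}")
    # The camera subnet must be separate from the main LAN.
    if cam_net.overlaps(main_net):
        findings.append(f"camera subnet {cam_net} overlaps main LAN {main_net}")
    # The camera-side DHCP scope must hand out addresses only, no gateway.
    if camera_scope.get("router"):
        findings.append(f"camera DHCP scope offers gateway {camera_scope['router']}")
    # Assumption: a dual-homed NVR that forwards packets could become a route out.
    if nvr_forwards:
        findings.append("NVR forwards packets between its two interfaces")
    return findings

# Constructed sample data (not from a real site).
CAMERA_MACS = {"02:00:00:00:00:11", "02:00:00:00:00:12"}
ROUTER_LIST_FLAT = """
192.168.1.10 02:00:00:00:01:10 office-pc
192.168.1.23 02:00:00:00:00:11 ipcam-gate
192.168.1.40 02:00:00:00:01:40 pos-terminal
"""
ROUTER_LIST_ISOLATED = """
192.168.1.10 02:00:00:00:01:10 office-pc
192.168.1.40 02:00:00:00:01:40 pos-terminal
"""
FLAT = audit_isolation(ROUTER_LIST_FLAT, CAMERA_MACS, "192.168.1.0/24",
                       {"subnet": "192.168.1.0/24", "router": "192.168.1.1"}, True)
ISOLATED = audit_isolation(ROUTER_LIST_ISOLATED, CAMERA_MACS, "192.168.1.0/24",
                           {"subnet": "10.10.50.0/24", "router": None}, False)

if __name__ == "__main__":
    print("flat:", FLAT)
    print("isolated:", ISOLATED)
```

The flat installation produces four findings; the isolated one produces none, which is the result to keep with the system documentation.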

Common Mistakes to Avoid

Plugging cameras into the same PoE switch as office computers and access points

This puts cameras on your main network with full internet access. A compromised or exfiltrating camera can reach every other device on that network. Cameras need their own dedicated switch connected only to the NVR's secondary NIC.

Assuming the camera brand you chose is safe because it is not a banned brand

NDAA restrictions apply to specific manufacturers but the underlying risk -- firmware that makes outbound connections -- exists across many brands. Network isolation protects you regardless of brand. Trusting the brand and skipping isolation is betting on firmware you have not audited.

Relying on router-level firewall rules to restrict camera traffic instead of true isolation

Firewall rules that block specific destinations only stop the destinations you already know about. They do nothing against connections to new or unknown endpoints, and any rule set can be misconfigured or accidentally changed. A camera with no gateway has no outbound path to block -- there is nothing to misfire.

Frequently Asked Questions

Does camera network isolation affect my ability to access footage remotely?

No. The NVR has two network interfaces -- one isolated camera-side, one internet-facing. Remote access -- through the manufacturer's app, a browser, or a monitoring center -- goes through the internet-facing interface. The cameras feed video to the NVR internally; you reach the NVR from outside. The path for remote viewing never goes through the isolated camera network.

Can my existing NVR support a secondary NIC?

Many enterprise and prosumer NVRs have two ethernet ports built in -- one is often labeled "LAN" and the other "PoE" or "camera." If your NVR only has one port, it cannot natively support the two-NIC architecture without additional hardware. We can assess your current setup and tell you whether it supports isolation or whether an upgrade is warranted.

Is this only relevant for certain camera brands?

No. The isolation architecture is brand-agnostic and should be applied regardless of who made the cameras. Even reputable manufacturers release firmware updates that phone home, use cloud relay services that route traffic through third-party servers, or have vulnerabilities that have not yet been patched. Isolation removes the risk at the network level rather than trying to evaluate each firmware version.

What does it cost to retrofit an existing installation with network isolation?

For most installations, the main costs are a dedicated PoE switch for the camera subnet and a service visit to reconfigure the NVR's second NIC and DHCP settings. If the NVR does not support dual NICs, a replacement NVR may be required. In most cases this is a straightforward half-day job. We can give you a specific estimate after a site assessment.

Not sure whether your cameras are isolated from your main network?

We assess existing installations and can reconfigure or upgrade the network architecture to properly isolate your cameras. Licensed in NY and NJ.