
How Secure is DW Spectrum?


-----------------------------------

Affected Roles:  All Users

Related Digital Watchdog VMS Apps:  DW Spectrum® IPVMS

Last Edit:  December 4, 2020

-----------------------------------

Peace of Mind

Occasionally, our Sales and Support teams are asked how DW Spectrum® is kept secure.  Assuming that an attacker is intimately familiar with how the DW Spectrum® IPVMS platform operates, Digital Watchdog (DW) uses code reviews and automated testing to ensure that there are no known encryption keys, backdoors, or hidden hacks in our code.  As a result, a system is as secure as the user makes it.

This article describes our security philosophy and how DW ensures that DW Spectrum® is as safe as possible from nefarious intervention.

Note:  It is recommended to consult with a Network Security professional if additional network and data protection is needed beyond the services that are utilized by DW Spectrum® IPVMS.

What Data Is Encrypted in DW Spectrum®?

The following components are either encrypted by default or can be encrypted by enabling settings within the Security section, found within the System Administration menu:

  • Management of network traffic/data
  • Video from camera streams
  • User login authorization

What Encryption Technologies Are Used in DW Spectrum®?

The following encryption technologies are used:

Why Are Some Connections Not Enabled By Default?

Although Digital Watchdog strives to keep DW Spectrum Server connections secure by default, the processing resources of the computer that hosts the DW Spectrum Server program are also taken into consideration.  For example, enabling the Encrypt video traffic security option increases the CPU usage of that computer and can create processing issues if the hardware is not sufficient or is already being used for additional purposes.

Related:  Using A DW Spectrum Server As A Client

DW Spectrum® Security

The default security settings vary depending on the component that is being accessed (⮀  - signifies a connection between the two denoted components).

Related:  Cyber Security and DW Spectrum

Login Credentials

  • DW Spectrum® Server local user accounts – utilizes a ‘salted’ MD5 hash to prevent malicious use of dictionaries containing common passwords
  • DW Cloud™ user accounts – utilizes a complex multi-level hash to mitigate the abuse of retrieving cleartext credentials and the conversion back to the original user password

Email Notifications

Email Server options include TLS (Transport Layer Security) as the default option, which protects Internet communication by encrypting the data that is transmitted between a DW Spectrum Server and its clients.

Spectrum Server ⮀ Spectrum Server

  • Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
  • Video streams – not encrypted by default, but optional TLS encryption can be enabled (under System Administration Menu → General → Security)
  • Authorization – utilizes HTTP Digest-MD5 cryptographic hashing

Spectrum WebAdmin ⮀ Spectrum Server

  • Data Traffic – not encrypted by default, but can be forced to do so (found in the Settings menu under the System tab)
  • Video Streams – not encrypted by default, but optional TLS encryption can be enabled (under Settings → System → Traffic encryption)
  • Authorization – HTTP Cookie Sessions

Related:  Accessing the DW Spectrum Web Client

Spectrum Desktop/DW Mobile ⮀ Spectrum Server

  • Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
  • Video Streams – not encrypted by default, but optional TLS encryption can be enabled (under System Administration Menu → General → Security)
  • Authorization – utilizes HTTP Digest-MD5 cryptographic hashing

DW Cloud ⮀ Spectrum Server

  • Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
  • Video Streams – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
  • Authorization – utilizes HTTP Digest-MD5 cryptographic hashing

Spectrum Desktop/DW Mobile ⮀ DW Cloud

  • Data Traffic – always encrypted by HTTPS (Hypertext Transfer Protocol Secure)
  • Authorization – utilizes HTTP Digest-MD5 cryptographic hashing

3rd Party Integrations ⮀ Spectrum Server

  • Data Traffic – not encrypted, but optional TLS encryption can be enabled
  • Video Streams – not encrypted, but optional TLS encryption can be enabled
  • Authorization – HTTP Digest-MD5, HTTP Cookie Sessions, or URL-parameter

Enabling Optional SSL/TLS Encryption

To enable the optional encryption options through an instance of the DW Spectrum® Client:

  1. Open the Main Menu and click on “System Administration”.
  2. To encrypt all system management traffic data (HTTPS redirect), enable the “Allow only secure connections” setting.
  3. To encrypt RTSP traffic (video over TLS), enable the “Encrypt video traffic” setting.  Note that encrypting video traffic will increase the CPU usage of the DW Spectrum® Server.

OS Level Security and Advanced Settings

SSL Certificate

A 2048-bit SSL certificate with 256-bit encryption is used when installing the DW Spectrum® IPVMS software.  You can replace the SSL certificate with one provided by a Certification Authority (recommended for any public servers that you may have within the system).

Service Permissions

The DW Spectrum® Server software runs on the server computer as a service and has administrator permissions.  In order to protect DW Spectrum® Server data from being overwritten by other applications on the same server, we highly recommend that these other applications do not have administrator privileges and do not have access to the DW Spectrum® Server archive storage.

OpenSSL Configuration for Network Connections

Digital Watchdog uses the OpenSSL library whenever something needs to be encrypted.  Although the DW Spectrum® Server can utilize all of the hash algorithms that OpenSSL is capable of, we disable deprecated and insecure protocols that have known security vulnerabilities (such as RC4 and 3DES ciphers).  The Transport Layer Security (TLS) protocol aims to provide privacy and data integrity between two communicating computer applications.

The default OpenSSL cipher setting “High:!RC4:!3DES” is used, but the cipher setting can be changed manually to be even more secure.  We support TLS 1.2 by default, but other options can be enabled by modifying the parameter “allowedSslVersions”.
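
The cipher setting and TLS 1.2 default described above can be checked against a local OpenSSL build.  The following is an added example, not Digital Watchdog's code: it expands the article's cipher string (written with OpenSSL's upper-case HIGH keyword) and a stricter string chosen here as an assumption, then counts the suites that still lack forward secrecy or AEAD encryption.  The names STRICT_CIPHERS, build_context and audit are made up for this example.

```python
import ssl

# The article's default cipher setting, in OpenSSL's upper-case keyword spelling.
PAGE_CIPHERS = "HIGH:!RC4:!3DES"
# Assumption: one possible stricter setting (forward secrecy + AEAD only).
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"
# Key exchanges that give forward secrecy ("any" is what TLS 1.3 suites report).
FS_KEY_EXCHANGES = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}


def build_context(cipher_string):
    """Server-side context limited to TLS 1.2 or newer and the given ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def audit(cipher_string):
    """Expand the string with the local OpenSSL build and classify each suite."""
    report = {"total": 0, "rc4_or_3des": [], "no_forward_secrecy": [], "non_aead": []}
    for suite in build_context(cipher_string).get_ciphers():
        # description looks like: "NAME TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        fields = dict(f.split("=", 1) for f in suite["description"].split() if "=" in f)
        report["total"] += 1
        # 3DES suites are named DES-CBC3-*, so test the Enc field, not the name.
        if fields.get("Enc", "").startswith(("RC4", "3DES")):
            report["rc4_or_3des"].append(suite["name"])
        if fields.get("Kx") not in FS_KEY_EXCHANGES:
            report["no_forward_secrecy"].append(suite["name"])
        if fields.get("Mac") != "AEAD":
            report["non_aead"].append(suite["name"])
    return report


if __name__ == "__main__":
    for label, string in (("article default", PAGE_CIPHERS), ("stricter", STRICT_CIPHERS)):
        r = audit(string)
        print(f"{label}: {string}")
        print(f"  suites enabled:        {r['total']}")
        print(f"  RC4/3DES:              {len(r['rc4_or_3des'])}")
        print(f"  no forward secrecy:    {len(r['no_forward_secrecy'])}")
        print(f"  not AEAD (CBC etc.):   {len(r['non_aead'])}")
```

The counts depend on the OpenSSL build that Python is linked against, so run the audit on the same machine and OpenSSL version as the server being configured.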

Audit Trail and Event Log

The DW Spectrum® Client provides logs that can be used to analyze who is accessing the system and to monitor past activity within the server.  These logs offer information that can be used to diagnose server issues and to secure the system as deemed appropriate.

Audit Trail

The Audit Trail log displays the tracked user actions and records.

To view this log, open the Main Menu and click on “Audit Trail”.

There are two summary panels, Sessions and Cameras, with a related Details panel to the right.  Use these tabs to switch between a summary of the activities during a user’s session (Sessions) and a summary of the devices that were used (Cameras).

Event Log

The Event Log displays system events that have occurred within DW Spectrum®.  This can be utilized to search through past system activity to diagnose device or server issues.

To view this log:

  1. Open the Main Menu and click on “System Administration”.
  2. From the General tab, click on the “Event Log” tile.

Use the Event Log to view occurrences of default and custom system events (Event Rules).
