How Secure is DW Spectrum IPVMS?
Affected Roles: All Users
Related Digital Watchdog VMS Apps: DW Spectrum® IPVMS
Software Version: DW Spectrum® IPVMS v5.0
Last Edit: October 6, 2022
Occasionally, Digital Watchdog (DW) Sales and Support team members are asked how the DW Spectrum® IPVMS platform is kept secure. Digital Watchdog designs on the assumption that an attacker is intimately familiar with how DW Spectrum operates, and uses code reviews and automated testing to ensure that there are no hard-coded encryption keys, backdoors, or hidden bypasses in its code. Security therefore does not rest on the design being secret: a system is as secure as the user configures it to be.
This article will describe Digital Watchdog’s security philosophy and how Digital Watchdog ensures that your DW Spectrum System is secure.
**NOTE: It is recommended to consult with a Network Security professional if additional network and data protection beyond the services provided by DW Spectrum IPVMS is needed.
The DW Spectrum IPVMS software platform includes several safeguards and security features that can be enabled to assist customers with meeting the need for reliable cybersecurity methods and protection.
Some of these features include:
System Administrators may define custom encryption keys and enable encryption for all recorded video archives, so that recordings remain protected even when an attacker has direct physical access to the Server machine or its disks.
The following components are either encrypted by default or can be encrypted by enabling settings within the Security tab of the System Administration menu:
The following encryption technologies are used:
DW Spectrum Servers automatically generate a self-signed certificate that is used to authenticate the encrypted (TLS) connections between Clients and the System.
Servers exchange certificates when merged into a multi-server environment, which are validated whenever a client attempts to connect to the System.
Desktop and Mobile Clients pin the Server's certificate on first connection (trust on first use) and check every subsequent connection against that pinned certificate, so a later change of certificate is detected rather than silently accepted.
Clients that are connecting through the DW Cloud connection service are validated through DW Cloud.
**NOTE: A self-signed certificate with a 2048-bit RSA key is generated automatically when the DW Spectrum Server is first created; the TLS sessions it secures use 256-bit symmetric encryption. You can replace the self-signed certificate with one issued by a Certificate Authority (recommended for any server in the System that is reachable from the public Internet, because a self-signed certificate can only be trusted on first use and gives a Client no way to verify the Server's identity before that first connection).
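As an added illustration of the trust-on-first-use pinning described above (this is example code, not Digital Watchdog's Client implementation), the following Python shows a pin store that records a System's certificate fingerprint on first contact, checks every later connection against it in constant time, and refuses a changed certificate until an operator explicitly re-pins, which is what has to happen after the self-signed certificate is replaced by a CA-issued one. The DER byte strings and the use of a System name as the lookup key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded certificates (a real client gets these from
# SSLSocket.getpeercert(binary_form=True)); the bytes are not real certificates.
SELF_SIGNED_CERT_DER = b"\x30\x82\x01\x2a" + b"constructed-der-self-signed-server-cert-v1"
CA_ISSUED_CERT_DER = b"\x30\x82\x01\x2a" + b"constructed-der-ca-issued-server-cert-v2"


def fingerprint_sha256(cert_der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinMismatch(Exception):
    """Raised when a System presents a certificate other than the one pinned for it."""


class PinStore:
    """Trust-on-first-use pin store keyed by a System identifier (assumed here to be the
    System name; the key the real Client uses is not described on the page)."""

    def __init__(self, pins=None):
        self._pins = dict(pins or {})   # system id -> pinned fingerprint

    def check(self, system_id: str, cert_der: bytes) -> str:
        """Return 'pinned' on first contact, 'ok' when the pin matches, raise on mismatch."""
        seen = fingerprint_sha256(cert_der)
        pinned = self._pins.get(system_id)
        if pinned is None:
            # First contact: nothing to compare against, so trust it and record it.
            self._pins[system_id] = seen
            return "pinned"
        if hmac.compare_digest(pinned, seen):
            return "ok"
        # Either someone is in the path or the operator replaced the certificate;
        # the Client must not silently accept it either way.
        raise PinMismatch(
            f"{system_id}: pinned {pinned} but server presented {seen}; "
            "confirm the new fingerprint out of band before re-pinning"
        )

    def repin(self, system_id: str, cert_der: bytes) -> str:
        """Explicit operator action after a certificate replacement (e.g. a CA-issued cert)."""
        self._pins[system_id] = fingerprint_sha256(cert_der)
        return self._pins[system_id]

    def to_json(self) -> str:
        """Persist the pins the way a Client would keep them between runs."""
        return json.dumps(self._pins, sort_keys=True)

    @classmethod
    def from_json(cls, data: str) -> "PinStore":
        return cls(json.loads(data))


def demo():
    """Walk through first contact, a normal reconnect, a changed certificate, and a re-pin."""
    store = PinStore()
    first = store.check("site-a", SELF_SIGNED_CERT_DER)    # first contact -> 'pinned'
    again = store.check("site-a", SELF_SIGNED_CERT_DER)    # same cert -> 'ok'
    try:
        store.check("site-a", CA_ISSUED_CERT_DER)          # different cert -> PinMismatch
        changed = False
    except PinMismatch:
        changed = True
    store.repin("site-a", CA_ISSUED_CERT_DER)              # operator confirmed the new cert
    after = store.check("site-a", CA_ISSUED_CERT_DER)      # -> 'ok'
    return first, again, changed, after


if __name__ == "__main__":
    print(demo())
```

The point of the `PinMismatch` path is operational: after you install a CA-issued certificate on a public-facing Server, every Client that pinned the old self-signed one will see exactly this mismatch, and the correct response is to verify the new fingerprint out of band and re-pin, not to add a "skip the check" option.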
DW Spectrum System Owners and Administrators have the option to encrypt the recorded video archive so that recorded video can only be viewed when using the DW Spectrum Desktop Client, DW Spectrum Mobile Client, or with the Web Admin.
The Archive Encryption feature uses AES with a 128-bit key (AES-128), which applies ten (10) transformation rounds to each block and is approved by the U.S. National Security Agency for protecting classified information up to the SECRET level. When archive encryption is combined with encrypted communications, the organization protects its video both in transit (live and recorded streams between the Server and Clients) and at rest (the recorded archive on disk).
To enable the optional encryption options through an instance of the DW Spectrum® Client:
**NOTE: Encrypting video traffic will increase the CPU usage of the DW Spectrum® Server machine as more processing resources will be needed.
User connections are validated through session-based (bearer token) authentication by default. This prevents man-in-the-middle attacks and
The Two Factor Authentication (2FA) security feature can be implemented as an additional layer of cyber security. When someone tries to gain access to a DW Spectrum System using 2FA, they will be required to enter a password when initially connecting (1st factor) then will be required to enter a pin code (2nd factor) that has been generated from an authentication application.
DW Spectrum uses session-based (bearer token) authentication by default: the user authenticates once, the Server issues a session token, and later requests present that token over the encrypted connection instead of re-sending password-derived credentials.
The previous authentication method for local users (HTTP Digest, which requires the Server to keep an MD5-based password hash) is now disabled by default, so that no MD5 password hash is stored in the local DB.
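To make concrete why an MD5 password hash in the local DB matters, here is an added Python example (illustrative, not Digital Watchdog's code): with HTTP Digest the Server must store HA1 = MD5(user:realm:password), and anyone who copies that value can answer any digest challenge without ever knowing the password, so a stolen database is as good as stolen credentials. A session-based login instead checks the password against a salted, iterated verifier (PBKDF2 here, chosen for this example; the page does not say what DW Spectrum stores) and hands the client a random bearer token that is unrelated to the password and can be revoked. The account, realm, and nonce values are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample account; not real credentials.
USERNAME, REALM, PASSWORD = "operator", "VMS", "correct horse battery staple"


def _md5_hex(s: str) -> str:
    # usedforsecurity=False: MD5 is shown here only to model the legacy scheme.
    return hashlib.md5(s.encode(), usedforsecurity=False).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password): what a digest-auth server has to keep for each user."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """Answer to a digest challenge (no qop): MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    return _md5_hex(f"{ha1}:{nonce}:{_md5_hex(f'{method}:{uri}')}")


def client_response(username, realm, password, method, uri, nonce) -> str:
    """A legitimate client derives HA1 from the password it knows, then answers."""
    return digest_response(digest_ha1(username, realm, password), method, uri, nonce)


def attacker_response(stolen_ha1, method, uri, nonce) -> str:
    """Someone holding only the stored HA1 answers the same challenge with no password at all."""
    return digest_response(stolen_ha1, method, uri, nonce)


def make_verifier(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Salted, iterated verifier (PBKDF2-HMAC-SHA256). A copy of this cannot be replayed as a
    login; it has to be brute-forced per user, and the iteration count makes that slow."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def check_password(password: str, verifier: dict) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(dk, verifier["hash"])


class SessionStore:
    """Bearer-token sessions: prove the password once, then present a random token."""

    def __init__(self, users: dict):
        self.users = users       # username -> verifier dict
        self.sessions = {}       # token -> username

    def login(self, username: str, password: str):
        verifier = self.users.get(username)
        if verifier is None or not check_password(password, verifier):
            return None
        token = secrets.token_urlsafe(32)   # unrelated to the password; revocable server-side
        self.sessions[token] = username
        return token

    def authenticate(self, bearer_token: str):
        """Who does this token belong to, or None if it is unknown or revoked."""
        return self.sessions.get(bearer_token)

    def logout(self, bearer_token: str) -> None:
        self.sessions.pop(bearer_token, None)


if __name__ == "__main__":
    ha1 = digest_ha1(USERNAME, REALM, PASSWORD)
    nonce = "constructed-nonce-1"
    print("legit == attacker:",
          client_response(USERNAME, REALM, PASSWORD, "GET", "/api/ping", nonce)
          == attacker_response(ha1, "GET", "/api/ping", nonce))
```

The equality printed at the end is the whole argument for disabling the legacy method: the stored HA1 is password-equivalent, whereas a stolen PBKDF2 verifier still has to be cracked and a stolen session token can simply be revoked.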
DW Cloud users use OAuth2 authentication by default, so the DW Cloud password is presented only to DW Cloud and is never stored by the Server: this prevents the password from being compromised through the Server and makes offline attacks against DW Cloud logins impossible.
It is recommended to enable Two Factor Authentication to add a further layer of protection on top of the OAuth2 authentication.
Email Server options include TLS (Transport Layer Security) as the default, which encrypts the SMTP connection between the DW Spectrum Server and the outgoing mail server so that notification e-mail cannot be read in transit.
The DW Spectrum® Server software runs on the server computer as a service with administrator privileges. To protect DW Spectrum® Server data from being overwritten by other applications on the same machine, we strongly recommend that those applications are not granted administrator privileges and have no access to the DW Spectrum® Server archive storage.
Digital Watchdog uses the OpenSSL library whenever something needs to be encrypted. Although the DW Spectrum® Server can use any cipher suite and hash algorithm that OpenSSL supports, deprecated and insecure algorithms with known weaknesses (such as the RC4 and 3DES ciphers) are disabled. The Transport Layer Security (TLS) protocol provides privacy and data integrity between two communicating applications.
The default OpenSSL cipher string is "HIGH:!RC4:!3DES"; the cipher list can be tightened further by editing this setting. TLS 1.2 is supported by default, and other protocol versions can be enabled by modifying the "allowedSslVersions" parameter; TLS 1.0 and 1.1 should only be enabled when a legacy client requires them, since doing so weakens every connection that negotiates them.
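The following Python is an added example (it uses the standard-library ssl module, which is backed by OpenSSL; it is not DW Spectrum's configuration code) that builds a server-side TLS context with the page's cipher string and a TLS 1.2 floor, then audits what that string actually admits. On a typical OpenSSL build the audit shows that HIGH by itself still includes anonymous (ADH/AECDH) suites, which authenticate nobody, and plain-RSA key exchange, which has no forward secrecy. The tightened string alongside is this example's suggestion, not a documented DW Spectrum setting, and the Server-side setting name that carries the cipher string is not given on the page.

```python
import ssl

# Cipher string the page quotes as the DW Spectrum default, and a tightened variant
# (the extra exclusions are this example's suggestion, not a documented DW setting).
DW_DEFAULT_CIPHERS = "HIGH:!RC4:!3DES"
TIGHTENED_CIPHERS = "HIGH:!RC4:!3DES:!aNULL:!eNULL:!MD5:!kRSA"

# Substrings that identify suites built on algorithms the page says are disabled, plus the usual suspects.
DEPRECATED_MARKERS = ("RC4", "DES-CBC3", "NULL", "EXPORT", "MD5")


def build_server_context(cipher_string: str = DW_DEFAULT_CIPHERS,
                         floor: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Server-side context with the given cipher string and protocol floor
    (the floor plays the role of the page's allowedSslVersions parameter)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = floor       # TLS 1.0/1.1 handshakes are refused outright
    ctx.set_ciphers(cipher_string)    # raises if the string selects no cipher at all
    return ctx


def tls_floor(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def cipher_names(ctx: ssl.SSLContext) -> list:
    """Every suite the context would offer, TLS 1.3 suites included."""
    return [c["name"] for c in ctx.get_ciphers()]


def deprecated_ciphers(ctx: ssl.SSLContext) -> list:
    """Suites whose name shows a deprecated algorithm (RC4, 3DES, NULL, EXPORT, MD5)."""
    return [n for n in cipher_names(ctx) if any(m in n for m in DEPRECATED_MARKERS)]


def anonymous_ciphers(ctx: ssl.SSLContext) -> list:
    """Suites with no server authentication: a man-in-the-middle needs no certificate at all."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["name"].startswith(("ADH-", "AECDH-")) or c.get("auth") == "auth-null"]


def non_forward_secret(ctx: ssl.SSLContext) -> list:
    """Suites using plain RSA key exchange: a leaked server key decrypts recorded traffic."""
    return [c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa"]


def audit(ctx: ssl.SSLContext) -> dict:
    """Summary a practitioner would check before exposing the Server."""
    return {
        "floor": tls_floor(ctx),
        "suites": len(cipher_names(ctx)),
        "deprecated": deprecated_ciphers(ctx),
        "anonymous": anonymous_ciphers(ctx),
        "no_forward_secrecy": non_forward_secret(ctx),
    }


if __name__ == "__main__":
    for label, cs in (("page default", DW_DEFAULT_CIPHERS), ("tightened", TIGHTENED_CIPHERS)):
        print(label, cs, audit(build_server_context(cs)))
```

The same audit can be run from the command line with `openssl ciphers -v 'HIGH:!RC4:!3DES'`, whose Au=None and Kx=RSA columns correspond to the `anonymous_ciphers` and `non_forward_secret` lists above. Whichever string you settle on, re-run the audit after an OpenSSL upgrade, because the membership of HIGH changes between releases.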