Topology
To protect your surveillance system from hackers and unauthorized network access, install the FortiRecorder appliance and cameras behind a network firewall such as a FortiGate. FortiRecorder is not a firewall. FortiRecorder appliances are designed specifically to manage cameras and store video.
If remote cameras or people will be accessing the appliance via the Internet, through a virtual IP or port forward on your router or FortiGate, configure your router or firewall to restrict access, allowing only their IP addresses. Require firewall authentication for connections from network administrators and security guards.
In a complex network environment, make sure traffic cannot bypass the FortiRecorder appliance and reach the cameras directly.
If remote access while travelling or at home is not necessary, do not configure the settings described in “Configuring system timeout, ports, and public access”, and do not configure your Internet firewall to forward traffic to FortiRecorder. If you do require remote access, be sure to apply strict firewall policies to the connection, harden all accounts and administrative access (see “Administrator access” and “Operator access”), and keep the FortiRecorder software up to date (see “Patches”).
Disable all network interfaces that should not receive any traffic.
Figure 6: Disabling port4 in System > Network > Interface
For example, if administrative access is typically through port1, the Internet is connected to port2, and cameras are connected to port3, you would disable (“bring down”) port4. This would prevent an attacker with physical access from connecting a cable to port4 and thereby gaining access if the configuration inadvertently allows it.
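The checks in this section can be run against an inventory of your forwarding rules and interfaces. The following is an added example, not part of the FortiRecorder documentation or software; the data layout, field names, rule names and addresses are constructed for illustration and do not correspond to any FortiRecorder or FortiGate export format.

```python
import ipaddress

# Constructed sample inventory (assumption: you maintain something similar by hand
# or derive it from your own firewall's configuration).
RECORDER = "192.0.2.10"                           # FortiRecorder address
CAMERAS = ipaddress.ip_network("192.0.2.64/26")   # camera subnet
FORWARDS = [
    {"name": "guard-home", "sources": ["198.51.100.7/32"], "dest": "192.0.2.10", "auth": True},
    {"name": "legacy-web", "sources": ["0.0.0.0/0"], "dest": "192.0.2.10", "auth": False},
    {"name": "cam-direct", "sources": ["203.0.113.0/24"], "dest": "192.0.2.70", "auth": True},
]
INTERFACES = {
    "port1": {"up": True, "role": "admin"},
    "port2": {"up": True, "role": "internet"},
    "port3": {"up": True, "role": "cameras"},
    "port4": {"up": True, "role": None},          # nothing should be plugged in here
}

def audit(forwards, interfaces, recorder, cameras):
    """Return (item, finding) pairs for deviations from the topology guidance."""
    findings = []
    recorder_ip = ipaddress.ip_address(recorder)
    for rule in forwards:
        dest = ipaddress.ip_address(rule["dest"])
        if dest in cameras:
            # Traffic must go through the recorder, never straight to a camera.
            findings.append((rule["name"], "forwards directly to a camera"))
            continue
        if dest != recorder_ip:
            continue  # rule does not concern the surveillance system
        for src in rule["sources"]:
            # A /0 source means the forward is open to every address.
            if ipaddress.ip_network(src).prefixlen == 0:
                findings.append((rule["name"], "source not restricted to known addresses"))
        if not rule["auth"]:
            findings.append((rule["name"], "firewall authentication not required"))
    for name, iface in sorted(interfaces.items()):
        # An interface with no assigned use should be brought down.
        if iface["up"] and iface["role"] is None:
            findings.append((name, "interface is up but has no assigned use"))
    return findings

if __name__ == "__main__":
    for item, finding in audit(FORWARDS, INTERFACES, RECORDER, CAMERAS):
        print(f"{item}: {finding}")
```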