Essential cybersecurity for video surveillance: network segmentation, encryption, firmware management, and zero-trust architecture.
IP cameras are IoT devices connected to corporate networks, and they are frequently targeted. The Mirai botnet compromised hundreds of thousands of cameras. Verkada suffered a breach exposing 150,000+ live camera feeds. Default credentials, unpatched firmware, and flat network architectures create attack surfaces that adversaries actively exploit.
Camera networks often have privileged access to sensitive areas (server rooms, executive offices, manufacturing floors) and can serve as pivot points for lateral movement into broader corporate networks. Securing these systems requires the same rigor applied to any network-connected infrastructure.
The single most impactful security measure is isolating cameras on a dedicated VLAN with strict firewall rules. Cameras should only communicate with the VMS server and should have no access to the internet or other corporate network segments.
Visylix edge nodes sit between the camera VLAN and the management network, acting as a controlled gateway. Cameras communicate only with the local edge node, which handles stream processing and forwards metadata and clips to the cloud through an encrypted, authenticated connection.
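One way to verify that segmentation actually holds is to audit flow logs for any camera traffic whose other endpoint is not the VMS server or edge node. The sketch below is an added example, not Visylix code; the subnets, the peer address, the log format, and the function names `classify` and `audit` are all assumptions made for illustration.

```python
import ipaddress

# Assumed addressing, for illustration only (none of it comes from the article).
CAMERA_VLAN = ipaddress.ip_network("10.20.30.0/24")
VMS_PEERS = {ipaddress.ip_address("10.20.40.10")}   # VMS server / edge node
CORPORATE = ipaddress.ip_network("10.0.0.0/8")      # all internal address space

# Constructed flow records: "<time> <src> <dst> <proto> <dport>"
SAMPLE_FLOWS = """\
09:00:01 10.20.30.11 10.20.40.10 tcp 443
09:00:02 10.20.40.10 10.20.30.11 tcp 554
09:00:05 10.20.30.12 203.0.113.7 tcp 23
09:00:09 10.20.30.12 10.20.30.11 tcp 80
09:00:14 10.20.30.13 10.1.5.20 tcp 445
09:00:20 10.1.5.99 10.20.30.13 tcp 80
09:00:31 10.1.5.20 10.1.5.21 tcp 443
not-a-flow-line
"""

def classify(src, dst):
    """Return None if the flow is allowed or irrelevant, else a violation label."""
    src_cam, dst_cam = src in CAMERA_VLAN, dst in CAMERA_VLAN
    if not (src_cam or dst_cam):
        return None                      # no camera involved
    if src_cam and dst_cam:
        return "camera-to-camera"        # cameras should only talk to the VMS
    peer = dst if src_cam else src
    if peer in VMS_PEERS:
        return None                      # the one permitted path
    zone = "corporate" if peer in CORPORATE else "internet"
    return f"{zone}-egress" if src_cam else f"{zone}-ingress"

def audit(text):
    """Parse flow lines and return (violations, unparsed_line_count)."""
    violations, bad = [], 0
    for line in text.splitlines():
        try:
            ts, src, dst, proto, dport = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            int(dport)
        except ValueError:               # wrong field count or bad address/port
            bad += 1
            continue
        label = classify(src, dst)
        if label:
            violations.append((ts, str(src), str(dst), f"{proto}/{dport}", label))
    return violations, bad
```

Calling `audit(SAMPLE_FLOWS)` flags four of the constructed flows and counts one unparsed line; any non-empty result on real logs means a firewall rule permits a path the segmentation policy says should not exist.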
All data in transit should be encrypted. Visylix uses TLS 1.3 for management traffic and SRTP (Secure Real-time Transport Protocol) for media streams. Data at rest is encrypted with AES-256. User authentication supports multi-factor authentication and single sign-on (SSO) integration.
Camera credentials should use unique, complex passwords for each device (never defaults). Where supported, use certificate-based authentication (IEEE 802.1X) to prevent unauthorized devices from joining the camera network.
Camera firmware vulnerabilities are discovered regularly. Establish a firmware management program that tracks firmware versions, monitors vendor security advisories, and schedules updates. NDAA Section 889 compliance is mandatory for US government deployments; it prohibits cameras from Huawei, ZTE, Hikvision, Dahua, and Hytera in federal systems.
For commercial organizations, sourcing cameras from NDAA-compliant manufacturers (Axis, Hanwha, Bosch, Vivotek, Pelco) reduces supply chain risk. Visylix works with any ONVIF-compatible camera, giving organizations freedom to select hardware from trusted manufacturers.
Cameras are IoT devices with privileged network access, and many ship with default credentials or unpatched firmware. Incidents like the Mirai botnet compromise and the Verkada breach that exposed over 150,000 live feeds show how flat network architectures let attackers pivot from a single camera deep into corporate systems.
Network segmentation is the highest-leverage control. Cameras should sit on a dedicated VLAN with firewall rules that only allow traffic to the VMS server, with no internet access and no path to other corporate segments. Visylix edge nodes act as a controlled gateway between the camera VLAN and the management network.
Management traffic uses TLS 1.3, media streams use SRTP, and data at rest is encrypted with AES-256. User authentication supports multi-factor authentication and SSO, and certificate-based 802.1X can be used for cameras that support it to block unauthorized devices from joining the network.
NDAA Section 889 prohibits Huawei, ZTE, Hikvision, Dahua, and Hytera cameras in US federal systems. Commercial buyers often mirror these restrictions for supply chain assurance and source from Axis, Hanwha, Bosch, Vivotek, or Pelco. Visylix works with any ONVIF-compatible camera, so procurement teams keep their choice of hardware.