Imagine that a hacker took over one of the cameras in your company - because of a default password, an unpatched firmware vulnerability or a vulnerable port exposed to the Internet. What can he do now? If the cameras are on the same network as employee computers, file servers and printers, the answer is almost everything: he can scan the network, look for other devices and try to reach company data.
Network segmentation via VLANs solves this problem. Cameras go to a separate, isolated network - and even if someone takes them over, there is no way from there to the rest of the infrastructure.
What is VLAN
VLAN (Virtual Local Area Network) is a virtual local network created in software at the managed switch level. Physically, all devices may be connected to the same switch, but logically they operate in separate, isolated network segments.
Devices in different VLANs cannot communicate directly - traffic between them must pass through a router or firewall, where it can be controlled and filtered.
A typical scheme for a company with monitoring
- VLAN 10 – corporate network: computers, servers, printers, IP phones
- VLAN 20 – CCTV: IP cameras, NVR recorders
- VLAN 30 – guests / guest WiFi: isolated from everything
- VLAN 40 – management: switches, access points, routers (access only for administrator)
Between VLAN 10 and VLAN 20, I only allow the traffic necessary to manage the recorder - HTTPS on port 443. Cameras in VLAN 20 do not see anything in VLAN 10 and cannot initiate connections to the company network.
What you need to implement
A managed switch supporting 802.1Q VLANs – this is essential. A simple unmanaged switch (one that costs PLN 50-100) does not support VLANs. You need to invest in a managed switch.
Popular models I use:
- Ubiquiti UniFi – great interface, management from one console, easy VLAN configuration
- MikroTik CSS326-24G-2S+RM – cheaper option, more configuration options, steeper learning curve
- TP-Link TL-SG2428P – good price-performance ratio for smaller installations
A router or firewall that supports inter-VLAN routing – e.g. MikroTik RouterBoard, Ubiquiti EdgeRouter or pfSense on dedicated hardware.
VLAN configuration on the example of MikroTik
Below is a simplified configuration - I assume that the MikroTik CSS326 switch is already connected and available via Winbox or WebFig.
Step 1: Creating VLANs
In the Bridge → VLANs section, add two VLANs: VLAN ID 10 (corporate network) and VLAN ID 20 (CCTV). Select which ports belong to which VLANs.
Step 2: Assign ports
Ports 1–8 – VLAN 20 (cameras, NVR) – configure as access ports with PVID 20. Ports 9–24 – VLAN 10 (corporate network) – PVID 10. Trunk port (connection to the router) – tagged VLAN 10 and 20.
Step 3: Firewall rules on the router
On the router, add a rule that prohibits traffic from VLAN 20 to VLAN 10 (drop forward from src-address 192.168.20.0/24 to dst-address 192.168.10.0/24). Only allow traffic in the other direction if you need to manage the recorder from a computer.
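The router-side part of the three steps above, written out as RouterOS CLI commands. This is an added example, not configuration from the original post or from MikroTik; it assumes a RouterOS router with ether1 as the trunk port, VLAN interfaces named vlan10 and vlan20, and a constructed NVR address of 192.168.20.10.

```routeros
# Added example (not from the original post). Assumed: RouterOS router,
# ether1 = trunk port to the switch, NVR at the constructed address 192.168.20.10.
/interface vlan
add name=vlan10 vlan-id=10 interface=ether1 comment="corporate network"
add name=vlan20 vlan-id=20 interface=ether1 comment="CCTV"
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
/ip firewall filter
# Rules are evaluated top to bottom. Replies to sessions opened from VLAN 10
# (the HTTPS session to the NVR) must be accepted before the drop rules,
# otherwise the return traffic from the NVR is silently cut off.
add chain=forward connection-state=established,related action=accept comment="allow replies"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# The only thing allowed from the corporate network into the CCTV segment:
# HTTPS to the recorder.
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.10 protocol=tcp dst-port=443 action=accept comment="corp -> NVR https"
# Anything a camera or the NVR tries to start towards VLAN 10 is logged and dropped.
# A hit on the log line is a useful alert: a camera has no business talking to the office.
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=log log-prefix="cctv-to-corp" comment="log cctv -> corp"
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=drop comment="drop cctv -> corp"
# Everything else from VLAN 10 into the CCTV segment is dropped as well.
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=drop comment="drop corp -> cctv"
```

If the router is also the cameras' default gateway to the Internet, add a separate rule for that path; the rules above only decide what crosses between the two VLANs.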
What do you gain?
Even if a camera is compromised, the attacker is trapped in VLAN 20. He cannot scan the computers in VLAN 10, he cannot reach the file server, he cannot spread ransomware. This is a fundamental security principle - defense in depth – building successive layers of protection, where breaking one does not mean access to everything.
By the way: cameras in a separate VLAN do not generate unnecessary broadcast traffic in the company network. Large installations with many cameras can put a significant broadcast load on the network - segmentation eliminates this.
If you want to implement VLANs in your company and you are not sure where to start, I will be happy to conduct a network audit and design an architecture tailored to your facility.