3VR SmartRecorder(TM). IT Requirements. 3VR Video Intelligence Platform. June 2011




3VR SmartRecorder(TM) IT Requirements
3VR Video Intelligence Platform
IT REQUIREMENTS WHITE PAPER, June 2011
Applies to: 3VR Software Version 6.0.8
Document number: 3VRSR-ITREQ-R5

3VR, Inc., 475 Brannan Street, Suite 430, San Francisco, CA 94107, www.3vr.com
Tel: 415.495.5790, Sales: 415.513.4611, Fax: 415.495.5797, Email: info@3vr.com

(c) 2011 3VR, Inc. 3VR and the 3VR logo are either trademarks or federally registered trademarks of 3VR, Inc. Specifications herein subject to change without notice.

Contents

1. Summary
2. IT Security with 3VR
   2.1 Operating System
   2.2 Applications
   2.3 Network Services
   2.4 Ports
   2.5 SMTP
   2.6 Physical Access
   2.7 Antivirus
   2.8 Client Applications
   2.9 Vulnerability Testing
3. Systems Management with 3VR
   3.1 Systems and User Management
   3.2 Extraordinary Maintenance Account
   3.3 Systems Health Monitoring
   3.4 Updates/Upgrades Management Plan
4. Client Application Management
   4.1 About 3VR Client Applications
   4.2 Where to Find Client Applications
   4.3 Client Application System Requirements
   4.4 Licensing 3VR Client Applications
5. Data Redundancy with 3VR
   5.1 RAID
   5.2 Settings Backup
6. Bandwidth Utilization with 3VR
   6.1 Bandwidth Consumption
   6.2 Bandwidth Throttling
About 3VR

1. Summary

The purpose of this paper is to detail the capabilities and hardened security measures built into 3VR systems to address the IT requirements of today's security buyers. 3VR has invested heavily to ensure that all 3VR VIP appliances are as secure as possible against virus threats and external attacks. Of particular importance are the following 3VR features:

- 3VR systems conform to industry-leading information security baselines and pose equal or lesser risk than alternative appliances, workstations or operating systems on the market.
- The 3VR system is built upon a modular version of Microsoft Windows (either Windows Embedded Standard or Windows Embedded Standard 7) and is implemented in a way that strictly avoids components that present security risks, such as Internet Explorer, Internet Information Server, and File Transfer Protocol or Telnet clients, which have historically represented vulnerabilities.
- All 3VR software applications communicate using proprietary protocols that minimize the risk of intruder access.
- 3VR appliances require only four open ports for network communication with client applications and the 3VR Enterprise Appliance.
- In five years of widespread commercial deployment, 3VR has not generated any security compromises.

2. IT Security with 3VR

2.1 Operating System

3VR systems use a modular version of Microsoft Windows Embedded Standard or Microsoft Windows Embedded Standard 7 (WES). 3VR version 6.0.8 is our latest software release and is current with all of the latest operating system patches and security hotfixes. 3VR's specific configuration of WES significantly reduces security risks, as described in the appropriate sections below.

2.2 Applications

3VR VIP Appliance applications:
- MySQL
- 3VR Recording Systems:
  - Shell (3VR proprietary)
  - ContentServer (3VR proprietary)
  - PipelineManager (3VR proprietary)
  - Controller (3VR proprietary)
  - OpCenter (3VR proprietary)
  - SystemManager (3VR proprietary)

3VR Enterprise Appliance applications:
- MySQL
- 3VR Recording Systems:
  - Shell (3VR proprietary)
  - EnterpriseServer (3VR proprietary)
  - Controller (3VR proprietary)
  - OpCenter (3VR proprietary)
  - SystemManager (3VR proprietary)

Interconnects between 3VR applications use a proprietary protocol. This eliminates the attack vectors that viruses use to attack systems; to attack the 3VR system, adversaries would have to build complex protocols. The 3VR appliance is also protected against denial of service attacks.

2.3 Network Services

3VR has created an appliance that is highly resistant to network-based attacks. The applications most commonly exploited by attackers are not present on 3VR systems: these include Internet Explorer, Internet Information Server, File Transfer Protocol (FTP), and Telnet servers and clients. 3VR does not use any form of file sharing for storage on the appliance. To further protect the system, 3VR has built in a software firewall which restricts traffic to only the allowed ports.

With this set of security measures in place, the 3VR appliance uses only two types of service: 3VR proprietary protocols and Microsoft Message Queuing (MSMQ) with proprietary payload formats. Each of these methods supports authentication with one-way hash-based encryption.

3VR believes the only potential risk is pirating the Device Update Agent and launching an artificial upgrade. This complicated task, however, would require reverse engineering 3VR's proprietary protocols. The actual threat is low, as the expertise is rare and the value of doing so is minimal.

2.4 Ports

Models                                    Protocol  Port  Program               Purpose
All systems in an Enterprise environment  TCP       1801  mqsvc.exe (MSMQ)      Synchronization
VIP Appliance                             TCP       2500  ContentServer.exe     Live video
All                                       TCP       3001  Shell.exe             Logging
All                                       TCP       3020  Shell.exe             Remote upgrade, restarts, and network settings changes
VIP Appliance                             TCP       3043  ContentServer.exe     Data access
VIP Appliance                             TCP       3044  ContentServer.exe     Bandwidth measurement (optional)
Enterprise Appliance                      TCP       3045  EnterpriseServer.exe  Enterprise management
All                                       UDP       123   w32time.dll           Network Time Protocol
All                                       UDP       3333  SystemManager.exe     Find Local Servers feature

While all the ports in the above list are important, users of OpCenter and SystemManager can access the appliance for normal use using only ports 3043 and 2500 (standalone VIP Appliances) or ports 3043, 2500, and 3045 (appliances connected to an Enterprise).

Note that for the Enterprise Appliance, port 1801 must always permit communication between the Enterprise Appliance and connected VIP Appliances. All other ports listed above can be blocked in non-diagnostic, non-upgrade situations.

2.5 SMTP

3VR provides limited SMTP support that is constrained to eliminate risk. 3VR provides outbound-only SMTP, and only when a customer specifically configures it. No SMTP forwarding is allowed. Email content is always automatically determined by the software. Furthermore, the SMTP client is coded directly into the application, and there is no receiving code in any of 3VR's applications.
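As an added example (not 3VR's own code or tooling), the following Python script encodes the port table from section 2.4 and checks a constructed netstat-style listing against the paper's guidance: which ports a given deployment actually needs, which documented ports can be blocked outside diagnostic or upgrade windows, and which listeners are not in the table at all. The netstat sample, the deployment labels and the three classification buckets are this example's assumptions.

```python
"""Port-policy check built from the port table in section 2.4.

Added example, not 3VR code. It answers the two questions a network team asks
when firewalling an appliance: which ports must be allowed for a given
deployment, and which currently open ports fall outside that set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    models: str    # which appliance models listen on this port
    proto: str     # "TCP" or "UDP"
    port: int
    program: str
    purpose: str


# The appliance listeners as the paper's section 2.4 lists them.
PORT_TABLE = (
    PortRule("enterprise-connected", "TCP", 1801, "mqsvc.exe (MSMQ)", "Synchronization"),
    PortRule("vip", "TCP", 2500, "ContentServer.exe", "Live video"),
    PortRule("all", "TCP", 3001, "Shell.exe", "Logging"),
    PortRule("all", "TCP", 3020, "Shell.exe", "Remote upgrade, restarts, network settings"),
    PortRule("vip", "TCP", 3043, "ContentServer.exe", "Data access"),
    PortRule("vip", "TCP", 3044, "ContentServer.exe", "Bandwidth measurement (optional)"),
    PortRule("enterprise", "TCP", 3045, "EnterpriseServer.exe", "Enterprise management"),
    PortRule("all", "UDP", 123, "w32time.dll", "Network Time Protocol"),
    PortRule("all", "UDP", 3333, "SystemManager.exe", "Find Local Servers feature"),
)

DOCUMENTED = {(r.proto, r.port) for r in PORT_TABLE}


def required_ports(enterprise_connected, maintenance=False):
    """Minimal (proto, port) set per the paper: 3043 and 2500 for a standalone
    VIP appliance; add 3045 for an Enterprise deployment, plus 1801, which must
    always pass between the Enterprise Appliance and its VIP appliances.
    Everything else is needed only for diagnostics or upgrades (maintenance=True)."""
    ports = {("TCP", 3043), ("TCP", 2500)}
    if enterprise_connected:
        ports |= {("TCP", 3045), ("TCP", 1801)}
    if maintenance:
        ports |= DOCUMENTED
    return ports


def parse_listeners(netstat_text):
    """Extract (proto, port) pairs from 'netstat -an'-style output (Windows layout).
    Header and non-TCP/UDP lines are ignored; IPv6 '[::]:port' parses too."""
    listeners = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        listeners.add((parts[0], int(parts[1].rsplit(":", 1)[1])))
    return listeners


def audit_exposure(listeners, enterprise_connected, maintenance=False):
    """Classify observed listeners: allowed by policy, documented by 3VR but
    blockable outside maintenance, or undocumented (not in the paper's table
    at all, which on a locked-down appliance deserves investigation)."""
    required = required_ports(enterprise_connected, maintenance)
    return {
        "allowed": sorted(listeners & required),
        "block_outside_maintenance": sorted((listeners & DOCUMENTED) - required),
        "undocumented": sorted(listeners - DOCUMENTED),
    }


# Constructed sample output for a VIP appliance joined to an Enterprise Appliance.
# TCP 445 (SMB file sharing) is deliberately included: the paper states that no
# file sharing is used on the appliance, so the audit should flag it.
SAMPLE_NETSTAT = """\
Proto  Local Address      Foreign Address    State
TCP    0.0.0.0:1801       0.0.0.0:0          LISTENING
TCP    0.0.0.0:2500       0.0.0.0:0          LISTENING
TCP    0.0.0.0:3020       0.0.0.0:0          LISTENING
TCP    0.0.0.0:3043       0.0.0.0:0          LISTENING
TCP    0.0.0.0:445        0.0.0.0:0          LISTENING
UDP    0.0.0.0:123        *:*
"""

if __name__ == "__main__":
    report = audit_exposure(parse_listeners(SAMPLE_NETSTAT), enterprise_connected=True)
    for bucket, ports in report.items():
        print(f"{bucket}: {ports}")
```

Run against the sample, the audit allows 1801, 2500 and 3043, marks 3020 and UDP 123 as blockable outside maintenance, and reports TCP 445 as undocumented. The same classification can be fed from a firewall's rule export instead of netstat by swapping the parser.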

2.6 Physical Access

3VR appliances can be physically accessed in one of two ways:
- Logging in at the local console with a monitor, keyboard, and mouse.
- Logging in to the 3VR Client Applications on a laptop that is directly connected to the system with a USB network adapter. Note: this connection method is subject to the same security restrictions as a remote client.

Because of 3VR's account management architecture, a malicious user does not have access to the underlying system. Moreover, even if the user somehow accessed the system, an attack would be extremely difficult because networking services such as a web client, Telnet and FTP are not installed.

2.7 Antivirus

3VR ensures that viruses do not attack the system or the network by enforcing explicit signing of all software that is installed. 3VR uses a SHA-1, 160-bit key for this task. Because of this, sniffing the transmission and intercepting or modifying it is not a practical risk. 3VR's antivirus strategy focuses on lockdown; 3VR does not currently perform antivirus scanning. In five years of widespread commercial deployment, not a single 3VR system has been infected with a virus.

2.8 Client Applications

3VR supports a remote viewing client called OpCenter. OpCenter connects to 3VR appliances via port 3043, as explained in the Ports section, and uses the same account management plan as described in the Systems Management section. 3VR Client Applications (discussed in more detail in the section Client Application Management) access the VIP Appliance using port 3043 for data access and port 2500 for video access. The applications access the Enterprise Appliance on port 3045 for both data and any video stored there. All of the protocols used over these ports are 3VR proprietary protocols with one-way hash-based authentication. The Client Applications do not support extensions or scripting; therefore, attacks by these mechanisms are not possible.

2.9 Vulnerability Testing

3VR runs Tenable's Nessus vulnerability test suite on every release that we ship. These tests consistently show that our system is clean with respect to known vulnerabilities. Detailed test results are available from 3VR on request. Network security personnel at various 3VR customers have run different suites with similar results.

3. Systems Management with 3VR

3.1 Systems and User Management

3VR designed its systems management solution to maximize the security of the underlying operating system and the overall network. 3VR separates login to the 3VR application from login to Windows. Passwords for user accounts are stored in a SQL database using a one-way hash. No 3VR user account has access to the operating system. Windows logins are completely disabled on 3VR appliances.

3VR also provides single sign-on capabilities, so that an administrator can centrally access and modify system and camera configurations on any specific 3VR system across an enterprise. The administrator can also centrally manage users' privileges and passwords. Users' access rights can be restricted as follows:
- By machine(s). A user can be granted access to certain specific machines or to a group of machines in a region. For example, a user may be given access only to machines in the Northeast Region.
- By capability. For example, a user may be restricted to viewing video only.

By default, 3VR does not force password changes. However, the administrator of a 3VR Enterprise may enable password constraints to enforce one or more of the following password restrictions:
- Require a minimum password length
- Require the password to contain lower case, upper case, or non-alphanumeric characters
- Prevent simple dictionary words
- Prevent word variations
- Prevent resetting the password to a previous password

The administrator may also restrict user behavior with respect to user account changes:
- Block the account after a given number of failed sign-in attempts
- Require a password change after a given number of days
- Block the account after a number of days of inactivity

An adversary who acquired the password for a 3VR user despite the protections above could only change data maintained by 3VR software. Since there is no system access available, there is no risk to the system or network.

3.2 Extraordinary Maintenance Account

3VR does have a special system access account used for extraordinary maintenance. This account is accessed through a double password: one supplied by the customer and one, built into the system, that changes daily. The extraordinary maintenance functions cannot be accessed unless both passwords are correctly entered.
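As an added example, not 3VR's code, here is a small Python model of the account controls listed in section 3.1: one-way hashed passwords, the optional composition, dictionary and history rules, failed-attempt lockout, password expiry and inactivity lockout. The paper names the rules but not their mechanics, so the PBKDF2-SHA256 hash, the tiny word list, the substitution table behind the "word variations" rule, the constructed clock origin and all thresholds are this example's assumptions.

```python
"""Account controls of the kind section 3.1 lists: one-way hashed passwords,
optional composition, dictionary and history rules, failed-attempt lockout,
password expiry and inactivity lockout.

Added example, not 3VR code. The paper names these rules but not their
mechanics; PBKDF2-SHA256, the tiny word list, the substitution table behind
the "word variations" rule and every threshold are this example's assumptions.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 100_000
DICTIONARY = {"password", "welcome", "camera", "video", "summer"}   # constructed word list
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})
EXAMPLE_T0 = datetime(2011, 6, 1)                                   # constructed clock origin


def days(n):
    return timedelta(days=n)


def hash_password(pw, salt=None):
    """Salted one-way hash; the 16-byte salt is stored in front of the digest."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)      # constant-time comparison


def base_word(pw):
    """Strip leading/trailing digits or symbols, then undo common substitutions,
    so 'C4mera!!' and 'Welcome1' reduce to dictionary words (the variations rule)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower()).translate(LEET)


class Policy:
    def __init__(self, min_length=8, require_classes=("lower", "upper", "symbol"),
                 block_dictionary=True, block_variations=True, history=3,
                 max_failures=5, max_age_days=90, max_inactive_days=60):
        self.min_length, self.require_classes = min_length, require_classes
        self.block_dictionary, self.block_variations = block_dictionary, block_variations
        self.history, self.max_failures = history, max_failures
        self.max_age, self.max_inactive = days(max_age_days), days(max_inactive_days)

    def check_new_password(self, pw, previous_hashes):
        """Return the rules a candidate password breaks (empty list = accepted)."""
        classes = {"lower": r"[a-z]", "upper": r"[A-Z]", "symbol": r"[^A-Za-z0-9]"}
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        missing = [c for c in self.require_classes if not re.search(classes[c], pw)]
        if missing:
            problems.append("missing character class: " + ", ".join(missing))
        if self.block_dictionary and pw.lower() in DICTIONARY:
            problems.append("dictionary word")
        elif self.block_variations and base_word(pw) in DICTIONARY:
            problems.append("variation of a dictionary word")
        if any(verify_password(pw, h) for h in previous_hashes[-self.history:]):
            problems.append("reuses a previous password")
        return problems


class Account:
    def __init__(self, username, password, policy, now):
        self.username, self.policy = username, policy
        self.hashes, self.failures, self.locked = [], 0, False
        self.password_set = self.last_seen = now
        problems = policy.check_new_password(password, self.hashes)
        if problems:
            raise ValueError(f"initial password rejected: {problems}")
        self.hashes.append(hash_password(password))

    def sign_in(self, password, now):
        """Returns a reason string rather than a bool so the caller can log it."""
        if self.locked:
            return "locked"
        if now - self.last_seen > self.policy.max_inactive:
            self.locked = True                      # inactivity lockout
            return "locked"
        if not verify_password(password, self.hashes[-1]):
            self.failures += 1
            if self.failures >= self.policy.max_failures:
                self.locked = True                  # failed-attempt lockout
                return "locked"
            return "bad-password"
        self.failures, self.last_seen = 0, now
        if now - self.password_set > self.policy.max_age:
            return "password-expired"               # correct, but a change is required
        return "ok"

    def change_password(self, new_password, now):
        problems = self.policy.check_new_password(new_password, self.hashes)
        if not problems:
            self.hashes.append(hash_password(new_password))
            self.password_set = now
        return problems
```

Two design points worth noting: `sign_in` returns a reason rather than a boolean so that lockouts and expiries land in the audit log with their cause, and the history check compares against stored hashes, so the server never has to keep old passwords in clear.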

3.3 Systems Health Monitoring

3VR provides remote health monitoring with real-time health alerts for cameras, hard drives, systems, software, and networks. Administrators can log on from a central location to monitor the health of components, reducing potential downtime.

3.4 Updates/Upgrades Management Plan

3VR manages software updates and upgrades through the 3VR system software, which no one can access without the 3VR client tool and proprietary protocol. Customers can administer updates or upgrades by using 3VR's SystemManager application. Administrators can log in from a central location and easily manage the distribution of software updates and upgrades throughout a large enterprise in minutes, without the need to visit each system.

4. Client Application Management

4.1 About 3VR Client Applications

Standard applications:
- 3VR OpCenter (opcenter.exe) is a powerful video monitoring and searching application, which also includes the ability to create and track cases, develop watchlists, and configure alerts.
- 3VR SystemManager (systemmanager.exe) is an appliance configuration and health monitoring application, used for camera setup, user management, and system updates and maintenance.

Optional applications used for specific purposes:
- 3VR SpotMonitor (spotmonitor.exe) is a simple application used to view multiplexed or sequential live video feeds on a TV or other monitor.
- 3VR EnterpriseViewer (enterpriseviewer.exe) is an application used to view multiplexed or sequential live video feeds from systems across an Enterprise Appliance.
- 3VR AlertViewer (alertviewer.exe) is an application that notifies the user when an alert has been triggered on the 3VR system.
- 3VR ReportViewer (reportviewer.exe) is an application used to run reports for the 3VR People Counting analytic.

4.2 Where to Find Client Applications

3VR Partners may download the 3VR Client Applications from the 3VR Partner Portal (partners.3vr.com). The Client Applications can also be installed from the Installation & Resource CD that ships with every 3VR unit. 3VR Technical Support can also provide software and documentation upon request (email: support@3vr.com or telephone: 415-513-4572, Mon-Fri from 9 AM to 9 PM Eastern).

4.3 Client Application System Requirements

3VR Client Applications run on Windows XP Service Pack 2 or later, Windows Vista, or Windows 7 using the Microsoft .NET Framework and Intel Performance Primitives, which are installed if necessary as part of the installation process. The installation process also installs DirectShow video filters that may be used by other applications, but otherwise the files loaded are specific to 3VR and won't interact with other applications.

The most up-to-date system and network requirements are posted in more detail on our web FAQ: www.3vr.com > Services and Support > FAQ > "What are the system requirements for 3VR Client Applications?". If the 3VR system is located behind a firewall, another web FAQ details what ports need to be open in order to connect: www.3vr.com > Services and Support > FAQ > "What ports must be open to connect to a 3VR SmartRecorder that's behind a firewall?"

4.4 Licensing 3VR Client Applications

The first time a 3VR Client Application is run, the user will be prompted to enter a license key. The license keys are provided by 3VR Technical Support. Once an application has been licensed, it will remain so unless the computer's operating system is reinstalled. The applications must be licensed by an administrative user on the PC, although a non-administrator can run the applications.

5. Data Redundancy with 3VR

5.1 RAID

All 3VR P-Series Appliances and Enterprise Appliances come standard with RAID, providing fault tolerance and protection against loss of video or data in the event of disk error or disk failure. The VIP S-Series may be purchased with RAID (S-Series 40 model) or without RAID (S-Series 30 and S-Series 35).

5.2 Settings Backup

All S-Series, P-Series, and Enterprise Appliances have on-board flash storage of system software and configuration settings. If the single drive on an S-Series 30/35 unit (no RAID) fails, or more than one drive fails on an S-Series 40, P-Series, or Enterprise (RAID), the drive(s) can be replaced and the system will come back online with all of its configuration intact. Alternatively, a completely new system can be installed and the system and configuration files copied from the failed system to the new system. This ensures a quick return to full functionality without extended downtime for re-installing software and re-configuring the system.

6. Bandwidth Utilization with 3VR

6.1 Bandwidth Consumption

3VR has designed its network architecture to ensure that the system minimizes resource utilization and respects bandwidth constraints even on network connections as slow as DSL. 3VR uses TCP links for video and data. We rely on TCP to provide retransmissions in case of data loss. TCP has sophisticated algorithms for congestion avoidance that allow it to efficiently use slow networks without swamping them with retransmits. Finally, 3VR gracefully degrades bandwidth for live video streaming by employing adaptive frame dropping. Most importantly, all of these design elements ensure that the 3VR appliance will not engender or contribute to hysteresis.

Bandwidth consumption in the application is highly dependent on load (for example, the number of faces recognized per minute):
- Live video, 10 fps CIF: 64 Kb/s
- Searching: 32 events with 3 images per event, 150 KB total per page of search results (search results are downloaded one page at a time as the user asks for them)
- Depending on event load, there is some amount of new event notification traffic flowing from server to client.

6.2 Bandwidth Throttling

3VR systems have a configurable bandwidth throttle that constrains the bandwidth rate from an individual 3VR appliance to remote clients. Bandwidth throttling provides quality of service (QoS) by ensuring that bandwidth is available for other applications, even on slower networks.
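As an added example, not 3VR's code, the following Python shows two things a site planner can do with the figures in section 6: estimate client demand from the per-stream and per-page numbers, and simulate a bandwidth throttle with adaptive frame dropping to see how a live stream degrades when the throttle is set below the stream's natural rate. The token-bucket mechanism, the drop-rather-than-queue policy and the 6400-bit frame size (10 fps at 64 Kb/s) are this example's assumptions.

```python
"""Bandwidth planning and throttle behaviour from section 6.

Added example, not 3VR code. The per-stream and per-page figures come from the
paper (10 fps CIF live video at 64 Kb/s; 150 KB per page of search results);
the token-bucket throttle and the "drop rather than queue" frame policy are this
example's assumptions about how adaptive frame dropping can be realised.
"""

LIVE_STREAM_KBPS = 64          # 10 fps CIF live video, per the paper
SEARCH_PAGE_KBIT = 150 * 8     # 150 KB per page of search results, per the paper


def estimate_kbps(live_streams, search_pages_per_minute):
    """Rough client-side demand so a site can be checked against its link before
    deployment. Event-notification traffic is load-dependent and left out."""
    return live_streams * LIVE_STREAM_KBPS + search_pages_per_minute * SEARCH_PAGE_KBIT / 60


def simulate_live_stream(frame_bits, fps, budget_kbps, seconds):
    """Token-bucket throttle over a live stream. Tokens (bits) accrue at the budget
    rate and are capped at one second's worth, so a short burst is allowed but the
    average never exceeds the throttle. A frame that does not fit is dropped, not
    queued: dropping keeps the view live instead of letting latency grow, which is
    the graceful degradation the paper describes for live video.
    Returns (frames_sent, frames_dropped, achieved_kbps)."""
    cap = budget_kbps * 1000           # bucket size: one second of budget, in bits
    per_frame_refill = cap // fps      # bits credited per frame interval
    tokens = cap
    sent = dropped = 0
    for _ in range(fps * seconds):
        tokens = min(cap, tokens + per_frame_refill)
        if tokens >= frame_bits:
            tokens -= frame_bits
            sent += 1
        else:
            dropped += 1
    return sent, dropped, sent * frame_bits / seconds / 1000


if __name__ == "__main__":
    print("demand for 4 live views + 3 search pages/min:", estimate_kbps(4, 3), "kbps")
    # 6400-bit frames at 10 fps is the paper's 64 Kb/s stream.
    print("throttle 64 kbps:", simulate_live_stream(6400, 10, 64, 10))
    print("throttle 32 kbps:", simulate_live_stream(6400, 10, 32, 10))
```

At a 64 kbps throttle every frame of the 64 Kb/s stream is sent; at 32 kbps the bucket drains after the first second and the stream settles to every other frame, roughly 34.5 kbps including the initial burst, which is the behaviour an operator should expect to see when the throttle is set below a camera's live rate.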

About 3VR

3VR, Inc., the video intelligence company, enables organizations to search, mine and leverage video to bolster security, identify and mitigate fraud, and better serve customers. 3VR's Video Intelligence Platform allows video surveillance systems to reach their true potential and deliver a measurable and sustainable return on investment. 3VR is the video surveillance standard for hundreds of global customers, including leading banks, retailers, governments and law enforcement agencies, and owns CrimeDex, an online community of fraud, loss prevention and law enforcement professionals dedicated to stopping crime. Based in San Francisco, CA, the company is privately held with funding from DAG Ventures, Focus Ventures, In-Q-Tel, Kleiner Perkins Caufield & Byers, Menlo Ventures and VantagePoint Ventures. 3VR's SmartRecorder is the three-time winner of the SIA Best New Video Product Award and was named Security Product of the Year by Frost & Sullivan in 2006 and 2007, among other awards. For more information, please visit www.3vr.com.

Tel: 415.495.5790
Fax: 415.495.5797
Sales: 415.513.4611
Email: info@3vr.com
Website: www.3vr.com
3VR, Inc., 475 Brannan Street, Suite 430, San Francisco, CA 94107