Recommended Network Architectures

Recommendation 1

In the diagram below you can see a network consisting of two VLANs. These VLANs have different routing and firewall configurations. Separating the networks in this way adds additional layers of security to your system.

If you use this recommendation, the Auto Detect function in the portal may not find your cameras, and they will have to be added manually.

Diagrams

VLANs

Notes:

INTERNET: VLAN 1 → Internet should have a ruleset applied to limit the inbound and outbound traffic.

VLAN 1 & 2: VLAN 1 ↔ VLAN 2 communication can also have its routable traffic limited. Which ports are needed depends on the cameras, but typically ports 80/443 (HTTP/HTTPS) and 554 (RTSP) are the only ports required.

VLAN 2: Can only access VLAN 1 and should not need direct internet access.

Layout

Recommendation 2

In the diagram below you can see that there is a single network.

Diagrams

VLANs

Notes:

INTERNET: VLAN 1 → Internet should have a ruleset applied to limit the inbound and outbound traffic.

Layout

Other Networking Requirements and Notes

IPs & DNS

We recommend that you provide an IP address through a DHCP server so that our device can get its network configuration. The DHCP assignment must also include the DNS server IP(s) so that our device can resolve internet addresses. To set a specific IP for a Milestone Kite appliance, you can either create a DHCP reservation or manually configure the IP locally on the device.

Appliance Access

At Milestone Kite we follow several architectural practices, including security by design. For security reasons the appliance only runs and serves the ports required to function. None of the open ports need any special rules or routing to make them accessible from the internet. The restriction of ports also covers common device access protocols such as SSH, which is not enabled on the device.

Firewall Configuration

Configuration should be based on the Gateway Security Guide (please contact Milestone Kite Support for the Security Guide document). Not all companies are able to use hostname-based firewall rules, so we offer some alternative methods.

Limiting the type of traffic by port

Our appliance only needs to use port 443 to transmit information, plus ICMP ping to validate that a service is live.
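The two-VLAN notes under Recommendation 1 and the port restriction in this section can be expressed as a single firewall ruleset. The following POSIX shell script is an added example and is not part of the Milestone Kite documentation: it assumes a Linux router running nftables with interface names vlan1, vlan2 and wan0, the constructed subnets 10.10.1.0/24 (appliance VLAN) and 10.10.2.0/24 (camera VLAN), and the constructed resolver addresses 192.0.2.53 and 192.0.2.54 standing in for the DNS servers handed out by DHCP.

```shell
#!/bin/sh
# Added example: nftables ruleset for the two-VLAN layout (Recommendation 1)
# plus the port restriction from "Limiting the type of traffic by port".
# Interface names, subnets and resolver addresses are constructed assumptions,
# not values from the Milestone Kite documentation.
set -eu

VLAN1_IF="vlan1"          # appliance VLAN (assumed interface name)
VLAN2_IF="vlan2"          # camera VLAN (assumed interface name)
WAN_IF="wan0"             # internet-facing interface (assumed)
VLAN1_NET="10.10.1.0/24"  # constructed subnet for VLAN 1
VLAN2_NET="10.10.2.0/24"  # constructed subnet for VLAN 2

# Print the ruleset to stdout so it can be reviewed, diffed and syntax-checked
# before anything is loaded on the firewall.
kite_ruleset() {
    cat <<EOF
table inet kite_segmentation
flush table inet kite_segmentation
table inet kite_segmentation {
    # Constructed upstream resolvers; must match what DHCP hands out.
    set dns_servers {
        type ipv4_addr
        elements = { 192.0.2.53, 192.0.2.54 }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies for flows that were already permitted, in any direction.
        ct state established,related accept
        ct state invalid drop

        # VLAN 1 <-> VLAN 2: only HTTP, HTTPS and RTSP (80/443/554).
        iifname "$VLAN1_IF" oifname "$VLAN2_IF" ip saddr $VLAN1_NET ip daddr $VLAN2_NET tcp dport { 80, 443, 554 } accept
        iifname "$VLAN2_IF" oifname "$VLAN1_IF" ip saddr $VLAN2_NET ip daddr $VLAN1_NET tcp dport { 80, 443, 554 } accept

        # VLAN 1 -> Internet: the appliance needs HTTPS and ICMP echo only,
        # plus DNS to the resolvers it received from DHCP.
        iifname "$VLAN1_IF" oifname "$WAN_IF" ip saddr $VLAN1_NET tcp dport 443 accept
        iifname "$VLAN1_IF" oifname "$WAN_IF" ip saddr $VLAN1_NET icmp type echo-request accept
        iifname "$VLAN1_IF" oifname "$WAN_IF" ip saddr $VLAN1_NET ip daddr @dns_servers udp dport 53 accept
        iifname "$VLAN1_IF" oifname "$WAN_IF" ip saddr $VLAN1_NET ip daddr @dns_servers tcp dport 53 accept

        # Everything else (VLAN 2 -> Internet, new inbound connections from
        # the Internet) is counted, logged and then dropped by the policy.
        counter log prefix "kite-seg drop: "
    }
}
EOF
}

# Syntax-check without loading; nft is normally only present on the firewall.
kite_check() {
    if command -v nft >/dev/null 2>&1; then
        kite_ruleset | nft -c -f -
    else
        echo "nft not installed here; ruleset printed but not checked" >&2
    fi
}

# Review-only by default; loading the rules requires an explicit "apply".
case "${1:-print}" in
    print) kite_ruleset ;;
    check) kite_check ;;
    apply) kite_ruleset | nft -f - ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run with no argument to print the ruleset, with check to syntax-check it via nft -c, and with apply to load it on the firewall. The 80/443/554 rule appears in both directions because the note above uses ↔; if the appliance always initiates connections to the cameras, the VLAN 2 → VLAN 1 rule can be removed. VLAN 2 never reaches the internet, and new inbound connections from the internet are dropped by the chain policy, with the dropped packets counted and logged so that an unexpected flow shows up in the firewall log rather than failing silently.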

Network Hardware Configuration

Video is a high-bandwidth application and can wreak havoc on a network if it is not configured correctly. When working with high-bandwidth applications, it is important to fully understand the flow of data between devices so that traffic is not passed through additional switches unnecessarily on the way to its destination. The OSI model helps explain what certain networking devices can achieve; configured correctly, those devices ensure that you use your network's capacity intelligently.

Layer 3 Switch

Layer 3 switches can route traffic between networks. Configured correctly, this limits the amount of traffic a device sends over the uplink when its gateway is on the same switch but in a different network.

Layer 2 Switch

Layer 2 switches cannot route traffic; they can only forward traffic within the same network.

Unsupported Functionality

Proxy Servers

We currently do not recommend or support the use of proxy servers or "Captive Portals". This is because of the amount of traffic our device may generate, depending on your setup, and because packets must flow quickly to ensure the best viewing experience.

Glossary

DHCP

Description:

DHCP is a central way of distributing IP addresses on a network. You can set reservations that let you manage static IPs without needing access to the device itself. This is done using the device's MAC address.

Why:

  • On large networks, if an IT admin needs to migrate a subnet, there is limited impact on the device.

  • IT departments can retain control of the network without requiring root access to a device.

  • Central assignment of reservations for IP management.
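As an added example of the reservation approach described above and under "IPs & DNS" (not from the Milestone Kite documentation), the following POSIX shell script turns a constructed inventory of MAC/IP/name lines into ISC dhcpd host reservations and sets the DNS servers that every lease must carry. The subnets, MAC addresses and resolver IPs (192.0.2.53 and 192.0.2.54) are constructed; the inventory deliberately includes one malformed MAC to show that it is rejected rather than silently turned into a reservation for the wrong device.

```shell
#!/bin/sh
# Added example: generate ISC dhcpd reservations from a small inventory.
# Subnets, MACs, names and resolver addresses are constructed for this
# example; nothing here comes from the Milestone Kite documentation.
set -eu

# Constructed inventory: "<mac> <ip> <name>", one host per line. The last
# entry has a deliberately malformed MAC ("0g" is not a hex octet).
INVENTORY='
aa:bb:cc:00:00:01 10.10.1.20 kite-appliance
aa:bb:cc:00:00:02 10.10.2.11 cam-lobby
aa:bb:cc:00:00:03 10.10.2.12 cam-loading-dock
aa:bb:cc:00:00:0g 10.10.2.13 cam-typo
'

# Accept only six colon-separated lower-case hex octets, so a typo in the
# inventory cannot produce a reservation that matches no device (or the
# wrong one).
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit a dhcpd.conf fragment: the resolver option (so every lease carries DNS
# servers, which the appliance needs) followed by one "host" block per valid
# inventory line. dhcpd matches the client's MAC against "hardware ethernet"
# and hands out "fixed-address" without anyone touching the device.
dhcp_reservations() {
    printf 'option domain-name-servers 192.0.2.53, 192.0.2.54;\n\n'
    printf '%s\n' "$INVENTORY" | while read -r mac ip name; do
        [ -n "$mac" ] || continue
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        if ! valid_mac "$mac"; then
            echo "skipping $name: invalid MAC '$mac'" >&2
            continue
        fi
        printf 'host %s {\n    hardware ethernet %s;\n    fixed-address %s;\n}\n\n' \
            "$name" "$mac" "$ip"
    done
}

dhcp_reservations
```

The output is a dhcpd.conf fragment: both the option domain-name-servers line and the host blocks are valid at global scope, and a reservation takes effect when dhcpd is reloaded, which is the point the bullets above make about IT retaining control without root access to the device. The skipped entry is reported on stderr so that an invalid line is visible instead of quietly leaving a camera on a dynamic lease.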

Further Reading:

See the Wikipedia article on DHCP.

Static IP

Description:

A static IP address is one that you set manually. It should be used when DHCP services are unavailable on the network or when a Network Administrator instructs you to do so.

Why:

  • When DHCP services are unavailable for use on the network.

  • As directed by a Network Administrator.

Further Reading:

See the Wikipedia article on static IP addresses.