iSCSI over VPN for security system. Is this practical?

[KurskKnyaz]

So here is the situation: I'm setting up a security system for the office. We have 5 Axis M1103 IP cameras in the office and one in our office in Belarus. The server that runs Axis Camera Station which records the footage is located on premises. I will eventually set up the camera at our Belarus office to record here to, once the office is set up and I figure out how to do that.

The boss said he wants all the footage to be recorded to his house. We correctly have a Cisco RV082 at the office and what I plan to do is create a gateway-to-gateway VPN to the Cisco RV042 at his house and have the footage recorded on a QNAP NAS that is capable of iSCSI. All cameras are capable of H.264 encoding and we have a 5 megabit upload at the office so I don't think bandwidth will be an issue. What I want is for the server to treat the QNAP NAS as if it was a hard drive on the server that stores video footage.

I have no experience with iSCSI but from what I understand it allows for SCSI commands to be sent over TCP/IP and allows a NAS to act as if it was a hard drive attached to the sever. We ant the footage stored at the bosses house but we want to be able to review the footage on premises.

These are my concerns:

1) Will iSCSI add a lot of overhead and is this even possible to do over VPN and how much overhead can I expect with iSCSI and all the VPN protocols used?

2) Will jumbo frames reduce this overhead and is that possible over VPN?

3) Is this even practical or is there a better solution for recording to a remote location.

Thanks for your help.

 

[Lifted]

You don't want to go iSCSI.

If he wants the footage recorded at his house, setup the recording software on a computer at this house, and all the cams directed to that station. It makes no sense to have the recording app in one location connected to storage via iSCSI in a different location.

 

[KurskKnyaz]

You don't want to go iSCSI.

If he wants the footage recorded at his house, setup the recording software on a computer at this house, and all the cams directed to that station. It makes no sense to have the recording app in one location connected to storage via iSCSI in a different location.

So you are implying that iSCSI is something that we developed for performance purposes in a network environment not for remote storage purposes since a 5 megabit upload would cap all the performance advantages of iSCSI?

I was considering iSCSI because I though that it would give me fewer headaches than having it recorded to a network folder.

 

[Nothinman]

iSCSI is a block layer protocol so the OS sees it as a normal disk. So if the latency gets too high, the OS may think the drive is having issues and mark it as offline. I don't know if those values are able to be tuned, but I wouldn't want to trust iSCSI over anything with more than a few ms of latency.

 

[KurskKnyaz]

iSCSI is a block layer protocol so the OS sees it as a normal disk. So if the latency gets too high, the OS may think the drive is having issues and mark it as offline. I don't know if those values are able to be tuned, but I wouldn't want to trust iSCSI over anything with more than a few ms of latency.

So how would you go about recording to a remote location? The cameras will be constantly streaming data and i don't want latency to cause any problems where the software bugs out if it can't write to the disk on time. Thanks.

 

[Nothinman]

So how would you go about recording to a remote location? The cameras will be constantly streaming data and i don't want latency to cause any problems where the software bugs out if it can't write to the disk on time. Thanks.

Record to a local disk and then get it to the remote location via some other methods like SAN replication, DFS-R scripted uploads, etc.

 

[Lifted]

IP cams and associated recording software are designed to work over internet quality (unreliable high latency) connections.

You simply setup the cameras the way they are set up now, simply pointing to the public IP or DDNS address for the system at your boss' house, and the cams will stream the images to the server, by default when motion is detected unless you've changed that.

 

[Lifted]

Record to a local disk and then get it to the remote location via some other methods like SAN replication, DFS-R scripted uploads, etc.

The problem with this is that playing the recorded streams usually requires the recording software itself, and it's databases, so rsyncing/duplicating the files (databases) to another location will only be good for backup purposes.

 

[bobdole369]

iSCSI is a block layer protocol so the OS sees it as a normal disk. So if the latency gets too high, the OS may think the drive is having issues and mark it as offline. I don't know if those values are able to be tuned, but I wouldn't want to trust iSCSI over anything with more than a few ms of latency.

The instant there is a hiccup, network outage, reroute, power flash that reboots either gateway - the iSCSI will drop and your disk is gone. Data in-transit lost and files in an inconsistent state. To recover you would need to fill the files that didn't close with 0's.

Use something like rsync as a backup over such a link.

 

[Nothinman]

The problem with this is that playing the recorded streams usually requires the recording software itself, and it's databases, so rsyncing/duplicating the files (databases) to another location will only be good for backup purposes.

The OP says that the recordings are H.264 which shouldn't require any special software for playback.

 

[Lifted]

The OP says that the recordings are H.264 which shouldn't require any special software for playback.

Actually he said the cameras are capable of H.264, but I don't think that has any bearing on the format the software saves the recordings in.

If you want to check on that...

User Guide
http://www.axis.com/files/manuals/um_acs_44738_en_1108.pdf

Install Guide
http://www.axis.com/files/manuals/ig_acs_41260_en_1011.pdf

Have fun

I took a quick glance at the user guide and it looks like a typical DVR system, which supports exporting video to probably DVD and some sort of file (that might require a propriety player as many do). The reason for the proprietary player is that the exported file contains metadata such as the names of the cameras, events, time stamps, etc., that the player will allow you to use to control what you are playing. If there were events at 11:03PM and 1:05AM, you need to know when the events took place, which cameras, how long, and all that jazz.

 

[Lifted]

I'd like to make a suggestion to the OP, although this is having no idea of the level of security required.

Recording to an offsite location leaves you vulnerable to somebody taking out your internet access. If the cameras are being used for night as well as daytime monitoring, along with having no eye witnesses to whatever transpired at night, you will have no video evidence either.

For this reason it's best to keep recordings onsite, in a secure room, with cameras and the DVR server running off a UPS, and accessing the video footage via a web browser if supported, or using some form of remote desktop tool if no browser front-end is available.

Good luck with your project.

 

[OlafSicky]

I'd like to make a suggestion to the OP, although this is having no idea of the level of security required.

Recording to an offsite location leaves you vulnerable to somebody taking out your internet access. If the cameras are being used for night as well as daytime monitoring, along with having no eye witnesses to whatever transpired at night, you will have no video evidence either.

For this reason it's best to keep recordings onsite, in a secure room, with cameras and the DVR server running off a UPS, and accessing the video footage via a web browser if supported, or using some form of remote desktop tool if no browser front-end is available.

Good luck with your project.

:thumbsup::thumbsup:

When my company was working in that part of the world we had a hidden safe room for backups and recording/storage equipment. All essential data was also stored off site. I don't know what business the op is in but Belarus is a small step better than NK. The police/mob are basically the same thing. If the OP's boss is so worried about security he should also hire a night guard which in that part of the world would be about $35 a month.

 

[skyking]

I was working with a couple of 1011's today, nice little cams.
Lifted brings up some good points.
I have ~15 IP cams and ~13 analog cams on a C2d with a couple gigs of ram, running debian and zoneminder.
Personally, I would never record continuously. The axis has very good on-camera detection. It will do TCP notification (what I use) or send to an FTP.
In the event that something does happen, it is much quicker to look through motion events than it is to look through hours of recordings, even using high speed fast forward.

 

[KurskKnyaz]

I'd like to make a suggestion to the OP, although this is having no idea of the level of security required.

Recording to an offsite location leaves you vulnerable to somebody taking out your internet access. If the cameras are being used for night as well as daytime monitoring, along with having no eye witnesses to whatever transpired at night, you will have no video evidence either.

For this reason it's best to keep recordings onsite, in a secure room, with cameras and the DVR server running off a UPS, and accessing the video footage via a web browser if supported, or using some form of remote desktop tool if no browser front-end is available.

Good luck with your project.

What goes on outside is not a problem. We are mainly concerned about someone breaking into our office and taking the equipment including the server with the recordings.

 

[skyking]

we went on vacation and I hid my cam server in a crawlspace for this reason. I know, super paranoid of me but I had been ripped off recently. You can use such a small server, it can be easily hidden away.

 

[RadiclDreamer]

Set the cams to record to something local and have a robocopy job set to send them to his house, you seriously dont want to do iscsi over the internet.

 

[Lifted]

We are mainly concerned about someone breaking into our office and taking the equipment including the server with the recordings.

This is why you hide and lock it away someplace safe. How much time will they really spend looking for it, especially since the police may have been notified?

You combat theft of this, to some extent, by

1) hide it
2) lock it down (room and/or equipment)
3) have it set to send notifications & pictures upon internal motion detection (so can call the police!)
4) security guards
5) alarm system installed by professional alarm company w/ monitoring
6) large angry hungry dogs
7) shotgun pointed at area where head would be if somebody were to try and remove server, triggered upon removal (don't forget about this one, ouch!)

etc

You get the idea.

I guess if you find yourself getting too much sleep, praying that the intruders don't sever your internet connection before breaking in is one way to keep you awake at night.