Flussonic Agent - firmware for cameras

Organizing cloud-based video surveillance means dealing with a set of technical issues that have to be addressed up front: camera visibility behind NAT, camera activation and identification, encryption, and automatic provisioning. Once connected, the camera should automatically become part of the operator’s IT infrastructure, and it must also be linked to the subscriber. Flussonic Agent solves these problems.

In the previous article, we talked about one of the applications of Flussonic Watcher and briefly about why Flussonic Agent is needed. Even earlier, we described how an agent can solve security problems when transmitting a video stream. In each case we answered the question “Why?” but only briefly touched on the question “How?”.

As we already wrote, the main problem when launching a large video surveillance network is making the cameras visible from the Internet. There are three classic schemes for solving it:

  1. Installing OpenVPN proxy servers.
  2. Manual port forwarding.
  3. Assigning white (public) IP addresses to each camera.

OpenVPN


The most common and easiest way is to set up an OpenVPN tunnel. It is chosen primarily because the firmware of most cheap cameras is built with buildroot, which already includes OpenVPN and makes it easy to enable.

The connection certificate and the address of the OpenVPN server are written to the camera. The streaming server in the cloud then sees the camera through the OpenVPN server and pulls the video from it. However, OpenVPN requires another server alongside, doubling your server costs.

The choice of server that the camera connects to is configured on the device itself. You cannot quickly bring up a new server in place of a failed one and point the camera at it; you have to change the DNS record. And somewhere between your DNS server and the camera, an intermediate DNS server will surely turn up that helpfully keeps returning the old address of the OpenVPN server for another day.

In addition, OpenVPN requires more resources because it does more than this task needs. It sets up a full-fledged tunnel that passes traffic through the Linux kernel. With Flussonic Agent and Flussonic Media Server this does not happen: all traffic arrives and stays in the same process. With a gigabit of incoming video, the difference is very noticeable.

Manual port forwarding


Manual port forwarding gives access from the Internet to an IP camera that sits on an internal network behind a NAT router. Traffic arriving on certain ports of the router's external address is forwarded to the address of the selected device on the local network. The disadvantages of manual port forwarding are:

  1. Setting up each router and each camera is very complicated and takes an unacceptably long time.
  2. Anyone can connect to the open port. In other words, it is an obvious security hole.
  3. The entire load of serving video falls on the camera and its uplink, and they will fail at the third client.
  4. Over RTSP the camera will deliver a picture that breaks up.

Assigning White IP Addresses


Buying “white” IP addresses for each IP camera solves the NAT access problem, but it is an adequate solution only if you have a small number of cameras. Otherwise, running the video surveillance service will simply be unprofitable.

Flussonic Agent


Each of these schemes has advantages and disadvantages. Two things unite them: they are applicable only to a small video surveillance network, and they cannot provide a plug-and-play mode for the subscriber or process automation for the service administrators. Flussonic Agent addresses exactly these problems, allowing our customers to simplify the launch of the service. The program is installed on all cameras, sends the information needed to activate the camera and link it to a user either to billing or directly to Flussonic Watcher, and starts sending video to the operator's streaming server.

As with the OpenVPN server, the agent is also tied to DNS, but providing failover for a small virtual machine that runs only the web interface and the management server is much simpler than providing failover for a heavily loaded server with a fat channel.

What cameras does Flussonic Agent work with?


We can run Flussonic Agent on almost all cameras running Linux. The important point is that we need the original firmware of the device. At the moment, installation of the agent has been worked out on outdoor cameras based on HiSilicon and TI DaVinci, and on MIPS routers based on dd-wrt.

How does the Flussonic Agent work?


Now for the most interesting part. The firmware we prepare with the agent is installed by the vendor at the factory or flashed by the operator themselves. After a camera with this firmware reaches the client and is powered on for the first time, it works as follows:

1. When the camera is turned on and connected to the Internet, the Flussonic Agent is launched.

2. The agent connects to the Flussonic Media Server on which Flussonic Watcher is installed and reports that it is ready to transfer video. This server is the management server; in agent terminology it is called the endpoint. Here the camera receives control information, is authorized, and goes through a connection upgrade to our own protocol.

3. If Flussonic Watcher recognizes the agent (a mutual password check takes place), it sends the agent information about one of the running Flussonic Media Servers to which the video traffic will be transmitted. Such a Flussonic Media Server is called a streampoint in agent terminology. The endpoint can also send a command to switch quickly to another streampoint, in order to handle the failure of one of the streaming servers in the Flussonic Media Server cluster.

4. After connecting to the Flussonic Media Server, the agent waits for a command to open a connection. This resembles an SSH tunnel. When Flussonic Media Server decides to pull video from the camera, it asks the agent to set up a TCP tunnel. Both RTSP video and screenshots from the camera can be transmitted through this tunnel.

Flussonic Agent can also switch between the main and backup management servers (endpoints) and between Flussonic Media Server streaming servers.
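The tunnel from step 4, as an added sketch that is not Flussonic's code or protocol: the agent dials out, waits for a command, and only then bridges to the camera's local port, so no inbound port is opened on the subscriber's router. The `OPEN` command, the function names and the fake RTSP responder are assumptions made for the example; the authorization and TLS the article describes are left out.

```python
import socket
import threading

def pipe(src, dst):
    """Copy bytes one way until src reaches EOF, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone; nothing left to relay

def fake_camera(listener):
    """Constructed stand-in for the camera's LAN-only RTSP port."""
    conn, _ = listener.accept()
    with conn:
        ok = conn.recv(4096).startswith(b"OPTIONS ")
        conn.sendall(b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n" if ok
                     else b"RTSP/1.0 400 Bad Request\r\n\r\n")

def agent(streampoint, camera):
    """Dial OUT to the streampoint, wait for OPEN, then bridge to the camera."""
    with socket.create_connection(streampoint) as up:
        cmd = b""
        while len(cmd) < 5 and (part := up.recv(5 - len(cmd))):
            cmd += part
        if cmd != b"OPEN\n":  # hypothetical command, not the real protocol
            return
        with socket.create_connection(camera) as cam:
            back = threading.Thread(target=pipe, args=(cam, up))
            back.start()      # camera -> server direction
            pipe(up, cam)     # server -> camera direction
            back.join()

def demo():
    """Streampoint side: it only accepts; it never connects toward the camera."""
    cam_l = socket.create_server(("127.0.0.1", 0))
    sp_l = socket.create_server(("127.0.0.1", 0))
    for fn, args in ((fake_camera, (cam_l,)),
                     (agent, (sp_l.getsockname(), cam_l.getsockname()))):
        threading.Thread(target=fn, args=args, daemon=True).start()
    conn, _ = sp_l.accept()
    with conn:
        conn.sendall(b"OPEN\nOPTIONS rtsp://camera/ RTSP/1.0\r\nCSeq: 1\r\n\r\n")
        conn.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := conn.recv(4096):
            reply += chunk
    cam_l.close()
    sp_l.close()
    return reply

if __name__ == "__main__":
    print(demo())
```
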

Video Delivery Security


In addition to the main task, it was important for us to protect the cameras from being hacked and the video stream from being intercepted. Most Chinese devices are very poorly protected even against the simplest backdoors. Flussonic Agent can encrypt the video stream with TLS, which prevents third parties from intruding into the data transfer.

Case study: deploying Flussonic Agent in Thailand


To understand how Flussonic Agent works and what its deployment offers, it is worth looking at a real example. We were approached by a client who had bought Flussonic Media Server so that users could look at the sunny beaches of Thailand from the office, be impressed, and then run to buy tour vouchers. His work with cameras eventually led him to offer an OTT VSaaS service. This means that the client takes video from cameras installed in restaurants, cafes and other public places in Thailand and provides access to it both as recordings and as a live broadcast.

But in Thailand there are two global problems with the Internet:

  1. Expensive external Internet: from $80 per month per megabit. If video from the cameras leaves Thailand, this can automatically add a lot of money to the monthly bill.
  2. The quality of the Internet. As late as 2011, ads for "high speed 1 mbit" were posted around Thailand. The situation is better now, but a 4-megabit stream from a restaurant camera still calls into question the restaurant's ability to offer Wi-Fi to visitors, which is very important in this country.

Of course, video surveillance in restaurants can also be set up with an ordinary Chinese recorder and a p2p cloud application, but this approach has many drawbacks:

  1. The recorder requires an external IP address. In Thailand, this service costs from $30 to $60 per month.
  2. The recorder sends the video out as many times as there are clients connected. Given the Internet problems described above, serving video to more than a couple of clients is already a problem.
  3. The recorder will most likely require port forwarding to be set up on the router and, in the light of Mirai, possibly also a conversation with the provider about unblocking the necessary ports.
  4. If you pull video over RTSP from Chinese equipment, you are almost guaranteed to encounter a bug that does not exist.

Our client offers a service that solves these problems. In Thailand, Flussonic Watcher was installed on a leased server, and this copy of the software is registered with us so that users can log in via the mobile application. To solve the problems above, our agent is installed on the cameras, which turns a camera into a fully plug-and-play device: bring it in, mount it, turn it on, and the video is on the site.

To provide this level of service, we worked a lot with the client, right down to advising which cameras to buy and from which manufacturers. It was also important to us that all the cameras came from XM. This is a very common no-name brand that makes devices of quite decent quality that are also very inexpensive. Hikvision is, of course, better than XM, but also more expensive.

The camera manufacturers shipped slightly different devices, but we were ready for this and prepared several firmware builds. They were designed so that the cameras immediately connected to the right instances of Flussonic Media Server. The client installed the firmware on the cameras himself and launched the service. We had to fix a couple of things remotely on cameras that were already installed, because of problems caused by the very specific Internet in Thailand, but they were easily resolved.

Summary


As you can see, Flussonic Agent can significantly simplify the launch of a video surveillance service, working around both internal technical problems and external ones related to the characteristics of the Internet in a given geographic region. In the following articles we will discuss how Flussonic Watcher is integrated with the operator’s billing.

Source: https://habr.com/ru/post/347072/
