
Waterfall Solutions WF ISE+


Exact Name and Version of the Product: Waterfall IP Surveillance Enabler Plus – WF ISE+

Manufacturer and Website: Waterfall Solutions www.waterfall-solutions.com

Type of Product: Video Camera Security

Uses: Protect IP camera infrastructure from hackers and malware

What We Loved: Easy setup and no-nonsense architecture.

What We Didn’t: The price

Price: Prices are not available for public distribution.

Overall Rating: 4 out of possible 5


Lior and Avner took the redeye to Chicago, so when they walked in I immediately started the coffee pot. One cup to set up the equipment, another to describe the overall architecture and functionality. By the third cup of coffee, I completely understood the Waterfall technology. A single pot of coffee is the entire investment I made to qualify as a systems engineer of this elegant and useful product.

I’m a big believer in the value that IP video surveillance cameras give to large organizations. Easier video sharing, analysis and data gathering are just a few of the benefits. Unfortunately, IP cameras have a serious drawback. Not cost – prices are dropping and functionality is rising quickly enough that price doesn’t concern most buyers seeking flexibility and functionality. No, my concern is security. Security of the cameras and the network they share. Bad guys can turn a network camera into a network access point, shutting down or diverting video, or worse, connecting to internal systems and stealing corporate data. Think of the camera as a little, unprotected web server and you get the idea.

Network pros immediately think of standard IT security measures like firewalls, encryption, authentication, anti-malware software and the like. However, building that kind of infrastructure will take extensive involvement of IT professionals, and even then, the firewall may prove powerless against an internal Trojan horse.

Waterfall employs a networking concept called an air-gap to create a secure infrastructure for IP video surveillance. The IP connection from the camera is actually severed; the payload is then reduced to a pure video stream in a non-TCP/IP format and forwarded over a one-way optical connection to the receiver. The transmitter physically cannot receive, nor can the receiver send, so it is impossible to send any malware upstream or to divert video traffic. For those rare times when a PTZ command must be sent upstream, or when the camera needs a configuration change, the system opens a separate, firewalled, temporary connection that closes immediately after use.

This type of straightforward IT security, using standard technologies and best practices, is just what the physical security industry needs to win the embrace of their IT brethren. We liked the easy setup and no-nonsense architecture. We didn’t like the price. We think the product should be priced about the same as an IT firewall protecting an equivalent number of ports. We recommend the Waterfall solution for any end user, distributor or integrator of large numbers of IP cameras.


  1. April 16, 2008 at 3:38 pm

    This is an interesting, different, technology. I have a few questions that might spur clarification on who and how this can serve security customers:
    Why is this better than tunneling across a VPN connection? I am willing to grant this approach may be more secure, but how much more secure and how much more risk does it mitigate? Setting up VPNs is a pretty common activity and a fairly low cost. If this is $2,000 more, $4,000 more, $6,000 more, is the value there?
    Also, since this utilizes a fiber optic physical connection, I assume you are constrained to running the link inside of a local area; that is, to say, you are not running this fiber optic cable across a city? If that is the case, don’t I need to secure the video from the remote site across the WAN into the central facility where these units are located?
    It’s not clear to me what specific applications are best suited for this technology but I will throw out one that I have experienced.
    It’s fairly common for organizations to maintain two networks – one for data, “the regular LAN” and a separate one for security/video surveillance. This often happens due to bandwidth considerations (video could overwhelm) or organizational disconnects (IT does not want to add the responsibility). This happens even in the same campus or building.
    As a result, security often faces a real problem – they can only view video on PCs connected to security’s network, so you have multiple PCs next to each other or dual-homed PCs or worse yet, no access to security video in spots.
    I could see organizations pay non-trivial money for Waterfall’s solution to solve this problem and bridge the side-by-side networks. Often, it’s not even a matter of having IP cameras but simply letting remote clients access the NVR/DVR on the other side.
    I have seen this frequently in the US military. I don’t know if, when and how you can get this certified for them but there are lots of DVRs that are blocked from wider view because of isolation on a dedicated network.
    Thanks for sharing this new technology.

  2. April 16, 2008 at 8:10 pm

    “It’s fairly common for organizations to maintain two networks – one for data, “the regular LAN” and a separate one for security/video surveillance.”
    Agreed! So let’s assume that our victim has a separated network.
    An IP box type camera in an environmental enclosure is installed on the outside of the building. I’m a competitor trying to obtain video from inside of the test lab (which has security cameras). An after hours attack takes place. I disable the camera with my trusty paintball gun, climb my ladder and go to work. I open the camera enclosure, install a wireless bridge inline with the network signal to the camera. The wireless bridge is currently configured to disable the secondary network port which is now connected to the camera. I clean the housing of the paint, collect my ladder and disappear into my surveillance van. Now that I’m out of view of the camera, I wirelessly log into the bridge and enable the secondary camera port. Everything appears back to normal.
    The morning comes and the victim may or may not notice the lost video alarm. Even if they do, it works now and they ignore it as a one time problem.
    Now I’ve got a wireless access point directly into your trusted and unsecured dedicated security network. I can watch video from your lab and anywhere else in the facility that I may wish to.
    Add Waterfall. Video/Data can go in but none can come out.
    You’re still vulnerable to a denial of service attack from the wireless point flooding the network with data and a number of other issues, but the data/video is protected.
    While my decision isn’t made up on the Waterfall technology, at this point, I would consider adding this to all perimeter attackable network access points (exterior cameras, intercoms, etc…)
    Just my thoughts…
    Michael Glasser

  3. April 17, 2008 at 11:58 am

    Hi Michael,
    I agree that vulnerabilities do exist and Waterfall could help reduce such vulnerabilities.
    I think the challenge with such scenarios is that organizations tend to deprioritize funding for “securing” security video. Budgets for many are tough enough to get the systems in that adding in another $5k, $10k, $15k is not always easy.
    Many organizations will simply choose to absorb the risk if the scenarios are deemed sufficiently improbable or the expected loss is not high enough.
    I am not saying that I agree or this is the right thing to do but I have seen enough of it, that I think this can be a concern.
    This is why, as a general rule, I tend to emphasize day to day operational benefits in a sales process as purchasers usually find this easier to justify and more motivating to pursue.
