Actually, I don't like exposing any device to the Internet unless it's isolated from the rest of my network in a DMZ area. The alternative as Cody pointed out, is to close down the port on the router and then set up a VPN to allow external access into the internal network. This can be done in a number of ways. It all depends on what functionality you want. You can change out the router to one which supports either an IPSEC VPN or one which supports SSL VPNs. Going IPSEC requires a client to be loaded and configured on the remote client device. SSL VPNs can be done via clientless or client based connections. Clientless is the most flexible which doesn't require a software client to be installed on the remote device which would require the user to have admin privileges. This is what many enterprise businesses use for zero touch deployments.
A clientless setup presents the users with a web portal after authentication and the SSL VPN device acts as its proxy to the rest of the network.
A client based setup allows the remote device to bypass the SSL VPN device and interact directly with the network.
I have two flavors of the SSL VPN devices running on my home network. One from Cisco and one from Juniper. I'm in the process of setting up one from SonicWall.
One last thing about changing the web server in the IP camera to run on port 443. To me this doesn't change anything. While the session to the IP camera is secure preventing snooping of the network session, the camera is still exposed to the Internet. I don't know who the manufacturer of the camera is or if they spent extra time in hardening the IP camera to reduce the network vulnerabilities. But I would be worried that someone can possibly connect up to the camera and hack it. Whether it be on port 80 or 443. Shutting off the ports you expose to the Internet is the best option in my opinion.
A clientless setup presents the users with a web portal after authentication and the SSL VPN device acts as its proxy to the rest of the network.
A client based setup allows the remote device to bypass the SSL VPN device and interact directly with the network.
I have two flavors of the SSL VPN devices running on my home network. One from Cisco and one from Juniper. I'm in the process of setting up one from SonicWall.
One last thing about changing the web server in the IP camera to run on port 443. To me this doesn't change anything. While the session to the IP camera is secure preventing snooping of the network session, the camera is still exposed to the Internet. I don't know who the manufacturer of the camera is or if they spent extra time in hardening the IP camera to reduce the network vulnerabilities. But I would be worried that someone can possibly connect up to the camera and hack it. Whether it be on port 80 or 443. Shutting off the ports you expose to the Internet is the best option in my opinion.