Thursday, March 27, 2014

Security for Synology NAS

In my previous post, I laid out the features of the latest firmware for the Synology NASes. A popular use of any NAS is to access the data on it from the Internet. This is a scary proposition: if you or any authorized person can access this data from outside the local network in which the NAS resides, what prevents unauthorized people, especially those with malicious intent, from accessing the server?

The Synology website has a primer on how to enhance the security of its NASes. It lists the recommended configuration of the system for this purpose.

http://www.synology.com/en-global/support/tutorials/478

The article, however, does not mention VPN. If you use a Synology NAS at home, then it should already be part of a trusted local network, so most of these recommended configurations are not necessary. In fact, none of them are necessary if the home network in question sits behind an Internet gateway such as the router connected directly to the Internet modem, and this gateway/router has the latest firmware, its firewall activated, and blocks all incoming ports. If there is a need to access the NAS from outside the network, then I recommend a VPN solution that uses L2TP/IPsec or OpenVPN. I have written a few posts about this matter, so please read them for more info. Remember, a VPN is a catch-all method, so you do not have to worry about the more granular configurations of the NAS itself. It's like having a strong door and lock on your home's front door: with such a barrier, you do not really need additional doors behind this big door. That said, if your NAS holds confidential information, an additional and more granular security setup is recommended for the NAS itself.

A few of the tips in the article should actually be the standard setup for the NAS regardless of the situation. An example is the password of the admin account on the NAS. No matter how trusted the local network is, never leave the admin account on the NAS with either the default password or one that can be guessed easily. Logging into the NAS with the admin account is basically getting in with the key to the kingdom. Even if there is no confidential data stored on the NAS, the admin account should be locked down.

Security is all about layers. The more layers there are, the more difficult it is for unauthorized people to access the information. However, there is a point of diminishing returns where the additional complexity does not give you any additional benefit.
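The "block all incoming ports except what the VPN needs" rule above is easy to state and easy to let drift. The script below is an added example (mine, not from the post, Synology, or any router vendor): it reads an `iptables -S INPUT` style rule dump from a Linux-based gateway and lists every port reachable on the WAN interface that is not one of the L2TP/IPsec or OpenVPN ports. The rule dump, the interface name `eth0`, and the port list are assumptions I constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): audit an iptables INPUT rule dump from a
# Linux-based gateway for inbound ports open to the Internet beyond the ones
# a VPN needs. The only ports the post would have exposed, at most:
#   L2TP/IPsec: UDP 500 (IKE), UDP 4500 (NAT-T), UDP 1701 (L2TP)
#   OpenVPN:    UDP 1194 (default)
VPN_PORTS="udp/500 udp/4500 udp/1701 udp/1194"

# Constructed sample of `iptables -S INPUT` output on a hypothetical gateway
# whose WAN interface is eth0 and LAN interface is eth1. Two rules expose
# services the post says a home gateway should not: SSH (tcp/22) and the NAS
# web UI (tcp/5000). The same port on the LAN side (eth1) is fine.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 5000 -j ACCEPT'

# Print every proto/port accepted on the given WAN interface, one per line.
# Usage: wan_accepted_ports <iface> < rule-dump
wan_accepted_ports() {
    awk -v wan="$1" '
        $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
            iface = ""; proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (iface == wan && proto != "" && port != "") print proto "/" port
        }'
}

# Print the accepted WAN ports that are not on the VPN allow-list.
# Usage: exposed_non_vpn_ports <iface> < rule-dump
exposed_non_vpn_ports() {
    wan_accepted_ports "$1" | while read -r entry; do
        case " $VPN_PORTS " in
            *" $entry "*) ;;        # a VPN port: expected
            *) echo "$entry" ;;     # anything else: flag it
        esac
    done
}

# Exit 0 when only VPN ports are reachable from the WAN, 1 otherwise.
# Usage: gateway_check <iface> < rule-dump
gateway_check() {
    rules="$(cat)"
    policy="$(printf '%s\n' "$rules" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')"
    if [ "$policy" = "ACCEPT" ]; then
        echo "INPUT policy is ACCEPT: everything not explicitly dropped is reachable on $1"
        return 1
    fi
    exposed="$(printf '%s\n' "$rules" | exposed_non_vpn_ports "$1")"
    if [ -n "$exposed" ]; then
        printf 'Exposed beyond VPN on %s:\n%s\n' "$1" "$exposed"
        return 1
    fi
    echo "Only VPN ports are reachable on $1"
    return 0
}

# Stand-alone run against the constructed sample (expected to fail the check).
# On a real gateway:  iptables -S INPUT | gateway_check eth0
printf '%s\n' "$SAMPLE_RULES" | gateway_check eth0 || true
```

The check deliberately treats a default policy of ACCEPT as a failure on its own: with that policy, the absence of a rule for a port means the port is open, so listing the ACCEPT rules would give false comfort.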


Tuesday, March 25, 2014

Synology NAS Cheat Sheet

I am a big fan of the network attached storage (NAS) boxes made by Synology. I must have installed a dozen of them. They have so many features that it's hard to keep track of how many there are and how to use them. So I have decided to create a cheat sheet of the features touted by the company and check off on this list the features that I have actually tested.

Below is the list of features (in italics) as listed on the Synology website. Their latest firmware is the newly released DiskStation Manager (DSM) 5.0 Build 4458. I use their flagship model DS214se as the base model. It can be had for $160 on Amazon. Of course, this is just the NAS without the hard drives. So given that the DS214se is a 2-bay model, you would naturally buy 2 hard drives for it. With a few exceptions, I always set up the drives in mirror mode using Synology's own SHR RAID.

Below are some of the pictures of the DS214se.

Brand New User Interface

Visual design has been totally revamped to provide a cleaner look and touch-friendly user experiences.
High-resolution images are displayed when launched with Ultra HD or retina-display supported devices.
Badges-style notification counters appear on application icons.
Login page displays local weather information.

This is basically eye candy, so I don't pay too much attention to it. It has the new flat look that is all the rage these days, found in the UIs of Windows 8 and iOS 7. The icons are bigger and brighter in color.

QuickConnect
QuickConnect now supports DSM, Photo Station, Audio Station, Surveillance Station, Download Station, Video Station, File Station, providing simplified remote access, without the hassle of setting up port-forwarding on your router.
All mobile apps support QuickConnect.
Enabling QuickConnect requires registering a MyDS Center account.
Web Station and Mail Station do not support QuickConnect.

If you don't mind doing port forwarding and already use a DDNS service, then you do not need QuickConnect. However, I will explore this option in depth when I have time.

Backup and Replication
Multi-version backup is now available for local backup and for backup to another DiskStation. Only the differential blocks of data are retained between versions, allowing file history to be maintained with better storage efficiency.
Overview page displays scheduled and completed backup tasks.
Credentials for creating backup destinations can be saved as a profile to make backup task creation easier.
Data and configuration backup created in DSM 5.0 can only be restored in DSM 5.0.
Data and configurations that were backed up in DSM 5.0 cannot be restored using DSM 4.3 or earlier.

Control Panel
Layout has been redesigned for better navigation and organization.
Service list displays related firewall and port-forwarding settings.
VPN client settings have been integrated into Network > Network Interface.
Shortcuts on DSM Desktop that were created previously will be cleared after upgrading to DSM 5.0.

Shared Folders with Windows ACL Permissions
The access permissions of shared folders are based on Windows ACL, allowing you to fine-tune permissions beyond just Read Only, Read/Write, No Access. Newly created shared folders implement the permission settings of Windows ACL.
For shared folders created in DSM 4.3 or earlier, you can either convert the existing permissions to Windows ACL, or leave the permission unchanged.
The photo and surveillance shared folders, and shares on external storage or on a volume with the ext3 file system, cannot use Windows ACL permissions.

Storage Manager
New overview displays the overall health of all disks and volumes, as well as hard disk utilization, volume, and iSCSI LUN usage.
Disk health information includes the current and historical health of hard disks.
SSD Cache
Read/Write cache is supported. Two identical SSDs can be combined to create a RAID 1 read-write cache and enhance the performance of a volume or block-level iSCSI LUN.
A high-availability cluster cannot be created when SSD read-write cache is enabled.

Package Center
Auto updating allows packages to be updated automatically.

Log Center
Syslog Server and System Logs have been integrated into a single, centralized application.

Support Center
Support tickets can now be sent directly from DSM.
Remote access and log generation allow Synology support engineers to remotely diagnose technical issues on your Synology NAS.

File Station
File sharing links can be created and shared with your Google+ and Facebook friends. Those who receive the link will be asked to enter their Google+ or Facebook login credentials before accessing the folder or file.
You can view Microsoft Office documents using Office Online when QuickConnect is enabled.

Text Editor
Plain text files can be edited directly in DSM.
Rich features are available, such as the ability to change character encoding, recognize file types, and see variable highlighting.

DSM Help
Online help files can be viewed in DSM Help, allowing you to read the latest versions of documentation regarding DSM and packages.
Font size can be changed to larger sizes.

Web Station
The “http” group (http) is the service account for Web Station, introducing better flexibility and security.

Web applications will run with the same permissions as the “http” group. We suggest reviewing the permissions of the web folder and assigning appropriate permissions to the http group.
The PHP version has been updated to 5.5. Please check the compatibility of your PHP-based web apps with PHP 5.5. Details can be found in Migrating from PHP 5.3.x to PHP 5.4.x and Migrating from PHP 5.4.x to PHP 5.5.x.
Performance has been enhanced with the Apache MPM worker.
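Synology's advice to "review the permissions of the web folder" is worth turning into something you can actually run. The script below is an added example (mine, not Synology's): it lists files under the web folder that the http group, or anyone, can write to, since a file the web server can write is a file a compromised web app can alter. The default web folder location `/volume1/web` is my assumption (override it with `WEB_ROOT=...`), and the demo runs against a throwaway directory in a temp dir so nothing on a real NAS is touched.

```shell
#!/bin/sh
# Added example (not from the post or from Synology): review the Web Station
# folder for files the "http" group, or the world, can write to. Web apps run
# with the http group's permissions, so group-writable files are what a
# compromised web app could modify. The default web folder path below is an
# assumption; override with WEB_ROOT=/path.
WEB_ROOT="${WEB_ROOT:-/volume1/web}"

# List regular files under <dir> that are group- or world-writable.
# Usage: writable_web_files <dir>
writable_web_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null | sort
}

# Count those files; 0 means nothing under <dir> is writable beyond the owner.
# Usage: writable_web_count <dir>
writable_web_count() {
    writable_web_files "$1" | wc -l | tr -d ' '
}

# Give the tree to <group> (default http), make directories traversable and
# files readable for that group, and nothing writable. Directories an app
# must write to (uploads, caches) get group write re-added on purpose
# afterwards, one by one. Try it on a copy first.
# Usage: harden_web_perms <dir> [group]
harden_web_perms() {
    dir="$1"; group="${2:-http}"
    chgrp -R "$group" "$dir" 2>/dev/null || true  # needs root on the NAS
    find "$dir" -type d -exec chmod 750 {} +      # owner rwx, group rx
    find "$dir" -type f -exec chmod 640 {} +      # owner rw,  group r
}

# Stand-alone demo on a constructed tree in a temp dir. Prints the number of
# writable files found before and after hardening, e.g. "2 0".
demo_web_perms() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/app/uploads"
    echo '<?php echo "hi";' > "$tmp/app/index.php"
    echo 'db_password=placeholder' > "$tmp/app/config.php"
    chmod 666 "$tmp/app/config.php"   # world-writable: the real problem
    chmod 664 "$tmp/app/index.php"    # group-writable: also flagged
    before="$(writable_web_count "$tmp/app")"
    harden_web_perms "$tmp/app" "$(id -gn)"   # our own group, for the demo
    after="$(writable_web_count "$tmp/app")"
    rm -rf "$tmp"
    echo "$before $after"
}

demo_web_perms
# On the NAS itself:  writable_web_files "$WEB_ROOT"
```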

Media Library
The default indexed folders - photo, video, audio - can be removed from the indexed folders.
The types of media to be indexed in each default folder can be changed.

Synology High Availability
When binding two or more Ethernet connections to create an aggregated heartbeat connection, load balancing and failover are supported.

iSCSI Performance
For iSCSI LUNs with the Advanced LUN option enabled, iSCSI random read performance has been enhanced by over 6 times, as illustrated in the comparison below:

IOPS (4KB)              | DSM 4.3 | DSM 5.0 | Improvement
Read IOPS from DS1813+  | 135     | 995     | 637%

Configured with 4 HDDs in SHR-1, the LUN used for testing is a 100G LUN with advanced LUN features enabled. Tested with IOmeter using 100% random reads with a 4K block size.

File Service
AFP (Apple Filing Protocol) performance has been improved, as illustrated in the comparison below of transferring 5000 x 1MB files to a Synology NAS:

Mac to Synology NAS | DSM 4.3    | DSM 5.0    | Improvement
DS213j              | 25.14 MB/s | 31.42 MB/s | 25.0%
DS1513+             | 31.64 MB/s | 41.61 MB/s | 31.5%

SPDY
Support for SPDY v3.0 accelerates the overall responsiveness of the user interface when using HTTPS connections.

Memory Compression
Least recently used data in memory is compressed, improving system responsiveness when under heavy load.

Wi-Fi
Connecting up to two USB Wi-Fi adapters is supported, allowing your Synology NAS to share its Internet connection via both 2.4GHz and 5GHz ranges.
You can bridge your wired connection with Wi-Fi hotspot(s) to extend your wireless network range and unify your existing local network and the wireless network hosted on your DiskStation.

Snapshot Manager
The Synology Snapshot Manager software plugin is available for vSphere and Windows Server environments to create application-consistent snapshots in DSM.
For VMware environments, you can install Synology Snapshot Manager for VMware vCenter Server on Windows Server. After installation, when a snapshot is triggered on DSM, vCenter Server will be notified and will flush all data from memory to the LUN to guarantee data consistency. Once the snapshot is complete, vCenter Server will resume normal I/O operation of the VMware datastore.
For Windows environments, you can install Synology Snapshot Manager for Windows Server. After installation, when a snapshot is triggered on DSM, Synology Snapshot Manager will use Microsoft Volume Shadow Copy Service (VSS) technology to produce consistent point-in-time copies of data.

Synology Snapshot Manager for Windows Server also supports performing snapshots when triggered by 3rd party software via VSS.

Synology Snapshot Manager for VMware vCenter Server supports vSphere 5.1 or later, and the vSphere Web Client server plugin is required for the application interface. Snapshot Manager for Windows supports Windows Server 2008 R2, 2012 and 2012 R2. VMware environments support a maximum of 3 concurrent snapshot tasks.

Sunday, March 23, 2014

Prepaid Credit Card for Roku Setup

I was setting up a Roku 3 and was confronted by a setup routine that required a valid credit card number before it could proceed. I googled for a way to proceed without divulging a credit card number, but found no workarounds. This requirement is not listed on the box the Roku comes in. This of course is not an oversight by the Roku company, so I think this is a bit shady if you ask me, a quasi bait-and-switch. The box is already opened, so certain stores will not take it back for a refund.

So given that this Roku is not for my own use, I could not use my own credit card. I went to the local Walgreens and bought a disposable VISA credit card from a company called OneVanilla.

At the register, I told the sales clerk that I wanted $50 put on this card. He gave me an I-bet-he-uses-it-to-pay-for-online-porn look, and rang up $50 plus the $4.95 surcharge. In addition to the regular receipt, I also got a separate receipt that says "Gift Card" and has the serial number of the OneVanilla card.

The credit card has an expiration date of Feb 2022. At home, I opened the package and saw that the card inside looks exactly like my regular VISA card. It can be used as a "regular" credit card or as a debit card. The sticker on the card directed me to the OneVanilla website to register the card. There, I put in the card's number, expiration date, and the 3-digit code. The site also asked for an email address and a password. That was it. So now this particular card's number is associated with my email address and a password. There is an option to create a PIN for using the card as a debit card, but I did not create one.

I went back to the Roku website and put in this credit card's number, expiration date, 3-digit code, and billing address, just like a regular online purchase with a credit card. It worked. The Roku site said that the credit card is on file with them, but no charges have been made to this credit card number. Fine, you son of a ...

So although the Roku 3 is set up fine, I am still miffed by Roku's non-disclosure that you need a credit card to use its services. At least with Apple TV, you can set up without the need for a credit card (the last time I did it was a few months ago). If your intention is to use the Roku to access free content via its thousands of channels, then either you have to give Roku your credit card or get one of these disposable ones.

I have already sent a nasty email to Roku complaining about this. This is not how you should treat your customers.

Tuesday, March 11, 2014

Simple VPN router

Let's say you want to remote into a network such as your office or home while you are physically away from it. There are many solutions out there that can do this. Each has its own complexity, cost, reliability, and security strength. If you just want a simple, secure way to do such remote access, then you can try to set up your own VPN solution.

I am talking about connecting to a remote network here, not necessarily to a specific computer inside a remote network. There are certain advantages to connecting to a remote network in general as opposed to a particular computer. If you are connected to a particular computer, then your usage of that computer is the limit of the connection. In other words, whatever you can and cannot do on this remote computer is all that you can do. Let's say the remote computer does not have a database program that you want to run to access a database file stored on a server in the same remote network. Then you are still stuck with this problem if you remote into this computer.

By contrast, if you can remote into the network in general and the computer that you are using has this database program, then you can access this server and the database file. In its simplest terms, when you have connected to a remote network via VPN, the machine in front of you thinks it is physically inside this remote network. In fact, through this VPN connection, you can then remote into a particular machine in the remote network and use that machine's installed software, having the best of both worlds.

Using PPTP is still the current go-to way to create a VPN tunnel if you want something with the least amount of complexity and cost. PPTP has been around for decades, so it has been time-tested to work well with a lot of computing devices. The price of this reliability and friendliness is its security. While it is better than nothing -- yes, you can have a VPN connection without any security at all if your intention is remote access and speed, and security is not a concern -- it can expose your remote session to unauthorized intruders who somehow tap into the tunnel.

Microsoft released 2 versions of the security mechanism used for PPTP. The security mechanism is called MPPE. As said, security via encryption of the data going back and forth is not a required criterion of a VPN. MPPE is the protocol used for secured PPTP tunnels.

When PPTP was first created, Microsoft used a method called MS-CHAP. This is now deprecated because it has serious security flaws. Microsoft updated it with MS-CHAP version 2. Even this version is considered dated by today's standards, but if your security needs are simple, then MS-CHAPv2 is still good. I, however, recommend L2TP/IPsec as the way to go these days. There is no right or wrong way to security, it's just how paranoid you are. It's about your acceptable level of risk that someone can intrude upon your remote connection.

For a good primer on MS-CHAP versions 1 and 2, you should check out this article by Bruce Schneier. It's an old article (1999), but its information is still relevant.
Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)

Also, a vulnerability has been disclosed for using MS-CHAPv2 by itself, without additional encapsulation.
http://technet.microsoft.com/en-us/security/advisory/2743314

That said, if you want a simple, inexpensive PPTP VPN to connect to a remote network with no fuss, then I recommend the TL-R600VPN VPN router from TP-Link.

Setting up a PPTP VPN on this router is simple. I got it working within 15 minutes. As expected, the remote connection is reliable and fast. Below is the user guide for this router.

http://www.tp-link.com/Resources/document/TL-R600VPN_V1_User_Guide.pdf

I cannot find any documentation of whether this router uses MS-CHAPv2 for its MPPE. I assume it does because there is no reason to still be using MS-CHAPv1. Moreover, when setting up the VPN connection on a Windows 7 machine, I unchecked the box where the VPN client would be allowed to use CHAP, and checked the box where it says MS-CHAPv2. Since the connection works, I infer that the PPTP tunnel is operating under MS-CHAPv2 MPPE.

The router also offers the much more secure IPsec protocol, but this only works if you connect two of these routers, one on each side of the tunnel. PPTP can be used for client-to-LAN connections, meaning you only need your computer on one end of the tunnel.
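The Windows 7 dialog choice described above (uncheck CHAP, check MS-CHAPv2) has a direct equivalent on a Linux client using pppd with the pptp-linux client, and it is worth having a check that tells a loose configuration from a pinned one. The following is an added example written for this post, not code from TP-Link, Microsoft or the pppd project: two constructed `/etc/ppp/peers/` files, one that leaves the negotiation open and one that refuses every weaker method and requires MS-CHAPv2 with 128-bit MPPE, plus a small audit function. The server name `vpn.example.invalid` and the account name `vpnuser` are placeholders.

```shell
#!/bin/sh
# Added example (not from the post, TP-Link, Microsoft or pppd): the pppd
# equivalent of "uncheck CHAP, check MS-CHAPv2" on Windows 7, and an audit of
# a peer file that reports which hardening options are missing.

# Constructed /etc/ppp/peers/<name> file that leaves the negotiation open:
# pppd may fall back to PAP, CHAP or MS-CHAPv1 and may run without MPPE.
PEER_WEAK='pty "pptp vpn.example.invalid --nolaunchpppd"
name vpnuser
remotename PPTP
lock
noipdefault
usepeerdns'

# Constructed hardened file: refuse every weaker method, require MS-CHAPv2,
# and require 128-bit stateless MPPE (pppd tears the link down if the server
# cannot negotiate it).
PEER_HARDENED='pty "pptp vpn.example.invalid --nolaunchpppd"
name vpnuser
remotename PPTP
lock
noipdefault
usepeerdns
refuse-pap
refuse-chap
refuse-mschap
refuse-eap
require-mschap-v2
require-mppe-128
nomppe-stateful'

# The options a pinned-down PPTP client should carry, one per line.
REQUIRED_OPTS="refuse-pap refuse-chap refuse-mschap refuse-eap
require-mschap-v2 require-mppe-128 nomppe-stateful"

# has_opt <option> < peer-file : true when the option appears on its own line
has_opt() {
    grep -qx "$1"
}

# Print one "missing: <option>" line per absent option; prints nothing when
# the peer file pins MS-CHAPv2 + MPPE-128 and refuses the weaker methods.
# Usage: ppp_auth_gaps < peer-file
ppp_auth_gaps() {
    file="$(cat)"
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$file" | has_opt "$opt" || echo "missing: $opt"
    done
}

# Exit 0 only when there are no gaps. Usage: ppp_auth_ok < peer-file
ppp_auth_ok() {
    [ -z "$(ppp_auth_gaps)" ]
}

# Stand-alone run over the two constructed files. On a real client:
#   ppp_auth_gaps < /etc/ppp/peers/office
echo "weak peer file:";     printf '%s\n' "$PEER_WEAK"     | ppp_auth_gaps
echo "hardened peer file:"; printf '%s\n' "$PEER_HARDENED" | ppp_auth_gaps
```

The `refuse-*` lines matter as much as the `require-*` ones: without them pppd will still accept whatever the server proposes first, which is exactly the fallback the Windows checkbox is there to prevent.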

More info on using VPN on iPhones and iPads, since many people who access their networks on the road use these devices:
http://www.apple.com/iphone/business/it/deployment.html

Wednesday, March 5, 2014

SMART Test For Hard Drives

When you physically examine your hard drive, you will see a circuit board attached to it, usually green in color. This board has some microchips on it. These chips are responsible for communicating with the motherboard to which the drive is attached with a data cable. They also do routine self-diagnostics to see if there are problems on the drive. One of the most common problems with hard drives is bad sectors. These are physical defects in the drive's storage surface and therefore cannot be fixed. The chips mark these sectors as unusable to ensure that no data is written onto them. However, once bad sectors are present, a cascade of more bad sectors is likely to follow.

This self-diagnostic is called a SMART test, which stands for Self-Monitoring, Analysis, and Reporting Technology. Not all drives support SMART, and not all SMART-capable drives do the same thorough self-diagnostics. Server-grade drives tend to have more extensive SMART information about themselves. Drive manufacturers can use this to determine whether a failing drive can be fixed with a firmware update instead of accepting it for return. Firmware is a general term for a bit of software that runs in these microchips.

So how can you read this SMART information from a drive that you suspect is going bad? It's quite simple really. In fact, if you call the drive's manufacturer asking for a refund or exchange and tell them that you have run a SMART test on the drive, showing them the results, they are more inclined to accept the drive back. Many drive manufacturers release their own SMART reading programs for their own drives, but this is not really necessary because the SMART technology is standardized. Any well-written SMART program can do the job just fine.

The one I use is called DiskCheckup by PassMark. It's a Windows program with buttons to push, unlike traditional SMART reading programs that require typing text commands. Installing it is very simple. Once installed, you launch it and tell it to read the SMART information on any drives that are connected to the computer -- internally and externally.

Below is the link where you can go to read all the gory details.

http://www.passmark.com/products/diskcheckup.htm

So what happens when the drive in question is the one that holds your operating system, which now does not boot? If Windows does not boot, you cannot run any Windows programs, including a SMART reading one like DiskCheckup, to see whether the cause of the non-boot is a bad hard drive or just some software corruption. In general, before you install Windows on any drive, a time-consuming and tedious process, you should make sure that the physical drive is in good health. If the SMART readout shows errors, skip that drive and install Windows on a different drive that has passed the SMART test.

This is done by using any of the major Linux Live CDs. They have SMART tools built in. Simply download the ISO image, burn it onto a CD or write it to a USB flash drive, boot from this external media, and have the SMART utility on it scan the target disk.
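The SMART tool on those live CDs is usually smartctl from smartmontools, and its output is text, so the "buttons to push" of DiskCheckup become a few lines of shell. Below is an added example (mine, not from the post, PassMark or smartmontools) that reads the attribute table `smartctl -A` prints and reduces it to PASS, WARN or FAIL based on the bad-sector attributes the post describes. The three attribute tables are constructed samples in smartctl's real column layout; `/dev/sdX` stands for whatever device the live CD shows for the suspect drive.

```shell
#!/bin/sh
# Added example (not from the post, PassMark or smartmontools): turn the
# `smartctl -A` attribute table into a PASS / WARN / FAIL verdict using the
# bad-sector attributes (reallocated, pending, uncorrectable sectors).
# Commands you would type on the live CD (device name is a placeholder):
#   smartctl -H /dev/sdX          # drive's own overall health verdict
#   smartctl -A /dev/sdX          # attribute table, parsed below
#   smartctl -t short /dev/sdX    # start a short self-test; see -a later

# Constructed sample of `smartctl -A` output for a healthy drive; only the
# rows that matter here are included.
SMART_HEALTHY='smartctl 6.2 (local build) [x86_64-linux]
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   097   097   000    Old_age   Always       -       2688
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

# Constructed: bad sectors have appeared, but no vendor threshold is crossed.
SMART_WARN='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   099   099   036    Pre-fail  Always       -       12
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

# Constructed: Reallocated_Sector_Ct has dropped below its threshold and the
# drive itself reports the attribute as failing.
SMART_FAILING='ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   030   030   036    Pre-fail  Always   FAILING_NOW 1480
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0'

# Usage: smart_verdict < smartctl-A-output ; prints PASS, WARN or FAIL
smart_verdict() {
    awk '
        # attribute rows start with a numeric ID and have ten columns
        $1 ~ /^[0-9]+$/ && NF >= 10 {
            id = $1 + 0; value = $4 + 0; thresh = $6 + 0
            failed = $9; raw = $10 + 0
            # the drive flags the attribute, or normalised VALUE is at/below
            # a non-zero THRESH: the vendor considers the drive failing
            if (failed != "-" || (thresh > 0 && value <= thresh)) fail = 1
            # any bad-sector counter above zero is the start of the cascade
            if ((id == 5 || id == 197 || id == 198) && raw > 0) warn = 1
        }
        END { v = fail ? "FAIL" : (warn ? "WARN" : "PASS"); print v }'
}

# Print the raw bad-sector counters, e.g. for a return request to the vendor.
# Usage: bad_sector_counts < smartctl-A-output
bad_sector_counts() {
    awk '$1 ~ /^(5|197|198)$/ && NF >= 10 { print $2 "=" $10 }'
}

# Stand-alone run over the three constructed samples.
for sample in SMART_HEALTHY SMART_WARN SMART_FAILING; do
    eval "text=\$$sample"
    printf '%-14s %s\n' "$sample:" "$(printf '%s\n' "$text" | smart_verdict)"
done
# On the live CD:  smartctl -A /dev/sdX | smart_verdict
```

WARN is the verdict to act on for the post's purpose: a drive can still pass its own `-H` self-assessment while its reallocated or pending sector counts are climbing, and that is the drive you skip before spending hours installing Windows on it.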

Tuesday, March 4, 2014

How To Create Macrium Reflect Bootable Rescue CD/USB

As a computer technician, I install Windows and Mac OS a lot, more than I ever want to, because the tasks are time-consuming and tedious. Fortunately, there are programs like Macrium that can create a snapshot of my Windows installation so that I do not need to re-install Windows from scratch the next time. I would simply put back the image. This would, without exaggeration, save me hours of tedium. Drive cloning and its related cousin, drive imaging, are two of the staples of a computer technician's tool set. In fact, if someone who claims to be a computer technician has no idea how to clone or image drives, then you might want to have someone else fixing your computer.

You can run the Macrium program directly in Windows and create an image from within. That is, the Macrium program is installed into the Windows installation that it images, producing an image that includes itself. However, being the purist and minimalist that I am, I prefer to run the imaging program from outside Windows. This means I boot from a CD or USB stick that contains Macrium and, from there, create an image of the Windows installation on the hard drive. This way, the resulting image does not contain any traces of Macrium.

The link below shows you how to create a bootable CD or USB stick from which you can run the Macrium software. With this approach, you can only create an image manually, each time you boot from the CD or USB stick. There is no automatic incremental imaging here; to do that, you have to install Macrium into Windows. It is also not a free program, unlike its smaller portable version.

http://www.intowindows.com/how-to-create-macrium-reflect-bootable-rescue-cdusb/