Thursday, March 27, 2014

Security for Synology NAS

In my previous post, I laid out the features of the latest firmware for the Synology NASes. A popular use of any NAS is to access the data on it from the Internet. This is a scary proposition because if you or any authorized persons can access this data from outside the local network in which the NAS resides, what prevents unauthorized people, especially those with malicious intent, from accessing the server?

The Synology website has a primer on how to enhance the security of its NASes. It contains the recommended configuration of the system for this purpose.

http://www.synology.com/en-global/support/tutorials/478

The article, however, does not mention VPN. If you use a Synology NAS at home, then it should already be part of a trusted local network. Therefore, most of these recommended configurations are not necessary. In fact, they are not necessary at all if the home network in question sits behind an Internet gateway, such as the router that is connected directly to the Internet modem, and this gateway/router has the latest firmware, its firewall activated, and blocks all incoming ports. If there is a need to access the NAS from outside the network, then I recommend a VPN solution that uses L2TP/IPsec or OpenVPN. I have written a few posts about this matter, so please read them for more info. Remember, VPN is like a catch-all method so that you do not have to worry about the more granular configurations for the NAS itself. It's like having a strong door and lock for your home's front door. With such a barrier, you do not really need additional doors behind this big door. With that said, if your NAS has confidential information in it, an additional and more granular security setup is recommended for the NAS itself.
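The "VPN is the only open door" rule above can be checked mechanically against a router's port-forwarding table. The following Python script is an added example, not code from the original post or from Synology: it parses a small, constructed forward table (the `ext_port/proto -> host:port` format is an assumption, not any real router's export format), treats only the standard VPN ports (UDP 1194 for OpenVPN; UDP 500, 4500 and 1701 for L2TP/IPsec) as acceptable inbound openings, and flags any forward that lands on a NAS service, using the DSM defaults of 5000/5001 and the usual SSH, FTP and SMB ports.

```python
"""Audit a home router's port-forward table against a "VPN only" inbound policy.

Added example (not from the post or from Synology). The table format below is
constructed for illustration; adapt parse_forward_table() to your router's export.
"""
from dataclasses import dataclass

# NAS services that must not be forwarded straight to the Internet. Port numbers
# are the well-known defaults (DSM web UI 5000/5001, SSH 22, FTP 21, SMB 445).
RISKY_NAS_SERVICES = {
    (22, "tcp"): "SSH",
    (21, "tcp"): "FTP",
    (445, "tcp"): "SMB",
    (5000, "tcp"): "DSM HTTP",
    (5001, "tcp"): "DSM HTTPS",
}

# The only inbound openings a VPN-only policy permits.
VPN_PORTS = {
    (1194, "udp"): "OpenVPN",
    (500, "udp"): "IPsec IKE",
    (4500, "udp"): "IPsec NAT-T",
    (1701, "udp"): "L2TP",
}


@dataclass(frozen=True)
class Forward:
    external_port: int
    proto: str
    internal_host: str
    internal_port: int


def parse_forward_table(text: str) -> list:
    """Parse lines of the form 'ext_port/proto -> host:port'; '#' starts a comment."""
    forwards = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        left, right = (s.strip() for s in line.split("->", 1))
        ext_port, proto = left.split("/", 1)
        host, int_port = right.rsplit(":", 1)
        forwards.append(Forward(int(ext_port), proto.lower(), host, int(int_port)))
    return forwards


def audit(forwards: list, nas_hosts: set) -> tuple:
    """Return (allowed, findings): allowed lists VPN openings, findings lists everything else."""
    allowed, findings = [], []
    for f in forwards:
        if (f.external_port, f.proto) in VPN_PORTS:
            allowed.append(f"{VPN_PORTS[(f.external_port, f.proto)]} ({f.external_port}/{f.proto})")
            continue
        via = f"{f.external_port}/{f.proto}"
        service = RISKY_NAS_SERVICES.get((f.internal_port, f.proto))
        if f.internal_host in nas_hosts and service:
            # A NAS management or file-sharing service reachable from the Internet.
            findings.append(f"HIGH: {service} on NAS {f.internal_host} exposed via {via}")
        elif f.internal_host in nas_hosts:
            findings.append(f"MEDIUM: NAS {f.internal_host}:{f.internal_port}/{f.proto} exposed via {via}")
        else:
            findings.append(f"LOW: non-NAS host {f.internal_host}:{f.internal_port}/{f.proto} exposed via {via}")
    return allowed, findings


def is_vpn_only(forwards: list, nas_hosts: set) -> bool:
    """True when every inbound opening is one of the VPN ports."""
    return not audit(forwards, nas_hosts)[1]


# Constructed sample: one correct VPN forward plus three forwards the policy rejects.
SAMPLE_TABLE = """
# ext_port/proto -> internal_host:internal_port   (constructed data)
1194/udp -> 192.168.1.10:1194   # OpenVPN on the NAS: the one permitted door
5001/tcp -> 192.168.1.10:5001   # DSM web UI exposed directly: bad
2222/tcp -> 192.168.1.10:22     # SSH on a non-standard external port is still SSH
8080/tcp -> 192.168.1.20:80     # some other LAN device
"""
NAS_HOSTS = {"192.168.1.10"}

if __name__ == "__main__":
    allowed, findings = audit(parse_forward_table(SAMPLE_TABLE), NAS_HOSTS)
    print("Permitted VPN openings:", ", ".join(allowed) or "none")
    for line in findings:
        print(line)
    print("VPN-only policy satisfied:", is_vpn_only(parse_forward_table(SAMPLE_TABLE), NAS_HOSTS))
```

Note that the check keys on the internal destination port, not the external one, so moving SSH to external port 2222 (a common "obscurity" trick) is still reported. A table that contains only the VPN forward makes `is_vpn_only` return true, which is the state the post recommends.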

A few of the tips in the article should actually be the standard setup for the NAS regardless of the situation. An example is the password for the NAS admin account. No matter how trusted the local network is, never leave the admin account on the NAS with either the default password or one that can be guessed easily. Logging into the NAS with the admin account is basically getting in with the key to the kingdom. Even if there is no confidential data stored on the NAS, the admin account should be locked down.

Security is all about layers. The more layers there are, the more difficult it is for unauthorized people to access the information. However, there is a point of diminishing returns where the additional complexity does not give you any additional benefit.
