NAS (Synology) vs Google: security

Last Updated: Dec 7th, 2017 12:57 pm
[OP]
Sr. Member
May 12, 2014
919 posts
374 upvotes
Montreal

NAS (Synology) vs Google: security

I currently use a Synology NAS on my local network to host files (backups mostly) & as an NVR. The NAS is NOT exposed to the internet. I use Google Drive for internet accessible documents and collaboration.

I'm considering switching to using "my own cloud" for documents, etc.

But once the NAS is internet accessible, I wonder about security. I find it unlikely that someone will crack into Google, but a zero day in Synology can happen anytime.

Thoughts? Suggestions?
14 replies
Deal Expert
Aug 2, 2004
25875 posts
2879 upvotes
East Gwillimbury
First they have to find you.

Second, nothing is 100%. Not even Google. Look at what happened to Yahoo etc.
Sr. Member
Oct 14, 2010
859 posts
341 upvotes
Barrie ON
I have been doing this from the Android "DS File" app for years with no problem. Since the app can remember the password for you, be certain to choose a longer/complicated password to prevent people guessing your password. Of course you should always have a password on your device in case it is ever lost or stolen.

I also suggest you always use the https port of the DSM, or even enable the VPN server function of the Synology for times when you need access over a public Wi-Fi network.

In the DSM you can also enable a security feature to automatically block an IP after a chosen number of failed attempts. You would be notified by email if this protection feature is ever triggered.

BTW I also use the Synology "Cloud Sync" package to encrypt my personal files and sync them with my free Google Drive as another source of recovery. I don't bother syncing my media files since that would exceed the storage limit of my free Google account.

I suppose that if you still have doubts about the safety of using the Synology, you could also use the "Cloud Sync" package to keep your desired files synchronized with your Google Drive, and continue accessing them only from Google.
Deal Addict
Jun 8, 2005
2640 posts
273 upvotes
Don't make the NAS internet accessible. Set up a VPN so that you can only reach it that way. You can run a VPN server on the device, with that being the only 'exposed' service. Or set up the VPN server on your router.

What does your home firewall situation look like?
Deal Expert
Aug 2, 2004
25875 posts
2879 upvotes
East Gwillimbury
VPN is how I access my NAS. This is a viable option if you’re the only user or there are very few users.

I also have a NAS running OwnCloud for those that I give access to. But it is isolated and on a separate VLAN
[OP]
Sr. Member
May 12, 2014
919 posts
374 upvotes
Montreal
Gee wrote:
Dec 5th, 2017 8:52 am
First they have to find you.

My understanding is that "finding you" was an issue 20+ years ago. But then crackers started constantly scanning the net looking for vulnerable machines. To the point that a new WinXP machine exposed to the net would get rooted before Windows Update could even complete.
[OP]
Sr. Member
May 12, 2014
919 posts
374 upvotes
Montreal
Rick007 wrote:
Dec 5th, 2017 9:32 am
I suppose that if you still have doubts about the safety of using the Synology, you could also use the "Cloud Sync" package to keep your desired files synchronized with your Google Drive, and continue accessing them only from Google.
But if the files are hosted on the Synology, then if someone gets in they'll have access to them.

Also, the idea is that I want to stop using other people's cloud infrastructure to retain greater privacy.
[OP]
Sr. Member
May 12, 2014
919 posts
374 upvotes
Montreal
wrote:
Dec 5th, 2017 9:49 am
Don't make the NAS internet accessible. Set up a VPN so that you can only reach it that way. You can run a VPN server on the device, with that being the only 'exposed' service. Or set up the VPN server on your router.

What does your home firewall situation look like?

So you can use the VPN to access services like NoteStation and other Synology apps?

How would you make the Synology accessible by VPN? By port forwarding directly to it?


Firewall wise, I have none. My home network is behind a standard router (soon to be an Orbi) which means I'm somewhat protected by NAT.

The Synology's internal firewall has super strict rules enabled for now: all connections are refused except those originating from a whitelist of IPs (192.168.x.x).
Deal Expert
Aug 2, 2004
25875 posts
2879 upvotes
East Gwillimbury
FrancisBacon wrote:
Dec 6th, 2017 10:03 pm
How would you make the Synology accessible by VPN? By port forwarding directly to it?
That's the beauty of a VPN. The Synology is not accessible at all from an outside network. Once you connect with a VPN, your machine will have a local IP and you access it as if you were at home.
FrancisBacon wrote:
Dec 6th, 2017 9:54 pm
My understanding is that "finding you" was an issue 20+ years ago. But then crackers started constantly scanning the net looking for vulnerable machines. To the point that a new WinXP machine exposed to the net would get rooted before Windows Update could even complete.
You don't have to make it easy for them. Use a non-standard port and a very long password. Anti-hammering lockout and you should be relatively safe.

Who said anything about XP? If you set up a private cloud exposed to the internet, Windows would be the last platform I would use.
Sr. Member
Nov 28, 2013
996 posts
285 upvotes
London, ON
Gee wrote:
Dec 5th, 2017 11:28 am
VPN is how I access my NAS. This is a viable option if you’re the only user or there are very few users.

I also have a NAS running OwnCloud for those that I give access to. But it is isolated and on a separate VLAN
Are you using the built-in VPN server on the Synology NAS ... and logging in to the VPN via the NAS? Wouldn't that expose it to the internet and allow someone to hack the VPN portion of the NAS still?
Deal Expert
Aug 2, 2004
25875 posts
2879 upvotes
East Gwillimbury
sk1001 wrote:
Dec 7th, 2017 3:47 am
Are you using the built-in VPN server on the Synology NAS ... and logging in to the VPN via the NAS? Wouldn't that expose it to the internet and allow someone to hack the VPN portion of the NAS still?
I don't have a Synology. I build my own NAS units.

I run OpenVPN on pfSense (router).

If the Synology is set up correctly, the VPN server would be separate from the NAS portion.
Sr. Member
Oct 14, 2010
859 posts
341 upvotes
Barrie ON
FrancisBacon wrote:
Dec 6th, 2017 9:57 pm
But if the files are hosted on the Synology, then if someone gets in they'll have access to them.

Also, the idea is that I want to stop using other people's cloud infrastructure to retain greater privacy.
If you want to access your files directly on the NAS, then you need to install the "File Station" package, and add a port forwarding rule to your router. This makes your NAS available for remote access.

If you install the "Cloud Sync" package, then your NAS will poll the Google Drive and keep it synchronized with your NAS. This gives you access to your files via Google Drive, which you seem comfortable with, and does not allow any remote access to your NAS (i.e. no port forwarding is required since the NAS is establishing the connection).

If your desire is "that I want to stop using other people's cloud infrastructure to retain greater privacy" then you don't seem to have any other option but to install "File Station" and open up the port.

To access your NAS remotely, someone must first locate your IP amongst the millions that are available. Then the person must locate active ports on your router amongst the 65,535 that are available. Then he must enter the correct password of the almost infinite number that are available (when using long passwords with random characters). Then he must use the correct password within his first 3 attempts (user selectable) or his IP will be blocked from future attempts.

You could also set up "File Station" without a port forwarding rule on your router and use Synology's OpenVPN to access your internal LAN. OpenVPN requires that a .ovpn file be generated by the Synology, and then this file needs to be placed on your mobile device. This is preferred over some other VPN types which only require the VPN password. If someone learns your VPN password then more damage can be caused than if they only knew your Synology "File Station" password.
Deal Addict
Jun 8, 2005
2640 posts
273 upvotes
FrancisBacon wrote:
Dec 6th, 2017 10:03 pm
How would you make the Synology accessible by VPN? By port forwarding directly to it?
Yes
FrancisBacon wrote:
Dec 6th, 2017 10:03 pm
Firewall wise, I have none. My home network is behind a standard router (soon to be an Orbi) which means I'm somewhat protected by NAT.

The Synology's internal firewall has super strict rules enabled for now: all connections are refused except those originating from a whitelist of IPs (192.168.x.x).
Yes, you have a firewall, your standard router provides it. You'll have to adjust the internal firewall to allow connections on your VPN, as well as connections from your VPN network range.
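
Added example (not part of any poster's message and not Synology's code): a first-match allowlist evaluator showing why the NAS firewall needs both rules mentioned in the reply above, one for the VPN listener and one for the VPN address range. The tunnel subnet 10.8.0.0/24, UDP 1194 and TCP 5001 are assumed values, and 203.0.113.7 is a documentation address standing in for an internet host.

```python
import ipaddress

# Each rule: (action, source network, protocol or None, destination port or None).
# All addresses and ports below are constructed for illustration.
LAN = "192.168.0.0/16"       # the whitelist described in the thread (192.168.x.x)
VPN_RANGE = "10.8.0.0/24"    # assumed tunnel subnet handed to VPN clients
VPN_PORT = ("udp", 1194)     # assumed VPN listener (OpenVPN's default port)
DSM_HTTPS = ("tcp", 5001)    # assumed DSM HTTPS port

# Current state: only LAN sources are accepted.
LAN_ONLY = [
    ("allow", LAN, None, None),
]

# After the adjustment: VPN listener reachable, tunnel clients treated like LAN.
WITH_VPN = [
    ("allow", LAN, None, None),
    ("allow", "0.0.0.0/0", *VPN_PORT),  # anyone may reach the VPN listener only
    ("allow", VPN_RANGE, None, None),   # clients that already hold a tunnel address
]

def evaluate(rules, src, proto, port):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(src)
    for action, net, r_proto, r_port in rules:
        if addr not in ipaddress.ip_network(net):
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"

def report(rules):
    """Evaluate four constructed connection attempts against a rule set."""
    cases = {
        "internet -> DSM": ("203.0.113.7", *DSM_HTTPS),
        "internet -> VPN": ("203.0.113.7", *VPN_PORT),
        "vpn client -> DSM": ("10.8.0.6", *DSM_HTTPS),
        "lan host -> DSM": ("192.168.1.20", *DSM_HTTPS),
    }
    return {name: evaluate(rules, *args) for name, args in cases.items()}

if __name__ == "__main__":
    for label, rules in (("LAN only", LAN_ONLY), ("with VPN", WITH_VPN)):
        print(label, report(rules))
```

With the LAN-only rules, a forwarded VPN port is still refused by the NAS, and with only the listener rule added a connected client would still be denied at DSM because its source address is in the tunnel range rather than 192.168.x.x.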
[OP]
Sr. Member
May 12, 2014
919 posts
374 upvotes
Montreal
Rick007 wrote:
Dec 7th, 2017 9:41 am
...first locate your IP...locate active ports on your router ...enter the correct password...
For locating IP/port, I believe that constant scanning no longer makes this an issue. We can no longer hide in the crowd. See, for example,
https://en.m.wikipedia.org/wiki/Shodan_(website)

(Same as facial detection and license plate scanners have made anonymous travel impossible in real life, but that's a topic for another day.)


For the password, what concerns me is that someone could access the NAS without even needing a password
E.g.
https://www.cvedetails.com/cve/CVE-2013-6955/
Or
https://www.exploit-db.com/exploits/43190/


Rick007 wrote:
Dec 7th, 2017 9:41 am
You could also set up "File Station" without a port forwarding rule on your router and use Synology's OpenVPN to access your internal LAN.
That sounds interesting... So it's possible to run a VPN server on the Synology without having the router port forward to it? Not sure how that works???

Also, I'm currently running a VPN on my phone, so I wonder if I can add a second one for the Synology...
Sr. Member
Oct 14, 2010
859 posts
341 upvotes
Barrie ON
FrancisBacon wrote:
Dec 7th, 2017 11:08 am
That sounds interesting... So it's possible to run a VPN server on the Synology without having the router port forward to it? Not sure how that works???

Also, I'm currently running a VPN on my phone, so I wonder if I can add a second one for the Synology...
If you want to use "Cloud Sync" with Google Drive, then you don't need port forwarding. If you want to use "File Station" then you have the choice of port forwarding directly to the "File Station" port, or port forwarding to the VPN server port running on the Synology. Some people feel that running a VPN is more secure than simply port forwarding to a file serving port. I choose to only use the Synology VPN server when accessing my files from a public network.

With regard to running another VPN client on your phone, I run the PIA VPN client software on my phone, as well as an OpenVPN client to access my Synology VPN server.

As mentioned before, if your goal is to no longer use a public cloud storage, then you have no choice but to use your own cloud server. As you know, back doors are always being found in Windows itself, and Microsoft issues patches ASAP to reduce the chance of hacking. In the same way Synology issues patches as soon as they discover a potential back door. I sometimes get 4-5 DSM updates in one month. Because of these frequent updates I feel that Synology offers the best security of all available NAS products.