G+_Joel Pomales Posted June 22, 2018
Brand spankin' new owner to a Synology 218+ here. Questions:
How secure is getting to the NAS through Quickconnect? Should I get a cert to make sure traffic is https secure? Should I go the DDNS route? What's the general experience?
Two factor: if I enable it with Quickconnect, will it ask me every time I log in? Or just once on clients? Will it ask for a TFA code on the local network?
thx!
G+_George Fromtulsa Posted June 22, 2018
I did see one comment from a Quickconnect user. He started randomly typing in character strings and started receiving responses. Haven't set up for 'net access, but that's a cautionary advisory.
G+_John Saunders Posted June 24, 2018
I have an RS218 with TFA enabled, and QuickConnect. Regardless of access (internal/external network), you are prompted for TFA. However, I have some uncertainty regarding QuickConnect, and I believe I will be turning it off. I already have a DDNS setup through Google Domains, and an OpenVPN server run by my pfSense firewall. I'd rather use a trusted VPN technology for my access.
G+_Marco van Laerhoven Posted June 24, 2018
George Fromtulsa, can you be more specific? QuickConnect makes your NAS start polling for connection requests from a known domain. It ensures you don't need to open ports on your router. It will work fine without DDNS. If you want to set up a certificate that requires a response in setting up, like Let's Encrypt, then you need it set up (so LE can confirm it's talking to the right machine). You can (and I recommend you do) set up security restrictions when connections come in, e.g. limit connection attempts and auto block. I take security seriously, and think using QC is safe to use if you take these precautions.
G+_Marco van Laerhoven Posted June 24, 2018
John Saunders could you elaborate on your doubts?
G+_George Fromtulsa Posted June 24, 2018
Marco van Laerhoven What I understood from a thread about using QuickConnect is that a Synology user set up QuickConnect then used the software, which I believe uses a Synology website as a connection point, to go fishing for other QuickConnected Synologies. And found some that indicated readiness to QuickConnect. Writer did not say he tried to "break in." So the takeaway is your Synology can be "found" by strangers through QuickConnect. That implies QuickConnect itself does not confer security, and may help identify connected Synologies. The security of a QuickConnected Synology from "dictionary" attacks, etc., would depend on the robustness of passwords, Synology's response to failed connection attempts, etc.
G+_Marco van Laerhoven Posted June 24, 2018
Thanks a lot for your response! I would like to share my view, and hope others will chime in to create a joint view of the situation... If I understand correctly the risk is that someone may be able to determine there is a Synology NAS listening and try to connect. As security by obscurity is not really security at all, I think it is fair to assume our QuickConnect ID is publicly known. In my view, compared to me opening a port on a router (which can also easily be detected) this is still a lot better - with QuickConnect there is nothing open, and whenever someone actively tries to connect directly to my public IP address they will not get any response. The only way to connect is to set up a session (port 80) to the Synology domain and request my QuickConnect ID. This means the "hacker" is already seriously limited in the options of breaking in (as he is not initiating the connection). And we can further enhance protection by enabling auto block and account protection (block IP address or account login after a number of unsuccessful login attempts). All in all, I think this is a "safe enough" option to use - as I really like the benefits of my private cloud. Looking forward to hearing what others are thinking, please let me know your thoughts.
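Added example (not part of any post in this thread, and not Synology's code): a sketch of the two protections named in the post above, blocking a source IP and locking an account after a number of failed logins within a time window, replayed over constructed log lines. The log format, the thresholds and the name `evaluate_lockouts` are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, account, result); not real DSM output.
SAMPLE_LOG = """\
2018-06-24T10:00:00 192.0.2.10 alice FAIL
2018-06-24T10:01:00 192.0.2.10 alice OK
2018-06-24T10:05:00 203.0.113.7 admin FAIL
2018-06-24T10:05:20 203.0.113.7 root FAIL
2018-06-24T10:05:40 203.0.113.7 guest FAIL
2018-06-24T10:06:00 203.0.113.7 admin FAIL
2018-06-24T10:10:00 198.51.100.1 bob FAIL
2018-06-24T10:11:00 198.51.100.2 bob FAIL
2018-06-24T10:12:00 198.51.100.3 bob FAIL
2018-06-24T10:30:00 192.0.2.10 alice FAIL
2018-06-24T10:31:00 192.0.2.10 alice FAIL
"""

def evaluate_lockouts(log_text, max_attempts=3, window_minutes=5):
    """Return (blocked_ips, locked_accounts) after replaying the log in order."""
    window = timedelta(minutes=window_minutes)
    fails_by_ip = defaultdict(deque)
    fails_by_account = defaultdict(deque)
    blocked_ips, locked_accounts = set(), set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, ip, account, result = line.split()
        when = datetime.fromisoformat(stamp)
        if ip in blocked_ips or result != "FAIL":
            continue  # blocked sources are dropped; successes are not counted
        for key, table, tripped in ((ip, fails_by_ip, blocked_ips),
                                    (account, fails_by_account, locked_accounts)):
            recent = table[key]
            recent.append(when)
            while when - recent[0] > window:  # expire failures outside the window
                recent.popleft()
            if len(recent) >= max_attempts:
                tripped.add(key)
    return blocked_ips, locked_accounts

if __name__ == "__main__":
    ips, accounts = evaluate_lockouts(SAMPLE_LOG)
    print("blocked IPs:", sorted(ips))
    print("locked accounts:", sorted(accounts))
```

In the sample, one address guessing several accounts trips only the IP block, while guesses against one account spread over three addresses trip only the account lock, which is why the two settings complement each other.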
G+_George Fromtulsa Posted June 24, 2018
Marco van Laerhoven So what we have on our work Synologies is important to protect. Payroll data with Tax ID numbers, employee medical insurance with possible HIPAA implications. This current discussion is the deepest I've looked into the Synology <> Internet connection as we really don't need access away from workplace. Employees who need to "catch up" by working from home take the files they need with them on either encrypted laptops - or encrypted thumbdrives. Nothing is absolutely secure, but the linked Synology article about QuickConnect does not build my confidence - Our Synologies have no such content, but consider the scorched earth lawsuits of the RIAA and MPAA. Yet there's thousands of Synologies "broadcasting" music and video across the planet? Legal? Maybe, though a grey area I'd much prefer not to be defending in court. And that's content I bought in physical media and still own in physical media. Different case when re-broadcasting captured streams, OTA TV recorded on DVR, that Tor movie download, or ripped content from physical media sold on eBay . . .
https://www.synology.com/en-global/knowledgebase/DSM/help/DSM/AdminCenter/connection_quickconnect
G+_John Saunders Posted June 24, 2018
I believe my opinion is based more on the fact that I have already spent the time setting up DDNS and an OpenVPN server to access my internal network. I'm sure that QuickConnect will work nicely for most, but I'd rather not open a direct connection into my NAS.
G+_Marco van Laerhoven Posted June 24, 2018
I see, so in your case when somebody wants to connect they contact the VPN server first. If this is a separate box, not on the NAS, I see the benefit. Thanks for sharing!
G+_George Fromtulsa Posted June 24, 2018
Marco van Laerhoven In our case, the Synologies are behind a firewall and set to only accept local connections.
G+_Marco van Laerhoven Posted June 24, 2018
George Fromtulsa That's clear, you basically don't want outside access to the NAS. Our use cases are different, we need a way to back up and sync files my colleagues and I create into a central location. We work at different locations and we use the NAS as a private cloud (no Google Drive or Dropbox for us). In your case the Let's Encrypt method won't work as the NAS needs to be able to connect to the internet to get the cert. If you've blocked non-local access that will not be possible.
G+_George Fromtulsa Posted June 24, 2018
Marco van Laerhoven And if I were more confident in the security of the NAS if it were online, I'd be doing what you do. Currently we share Mac files with other locations via encrypted DMGs and Linux files in 7-zips, using either Gmail or Google Drive. Not worried so much about anyone hacking "everything" (which they'd get by bursting into our Synologies) on Google Drive, and while the Goog has the processing power to break into our password protected uploads, it would be a big waste of Goog's resources. NSA, if you're listening, don't bother. Just get it from the IRS.
G+_Joel Pomales Posted June 26, 2018 Author
NAILED IT! I was missing a step. I did everything right except one thing: pointing my subdomain to the DDNS entry. Done and done. Works and SSL cert shows green. Booya! Good bye to Quickconnect. Now to change passwords all around (longer, random) and enable TFA for the admin group. Happy camper.
G+_George Fromtulsa Posted June 26, 2018
Joel Pomales Good you're set up like you wanted. Have a static IP address?
G+_John Saunders Posted June 26, 2018
George Fromtulsa Joel doesn't need a static when he is using DDNS to update the WAN address. Then when the connection is attempted via FQDN, the DNS is translated to what the DDNS record has been last updated to.
G+_Joel Pomales Posted June 26, 2018 Author
And I found out that I sort of cheated. I entered the CNAME record to refer to my provided, but I did not modify any port forwarding rules in my router. Synology Quickconnect did that for me. Thing is that when I disable Quickconnect, the port forwarding rules go away. I also found out that the Linux Drive client doesn't like me entering the address that I set up for my NAS. So I went ahead and disabled all Quickconnect services but Drive. For all intents and purposes, the only way you can get to my NAS through Quickconnect is through Drive. Found a relatively nice solution for it. I think it's a win.
G+_George Fromtulsa Posted June 26, 2018
John Saunders Thanks for the answer. I might be able to handle QuickConnect, which is why I'm sure it is there, but beyond plugging in gear to (unmanaged) switches, I'm stepping beyond my knowledge set.
G+_John Saunders Posted June 26, 2018
Quickconnect essentially does a third party connection to Synology. So...
SynologyNAS <> QuickConnect Server <> Your Connection
If you use DDNS, you initiate a direct connection, just using a dynamic DNS to direct your connection to the correct IP, but it is still a direct connection.
G+_Joel Pomales Posted June 26, 2018 Author
John Saunders and this was what I was looking for. I don't want to rely on a third party to get to my data.
G+_John Saunders Posted June 26, 2018
Joel Pomales I'm not entirely sure if the QuickConnect feature actually tunnels your traffic from your NAS through Synology to your device (like a VPN). I'm almost thinking the QuickConnect is Synology's version of DDNS, which would still make a direct connection.
G+_Joel Pomales Posted June 26, 2018 Author
John Saunders but there is a difference. While I was able to access the NAS using Quickconnect, I couldn't use SSL certificates at all. With direct connect I can. Huge difference for me.
G+_George Fromtulsa Posted June 26, 2018
Joel Pomales I am pretty sure (without even looking under the hood) that QuickConnect will establish an SSL connection, using Synology servers. "Back in the day" Apple's MobileMe provided optional {paid} secured / encrypted connections through iChat, and that enabled sorta' peer-to-peer encrypted chat, audio, video, file transfer, and remote desktop control. iChat connections passed through Apple servers, which functioned as a "switchboard." I suppose there was a theoretic danger Apple could have done a man-in-middle - My issue with QC is the guy who reported he could "find" other Synologies that weren't his. Meaning he was a password attack away from gaining access.
G+_Joel Pomales Posted June 26, 2018 Author
George Fromtulsa well, when I set up my NAS and created my account Chrome was complaining that my connection was not secure. ?????
G+_George Fromtulsa Posted June 26, 2018
Joel Pomales Like many things I only see from the "user" level, I have learned this "stuff" is complicated. I'm planning to dive deeper into the Synology setup for the 'net - when the real work I have in the queue gets done, if ever I get it done -
developers.google.com - Preventing Mixed Content | Web Fundamentals | Google Developers