Encryption vs Remote Access


NAS
DS218J
Is encryption only for protection against physical access to the NAS?

If I am not worried about physical access, only unauthorized remote access, should I encrypt the NAS?
 

Rusty

Staff member
Moderator
NAS Support
Website
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2xRS3614RPXS+ (with 2 expansions)
Router
RT1900ac
Personally, I encrypt only certain folders (not that it's possible to encrypt the NAS as a whole), but just because I really don't want access to those folders in any case.

Not worried about physical access but remote access can be a problem ofc. 1st thing ofc is to secure and harden remote access then, as an additional layer, you can always go with encryption. Saying that, off the bat, I would say if remote access is your primary concern then secure it and later on think about physical one.
 

Rusty

Staff member
Moderator
NAS Support
Website
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2xRS3614RPXS+ (with 2 expansions)
Router
RT1900ac
What can be done to harden remote access security? Besides a strong password of course.
  • Switch to a custom port(s) away from 5000/5001
  • Activate 2FA
  • Use Firewall to block certain regions (geo blocking)
  • Minimize opening ports to the Internet
  • Set up a VPN if you need remote access to your NAS (this ties into the previous bullet)
  • If you do want remote access without VPN (so DDNS for example), be sure to access it via HTTPS (a valid SSL certificate via Let's Encrypt)

There are some things that come to mind, also be sure to check this topic as well: Please help me understand making my NAS secure.
 

fredbert

Well-known member
Encryption is applied to data at different times:
  • In transit between known endpoints but when there is less trust in the medium through which the data is transported.
  • In storage to protect from unauthorised disclosure.
The first case is what is applied when connecting across the Internet, say for passing personal data to a website. This protection is only when the data is passing the two ingress/egress points of the secure connection, beyond these points the data could be in clear or may have other protections to secure it. For instance, you may make a purchase from an online retailer that uses a secure website, but this only secures data between the browser and webserver. There is no guarantee that the internal servers that the webserver uses to store content and our purchase information will have data transferred securely to them.

The second case is to add further electronic protection to any authentication and access controls already in place, in the case where physical access is gained to the storage devices. In general, most data isn't of a private nature so using full disk encryption may not be required, and a more focused approach can be used for a selected dataset. However, full disk encryption would mask where the interesting data is.

Given that most attacks will be electronic in nature then ensuring that strong mechanisms are used for authenticating access requests, limiting access and controlling what is accessible, and strongly encrypting connections should be the first concern. This means:
  • Setting up remote access (SSL-VPN and OpenVPN, then L2TP/IPsec) with strong passwords and 2 factor authentication (DSM supports this for user accounts).
  • Limiting who can connect using remote access.
  • For any Internet accessible services, including remote access, if possible, limit regional accessibility
  • Limit the accessible services that are available from the Internet.
  • Only permit secure connections to these services.
  • Don't permit direct access to the main DSM/SRM web portal, these can be used by remote access.
  • At least, limit admin accounts access from LAN side IPs.
Personally, I encrypt stored data that I need secured and not, say, the iTunes media library. I've three WD MyBook Studio drives that encrypt their data and their internal disks cannot be moved to another enclosure in the event of a MyBook power brick dying. The MyBook encryption key is hardware stored and not extractable, unlike on DSM ... so be very careful to keep any encryption keys safe when doing a full disk encryption.

Never, ever use a home Internet router/firewall's DMZ feature: if they have one, it usually punches a hole straight through from the Internet to a target device and most home users will not be capable of configuring that device to withstand probes and attacks.
 
Last edited:
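
Added example (not part of fredbert's post and not Synology code): a simplified first-match firewall model in Python that contrasts forwarding the DSM ports directly with exposing only a VPN, as advised in this post and in Rusty's list above. The rule format, the subnets and the probe address are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

DSM_PORTS = {5000, 5001}  # default DSM HTTP/HTTPS ports named in the thread
VPN_PORT = 1194           # OpenVPN's default port

# Assumed rule format (not DSM's): (ports, source network, action),
# evaluated top to bottom; "default" applies when nothing matches.
WEAK = {
    "rules": [(DSM_PORTS, "0.0.0.0/0", "allow")],  # portal forwarded to everyone
    "default": "allow",
}
HARDENED = {
    "rules": [
        (DSM_PORTS, "192.168.1.0/24", "allow"),  # LAN clients (constructed subnet)
        (DSM_PORTS, "10.8.0.0/24", "allow"),     # VPN client pool (constructed)
        ({VPN_PORT}, "0.0.0.0/0", "allow"),      # only the VPN faces the Internet
    ],
    "default": "deny",
}

def decide(policy, src, port):
    """Return the action of the first rule matching src and port."""
    addr = ip_address(src)
    for ports, network, action in policy["rules"]:
        if port in ports and addr in ip_network(network):
            return action
    return policy["default"]

def internet_exposed(policy, ports, probe="203.0.113.7"):
    """Ports reachable from a constructed Internet address (TEST-NET-3)."""
    return sorted(p for p in ports if decide(policy, probe, p) == "allow")

def findings(policy):
    """Flag direct portal exposure and a permissive default."""
    issues = []
    exposed = internet_exposed(policy, DSM_PORTS)
    if exposed:
        issues.append(f"DSM portal reachable from the Internet on {exposed}")
    if policy["default"] != "deny":
        issues.append("unmatched traffic is allowed by default")
    return issues

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, internet_exposed(policy, [22, 5000, 5001, VPN_PORT]),
              findings(policy))
```

With the hardened policy the portal is still reachable from the LAN and from VPN clients, while an Internet source only ever sees the VPN port.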
NAS
DS218J
Okay... so then is a Synology NAS more or less secure compared to Google Drive? In terms of preventing unauthorized remote access, as well as encryption during transit.
 

Telos

Active member
Unless someone here works for Google Security, there's no way of knowing for certain. However, Google has access to all your files, so unless you are encrypting everything on Google Drive, you are insecure.
 

fredbert

Well-known member
QuickConnect is a set of mechanisms that enable connectivity to the NAS. They default to direct access between the client and NAS but can invoke a proxy server to bridge the two endpoints (such as when the NAS uses ports that are blocked at the client's location). There is a risk that the HTTPS traffic is exposed during the transition through the proxy service: the client makes the connection to the proxy and the proxy makes the connection to the NAS. But QuickConnect doesn't have any login rights to your NAS.

Synology don't have physical access to the NAS at your house, I'm guessing. Which would mean that either you have given them access via username/password or there's a backdoor. If you have no Internet access to the NAS then Synology cannot access your data.

Any public cloud service is physically present somewhere on the surface of the Earth and, as such, whoever has access to the devices holding your data could access your data. Unless all data sent to a public cloud service is encrypted by you (either by the provider's client app or specifically by you) then access to your data is restricted through the application authentication, access controls, and corporate security policy ... but is still possible because it is held in clear.
 

Telos

Active member
Apart from hacking and peeking concerns... should you draw the attention of govt agencies, Google will kindly provide access to your file storage/history to those authorities when the proper paperwork is presented.
 

fredbert

Well-known member
Any public cloud service is physically present somewhere on the surface of the Earth
should you draw the attention of govt agencies, Google will kindly provide access to your file storage/history to those authorities
Oh yes, and the jurisdiction of the country where your data is held will be applicable. And you probably won’t know where this is unless you have a contract with the cloud storage provider that enables you to select the location(s).
 

jeyare

Active member
NAS
1811+, 3x 1813+, ...
@braveheart0707
Don't worry about QuickConnect, more important is your WAN/LAN infra and status of your skills to secure these weaknesses (including the NAS). 99% of the “door opening” comes from a neglected attitude or ignorance of basic principles.
Rusty's point is a good way to start better security for your NAS & of course data in the NAS.
Sometimes just look into your prevention system(s) to see how many IPs try to break into your LAN. A lot of attempts.
 
