Firewall Hardening, anyone use IPSET with a Synology box?

[TikiG]

Hello,

My question revolves around the Synology Firewall and IPSET integration.

Setup is a DS918+ for a small company (5 office workers). They have a subdomain and have to share links with the outside world/file upload requests. They have both internal and remote users. We have forwarded ports to the NAS, including 443, DSM ports (changed from default) and drive default ports. I have the Synology firewall limited to inbound US IP's.

That's okay, but I would also like to drop IP's using IPSET and the firehol_level1 list if possible. Can this be done? Has anyone integrated IPSET?

What is the firewall really running behind the scene.

I know this should be done on the router level ideally, but I'm trying to work with the equipment they have, which is an Asus router (basic firewall options). I know I could dump Merlin/Skynet on it but I don't want to go too far out of the box.

Any suggestions or any way to increase port "open" security.

Thanks!

 

[fredbert]

I think the DSM firewall is or based on iptables but changes will most probably get overwritten when updated.

As you said, you'd be better off placing a separate firewall in front of the server. While not using the ruleset you mention, Threat Prevention in Synology's RT2600ac can be modified to deny access from several suspect and low reputation IPs rules (and similar) from within the ET Open ruleset.

From a business point of view you have to consider the time to maintain bespoke modifications, where they aren't expected to be by the equipment vendor, versus using something that has been designed to do the job. I'd certainly consider splitting the main security and network infrastructure from the content and applications servers.

 

[TikiG]

Thank you for the reply.

The Synology NAS is already obviously running IPSET with the country filter option. They just didn't push more features into the Firewall GUI and opted for a form of simplicity. It just needs an advanced feature tab of some sorts.

In the end, I guess I'll just convert the router to Merlin/Skynet with a custom filter list. That is probably the easiest to implement and not likely to suffer from any future firmware update wiping it out.

For me the Asus is pretty feature rich with Merlin firmware and add-ons. The TrendMicro AiProtection is advertised as commercial grade and works well by those who have tested it. (Note: You do give up some data privacy for that benefit, which may turn some people off to it, but it's a tradeoff considering the additional IPS feature set).

I'll look into Synology's RT2600ac some more. Seems like a decent product, (probably due for a cpu upgrade by now) but definitely more security features than most out of the box. I'll read up more within the router forum.

Again appreciated your response.