Is WebDAV the best option for remote access?

[aGraphicz]

Hi there

We are a small company and we just started using Synology (DS920+). Some of us would like to have remote access to the files, maybe sometime working from home, and for this reason I used WebDAV to map the drives (we mostly work on MacOS devices) without going every time through DSM.

I was wondering:
- is this the best solution?
- do you have any other suggestions?
- is it safe?
- is it possible to add a 2fa for WebDAV?
- is somehow possible to define via geolocation who has access via WebDAV?

Many thanks in advance

 

[WST16]

Hi,

I’ll attempt to answer. Others will add their input based on their experience too hopefully…

is this the best solution?

It is a good solution. WebDAV is considered slow though, but if it’s acceptable for what you’re doing, then why not.

do you have any other suggestions?

VPN to the DiskStation and mount the folder you’re working with. Safer and faster. However, everything is relative.
Also, have you looked at Synology Drive.

is it safe?

WebDAV has been around for a long time. However, you’ll need to secure the DS by enabling the firewall, use a reverse proxy and limit the DS exposure to the outside world to the minimum necessary. Think DiskStation remote access, regardless of what is enabled.

is it possible to add a 2fa for WebDAV?

2FA is user based. As long as the user needs to login. I’d leave it to someone else to cover it. My experience is very limited here as I don’t use 2FA.

is somehow possible to define via geolocation who has access via WebDAV?

If you mean to restrict with the granularity of each users’ location (i.e. user x can only access WebDAV from location y only and nothing else), then (to the best of my knowledge) I don’t think so. However, you can restrict WebDAV access to a certain country (your country) for instance using the firewall.

 

[kiriak]

best option for remote access is to have a security appliance between your network and the outside world

you can have a mini PC worth of 200-300 euros and a free firewall-router distro installed,
like OPNsense, pfsense, Sophos XG etc.

my Sophos XG mini PC runs on 6 W consumption, I have enebled Open VPN server on it, just a matter of a few clicks, really easy for a novice like me, with certs on the clients (mobile devices and PCs of my family) and support for 2 FA if I want.

Maybe some good consumer routers (like Synology) support these functions also.

If you are concerned about security, a firewall between your NAS and the WAN adds another layer of security and offers many many tools to restrict and monitor what is going out and what is coming in.

 

[Shadow]

maybe sometime working from home,

Makes me wonder how the IT landscape looks like. Security should always be a priority. So I would expect if employee's take their company issues laptops home to work with, they should work with a VPN...

 

[aGraphicz]

Makes me wonder how the IT landscape looks like. Security should always be a priority. So I would expect if employee's take their company issues laptops home to work with, they should work with a VPN...

WebDAV has been around for a long time. However, you’ll need to secure the DS by enabling the firewall, use a reverse proxy and limit the DS exposure to the outside world to the minimum necessary. Think DiskStation remote access, regardless of what is enabled.

Thanks for your inputs. Regarding security: using WebDAV and a valid certificate (Let's Encrypt for example) can be an acceptable alternative?

 

[Shadow]

Regarding security: using WebDAV and a valid certificate (Let's Encrypt for example) can be an acceptable alternative?

When looking At purely accessing the NAS files securely: yes

Also beware of a limitation of file sizes with Windows machines: How to increase the WebDAV file limit in Windows - Email Hosting | Website Hosting | Phone Hosting | Website Design | Graphic Design

 

[aGraphicz]

When looking At purely accessing the NAS files securely: yes

Also beware of a limitation of file sizes with Windows machines: How to increase the WebDAV file limit in Windows - Email Hosting | Website Hosting | Phone Hosting | Website Design | Graphic Design

Thanks for the tip. We will work exclusively on MacOS devices. There shouldn't be a problem right?

We are a small graphic design agency and files can get quite big, but mostly we will work in local and remotely just sometime and mostl, for "office stuff" like Excel and Word. Can WebDAV be a limitation in terms of workflow?

 

[Shadow]

We will work exclusively on MacOS devices. There shouldn't be a problem right?

From what I've seen and read is that MacOS has better native support for DAV protocols than Windows.

I'd say test it out (maybe a UAT?) on big files and see what happens. that way you can also see if the performance is acceptable or not , because as already mentioned it will not be as fast as regular SMB protocol.

 

[WST16]

We will work exclusively on MacOS devices. There shouldn't be a problem right?

I’ve used WebDAV on my Macbook for a long time (before almost completely switching to the iPad and Synology Drive) with no problems. You should be fine.

 

[aGraphicz]

From what I've seen and read is that MacOS has better native support for DAV protocols than Windows.

I'd say test it out (maybe a UAT?) on big files and see what happens. that way you can also see if the performance is acceptable or not , because as already mentioned it will not be as fast as regular SMB protocol.

Will try then

Another question: for the WebDAV server to work I am giving the Syno access to the internet using QuickConnect. Is that a good idea? Or better a DDNS and a certificate (Let's Encrypt for instance)?

 

[Rusty]

Will try then

Another question: for the WebDAV server to work I am giving the Syno access to the internet using QuickConnect. Is that a good idea? Or better a DDNS and a certificate (Let's Encrypt for instance)?

It will essentially be the same. The upside for ddns is speed, considering the communication is going directly to your NAS as QC will relay you over Syno infrastructure.

 

[aGraphicz]

It will essentially be the same. The upside for ddns is speed, considering the communication is going directly to your NAS as QC will relay you over Syno infrastructure.

I see.

Is also possible to completely disallow DSM, File Station and FTP so users cannot connect using the Quickconnect ID and still have access to shared folder via WebDAV right?

 

[Rusty]

I see.

Is also possible to completely disallow DSM, File Station and FTP so users cannot connect using the Quickconnect ID and still have access to shared folder via WebDAV right?

You can edit user app access using the user permissions tab. This is per user/per app. So, yes.