NAS- or Docker-hosted whole-network security options?

I'm wondering if there is any Syno-native or docker-able app that I can host on my NAS that'd provide whole-network security. I see Antivirus Essentials and Norton are available in the app library. Basically, it'd be nice to have something running in the background that could reach out and scan every device on my network that the NAS can see and report any issues. Does such an app exist? It appears that Antivirus Essentials is only for protecting the specific NAS it is installed on?
 
I've seen you make comments saying that AV software is essentially pointless so long as you aren't dumb about what you download. I understand that, and I don't like the processing draw that many of them have, but I also have kids on my network and they can be dumb without realizing it. Is there any AV app for a NAS only that you would recommend?
 
Is there any AV app for a NAS only that you would recommend?
I lean towards Bitdefender Box or Bitdefender GravityZone Business Security. Though the latter is too expensive for my taste. My protection is primarily at the device that accesses the NAS. ClamAV is OK, but it offers no protection against worms and most ransomware. Defensively you should look to snapshot replication and off-NAS backup to USB or trusted cloud devices.
 
Once I'm fully set up I'll have snapshots, an offsite NAS and a USB drive that'll get updated monthly and then parked in a safe. I was just thinking it'd be pretty slick to have a system that could cover my whole network without having to actually maintain every device.

Looking into it, Bitdefender Box actually looks like what I'm asking for; it just isn't hosted on my NAS. I'd need to buy a separate piece of hardware and then it'd cover everything? It sounds like it includes a firewall without actually calling itself a firewall, or am I misunderstanding it? I'd probably disable that portion because I already have a firewall via my Ubiquiti gear and don't want to have firewalls battling each other. Mainly looking for virus and malware protection.
 
Basically, it'd be nice to have something running in the background that could reach out and scan every device on my network that the NAS can see and report any issues
'Security' is a broad term and you have to define what you want to achieve in order to know what mechanisms (and procedures) are most appropriate.

Generally endpoint protection requires an agent to be loaded on to each protected device... how are you going to screen the internal data etc of a device via whatever network ports it has helpfully left open, or not?

For LAN monitoring and asset tracking there are products like Qualys (Qualys Community Edition | Qualys, Inc.).

If you have suitable routers, switches, and firewalls then using zero-trust products can adapt their policies to micro-segment networks to ensure only correctly behaving and identified users+devices have access to sensitive services. Products such as Cisco AMP, Stealthwatch, ISE, and DNA combined.

Are you looking at perimeter security? Internet/LAN boundary firewall and more advanced features?
 
I have a firewall already via my Ubiquiti Security Gateway Pro-4 router. I am also going through the process of setting up multiple networks for different device types (IoT, home network, security cameras, etc). After reading more, I now realize that the Bitdefender Box is actually a router by itself, and includes a firewall. I probably wouldn't use the Bitdefender Box much as a router or firewall as I already have that set up in UniFi. It is the other monitoring services that I'm interested in.

I was hoping to find a solution where, even if I had to put a client on the devices, I could still push out updates or restrictions (parental controls) from a central UI. I'd like to be able to initiate a scan on clients on the network so I don't need to have my kids' tablets in hand to scan them. The other problem with the kids' tablets is that they are pretty locked down by the school as far as what I can add to them, but there aren't really any restrictions on what they can view on the net (these are wifi-only, no data card). So, it'd be nice to have a network-based solution that'd scan their incoming data for bugs and also restrict what they can access on the net.

After that, just general AV/malware protection for the rest of the net. I'll be set up with a pretty robust backup system, but I'd prefer to never have to use it and stop problems before they start. Currently all I have on our PCs is Windows Defender, and I'm having to disable those firewalls to get the PCs to talk across the new networks I'm creating. I don't know if that answers your questions or just leads to more.
 
So what you're looking for is some MDM solution that's centrally managed, if possible, from the NAS. Plus an inline web access and content proxy.

If you just want something simple then use OpenDNS for resolution and set the URL categories that are permitted. That's available with the free Home account but you can pay for extra stuff.

In the DHCP configuration you just have to set OpenDNS as the DNS servers. Your associated Internet IP (so that the right category filters are used) can be maintained via the DSM DDNS feature. OpenDNS also provides DNS-o-Matic (same user account) and that's supported in DSM 6, but needs a custom DDNS for DSM 7...
 
On the Ubiquiti EdgeRouter there's an "Application" option (with a long list) that you can use in the firewall rules to block (or allow). I assume this is also possible on your router (being Ubiquiti). And of course, take a look at AdGuard.

 
Touch wood... I've just managed to set up Nessus Essentials from Tenable in a docker container.
Nessus is a security scanner (if you don't want to go hunting): it advises of vulnerabilities on anything you ask it to scan. As it's the Essentials version it's limited to 16 devices, but hey, it's a start. :)
You would need to use SSH, but if you're interested I'm happy to write it up.

Confirmed up and running on CentOS 7 with Hydra (as those were the instructions I could find); it is currently downloading plugins.
Already working on getting it up and running on CentOS 8 without Hydra (not sure why we would need it for home use), also to see if I've understood the workings. :)
 
@NAS Newbie
I've actually made it stupidly easy now I think... (NB Think).
My compose is:
Code:
version: "3"

services:
  nessus:
    container_name: nessus
    image: akirainblack/nessus:latest
    volumes:
      - ${SSD}nessus/config:/config
      - ${SSD}nessus/update:/update
    environment:
      # PUID/PGID are environment variables, not volume mounts
      - PUID=${USERID}
      - PGID=${USERGROUP}
    ports:
      - 8834:8834
    networks:
      - synology
    restart: always

networks:
  synology:
    external: true
So, OK, it's based on CentOS 8 (of note for the update section).
Not sure why, but it's not showing in my registry in DSM yet. It does exist, though, and once it shows you'd be able to create it as with any other container:
Code:
https://hub.docker.com/r/akirainblack/nessus
Though running:
Code:
docker pull akirainblack/nessus:latest
from an SSH session into the NAS finds and downloads it, so you could just do that and then find it in your images in the UI. :)

You have to map a folder to /config: it'll extract the Nessus rpm there, and it's used so that your license and settings remain between reboots.
It already has the current rpm ready in the image to extract (Nessus-8.13.1-es8.x86_64.rpm at time of writing).
It's optional to map a folder to /update (on boot it will look for an rpm in that folder and attempt to extract it). It has no logic, so it will just extract and overwrite.
Internal port is 8834 which will need to be mapped.

If you can't wait (see above for an easier way to get the image):
SSH into your NAS, navigate to your docker folder and run:
Code:
mkdir nessus
cd nessus
mkdir config
mkdir update

Modify the nessus.yml so that ${SSD}/nessus/config and ${SSD}/nessus/update point to these new folders, save it to your NAS (in my case I save it to /volume2/docker/compose) and then, from the directory you saved it to, run:
sudo docker-compose -f nessus.yml up -d

Obviously change the network name to the one you use in your docker environment first.

Can attach the Dockerfile and setup.sh it runs if people want to see it (they're not very pretty as I'm very new to creating containers from scratch).
Basically, on boot it extracts its internal nessus.rpm (unless one is found in the update folder, in which case it extracts that), creates a symlink to where it would normally be installed, and then runs nessus-service.

The initial WebUI is up pretty quickly; it's just the plugins that take time to load. It'll then run you through the initial config.
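For the setup steps in this post, here is an added helper script (not the poster's or the image author's code) that creates the host folders, writes the compose file with the paths and network name filled in, and only runs docker-compose once the external Docker network actually exists. It assumes the image, mount points and port from the posted compose; the base path and network name are arguments, and it mounts /update read-only so the container can only read an rpm you deliberately place there.

```shell
# Added example: prepares the host side of the Nessus container described above.
set -eu

# write_nessus_compose BASE NET
# Creates BASE/nessus/{config,update} and writes BASE/nessus/nessus.yml.
# PUID/PGID go under environment (not volumes), and /update is mounted
# read-only so the container can only consume an rpm you place there.
write_nessus_compose() {
  base=$1
  net=$2
  mkdir -p "$base/nessus/config" "$base/nessus/update"
  cat >"$base/nessus/nessus.yml" <<EOF
version: "3"

services:
  nessus:
    container_name: nessus
    image: akirainblack/nessus:latest
    environment:
      - PUID=$(id -u)
      - PGID=$(id -g)
    volumes:
      - $base/nessus/config:/config
      - $base/nessus/update:/update:ro
    ports:
      - 8834:8834
    networks:
      - $net
    restart: always

networks:
  $net:
    external: true
EOF
  printf '%s\n' "$base/nessus/nessus.yml"
}

# network_exists NET: true only if docker is installed and NET already exists.
network_exists() {
  command -v docker >/dev/null 2>&1 || return 1
  docker network inspect "$1" >/dev/null 2>&1
}

# deploy_nessus BASE NET: write the compose file, then start it only when the
# external network is there (otherwise 'up' fails after the file is written).
deploy_nessus() {
  file=$(write_nessus_compose "$1" "$2")
  network_exists "$2" || { echo "docker network '$2' not found" >&2; return 2; }
  sudo docker-compose -f "$file" up -d
}
```

Run it as `deploy_nessus /volume2/docker synology` (hypothetical path and network name) from an SSH session on the NAS.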
 
Sounds good, thank you, that was a quick reply. I'm in the process of attempting to move my docker-hosting from my NAS to an old tower PC I'm hoping to use as a server. This is something I'll work on as I complete that process, so don't expect any immediate questions.
 
Not a problem. When I need to rebuild I'll be moving to a server system and not a Synology, as I don't use its UI.
I'm just overly chuffed I've started solving new puzzles, learning to read/write Dockerfiles as well as starting to properly understand how things fit together.
 
Sorry, as I'm unable to edit my post above I'm making a new post. akirainblack/nessus (ONLY use that one, the others have been/are tests) is now showing in the DSM docker UI for me, so it is nice and easy now. :)
 
