Security concern related to port openings for Let's Encrypt

NAS
DS1522+, E10G22-T1-Mini RJ45 10G Ethernet Module
Hello,

I set up DSM. I only use the NAS locally. No plan to access it from outside home network but need to update software and firmware when available. I want to use Synology Photos, Apple's Touch ID as 2FA, Synology Drive and Active Backup for Business. However, these apps seem to require me to create a domain name and generate a certificate. Then, get it authenticated by Let's Encrypt. It seems that to do that, I have to open ports on my router, which some users said could create a security risk.

I expressed my concern and Synology told me that:

"These applications do not require a connection certificate. Connection certificates are only required if you want to connect securely. Otherwise, the connection will be unencrypted."

1. Is it better to have encrypted connections even if all the devices are from the home network?

I asked them if there is another way to get around this as opening ports creates a security risk and somebody mentioned Tailscale.

They replied:

"Yes, this is only if you connect with the Synology DDNS. Otherwise, you can use the Quickconnect relay service. This does not require port forwarding. You will still connect securely; our Synology Apps are designed to connect with this service.

What are the differences between QuickConnect and DDNS? - Synology Knowledge Center"

2. Does that mean he suggested using Quickconnect which many people advised against enabling especially for those who do not want/need to make the NAS visible to the internet?

3. In my case, what is the best thing to do if I want to use the apps and features I mentioned? What is the risk for opening ports for a few minutes?
 
> No plan to access it from outside home network but need to update software and firmware when available.

In that case you need neither DDNS nor QuickConnect. You are fine as is.

> apps seem to require me to create a domain name and generate a certificate.

Not an Apple user, but generally that is incorrect. Did you try?
 
> However, these apps seem to require me to create a domain name and generate a certificate

What support said stands, but in case of using Apple Touch ID and 2FA access using the Secure SignIn app that supports it, you will have to configure it using a valid HTTPS-accessible domain name. That means you will not be able to "host" it over HTTP even if it's just for internal usage. The wizard will warn you when you try and configure it.




> What is the risk for opening ports for a few minutes?

Being exposed is always risky unless you follow certain rules, and even then you have to be on top of things in terms of patches, security hardening.

Best to follow the security sheet and make sure all elements are closed and set as best as possible.

 
Thanks for the security sheet.

After getting the certificate approved by Let's Encrypt, if I disable QuickConnect, will I stop the NAS from being exposed or has it already left some traces on the internet?
 
> Thanks for the security sheet.
>
> After getting the certificate approved by Let's Encrypt, if I disable QuickConnect, will I stop the NAS from being exposed or has it already left some traces on the internet?

As long as it's not accessible, nobody will be able to connect to it anyways.
 
