security of the hyper backup vault port

Just to be sure, I would like to know your opinion on the hyperbackup-vault port.

As I do run a cross backup between two online NASes, they have been set up identically.
I have opened and forwarded the HB-vault port on my routers to the same port on the NAS.
The NAS firewall is active, and it will only allow incoming hyper backup, from the HB source - fixed IP4 address.
All other traffic blocked.

1) Would you consider this secure enough?
2) Would it be better to use IP6 (both routers and NASes have IP6 capability and connection)? I do not have experience with IP6 so not sure how to set that up in a secure way, but can find out if needed.

Thanks
 
The router has to be the real firewall so strapping that down is important. If the only thing connecting is the Hyper Backup links then you can tie it down further to a specific country, type of traffic and (hopefully) static IPs at either end. The rule that is often forgotten when you have a scheduled backup is to limit the router firewall to those specific times only. Basically you are trying to identify anything that is unique to the HB traffic and prohibit anything that does match it.

IPv6 can be a bit of a minefield with most routers having very different firewall settings for IPv6 traffic. However, it does mean you can use an individual machine's (non-private) routable IPv6 address as a very specific source/destination for the firewall rules. There is something satisfying about accepting packets that can only come from a static IPv6 global address that you own with an interface ID that includes the MAC of the single machine you are linking to.
 
Thanks for the comment, unfortunately my router is limited in its firewall functionality:
  1. It does not allow a time restriction for opening/closing the port or having a forward active. I do shut down the NAS systems each night on a post-backup schedule though.
  2. Limit to TCP is standard, but will not really help, I guess.
  3. It does not allow the incoming IP address to be restricted to one fixed IP (the DS/NAS firewall does).
  4. It does not limit IP range to specific country, but honestly I do not believe in that anyway as the VPN servers in every country bypass this easily.
Will moving to IP6 reduce security risk? Cannot think of any reason, as the router will just forward incoming traffic and you will end up at the DS anyway?
 
A proper router with a more configurable firewall should be on your shopping list. They open up a world of networking features that you will wonder how you did without.

☕
 
Thanks for the advice.
So far, the Fritz!Box range tops many SOHO router security tests :)
and since it is my modem as well and serves my Wifi6 mesh, I have to think a few times more before moving to a new router with better firewall.

First want to learn what exactly is the disadvantage using the Synology firewall in my port forwarded setup (other than it also does not support the time restriction and the IP restriction is one step later)?
 
No disadvantage in the Synology firewall and I didn't suggest otherwise. But when anything is going through your router it is getting on the LAN side of your network and your first goal is to protect that.

I've no experience of your Fritz combo unit and I am sure it is good at its job. But once you start doing more esoteric networking you need a router that can do what is needed.

None of us who have had to move to a proper modem, router, AP setup did it for fun. It is very much a needs-driven activity. It sounds like you are at that tipping point - as soon as you have to compromise on security due to feature-absence then you need to move to a better system.

I have only mentioned LAN protection so far but having an encrypted transport for your data is on the important list too.

☕
 
After all, it is possible in the Fritz!Box to limit in- and outgoing traffic for specific devices in the LAN to external IP.
I missed that. It is called filters, and requires setting up rules and linking these to devices on the LAN.
There is a time schedule possible using this or the parental control functionality, never thought about using that for other purposes...
Not sure why I missed that, as I already created a rule that prohibits my Chinese robot-hoover from accessing the rest of my LAN...
So I will implement this. Thanks for the feedback.
 
They sound like good options to set so well done on hunting them down. 👍

I probably prattle on about the 'time' or ephemeral aspects of security but it can add serious value to your physical and logical security, especially for small or home network users.

We get used to the idea that large external-facing networks are very different to a SOHO environment but then do ourselves a disservice by adopting the security aspects of the former as the best practice for the latter. There are advantages for SOHO environments that just don't fully exist at the large scale. Time / ephemeral security is one of them.

Just to add some additional and somewhat wider thoughts to expand on this:
  • Systems devoid of power are devoid of risk
  • Systems should be scheduled to run only when needed
  • If a system 'needs' to run 24/7 is that really for all services, just a few or even just one?
    • If a service needs to run in the silent hours, does it need to talk to the WAN, LAN or just an individual client on an individual port using limited protocols?
    • For ad hoc out-of-schedule use make best use of WoL
    • When enabling WoL, does that need to be from any client or just 1 or 2?
    • With WoL acting as a barrier, does the device / client need access to mains power at all times or would a timed power socket on a UPS or even a plug-in device add to the virtual air-gap?
  • In the case of a dedicated backup device, does it need to be on the same broadcast domain / subnet / VLAN as the rest of the network?
    • If you can put a backup device on a different network do you need that network to be routable all of the time or will a timed firewall rule cover the tasks required?
    • With multiple interfaces on some NAS models, can you split the 'task' element onto a different subnet from the management side?
  • With backup timings consider not running a backup on a certain less-busy day, to provide a cleaner break in backup history and snapshots
    • Consider running a weekly backup on this 'missing' day to provide a time buffer from a malware / virus infection point to give a 'clean' restore point
As said, I could go on but the neat thing about time-based rules is they are free, require no additional kit and are simple to understand and tailor for individual needs. Very few of these exist at scale but for regular users they do add value. Most of us have already got used to the idea of only opening our fly zipper when we need to pee or on 'special' occasions. 😊

☕
 
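The two replies above describe the same policy from different angles: accept the vault port only from the peer's fixed address (an IPv4 /32 or, as suggested earlier, a single global IPv6 address), only over TCP, only inside the scheduled backup window, and leave one day per week out as a buffer. The following Python model of that default-deny policy is an added example, not code from this thread, from Synology or from any router firmware. It assumes TCP 6281 as the Hyper Backup Vault port (Synology's documented default, but treat it as a placeholder here), and every address, time and packet in it is constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Assumed Hyper Backup Vault listening port; the thread itself does not state it.
VAULT_PORT = 6281


@dataclass(frozen=True)
class Packet:
    src: str          # source address as text, IPv4 or IPv6
    proto: str        # "tcp" or "udp"
    dst_port: int
    when: datetime    # local time at which the packet arrived


@dataclass(frozen=True)
class Rule:
    """One accept rule: a set of pinned source hosts, one protocol and port,
    and a daily time window that is only valid on chosen weekdays (0 = Monday)."""
    sources: tuple    # ipaddress networks; a /32 or /128 pins exactly one host
    proto: str
    dst_port: int
    start: time
    end: time
    days: frozenset

    def in_schedule(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:
            return when.weekday() in self.days and self.start <= t < self.end
        # Window spans midnight (e.g. 23:00-01:00): the part after 00:00
        # belongs to the run that started on the previous day.
        if t >= self.start:
            return when.weekday() in self.days
        if t < self.end:
            return (when.weekday() - 1) % 7 in self.days
        return False

    def matches(self, pkt: Packet) -> bool:
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return False  # unparsable source never matches an accept rule
        return (
            any(src in net for net in self.sources)
            and pkt.proto == self.proto
            and pkt.dst_port == self.dst_port
            and self.in_schedule(pkt.when)
        )


def verdict(pkt: Packet, rules) -> str:
    """Default deny: the first matching accept rule wins, anything else is dropped."""
    return "ACCEPT" if any(r.matches(pkt) for r in rules) else "DROP"


def build_rules():
    """Constructed policy: the peer NAS (its fixed IPv4 and its global IPv6
    address, both documentation-range values) may reach the vault port over
    TCP from 02:00 to 03:30, Monday to Saturday. Sunday is the 'missing' day."""
    peer = (ipaddress.ip_network("203.0.113.10/32"),
            ipaddress.ip_network("2001:db8:1::5/128"))
    return [Rule(peer, "tcp", VAULT_PORT, time(2, 0), time(3, 30),
                 frozenset(range(0, 6)))]


# Constructed sample traffic; 2024-01-08 is a Monday, 2024-01-07 a Sunday.
SAMPLE_PACKETS = [
    Packet("203.0.113.10", "tcp", VAULT_PORT, datetime(2024, 1, 8, 2, 15)),   # peer, in window
    Packet("203.0.113.10", "tcp", VAULT_PORT, datetime(2024, 1, 8, 9, 0)),    # peer, outside window
    Packet("203.0.113.77", "tcp", VAULT_PORT, datetime(2024, 1, 8, 2, 15)),   # wrong source host
    Packet("203.0.113.10", "udp", VAULT_PORT, datetime(2024, 1, 8, 2, 15)),   # wrong protocol
    Packet("2001:db8:1::5", "tcp", VAULT_PORT, datetime(2024, 1, 8, 2, 15)),  # IPv6 peer address
    Packet("203.0.113.10", "tcp", VAULT_PORT, datetime(2024, 1, 7, 2, 15)),   # Sunday, the skipped day
]


def evaluate_samples(rules=None):
    """Return the verdict for each constructed packet, in order."""
    rules = rules if rules is not None else build_rules()
    return [verdict(p, rules) for p in SAMPLE_PACKETS]


def spanning_window_samples():
    """Edge case: a 23:00-01:00 window scheduled for Monday only. A packet at
    Tuesday 00:30 still belongs to Monday's run; Tuesday 23:30 does not."""
    peer = (ipaddress.ip_network("203.0.113.10/32"),)
    rules = [Rule(peer, "tcp", VAULT_PORT, time(23, 0), time(1, 0), frozenset({0}))]
    early = Packet("203.0.113.10", "tcp", VAULT_PORT, datetime(2024, 1, 9, 0, 30))
    late = Packet("203.0.113.10", "tcp", VAULT_PORT, datetime(2024, 1, 9, 23, 30))
    return verdict(early, rules), verdict(late, rules)


if __name__ == "__main__":
    for pkt, result in zip(SAMPLE_PACKETS, evaluate_samples()):
        print(f"{result:6} {pkt.proto} {pkt.src} -> :{pkt.dst_port} at {pkt.when}")
```

The point of the model is that each of the four checks (source host, protocol, port, schedule) is an independent reason to drop, and the weekday filter is what implements the one-day gap before the weekly 'clean' run. On a real router or the DSM firewall the same policy becomes one allow rule with a schedule and a default deny beneath it; the model is only there to reason about which packets such a rule set would let through.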