The data stored on a NAS is precious: here are the precautions to take when connecting the device to the network and sharing files with other users. A guide to the built-in security features of QNAP NAS.
A NAS (Network-Attached Storage) is one of the best tools for creating data backups, for both professional and home users. QNAP NAS are not just simple data storage units: they are advanced, highly customizable devices that can be used to meet a wide range of needs.
Just visit the QNAP App Center to see how many applications, and which ones, can be installed on the NAS.
Many applications, depending on the tasks they perform, integrate server functionality: that is, they listen for requests from client devices.
On a QNAP NAS you can, for example, install apps for content management and collaboration, for scheduling user calendars, for communicating within the work team, for accessing multimedia content saved on the NAS, and for managing video surveillance.
All these applications open one or more communication ports on the NAS. Even sharing the files saved on the NAS via the SMB protocol exposes some communication ports. This is easy to verify by scanning with Nmap (command nmap -A NAS-IP-address) or with the Android app Fing: in the latter case, just tap the name of the NAS connected to the local network and then the Find open ports icon.
Here is a partial list of the ports that can be open on a QNAP NAS.
Precisely because a server component is listening on each open communication port, as a general rule the NAS should not be exposed directly on the WAN port. This applies not only to a data storage device but to any other device used within the local network.
Making a NAS reachable on a public IP address is a strongly discouraged practice, also and above all because of the data it holds.
By exposing the NAS administration panel on the public IP, or by opening one or more ports used by the device so that they are reachable remotely, you expose yourself to brute-force attacks (think of an attacker trying to guess the NAS login credentials) and run the risk that an unpatched security vulnerability (for example because the patches released by the manufacturer have not been installed…) is exploited to gain elevated privileges, execute arbitrary code, steal data stored on the NAS, or use the device to launch a broader attack within someone else’s local network (lateral movement).
Storage professionals with QNAP
With this article we continue the series of appointments dedicated to those who wish to benefit from useful advice for innovating their corporate infrastructure by choosing the right mix of hardware devices, software solutions and technologies.
The goal is to help professionals and companies promote the digital transition, increasing the company’s productivity and competitiveness.
The entire editorial project is centred on the importance of data and on the activities that must be put in place to preserve its value. The videos, created in collaboration with QNAP, are “pills” that in about 5 minutes explain the main needs of professionals and SMEs in the field of data management, suggesting the best strategies to face today’s challenges and become “Storage professionals with QNAP”.
QNAP NAS integrate advanced network functions: they have one or more Ethernet ports to exchange data with devices connected to the local network or connected remotely via the Internet.
The router’s firewall and NAT (Network Address Translation) functionality (although the latter, strictly speaking, should not be considered a security mechanism) normally prevent remote access to the NAS. In other words, no communication port of a NAS connected downstream of the router faces the public IP address that the telecommunications operator assigns to the router.
The NAS, therefore, can normally communicate only with the devices connected to the local network.
NAS: difference between open ports on the local interface and on the WAN port
By default, when the NAS is connected downstream of the router with an Ethernet cable, its open communication ports can only be reached by devices connected to the local network.
It is for this reason that, by typing the name of the NAS or its private IP address (assigned by the local router) in the browser’s address bar, you can access its administration interface.
By making one or more NAS ports face the public IP address, these also become reachable from remote hosts, potentially even those of unknown users.
Cybercriminals are constantly looking for services exposed on the Internet: if a server component suffers from a known security vulnerability, it is exploited to steal other people’s data, remotely access the local network, execute arbitrary code, or upload ransomware and then demand a ransom.
We have already seen how a computer attack originates and what threats can come both from the external network and, possibly, from the local network itself.
This is why it is not recommended to expose NAS ports on the WAN interface: attackers can try to force access to the device starting from known vulnerabilities, or launch brute-force attacks, which consist of trying as many credentials as possible in rapid succession.
QNAP NAS provide all the tools to defend against any type of attack: later we will see how to protect against brute-force attacks. To protect yourself from attacks that exploit known security vulnerabilities, just install the firmware updates periodically released by QNAP.
At the same time, it is equally important to install updates for the applications installed on the NAS via App Center.
Timely installation of the updates released by QNAP helps protect you from major risks, but the NAS administration panel (which responds on TCP ports 8080 and 443) should never be exposed on the Internet unless you enable at least a filter on the remote IP addresses allowed to connect.
For example, if a remote collaborator needs to access the NAS and always uses the same remote IP address (a static IP), you can expose the NAS ports only to that specific public IP address.
Furthermore, on the router side, it is strongly recommended to disable UPnP (Universal Plug and Play): this prevents the user from finding some of the NAS ports exposed on the WAN interface without even being fully aware of it.
Rather than exposing NAS ports on the public IP, it is much better to use other solutions: for example, you can focus on creating a VPN server.
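As an added illustration of the policy described in this section (example code written for this article, not QNAP’s own software), the following Python models the rule that the administration panel ports TCP 8080 and 443 should accept remote connections only from an allowlisted static IP, that the only other WAN-reachable port is the single VPN port forwarded by the router, and it counts failed logins per source IP in the way brute-force protection does. The VPN port number, LAN range, allowlist address and log lines are constructed assumptions.

```python
# Added example (not from the article or QNAP): models the WAN access policy the article
# recommends and a failed-login counter of the kind brute-force protection relies on.
# Addresses, the VPN port, the LAN range and the log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ADMIN_PORTS = {8080, 443}                           # QTS admin panel ports named in the article
VPN_PORT = 1194                                     # assumed: the single port forwarded to the NAS
LAN = ip_network("192.168.1.0/24")                  # assumed local network
ADMIN_ALLOWLIST = [ip_network("203.0.113.10/32")]   # constructed static IP of a remote collaborator


def connection_allowed(src_ip: str, dst_port: int) -> bool:
    """Decide whether a connection reaching the NAS should be accepted."""
    src = ip_address(src_ip)
    if src in LAN:
        return True                 # LAN clients can reach every NAS service
    if dst_port == VPN_PORT:
        return True                 # the only port deliberately exposed on the WAN
    if dst_port in ADMIN_PORTS:
        return any(src in net for net in ADMIN_ALLOWLIST)   # static-IP filter
    return False                    # no other service (SMB, apps, ...) faces the WAN


def brute_force_sources(log_lines, max_failures=5, window=timedelta(minutes=10)):
    """Return source IPs with >= max_failures failed logins inside a sliding window.
    Constructed log format: '<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> <ip> <user>'."""
    recent = defaultdict(list)
    flagged = set()
    for line in log_lines:
        stamp, event, ip, _user = line.split()
        if event != "LOGIN_FAIL":
            continue
        t = datetime.fromisoformat(stamp)
        recent[ip] = [x for x in recent[ip] if t - x <= window] + [t]
        if len(recent[ip]) >= max_failures:
            flagged.add(ip)
    return flagged


SAMPLE_LOG = [  # constructed: one source hammering the admin login, one legitimate user
    "2024-05-01T10:00:00 LOGIN_FAIL 198.51.100.7 admin",
    "2024-05-01T10:00:03 LOGIN_FAIL 198.51.100.7 admin",
    "2024-05-01T10:00:07 LOGIN_FAIL 198.51.100.7 root",
    "2024-05-01T10:00:12 LOGIN_OK 203.0.113.10 mario",
    "2024-05-01T10:00:15 LOGIN_FAIL 198.51.100.7 admin",
    "2024-05-01T10:00:20 LOGIN_FAIL 198.51.100.7 admin",
    "2024-05-01T10:30:00 LOGIN_FAIL 203.0.113.10 mario",
]
```

Running `brute_force_sources(SAMPLE_LOG)` flags only 198.51.100.7, and `connection_allowed("198.51.100.7", 8080)` is denied while the same source may still reach the VPN port.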
Access the NAS securely via a VPN server
Many routers allow you to activate a VPN server, that is, they allow connections from remote devices through an encrypted tunnel. Remotely connected devices, regardless of their location and the network they are on, can use the VPN server to securely access the local network and all its shared resources.
QNAP QHora and QMiro routers integrate a VPN server that can be activated at the user’s request.
However, the NAS, like the router, is a device that is always switched on and connected to the local network. If you are using a router, even a third-party one, that does not offer a VPN server component or that only supports inappropriate protocols, it is possible to enable the VPN server directly on the QNAP NAS.
QVPN Service is a tool built into QNAP NAS that can operate as both a VPN client and a VPN server: it supports the OpenVPN, WireGuard and L2TP/IPsec protocols and QNAP’s proprietary QBelt solution. At the bottom of the page on QNAP’s website, the company summarizes the main differences between the various protocols you can use to set up your own VPN server.
QNAP QBelt VPN is a proprietary protocol designed from the outset around the concept of security by design; it prevents, for example, third parties from noticing that users are actually using a VPN connection. It is the fastest way to set up a VPN (QNAP provides clients for all major operating systems, including mobile devices) and is suitable for exchanging data over a QuWAN mesh connection.
After installing QVPN Service through App Center, you can configure the VPN server by going to the left column and selecting the VPN protocol to use.
What you need to take care of, in this case, is configuring the VPN client with the information returned by QVPN Service. For QBelt, as mentioned, the procedure is more immediate because it is sufficient to install the clients provided by QNAP to establish a connection; for the other VPN protocols you need to set the server’s IP address, the port on which the VPN server is listening, and the login credentials or the remote server’s public key.
If you select OpenVPN, for example, a configuration file is provided to be used on the various clients.
The only thing to do, for protocols other than QBelt, is to open a single incoming port on the router and enable port forwarding to the private IP address assigned to the QNAP NAS.
Opening a single port on the router (for the remote connection to the VPN server) avoids needlessly exposing other communication ports of the NAS or of other devices connected to the local network. The VPN server configured on the QNAP NAS acts as an “entry door” to the entire LAN and the resources shared on it: even when connected thousands of kilometres away, you can exchange data within your home or office network in this way.
Remote access via VPN, whether the VPN server is activated on the QNAP product, on the router or on other LAN-connected devices, should not be separated from solid access control and the protection of the IT infrastructure as a whole.
Secure remote access to the NAS via the myQNAPcloud Link cloud solution
As an alternative to VPN access, myQNAPcloud Link is a tool that simplifies a secure remote connection to the NAS administration panel and the device’s contents.
Since outgoing traffic from the router is generally always allowed, the QNAP NAS connects to a server that acts as an intermediary. By connecting from a remote client to this server (called a relay), you can access the NAS and its resources without needing to change the configuration.
By opening the myQNAPcloud app from the QNAP NAS administration panel and logging in with your account ID, you can obtain a customized address (such as qlink.to) to use for remote access to the device (this is called a SmartURL).
It is essential to choose Personalized in the Access control section: this way, only the specified QNAP accounts can remotely connect to the NAS.
myQNAPcloud Link activates HTTPS access by default: when establishing a remote connection to the NAS, in fact, it is essential to avoid connections…