myQNAPcloud and security

[spile]

I am confused.
MyQNAPcloud is a current product, promoted by QNAP as "a cloud service provided by QNAP for you to remotely connect to your QNAP devices and to share your files securely."
Source: https://support.myqnapcloud.com/faq/wha ... ud?lang=en and https://www.qnap.com/en/how-to/tutorial ... ud-service

It is interesting that the questions posed in this thread viewtopic.php?t=134974 opened in 2017 have still not been answered.

1) Is the current version of myQnapcloud and QTS inherently insecure as a service and therefore unsafe to use?
2) If 1 and 2 are true why have QNAP issued this: https://www.qnap.com/en-uk/security-advisory/qsa-20-02?

[OneCD]

MyQNAPcloud is a current product, promoted by QNAP as "a cloud service provided by QNAP for you to remotely connect to your QNAP devices and to share your files securely."

Unfortunately, QNAP's marketing dept are detached from reality. Their hope is that the quoted statement will eventually be true.

It is interesting that the questions posed in this thread viewtopic.php?t=134974 opened in 2017 have still not been answered.

The answers provided by @dm in that topic are still correct. There's nothing more to add. (I'll also need to lock it now to prevent anyone reviving it. )

[spile]

Thank you for your reply. Please can you answer 1) and 2) above. Thank you.

[dolbyman]

1) myqnapcloud is a DDNS service (mainly) nothing secure or insecure about it, QTS system is not hardened enough to be exposed to the net
2) unclear what a security advisory is supposed to (dis)prove , please elaborate

[jaysona]

I am confused.

....

That means QNAP marketing has succeeded in their job.

1) Is the current version of myQnapcloud and QTS inherently insecure as a service and therefore unsafe to use?
2) If 1 and 2 are true why have QNAP issued this: https://www.qnap.com/en-uk/security-advisory/qsa-20-02?

On a more serious note;

1a. I can not answer for myQnapcloud - i do not use it, and probably never will.
1b. QTS is inherently insecure, however there is no safety (safety != security, therefore the words are not interchangeable) issue with QTS.
1c. If you want to protect your NAS from being hacked and keeping the data it stores secure, then do not expose the QTS Admin web page and do not expose any QTS applications to the Internet.

2. QNAP has issued several security warnings because QNAP had no choice after someone publicly disclosed vulnerabilities about some of the QTS applications, and those vulnerabilities were actively being exploited in order to compromise QNAP NAS units that had QTS applications exposed to the Internet.

[QNAPDanielFL]

myQNAPcloud allows you to access your NAS remotely without needing to do port forwarding. What this means, is that even if there were vulnerabilities not yet patched on your QNAP, it would be very hard to exploit those vulnerabilities if you had no ports open. So myQNAPcloud is a secure way to access your NAS remotely through a qlink that removes the need for port forwarding. I would recommend making the myQNAPcloud password something very hard to guess.

Another way to access the NAS securely it to use VPN. We have the QVPN app of you want to make the QNAP the VPN server and we are releasing the QHora router that can also be a VPN server. VPN allows you use some features that you can't use through a qlink and in general, I think QVPN is the better way. But not every customer is as technical as the average person who posts on this forum and some of them are intimidated by trying to set up a VPN. So myQNAPcloud makes it easy to access your data remotely without exposing potential vulnerabilities by opening ports to the internet.

Of course, we still recommend keeping your NAS firmware and apps up to date so you can apply the latest security patches. But there is a lot of safety in not needing to open ports to the internet to access your NAS remotely.

[boubi]

@QNAPDanielFL
Hi,
I set up my VPN with qbelt.
I was trying to connect to the NAS when I was out of the home network from my laptop.
Sometimes I succeed and I have a list of apps and sometimes it does not fully connect.
Meaning that there is a message "limited access: ... will only provide vpn connection"

No app is active in this mode.
What does it allow to do in this situation?

[QNAPDanielFL]

Did you choose a DNS server for Qbelt?
If not, then you can VPN to the NAS but can't access the internet?

Is that the issue you have? That you can VPN to the NAS but can't access the internet when you do?

[boubi]

first, so sorry for my English (I try to do my best )

I choose "NAS default" for the dns.
the situation:
I am at work/friend - connected with my laptop to Wi-Fi.
open the QVPN app on my laptop and try to establish a VPN connection.
when it works then:

• I can see my home network IP if I go to "what is my IP" on google.

• I get a new internal IP from the VPN client pool (10.6.0.*)

• I see all of my published apps so I can connect them:
  FYI - the container station can work only if I connect though VPN (not from cloud or qlink.to/mynas)

When it partially work, I see the message "limited access:... will only provide VPN connection"
and it is just show connected, but no app show on list, also my IP stay on the Wi-Fi network (work/friend).