I was wondering about the real risk (which is real) of port forwarding.
I consider just how many holes have already been punched through the router for various games onto the several PCs hanging off it. I wondered how much risk there was from that alone?
And whilst I might consider to some extent the individual PCs to be expendable (they are all backed up locally and remotely). Don’t they represent a risk because they are on the LAN , and so malware could strike through them to the the LAN to my NAS and other PCs?
Likewise if I download malware by mistake, or browse some evil, possibly hacked website, these all could bring the problem behind the router and into the LAN anyway?
So whilst I am dedicated to getting all of my remote connections off MyQnapCloud and onto at least a NAS based VPN, I am wondering if this is not all a bit futile? Heck that very remote resource is on a real local LAN too.
I am trying to get some perspective here, and I have no way of really calculating risk.
Regards.
On the wicked WAN
-
dolbyman
- Guru
- Posts: 35243
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: On the wicked WAN
look at this forum, reddit, bleeping computer
All the people that have lost their data...what percentage is this of people exposing thier NAS?...unknown...but do you want to risk it?
All the people that have lost their data...what percentage is this of people exposing thier NAS?...unknown...but do you want to risk it?
-
ColHut
- Know my way around
- Posts: 249
- Joined: Sat Oct 14, 2017 12:13 am
Re: On the wicked WAN
Thanks I do check the Reddits etc. It does concern me. I just wonder how all the other vulnerabilities compare…
-
jaysona
- Been there, done that
- Posts: 854
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: On the wicked WAN
Port forwarding itself is not really the issue. What is being made accessible via the port forward is the issue.
QNAP NAS malware will not infect a Windows, MacOS, Linux, etc workstation, just as a Windows malware will not infect a MacOS workstation - yet. I suspect that one day, sooner than later, there will be malware that will be able to re-write itself to exploit whichever systems the infected host has access to.
That said, no one should be forwarding any ports from the internet to internal systems unless they know what they are doing and have a sufficient level of technical knowledge.
The inverse is also true, all systems should have no default route to the Internet and all outbound access would be sent via a proxy server. Of course this is technically complex for the uninitiated, which is why most do not employ these measures.
In an ideal setting none of these settings would be necessary, however this will not change until there are legal consequences for producing insecure software.
Luckily our physical infrastructure are not designed, engineered and built the way our digital infrastructure is - otherwise we would need a lot more cemeteries.
QNAP NAS malware will not infect a Windows, MacOS, Linux, etc workstation, just as a Windows malware will not infect a MacOS workstation - yet. I suspect that one day, sooner than later, there will be malware that will be able to re-write itself to exploit whichever systems the infected host has access to.
That said, no one should be forwarding any ports from the internet to internal systems unless they know what they are doing and have a sufficient level of technical knowledge.
The inverse is also true, all systems should have no default route to the Internet and all outbound access would be sent via a proxy server. Of course this is technically complex for the uninitiated, which is why most do not employ these measures.
In an ideal setting none of these settings would be necessary, however this will not change until there are legal consequences for producing insecure software.
Luckily our physical infrastructure are not designed, engineered and built the way our digital infrastructure is - otherwise we would need a lot more cemeteries.
RAID is not a Back-up!
H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)