Securing QNAP usefully

Don't miss a thing. Post your questions and discussion about other uncategorized NAS features here.
Post Reply
jmeister369
New here
Posts: 5
Joined: Wed Mar 21, 2012 1:35 pm

Securing QNAP usefully

Post by jmeister369 »

Hey folks,
I manage an SMB across a couple of countries and am steadily trying to improve security across the offices as well as still allow the workers convenient access while on the road and in the office.
Over the past few weeks I am becoming increasingly concerned about the escalating number of 'firewall' events. Essentially both units geo-block anything outside their respective countries and each others. I realise geo IP can be gotten around with a VPN but it's a line of defence.
Ongoingly on these forums I read 'don't port forward/use a VPN' without anything further.

Questions I have for the 'turn of qnapcloud/upnp' argument which would help me move to a more secure environment:

  • Yes I have VPN set up for remote 'from-home' workers, which works great, mapped drives etc but I still need to port-forward the VPN port don't I? So how does that help ?
    Also, how does that help the worker on the way to the meeting that needs to access Qfile over his iphone app ? Yep, the QVPN connection works fine using Qbelt, but then what ?
  • I'm trying to be as secure as possible whilst at the same time keeping some sense of usefulness for remote / mobile workers AND allowing me as admin access for back-ups/maintenance etc. Again, how would the well-working VPN allow me to access for instance HSB back ups/archiving ?
I'm seriously looking at putting all our 'current' working stuff in the Sharepoint or similar space and keep QNAPS for LAN only (merely using WAN connection for HSB/archiving) but that means 6-8TB of fast cloud storage. In the meantime Backblaze is proving good storage for back ups at least.

We also have a decent Cisco router in at least one of the offices with VPN/ACL/Firewall - wondering again if THAT VPN and/or ACL/geoIP be at least another line of defence.

The paranoia is real :) We've been hit once with ransomware many years ago - user error, clicked on a mail-link and boom :( At times it feels like we're the little boy with his fingers in the dyke and holes are springing out all over the place :)

Thanks for your advices and wisdoms in advance
J
TS-431P
TS-419P2
TS-431P3
All latest firmware
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Securing QNAP usefully

Post by P3R »

jmeister369 wrote: Fri May 14, 2021 9:16 am Yes I have VPN set up for remote 'from-home' workers, which works great, mapped drives etc but I still need to port-forward the VPN port don't I? So how does that help ?
It's a single port open to a tried and tested security software that is designed from the ground up to be as secure as possible and from the beginning is intended to withstand the harsh internet environment. A NAS is typically designed for maximum connectivity and ease of use on a local LAN. Security is mainly added on later as an afterthought and to be frank, Qnap haven't been best in class in keeping their underlying software updated and secure.
Yep, the QVPN connection works fine using Qbelt, but then what ?
The only VPN-protocols I would recommend or consider are IPSec, OpenVPN and Wireguard. Also I recommend to have it terminated on the internet-facing router/firewall or a separate dedicated VPN-server, not on the Qnap.

Qbelt is a Qnap-proprietary protocol and that's a big no-no in the cryptographic world.
I'm trying to be as secure as possible whilst at the same time keeping some sense of usefulness for remote / mobile workers AND allowing me as admin access for back-ups/maintenance etc. Again, how would the well-working VPN allow me to access for instance HSB back ups/archiving ?
With a properly working remote access VPN you can access everything (or less if configured that way) on your local network as if you were located inside the network.
Last edited by P3R on Sat May 15, 2021 5:50 pm, edited 1 time in total.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
jmeister369
New here
Posts: 5
Joined: Wed Mar 21, 2012 1:35 pm

Re: Securing QNAP usefully

Post by jmeister369 »

Hey thanks heaps for taking the time to reply, but this is what I keep reading and I keep coming up short with the 'how' following the 'what' :)

Totally get that Qbelt is not the best option, will amend as I have half on Qbelt, half on openvpn

This is what I dont understand though:

"With a properly working remote access VPN you can access everything (or less if configured that way) on your local network as if you were located inside the network"

if my VPN terminates at my router, 'how' do I then access the admin page IP
and how do people access qfile/qmanager etc on the go ?

Much thanks
J
TS-431P
TS-419P2
TS-431P3
All latest firmware
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Securing QNAP usefully

Post by P3R »

jmeister369 wrote: Sat May 15, 2021 10:59 am if my VPN terminates at my router, 'how' do I then access the admin page IP
and how do people access qfile/qmanager etc on the go ?
In exactly the same way as you/they do when being connected to the local network.

My phone is currently connected remotely to my pfSense firewall and can do all the things you ask about as if I was on location.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
jmeister369
New here
Posts: 5
Joined: Wed Mar 21, 2012 1:35 pm

Re: Securing QNAP usefully

Post by jmeister369 »

Awesome ! Thank you. I shall set up our cisco and see how we go. Likely be back for brain picks :)
TS-431P
TS-419P2
TS-431P3
All latest firmware
Post Reply

Return to “Miscellaneous”