Who leaves unprotected consumer-grade NAS boxen exposed to a direct internet connection.....
Oh yah, everyone.............
Some 62,000 QNAP network-attached storage (NAS) boxes are right now infected with the data-stealing QSnatch malware, the US and UK governments warned today. A joint statement from America's Cybersecurity and Infrastructure Security Agency (CISA) and Britain's National Cyber Security Centre (NCSC) said the software nasty, first …
I have a Synology, and it refuses anything that is not from the local network.
Media is disabled, internet access is disabled, FTP is disabled. The only way to access it is by being on the same local network.
That, plus the fact that the router doesn't accept outside queries either, means I think I have a good foundation for being secure.
Which, obviously, does not mean I do not pay attention to the firewall on the router, or on the machines I work with.
I just can't understand people who configure their machines to accept Internet requests without wondering how to ensure that only the "right" people will access their data. Twenty years ago, you could be forgiven for not knowing that some miscreant is just begging for a chance to get at your data. Today, not so much.
So the Trojans used to pivot through one of your other devices can narrow down the attack vector quickly.
I have a plain old Linux box with a massive storage area in it and use only SFTP with non-cached credentials.
CIFS/SMB storage is exposed the minute you share it. There's a buttload of SMB replay attacks out there, all the hackers need is a pivot. Which usually finds people through email attachments, guests connecting their infected crap to your network, kids downloading dodgy freeware, literally everything on Forced Scourge (Source Forge for those not in the know) and various other devious little nooks on the internet.
So in a couple of places I have a pair of 8-bay Synologys which would, if needed, just allow me to reset one, then the other. However, the smaller two-bay machines are aimed at consumers who will not be equipped to offload all of the data on their NAS to perform the factory reset. Also, not everyone uses their NAS solely as a NAS; my home one is also my NVR. This will require fully setting up from scratch for fear of bringing any remnants of the malware over. All in all a bit of a ball ache for the uninitiated, and probably the last time they do the sensible thing and keep their data off the cloud.
It's only through buying a DS106 over 15 years ago (approx.) that I have stuck with Synology. QNAP have always been on the list when looking into a new NAS, but with so little to tell them apart I stick with what I know.
I have two QNAPs and one Synology; the Synology was cheap, doesn't have hot-swappable bays and feels cheap - plastic case. It was a pain to install drives on the Synology because it needs to be dismantled to get access to the drive bays. That said, it was less than half the price of the QNAPs and works, mostly, just as well. The Synology web interface is prettier but not as capable as the QNAP offering. QNAP has features such as NUT for managing/reporting UPS status that don't seem to exist on the Synology. The Synology doesn't report the SATA interface speed for some reason; the QNAP does. It's still possible to load a package manager on the Synology and add your own command-line tools; this feature was removed from QNAPs a couple of years ago.
Really not much to choose between them. I got the Synology because after upgrading the drives in one of the QNAPs to 4x8TB it seemed a shame to just throw away the 4x3TB drives that I had removed. So now I can use the Synology for multimedia storage.
I recall that setting up rsync to work between QNAP and Synology was a pain, but can't remember why.
Can someone explain to me if my understanding of IPv6 is right.
With IPv6 as my local network, my Qnap would effectively be on the internet because there is no NAT function in IPv6.
My only protection would be obscurity due to the quantity of addresses available in IPv6, and I would just have to hope that my Qnap didn't advertise itself or a hacker didn't get lucky?
If for instance, I had an old PC that needed lots of updates. With NAT on IPv4, I could connect it with reasonable confidence that it will be safe while I do the updates.
What would be my options on IPv6? As an IT tinkerer with no network training, understanding firewall configurations is difficult, especially as the same problem applies to testing it.
Is there an off the shelf IPv6 box that would protect local network devices? The PC only needs to be able to respond to addresses that it has initiated connections with and so give me similar protection as NAT.
I understand that the argument goes that every device should be secure and that the obscurity of so many addresses is security, but the reality is that no devices are secure, and when I open a web page there can generally be 100+ servers referenced in scripts that now know my IPv6 address and so can narrow down the range of my network.
I would be interested to know if my understanding is wrong and I should step away from my tin foil hat, and what advice there is to secure an IPv6 local network to be sure it is as secure as it can be, because, as an engineer, crossing my fingers and hoping is very unsatisfactory.
The firewall in your router will behave in the same way as it does for NATed IPv4 connections.
It will reject any unsolicited connection requests from outside (by default; unless you've tinkered with it!).
The way IPv4 NAT works means that an IPv4 address (32 bits) + port number (16 bits) gets routed to the local device which initiated the connection, so IPv6 is no less secure anyway (32+16=48 bits vs 128 bits).
With IPv6 as my local network, my Qnap would effectively be on the internet because there is no NAT function in IPv6.
NAT isn't a firewall. NAT gives some protection because the logic that maps incoming WAN connections to LAN addresses will normally drop any connection for which there isn't a mapping rule, so if you have no rules set up then all unsolicited WAN packets will be dropped. Any sane router will do that (at least by default) but it's coincidental, and not the purpose of NAT.
It IS possible to use NAT with IPv6. The IPv6 address space is so large that there isn't any real point in doing so -- there are enough addresses that every computer, every IoT toy, every internet-enabled fridge and cat-flap in the world can have its own IPv6 address -- but it is possible (and some routers do support it).
Most routers, though -- especially consumer-grade kit -- don't support IPv6 NAT because there's no need for it. They should still offer at least a basic firewall and the ability to reject any unsolicited incoming WAN connections.
The only real sense in which IPv6 may be less secure than IPv4 is that it is newer and less well understood. The firmware in an IPv6 router will be newer and won't have stood the test of time, so bugs are a possibility -- if it's completely new firmware those bugs may affect IPv4 connections as well as IPv6 ones, of course. This is especially true of budget models with cheaply-developed firmware (but also surprisingly true of more upmarket models).
I don't use a QNAP, but I would have thought that unless you've configured an IPv6 address on one of the NICs for the device or you have a DHCPv6 server on your network (quite unlikely), you should be fine. The NIC should self-assign the IPv6 version of an APIPA address, called a link-local address, which is not routable.
To check this, log in to your QNAP and check the IPv6 address on the NIC(s). They should only have IPv6 addresses beginning with FE80.
https://en.wikipedia.org/wiki/Link-local_address
Also, as others have said, your router won't allow unsolicited connections and may not even be IPv6 capable (depends how old it is).
Hope this helps
Devices can self-assign routable IPs with just IPv6 RAs (Route Announcements). All DHCPv6 does is extend the RAs to provide additional information, e.g. DNS, domain etc. You can do IP allocation over DHCPv6, but that's only if you want specific IPs that are not related to the MAC address.
As I disagree with the other answers.
"Qnap would effectively be on the internet because there is no NAT function in IPv6" - Essentially correct
"My only protection would be obscurity due the quantity of addresses available in IPv6 and I would just have to hope that my Qnap didn't advertise itself or a hacker didn't get lucky?" yes. If there was any malware that phoned home then that obscurity is completely out the window.
If you have a working IPv6 connection then you probably have a /64 block routed to you. Go to https://www.ripe.net (don't worry, it's the place that hands out IP addresses to all the ISPs in Europe). In the top right of the screen you should see an IP address. If it's an IPv6 address (has colons in it), can you find that address on one of the network interfaces on your computer?
Unless your router (which may also be an IPv4 NAT gateway) has an obvious IPv6 firewall, then you have an open and unfiltered connection that is globally routable. If you have someone that you can trust, get them to try and connect to your IP address. If they can, then you're probably not secure.
"Is there an off the shelf IPv6 box that would protect local network devices?" Depends on your internet connection. Does your router / modem have an IPv6 firewall? It would then allow you to restrict what traffic originated from outside your local network (/64).
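The two checks suggested in the replies above (look for addresses beginning with FE80 only, and look for a globally routable address from your /64 on a local interface) can be done in one pass over `ip -6 addr show` output. The script below is an added example, not code from any commenter or from QNAP; the interface dump it parses is constructed, using the documentation prefix 2001:db8::/32 as the stand-in for a real ISP-assigned /64.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `ip -6 addr show` output (not captured from a real NAS).
SAMPLE_IP6_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:21b:21ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86393sec preferred_lft 14393sec
    inet6 fd12:3456:789a:1::10/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

# Matches either an interface header line or an "inet6 addr/prefix" line.
INET6_RE = re.compile(r"^\d+: (\S+):|^\s+inet6 ([0-9a-fA-F:]+)/(\d+)", re.M)

def classify(addr: str) -> str:
    """Return 'loopback', 'link-local', 'ula', 'global' or 'other' for an IPv6 address."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:                              # fe80::/10, never leaves the local link
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):       # unique local (ULA), not routed on the internet
        return "ula"
    if a in ipaddress.IPv6Network("2000::/3"):       # global unicast; checked by prefix, since
        return "global"                              # Python's is_global is False for 2001:db8::/32
    return "other"

def parse_ip6_output(text: str) -> list:
    """Return (interface, address, scope_class) tuples from `ip -6 addr show` output."""
    results, iface = [], "?"
    for m in INET6_RE.finditer(text):
        if m.group(1):
            iface = m.group(1)
        else:
            results.append((iface, m.group(2), classify(m.group(2))))
    return results

def globally_reachable(entries) -> list:
    """Addresses a remote host could route to unless the router filters unsolicited inbound traffic."""
    return [addr for _, addr, cls in entries if cls == "global"]

def live_entries() -> list:
    """Same check against the running system (Linux with iproute2)."""
    out = subprocess.run(["ip", "-6", "addr", "show"], capture_output=True, text=True, check=True).stdout
    return parse_ip6_output(out)

if __name__ == "__main__":
    entries = parse_ip6_output(SAMPLE_IP6_OUTPUT)
    for iface, addr, cls in entries:
        print(f"{iface:6} {addr:42} {cls}")
    print("globally routable:", globally_reachable(entries) or "none (only link-local/ULA)")
```

A non-empty "globally routable" list means the box is reachable from the internet unless something upstream filters unsolicited inbound connections, which is the case the "get a trusted friend to try connecting" suggestion is meant to confirm.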
I installed Debian on them; it's a bit fiddly without a console.
Next NAS box I get will be a DIY thing - the QNAPs are good, but the lack of a console and the proprietary motherboard and UI let them down a bit. They're great for plug and play, but to really make best use of them, ditch QNAP's O/S, which is a pretty limited Linux.