General Security Steps?

I am also concerned about the possibility of a virus getting on one of our Windows 7 machines and corrupting or encrypting the data on the server. I wish I knew how to avoid that (beyond teaching users to avoid the viruses and keeping virus protection software up-to-date).

A VPN would be more secure than port forwarding.

Of course if Windows systems can write to the NAS, they can destroy NAS data if compromised. There's no real way to avoid that. Still, part of the Windows instruction should be not mapping network shares to drive letters.

Timed lockouts on wrong passwords would be a nice security feature, hopefully Netgear will add some stuff like that (though probably only to the OS6 line)

If you are willing to go SSH, you can check fail2ban, iptables, clamAV and SELinux.
Iptables and ClamAV are simple enough and low-risk if you spend some time to test before applying setting at boot (that way if you shut the SSH port you won't be locked out, you would only have to reboot and correct the script).
Fail2ban is simple on unmodified debian but I got many warnings and errors when trying on my RN104. Had to reinstall some logging add-on too (Rsyslog I think, not sure).
As for SE-Linux I didn't mess with it at all, but it should help your linux deal with scripts.

If you want a complete picture, Snort is a good pick too but it will eat a lot of ressources.

I agree for VPN, if you can grab some potent firewall this would be helpful to have traffic checked before of after port forwarding.
I don't know what equipment you have (you sound like you speaking for some enterprise), but if you have professional stuff like Cisco routers, you can enable the Zone based firewall if you have the license for it. Otherwise a good machine with PFsense, Sophos UTM, untangle or that kind of stuff can be a solution. A dedicated appliance like Checkpoint or Palo alto Networks is another possibility.

Thank you for your helpful reply, StephenB. I will look into a VPN. We do use mapped drives, so I guess I should look into how to access the NAS easily without mapping them. Thank you for the suggestions.

---

Xeltros, thank you for your suggestions. We are just a small office with only a few machines, and I'm just technical enough to keep out of trouble most of the time. I don't understand how to do much on the command line beyond changing permissions, so the fail2ban and iptables may be beyond my abilities.

I'll look into the items you mention and see if any look simple enough for me to understand. We have a Airport Extreme as our router, which has the word Firewall on one of the tabs, but it seems like you're talking about a more advanced Firewall system?

Which ReadyNAS model do you have, and what firmware is it running?

lgstephen wrote:
I will look into a VPN.

You might need some help getting one set up. But it is more secure. Some SOHO routers have VPN functionality built in. One decision is whether the VPN should allow general access to your network, or just reach the NAS.

lgstephen wrote:
We do use mapped drives, so I guess I should look into how to access the NAS easily without mapping them.

Some malware (crytolocker being one) infects mapped drives, but not shares. What you can do instead is create desktop shortcuts to \\nasname\sharename - and then just click on them.

Also if you right-click on on the "computer" pane you will see "add a network location". That will let you put a shortcut to \\nasname\sharename in the computer pane.