EMF2
Jun 08, 2021 Aspirant
RR4312S MFA for admin interface
Anyone know of a way to secure the admin interface on the ReadyNAS 4312 with MFA, be it Duo, Google Authenticator, etc.? Barring that, is there a way to move the admin interface to a different VLA...
StephenB
Jun 09, 2021 Guru - Experienced User
EMF2 wrote:
Anyone know of a way to secure the admin interface on the ReadyNAS 4312 with MFA, be it Duo, Google Authenticator, etc.?
This has been requested, but Netgear doesn't have 2FA or MFA as an option now. (If they did, I'd certainly want it to be optional).
EMF2 wrote:
Barring that, is there a way to move the admin interface to a different VLAN from the SMB/NFS traffic? I could then secure that VLAN behind an MFA-protected gateway.
Again, no. You can connect to multiple networks, but you cannot restrict the admin interface to a specific interface.
If you can block ports in your switching fabric, you could block http/https on the main network interface of the NAS (while allowing SMB/NFS), but allow it on the VLAN. That would have the same effect.
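A way to verify the port-blocking layout suggested above, as an added example that is not part of the original posts: run it once from a host on the main (data) network and once from the admin VLAN and compare what is reachable with what should be. The port numbers are the standard defaults (HTTP 80, HTTPS 443, SMB 445, NFS 2049), and the `POLICY` table and network names are assumptions made for this sketch.

```python
import socket
import sys

# Assumed policy: admin UI (80/443) blocked on the data network but
# reachable on the admin VLAN; SMB (445) and NFS (2049) stay open on data.
POLICY = {
    "data": {80: False, 443: False, 445: True, 2049: True},
    "mgmt": {80: True, 443: True},
}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes.

    A refused connection and a silent drop (timeout) both count as blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, expected, probe=tcp_open):
    """Compare observed reachability with the expected policy.

    Returns a list of (port, observed, wanted) tuples, one per violation.
    """
    findings = []
    for port, want_open in sorted(expected.items()):
        is_open = probe(host, port)
        if is_open != want_open:
            findings.append((
                port,
                "reachable" if is_open else "blocked",
                "should be " + ("reachable" if want_open else "blocked"),
            ))
    return findings


if __name__ == "__main__":
    # Usage: python3 check_nas_ports.py <data|mgmt> <NAS address on that network>
    network, host = sys.argv[1], sys.argv[2]
    problems = audit(host, POLICY[network])
    for port, seen, want in problems:
        print(f"{host}:{port} is {seen}, {want}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one port does not match the policy, which makes the script usable as a recurring check after switch or cabling changes.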
EMF2
Jun 22, 2021 Aspirant
I understand why you might want this to be optional. I don't have a choice; our cybersecurity insurance provider is mandating that all admin interfaces be MFA protected or they won't renew the policy.
Unfortunately my switching fabric does not have the ability to block at the port level unless you cross a routing interface. Most of the devices in my network (including a Netgear M4300 switch) support RADIUS or TACACS authentication for the admin interface, so I can enforce MFA on that. All of the others (except these NASs) I can move just the admin interface to a different VLAN without changing the primary service interfaces, usually through a separate network connection, sometimes through dot1q VLANing. Then I can MFA-protect that VLAN through an internal gateway authentication connection... but that also limits the bandwidth to <1Gbps, which is not suitable for the use these NASs serve.
Is there a software firewall suite (e.g. iptables, firewalld, etc.) in the ReadyNAS line? If I could block it in the ReadyNAS itself, then I wouldn't have to move them.
- EMF2 Jun 22, 2021 Aspirant
Your answer provoked some thought. I'll have to change a whole bunch of cabling around to make room on that M4300 (and hope I can get cables to maintain 10Gbps between the two), but that switch *does* support TCP port blocking. I'll give it a shot... but again, if the RR4312 has firewall kernel modules, I'd love to use that too.
- StephenB Jun 22, 2021 Guru - Experienced User
EMF2 wrote:
but again, if the RR4312 has firewall kernel modules, I'd love to use that too
iptables is installed, but I believe Netgear has customized it somehow. I haven't seen any posts here from people who have managed to configure it for their own purposes.