JustKJ
Aspirant
Jun 24, 2014

Security Recommendations in a mostly OS X network

I am looking for recommendations for file protocols and security for my new NAS. I figure I should start out on the right foot from the beginning. I used to not have any security (beyond a secure network) for my old NAS.

Which protocols and what security measures should I set up?

History:

I have just set up a new 12TB ReadyNAS 314 (firmware 6.1.8). It is replacing my old system NV+. I have migrated over my data using the Back up feature and a recommended process (Back up once as NFD, then change to RSYNC and run an incremental). I am relatively comfortable that everything transferred, with some oddities of the AppleDouble directories.

On my old NV+ I enabled NFS and CIFS and AFP (in Finder I would typically see SERVERNAME, SERVERNAME(AFP), and SERVERNAME(CIFS)). I would usually use AFP for everything I did.

Environment:

Network -- Netgear WiFi Router & Netgear Switch both GB all cables are cat 6
NAS -- Old ReadyNAS (NV+) and New (314) connected to the switch
Physical Devices: iMac, MacBookPro, MacAir (all on latest release of Mavericks), two printers
Virtual Machines: On iMac and MacBookPro three Windows machines (Windows 7 and Windows 8) as well as one Linux (rarely used).

Usage:

Personal and Business File Storage for my wife and I. We store documents, photos, and financial (some access by Quicken of a Windows VM). I also have the iTunes Music Library on the device (not using the service, but rather iTunes from the iMac to manage it).

TimeMachine for all three Macs

My tech background:

On a scale of 1-10, I see myself as a 6. I used to work in IT support (Desktop Applications) and have only dabbled with networks.

Thank you in advance for any and all advice.

6 Replies

  • You haven't actually said what you want to do!

    I have 3 Macs, two have mapped folders on a ProPioneer that are inside user shares for the two principal users (one for each Mac). These load at login through User>Login Items and are only accessible by each user. The 3rd Mac is used as a compute server and runs headless through VNC and accesses 2 NAS units, one as a mirror to the other.

    I also have some top level shares that are hidden and require read permissions for media access (Music, Video, Pics).
    As there are only two of us, I'm really guarding against user errors not 3rd party unplanned access.
  • JustKJ wrote:
    Which protocols and what security measures should I set up?


    Interesting question, yours... I don't want to hijack your thread but I'm looking for similar information in order to correctly deploy two ReadyNAS RN314 on a network of Apple hosts (mostly Apple MacPro still with Apple Mac OS X 10.5 and 10.6 and a few Apple iMacs with Mac OS X 10.7) all connected to just one Apple Server (an Apple MacPro with Mac OS X 10.5.8 Server).

    I understand that the right choice of network sharing protocol like NFS (or AFP, for example) is a matter of which type of connection to the NAS you're trying to manage (for example: will each Apple host connect directly to the NAS to store its live data, or will just the Server connect to the NAS to store its backup?) and a matter of the performance you need to achieve.

    Another theme could be (user) Access Permissions or ACL and how to correctly manage those from the point of view of the NAS.

    Any note would be helpful.
  • Apple devices are fully compatible with AFP (developed and maintained by Apple) and SMB/CIFS (Microsoft). I believe that they are also compatible with NFS, but NFS has the reputation of being less secure.
    Speed should be roughly the same. AFP was known to be faster than SMB at some point I think, but with recent Microsoft updates for the protocol I read this isn't true anymore.
    If you are to have Windows machines, I would advise SMB. Apple devices will do fine with either AFP or SMB.
    If you want to access files over the internet I would advise using a ciphered connection (VPN) or SSL-enabled services (FTPS, Rsync over SSH, HTTPS...). You should avoid publishing AFP/SMB/NFS on the internet as they are neither optimized nor secured for it.

    For user permissions you have two sets of rights. System rights that are managed by Linux itself and apply directly on the system (the chmod command) and you have rights that are managed by the server (AFP, SMB...).
    Those two rights apply consecutively. You get through the network and log in using network permissions, then the server tries to read the file using the system permissions that are given to the user that runs the server. If one of those two fails, access is denied.
  • Thanks xeltros!

    If the ReadyNAS deployment will happen in an (only Apple based) network where each Apple client logs into an Apple Server (which manages users/groups and so permissions over folders it shares through its AFP) then the question is: in which way can the ReadyNAS cope with the Users/Groups permissions defined at Apple Server level? AFAIK ReadyNAS can't "join" the Apple Server OpenDirectory like it happens when it's forced to join a Microsoft Active Directory Server (thus staying synchronized with Active Directory users/groups list and their credentials).

    Do we have to (re)create on the ReadyNAS all users and groups (with same ID) exactly as they are on the Apple Server to then apply necessary ACL based on their credentials to the various network shares shared through AFP (or NFS) or what?

    Maybe the scenario could be simple if the ReadyNAS is not used by Apple Clients directly but it's only used to backup from the Apple Server its various folders of data (hoping the backup preserves the permissions on folders/files backed up from the server).
  • The Mac Pros are good machines, depending what you got in it (Mac Pros are one of the rare Apple devices to have replaceable parts) it could be faster than the NAS. So yes, you can use it for main storage and backup to the NAS. This will be I guess the simplest solution.

    I believe you can join an Open Directory server on Linux, but this requires command line configuration because it is not supported via GUI. Moreover this is not simple.
    http://deepport.net/archives/setting-up ... x-clients/
    If you find where users are stored in Open Directory, if they use the same mechanisms as Linux (particularly for the password storage) you may be able to output them in the password file for Linux and if you are able to script you may have something that looks like a synchronization. Not clean though.

    NFS uses the UID to connect users, that is why it is insecure. AFP and SMB (to my knowledge) use a username, a password and a domain name.
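
The two permission layers and the UID-based NFS identification described in the replies above, modelled as an added example that is not part of the original thread and is not ReadyNAS code. The account names, passwords, UIDs and share names are constructed, and the model assumes the file server reads files as the logged-in user's UID; `root_squash` and UID 65534 follow the usual Linux NFS convention.

```python
# Added illustration (constructed model, not ReadyNAS code).
from dataclasses import dataclass

READ = 4  # POSIX read bit within one rwx triplet

@dataclass
class FileMeta:
    owner_uid: int
    group_gid: int
    mode: int  # chmod-style bits, e.g. 0o640

# Constructed NAS accounts: name -> (password, uid, gids).
# Plaintext passwords only keep the model short.
NAS_USERS = {"kj": ("kj-secret", 1001, {100}), "wife": ("w-secret", 1002, {100})}
# Constructed share-level ACL held by the file server (AFP/SMB layer).
SHARE_ACL = {"finance": {"kj"}, "photos": {"kj", "wife"}}

def posix_can_read(uid, gids, f):
    """System layer: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True
    if uid == f.owner_uid:
        return bool((f.mode >> 6) & READ)
    if f.group_gid in gids:
        return bool((f.mode >> 3) & READ)
    return bool(f.mode & READ)

def smb_afp_read(user, password, share, f):
    """Both layers must pass: login and share ACL, then system permissions."""
    acct = NAS_USERS.get(user)
    if acct is None or acct[0] != password:
        return False                       # network layer: bad credentials
    if user not in SHARE_ACL.get(share, set()):
        return False                       # network layer: share not allowed
    _, uid, gids = acct
    return posix_can_read(uid, gids, f)    # system layer

def nfs_read(client_uid, client_gids, f, root_squash=True):
    """UID-only identification: the server evaluates the numbers the client sends."""
    if client_uid == 0 and root_squash:
        client_uid, client_gids = 65534, set()  # remote root mapped to 'nobody'
    return posix_can_read(client_uid, client_gids, f)

if __name__ == "__main__":
    ledger = FileMeta(owner_uid=1001, group_gid=100, mode=0o600)
    print("SMB/AFP, wrong password:", smb_afp_read("kj", "bad", "finance", ledger))
    print("NFS, matching UID only: ", nfs_read(1001, {100}, ledger))
    print("NFS, Mac-side UID 501:  ", nfs_read(501, {20}, ledger))
```

The last line shows why the question about recreating users "with same ID" matters: over NFS a legitimate user whose client-side UID differs from the NAS UID is denied, while any host allowed to mount the export is trusted for whatever UID it presents, so exports belong on trusted hosts only.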
