RR4312S MFA for admin interface
Anyone know of a way to secure the admin interface on the ReadyNAS 4312 with MFA, be it Duo, Google Authenticator, etc.?
Barring that, is there a way to move the admin interface to a different VLAN from the SMB/NFS traffic? I could then secure that VLAN behind an MFA-protected gateway.
Accepted Solutions
@EMF2 wrote:
Anyone know of a way to secure the admin interface on the ReadyNAS 4312 with MFA, be it Duo, Google Authenticator, etc.?
This has been requested, but Netgear doesn't have 2FA or MFA as an option now. (If they did, I'd certainly want it to be optional).
@EMF2 wrote:
Barring that, is there a way to move the admin interface to a different VLAN from the SMB/NFS traffic? I could then secure that VLAN behind an MFA-protected gateway.
Again, no. You can connect to multiple networks, but you cannot restrict the admin interface to a specific interface.
If you can block ports in your switching fabric, you could block http/https on the main network interface of the NAS (while allowing SMB/NFS), but allow it on the VLAN. That would have the same effect.
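A way to verify the port-blocking approach suggested above once the switch rules are in place, as an added example that is not part of the original thread. It assumes the standard default ports (80/443 for the web admin UI, 445 for SMB, 2049 for NFS); the vantage names `data` and `mgmt` and the function names are hypothetical.

```python
import socket
import sys

# Assumed standard ports: web admin UI (http/https) vs. file services (SMB/NFS).
ADMIN_PORTS = {80: "http", 443: "https"}
DATA_PORTS = {445: "smb", 2049: "nfs"}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake completes; dropped or refused both count as blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_policy(host, vantage, probe=tcp_open):
    """Compare what is reachable from this vantage point with the intended policy.

    "data": run from the main network; admin ports must be blocked, SMB/NFS open.
    "mgmt": run from the management VLAN; admin ports must be open.
    Returns violations as (port, service, expected_open, actual_open) tuples.
    """
    if vantage == "data":
        expected = {p: False for p in ADMIN_PORTS}
        expected.update({p: True for p in DATA_PORTS})
    elif vantage == "mgmt":
        expected = {p: True for p in ADMIN_PORTS}
    else:
        raise ValueError("vantage must be 'data' or 'mgmt'")
    names = {**ADMIN_PORTS, **DATA_PORTS}
    violations = []
    for port in sorted(expected):
        actual = probe(host, port)
        if actual != expected[port]:
            violations.append((port, names[port], expected[port], actual))
    return violations


if __name__ == "__main__":
    # Usage: script.py <NAS address on this network> <data|mgmt>
    problems = check_policy(sys.argv[1], sys.argv[2])
    for port, name, want, got in problems:
        print(f"{name}/{port}: expected {'open' if want else 'blocked'}, "
              f"found {'open' if got else 'blocked'}")
    sys.exit(1 if problems else 0)
```

Run it once from a host on the main network against the NAS's address there, and once from a host on the management VLAN against the NAS's address on that VLAN; a non-zero exit means the filtering does not match the intent.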
All Replies
Re: RR4312S MFA for admin interface
I understand why you might want this to be optional. I don't have a choice; our cybersecurity insurance provider is mandating that all admin interfaces be MFA protected or they won't renew the policy.
Unfortunately my switching fabric does not have the ability to block at the port level unless you cross a routing interface. Most of the devices in my network (including a Netgear M4300 switch) support RADIUS or TACACS authentication for the admin interface, so I can enforce MFA on that. All of the others (except these NASs) I can move just the admin interface to a different VLAN without changing the primary service interfaces, usually through a separate network connection, sometimes through dot1q VLANing. Then I can MFA-protect that VLAN through an internal gateway authentication connection... but that also limits the bandwidth to <1Gbps, which is not suitable for the use these NASs serve.
Is there a software firewall suite (e.g. iptables, firewalld, etc.) in the ReadyNAS line? If I could block it in the ReadyNAS itself, then I wouldn't have to move them.
Re: RR4312S MFA for admin interface
Your answer provoked some thought. I'll have to change a whole bunch of cabling around to make room on that M4300 (and hope I can get cables to maintain 10Gbps between the two), but that switch *does* support TCP port blocking. I'll give it a shot... but again, if the RR4312 has firewall kernel modules, I'd love to use that too.
Re: RR4312S MFA for admin interface
@EMF2 wrote:
but again, if the RR4312 has firewall kernel modules, I'd love to use that too
iptables is installed, but I believe Netgear has customized it somehow. I haven't seen any posts here from people who have managed to configure it for their own purposes.