RR4312S MFA for admin interface

EMF2
Aspirant

RR4312S MFA for admin interface

Anyone know of a way to secure the admin interface on the ReadyNAS 4312 with MFA, be it Duo, Google Authenticator, etc.?

Barring that, is there a way to move the admin interface to a different VLAN from the SMB/NFS traffic?  I could then secure that VLAN behind an MFA-protected gateway.

Message 1 of 5

Accepted Solutions
StephenB
Guru

Re: RR4312S MFA for admin interface


@EMF2 wrote:

Anyone know of a way to secure the admin interface on the ReadyNAS 4312 with MFA, be it Duo, Google Authenticator, etc.?


This has been requested, but Netgear doesn't have 2FA or MFA as an option now.  (If they did, I'd certainly want it to be optional).

 


@EMF2 wrote:

Barring that, is there a way to move the admin interface to a different VLAN from the SMB/NFS traffic?  I could then secure that VLAN behind an MFA-protected gateway.


Again, no.  You can connect to multiple networks, but you cannot restrict the admin interface to a specific interface.

 

If you can block ports in your switching fabric, you could block http/https on the main network interface of the NAS (while allowing SMB/NFS), but allow it on the VLAN.  That would have the same effect.

Message 2 of 5
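
A way to check the port-blocking approach suggested above once the switch ACL is in place, as an added example that is not part of the original post. It assumes the admin UI answers on TCP 80/443 and that SMB and NFS use their standard TCP ports 445 and 2049; the policy names and the script name in the usage comment are made up for illustration.

```python
import socket

# Assumed policy, derived from the reply above: from the data network the
# admin UI (HTTP/HTTPS) must be unreachable while SMB/NFS still answer.
DATA_NET_POLICY = {80: False, 443: False, 445: True, 2049: True}
# From the management VLAN the admin UI must stay reachable.
MGMT_VLAN_POLICY = {80: True, 443: True}


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit(host, policy, probe=tcp_open):
    """Compare observed reachability with the policy; return the violations."""
    violations = []
    for port, should_be_open in sorted(policy.items()):
        is_open = probe(host, port)
        if is_open != should_be_open:
            want = "open" if should_be_open else "blocked"
            got = "open" if is_open else "blocked"
            violations.append(f"{host}:{port} expected {want}, found {got}")
    return violations


if __name__ == "__main__":
    import sys
    # usage (hypothetical file name): python nas_acl_check.py <nas-address> data|mgmt
    host, vantage = sys.argv[1], sys.argv[2]
    policy = DATA_NET_POLICY if vantage == "data" else MGMT_VLAN_POLICY
    problems = audit(host, policy)
    print("\n".join(problems) or "policy holds from this vantage point")
    sys.exit(1 if problems else 0)
```

Run it once from a host on the data network and once from a host on the management VLAN. The "expected open" entries matter as much as the blocked ones, because a port that looks blocked can also mean the service is simply down.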

All Replies
EMF2
Aspirant

Re: RR4312S MFA for admin interface

I understand why you might want this to be optional.  I don't have a choice; our cybersecurity insurance provider is mandating that all admin interfaces be MFA protected or they won't renew the policy.

 

Unfortunately my switching fabric does not have the ability to block at the port level unless you cross a routing interface.  Most of the devices in my network (including a Netgear M4300 switch) support RADIUS or TACACS authentication for the admin interface, so I can enforce MFA on that.  All of the others (except these NASs) I can move just the admin interface to a different VLAN without changing the primary service interfaces, usually through a separate network connection, sometimes through dot1q VLANing.  Then I can MFA-protect that VLAN through an internal gateway authentication connection... but that also limits the bandwidth to <1Gbps, which is not suitable for the use these NASs serve. 

 

Is there a software firewall suite (e.g. iptables, firewalld, etc.) in the ReadyNAS line?  If I could block it in the ReadyNAS itself, then I wouldn't have to move them.

Message 3 of 5
EMF2
Aspirant

Re: RR4312S MFA for admin interface

Your answer provoked some thought.  I'll have to change a whole bunch of cabling around to make room on that M4300 (and hope I can get cables to maintain 10Gbps between the two), but that switch *does* support TCP port blocking.  I'll give it a shot... but again, if the RR4312 has firewall kernel modules, I'd love to use that too.

Message 4 of 5
StephenB
Guru

Re: RR4312S MFA for admin interface


@EMF2 wrote:

but again, if the RR4312 has firewall kernel modules, I'd love to use that too


iptables is installed, but I believe Netgear has customized it somehow.  I haven't seen any posts here from people who have managed to configure it for their own purposes.

Message 5 of 5