
Any major security issues sharing NV+ files over HTTPS?

s____
Aspirant

Any major security issues sharing NV+ files over HTTPS?

Hi!

I have been a long-time ReadyNAS user and know just enough to get myself in trouble now and then.

Work has given me one of their old ReadyNAS - an NV+ (sparc based) that is running the latest version of the software for this hardware.

I'm interested in setting up my own home server and turning on remote access to the HTTPS sharing service. I have set it up with some test data, forwarded the ports, etc. - and all is working great.

However, I wondered if there are any major security concerns I should be aware of before I start using this machine to hold my personal data? It will just be the norm - my music, photos, documents - but I didn't want to share all of that using HTTPS / port forwarding if a huge security hole exists. I realize it is older software and older hardware at this point, so I just wanted to ask. Thanks for any tips or pointers on how I can ensure I'm the only one accessing my data 😃

-Stephen

Message 1 of 11
mdgm-ntgr
NETGEAR Employee Retired

Re: Any major security issues sharing NV+ files over HTTPS?

Message 2 of 11
s____
Aspirant

Re: Any major security issues sharing NV+ files over HTTPS?

It is a NV+ v1 (sparc based).

Message 3 of 11
s____
Aspirant

Re: Any major security issues sharing NV+ files over HTTPS?

Also, just to be clear, I would like to set this up with the web interface (upload/download via browser) as well as WebDAV use. So my question about security pertains to those two services in particular.

Message 4 of 11
StephenB
Guru

Re: Any major security issues sharing NV+ files over HTTPS?

4.1.15 beta has some important security fixes.  I believe it is up to date, though there are no guarantees on how long Netgear will keep providing patches.

In general, you will have to use beta firmware releases to keep on top of the security issues.

Another approach is to deploy openvpn (which of course gives any user full access to your network).

Or use ftps.

Message 5 of 11
s____
Aspirant

Re: Any major security issues sharing NV+ files over HTTPS?

Thank you for your reply. That is very helpful!

I wonder - would it be a wise approach to do the following:

- Use WebDAV for a single small share (one or two mobile programs syncing data to this location)
- Use FTPS for "general access" when I need to use it like a remote server
- Disable all other HTTPS / web sharing

Or, would enabling WebDAV for 1 or 2 features cause a security risk in general, even to the data not shared via WebDAV?

Message 6 of 11
StephenB
Guru

Re: Any major security issues sharing NV+ files over HTTPS?

It is wise to control what you open up over the internet, and not enable more than needed.  So limiting https/WebDAV to the shares where that is needed is a good idea.

But often if a protocol has a security hole it can lead to compromise of the entire system.

Currently I am doing something along your lines - ftps is the main protocol (I allow FTP, but configure my clients to use FTPS if they support it).  I've also started using openVPN, and if that works out I will switch to that and close most of the ports I have open now.

Message 7 of 11
Sandshark
Sensei

Re: Any major security issues sharing NV+ files over HTTPS?

If you open up the primary HTTPS port (443) to the outside world, you open up the Admin access port to possible hacking from the outside world.  Of course, you also open it up to your own remote administration if that's your goal.  Using the alternate HTTPS port as the open port changes that.  If you don't want the users to have to specify the port, and your router supports it, just re-direct the incoming port 443 to the ReadyNAS alternate port.

Message 8 of 11
StephenB
Guru

Re: Any major security issues sharing NV+ files over HTTPS?


@Sandshark wrote:

> If you open up the primary HTTPS port (443) to the outside world, you open up the Admin access port to possible hacking from the outside world.  Of course, you also open it up to your own remote administration if that's your goal.  Using the alternate HTTPS port as the open port changes that.  If you don't want the users to have to specify the port, and your router supports it, just re-direct the incoming port 443 to the ReadyNAS alternate port.

Well, no.  You are enabling admin access with either HTTPS port (there is no way to specify "no admin access" on the secondary https port).

So if you open up https, make sure you have all the security patches (at the moment, that means 4.1.15 T3 for the NV+ v1), and make sure you have a strong admin password.

Message 9 of 11
Sandshark
Sensei

Re: Any major security issues sharing NV+ files over HTTPS?


@StephenB wrote:

> Well, no.  You are enabling admin access with either HTTPS port (there is no way to specify "no admin access" on the secondary https port).
>
> So if you open up https, make sure you have all the security patches (at the moment, that means 4.1.15 T3 for the NV+ v1), and make sure you have a strong admin password.

Well, yes, there is, with mod_rewrite.  And I thought that RAIDiator did it by itself.  But maybe I did that part manually.  But the rest is true whichever is the case.

Message 10 of 11
StephenB
Guru

Re: Any major security issues sharing NV+ files over HTTPS?


@Sandshark wrote:

> @StephenB wrote:
>
> > Well, no.  You are enabling admin access with either HTTPS port (there is no way to specify "no admin access" on the secondary https port).
> >
> > So if you open up https, make sure you have all the security patches (at the moment, that means 4.1.15 T3 for the NV+ v1), and make sure you have a strong admin password.
>
> Well, yes, there is, with mod_rewrite.  And I thought that RAIDiator did it by itself.  But maybe I did that part manually.  But the rest is true whichever is the case.

You must have done it manually - it is not set up that way by default.

In any event, most of the recent security threats to https don't require admin access.  So you can't ignore the security patches just because you disabled admin access.  [I'm not saying you do, just clarifying for others...]

Message 11 of 11
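
The mod_rewrite approach mentioned in message 10, sketched as an added example; it is not from the thread and not RAIDiator's own configuration. The alternate port `8443` and the admin path `/admin` are placeholders assumed for illustration, to be replaced with the values the unit actually uses. As message 11 points out, this only hides the admin UI on that port and does not replace the firmware security patches.

```apache
# Added example: refuse admin-UI requests that arrive on the alternate
# HTTPS port, so the port forwarded from the router serves shares only.
#
# ASSUMPTIONS (not from the thread):
#   - the alternate HTTPS port is 8443 (placeholder)
#   - the admin UI lives under /admin (placeholder)
#
# Place in server or virtual-host context, where the RewriteRule pattern
# is matched against the URL path including its leading slash.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Apply the rule only to connections accepted on the alternate port.
    # "=" is an exact string comparison, so 443 is unaffected and local
    # administration over the primary port keeps working.
    RewriteCond %{SERVER_PORT} =8443

    # Answer 403 Forbidden for /admin and everything beneath it.
    # (/|$) keeps the match from also catching unrelated paths such as
    # /administrator-share.
    RewriteRule ^/admin(/|$) - [F,L]
</IfModule>
```

After reloading the web server, request the admin path through the forwarded port from outside the LAN and confirm a 403, then confirm the shares and WebDAV still respond on the same port.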