
Network Drive setup + security

Answered
49 replies to this topic

#1 wv@gt

wv@gt

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 19-May 04
  • Location: Atlanta, GA

Posted 15 October 2013 - 19:49

Hey all. 

I'm helping my dad switch his office over from a dedicated server to using a NAS. His server got wiped out by the Cryptolocker malware. We decided to go with a dedicated NAS mainly because he only has 2 client computers now as opposed to 6, and the server maintenance isn't something he wants to deal with as much now. We plan to have the network drive do a full backup to one of the client computers, and have some essential files back up to the cloud with Office 365 and SkyDrive.

They have a SonicWall in the office that was only connected to the server. I have since set it up so all the client computers and the NAS are routed through it.

One of the IT guys for a neighboring office had mentioned to me that he didn't recommend this setup because of the lack of security on the NAS and that it would be too exposed to the internet. He was saying that I should instead use a stand-alone PC with a firewall as my NAS. How do most people secure their NAS setups? We are using a Western Digital My Book Live Duo as the network drive.



Best Answer: +BudMan, 05 November 2013 - 13:17

So just add that network to your SonicWall interface and connect into that other network with the SonicWall.

You might have to readdress your network space.. I don't recall the specifics.. And just looked over the thread again and you never seem to give what networks you're working with, 192.168.0.0/24, 10.x.x.x/?, etc..

But let's for example say the common network used to be 192.168.1.0/24

Just make your network 192.168.2.0/24 and connect the other network to a port on your SonicWall. Then in the SonicWall firewall only allow your machines to talk to the port and IP of the printer.

Now you're still isolated by the firewall, and have access to the printer.



#2 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 15 October 2013 - 20:49

How is it exposed to the internet - I assume your SonicWall is doing NAT -- have you forwarded any ports to your NAS IP?



#3 OP wv@gt

wv@gt

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 19-May 04
  • Location: Atlanta, GA

Posted 15 October 2013 - 20:59

I'm still learning about all the settings on the SonicWall. I reset it to its default settings: all 5 ports are acting as LAN ports and 1 WAN port. I'm assuming I can individually configure the ports so that the port for the NAS isn't forwarded through to the internet. I didn't see any settings on the hard drive which allowed me to turn off internet access, just manual IP config. It's a SonicWall TZ170 if that helps any, and it has 1 port that says optional on it.



#4 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 15 October 2013 - 21:08

Not talking about letting your NAS access the internet - I am talking about unsolicited traffic INBOUND from the internet being able to reach your NAS.. This is NOT how any normal NAT router/firewall works.. You have to specifically allow for unsolicited traffic via a port forward or firewall rule..

 

How many public IPs do you have? Unless your devices are using public IPs - they are behind a NAT.. A NAT, by nature of allowing the sharing of 1 internet connection by multiple devices, prevents unsolicited inbound traffic.. Only replies to something a client behind the NAT router requested are allowed in via the state table.

 

I find it highly unlikely your NAS is open to the internet - so this IT guy doesn't understand your setup or is blowing smoke up your ass. Are the devices on your office network considered hostile? If not then there is little need for a software/host firewall on every device. Firewalls make more sense at your trust borders.. You trust the machines on your local network I have to assume, so no need to firewall -- but you don't trust the people on the internet - so yes, firewall ;)

 

So here is the thing: even if you firewall at the NAS - what do you have to open up? I would assume file access, right - you want your users to access files, correct? So if the user gets infected and, say, infects all files the machine has access to - what good is the firewall going to do?? The virus will just look like a normal user accessing the files - so it's not possible for the firewall to prevent this issue.

 

Now let's say you wanted machine 192.168.1.100 to be able to talk to your NAS on SMB/CIFS -- but you didn't want 192.168.1.101 to be able to.. Then sure, you would need a firewall at the NAS to prevent this. But if all the devices on your local network need to talk SMB/CIFS (Windows file sharing) there is little point in a firewall on the NAS.

 

Now maybe you want Billy to only be able to access the files and not Susan -- this would be done with a form of auth (username and password normally). This is not a firewall function.. And I would think your NAS supports auth of different kinds already.. Would have to look up the features of your NAS to see.

 

edit: just looked - yeah, that NAS supports users and public shares - so you can give Billy access to a share - and he needs a username and password. And Susan, if she does not know this username and password, would not have access.

 

Don't enable any remote access stuff on the box or forward any ports on your SonicWall and you're fine.

 

Keep in mind that even if you have it with RAID 1 -- you need a BACKUP of your files.. Let's say Billy gets infected with something again; if he has access to the files - his machine can infect the ones on the NAS.. So you need a BACKUP that is not a real-time sync of the files.. So that even if he infects the stuff on the NAS, you can restore from, say, last week's offline copy of them.
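The two firewall behaviours this reply and the accepted answer rely on, the NAT state table that lets only replies back in and the "only allow your machines to talk to the port and IP of the printer" rule, modelled as a small policy engine. This is an added illustration, not code from the thread or from SonicWall; the 192.168.2.0/24 office network, the 192.168.1.0/24 neighbour network, the printer address and port 9100 are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not from the thread): the office is readdressed
# to 192.168.2.0/24, the other company stays on 192.168.1.0/24, and the shared copier
# answers on raw-print port 9100. Only two office machines may print.
OFFICE_LAN = ip_network("192.168.2.0/24")
OTHER_LAN = ip_network("192.168.1.0/24")
PRINTER = ip_address("192.168.1.50")
PRINTER_PORT = 9100
ALLOWED_TO_PRINTER = {ip_address("192.168.2.10"), ip_address("192.168.2.11")}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFirewall:
    """Minimal model of a NAT router's state table plus one explicit printer rule."""

    def __init__(self):
        # Flows initiated from the office; only replies to these may come back in.
        self.state = set()

    @staticmethod
    def _flow(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p):
        # The 5-tuple a reply to flow p would carry.
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def decide(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in OFFICE_LAN:
            if dst in OFFICE_LAN:
                return "allow"  # same trust zone: the firewall is not in the path
            if dst in OTHER_LAN:
                # The only thing the office may reach on the neighbour network is the
                # printer, and only from the listed machines on the print port.
                if dst == PRINTER and p.dport == PRINTER_PORT and src in ALLOWED_TO_PRINTER:
                    self.state.add(self._flow(p))
                    return "allow"
                return "drop"
            self.state.add(self._flow(p))  # outbound to the internet: remember the flow
            return "allow"
        # Anything arriving from outside is unsolicited unless it matches a tracked flow.
        return "allow" if self._reverse(p) in self.state else "drop"
```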



#5 OP wv@gt

wv@gt

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 19-May 04
  • Location: Atlanta, GA

Posted 16 October 2013 - 02:40

Thanks, that helps greatly. Really, I wasn't sure if there was something I needed to do on the SonicWall ports, but it seems like everything should work out fine.

The only other thing that IT guy said was that I should just plug a small switch or router into the port on the SonicWall where the server once was, then plug everything else into that switch. To me that doesn't seem any better than what I am already doing, unless the router has its firewall on as well.



#6 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 16 October 2013 - 04:03

To be honest, dude, this so-called "IT" guy seems like an IDIOT to me ;)

 

He really told you to plug a SOHO router into your SonicWall?? Really??

 

What SonicWall do you have - you mention multiple ports on it. Guessing it's a TZ series -- could you post up the model number?



#7 OP wv@gt

wv@gt

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 19-May 04
  • Location: Atlanta, GA

Posted 16 October 2013 - 12:56

It's a TZ 170

I don't trust this guy; my dad's office shares a space with a larger company which this guy works for. That larger company has several dedicated servers; he looked at me as if I was crazy when I mentioned I want to ditch our server for a NAS. He has already charged my dad a ton of money trying unsuccessfully to remove the Cryptolocker malware, which stemmed from that larger company. The larger problem for me is trying to figure out how my dad's network is placed in the larger company's

 

Right now the setup is pretty messy

The internet modem is split to 2 SonicWalls, my dad's and the other company's. From there it gets kind of messy. Each SonicWall has the servers plugged into one of the ports. The second port on each SonicWall goes to a single switch. So 2 SonicWalls go to one switch; that switch has connected a shared copier, a VoIP system, and then another switch where both my dad's computers and the other company's computers are wired in. The only thing I can see that separates the 2 networks is the IP addresses; not sure if the SonicWall is really doing what it needs to do. This IT guy assures me it's the easiest way right now.

 

Ideally, I'd like to disconnect his computers from their shared switch and have them directly connected to our SonicWall.



#8 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 16 October 2013 - 13:28

Why are you on a shared switch?  Are these companies part of the same larger company?

 

You know when I said you trusted all the computers on your network?? That was before I knew this other company was on it..

 

So a TZ 170?? I show that was END of support July 2013 http://www.sonicwall...tion_TZ_170.pdf -- might be time to upgrade and just completely break away from this other company..

 

Modems don't split btw -- must be a router of some sort?? Can you get me the make and model number of that device?



#9 OP wv@gt

wv@gt

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 19-May 04
  • Location: Atlanta, GA

Posted 16 October 2013 - 13:42

I don't know why it's a shared switch; best guess is that since my dad is basically renting a few office rooms out of this larger company, someone was lazy. All of the servers, SonicWalls and modems are in one room as well as that small switch; the switch that all the computers are wired into is in another. Best guess is that someone didn't want to do major restringing of wires, and just put my dad's SonicWall and server right in the middle of the network. Their network is on a different IP range and domain at least.

 

I'll have to make a trip over there this evening to see what router is between the SonicWalls and the modem. I just remember it being a D-Link 16 port; I'll have to see what model later. Like I said, I do want to break away from the other company's network. The issue is how the office is wired.

If our SonicWall is EOL, would you recommend replacing it with another one, or just a standard router? It's just 2 client computers, a shared copier/printer and the NAS right now.



#10 duddit2

duddit2

    Neowinian Senior

  • Joined: 24-January 10
  • Location: Manchester UK
  • OS: Windows 8 Pro

Posted 16 October 2013 - 13:57

The simplest way is to find out which patch panel ports correspond to the wall ports in your dad's office, then unplug them all from this shared switch and put your own switch in there (if needed; it depends on how many ports you need live in the office really and how many ports you have on the switch).

 

This may be what that guy meant about SonicWall - new switch; he may have meant to get all your ports off the shared switch and onto your own.

 

Then you'd have edge firewall (SonicWall) - switch - your patch panel ports - office wall ports - your network equipment.

 

As BudMan said though, it may be worth getting your own edge firewall as well, and I am curious about the split WAN - it's possible the ISP connection has multiple static IP addresses and an edge router is routing (not NAT) to the SonicWalls (which each have their own static public IP address out of the ISP pool, probably a block of 8 - 5 usable). If so you'd just need to know the IP to use along with gateway and subnet to set up your own edge firewall (SonicWall replacement).



#11 OP wv@gt

wv@gt

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 19-May 04
  • Location: Atlanta, GA

Posted 16 October 2013 - 14:29

I believe the switch is marked with which ports are his; there is a single line that connects the server room switch to the larger switch. Right now though, the NAS isn't connected to the larger switch that all the computers are wired into; it's wired directly into the SonicWall, so at least it's my understanding that the other company's network shouldn't be able to see this NAS right now. I'll double check on the edge router part; it would make sense if there are 2 separate static public IP addresses. Also, any suggestions for a replacement for this SonicWall? Will we be fine at least for a few months using this current SonicWall?



#12 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 16 October 2013 - 15:08

Yeah, you can use it til it dies - but it's end of support, so unless you have some extended support contract with SonicWall you cannot call them for support if something breaks or for how to do something.

 

It's possible the shared switch is using VLANs to isolate your 2 networks - but why the shared switch in the first place? If these companies are their own entities it seems odd to share equipment.

 

When you say server room switch to this shared switch - this server room switch is connected to both SonicWalls? Any way you could draw this network out - even if just in MS Paint? But http://www.gliffy.com is a free, easy way to get a quick drawing done.

 

It is possible that the ISP hands out more IPs and your SonicWalls each have their own - but you're still talking a shared internet connection, I have to assume. So if they use up all the bandwidth what can you do about it?

 

Is this a building internet connection or something where all the tenants share? I would really suggest you break out everything on your own.. If you want to talk security ;)

 

As to replacement - the SonicWalls work, just get a newer supported model that meets your requirements. Maybe there is a trade-in policy? I think sc302 has lots of experience working with SonicWalls. You might want to bring him into this thread.

 

Is there any wireless to your network or the building?  If we can get a basic drawing we can move forward in how to break away from this other company and secure your network, etc. etc. etc..



#13 OP wv@gt

wv@gt

    Neowinian Senior

  • Tech Issues Solved: 1
  • Joined: 19-May 04
  • Location: Atlanta, GA

Posted 16 October 2013 - 15:52

Here is a basic map, from me trying to reverse engineer the setup. There is no wireless yet, but my dad would like that option. It's not a shared building internet; each office space needs its own modem. I will need to check tonight if they are sharing a public IP or if it's separate. Looking at the map, my best guess is that the edge router was added in to allow my dad's SonicWall to be dropped inside their existing network.

The current server in place is running Server 2k3. With me adding in the NAS, I have been transitioning the 2 client computers off the domain of the server. I believe 1 of the computers is still using the server for DNS, but I will need to check.

Attached Images

  • Network Map.jpg


#14 C:Amie

C:Amie

    Neowinian

  • Joined: 02-December 02
  • Location: United Kingdom

Posted 16 October 2013 - 17:00

Your diagram seems to suggest that everyone is sharing the modem (bank) off of the edge router. Your diagram also suggests that your firewall is in the wrong place because you can get to "all computers, both offices" without going through it.

Unless there is some sort of VLAN setup to provide isolation through tagging or we are still missing something crucial, this is quite, quite problematic.

Do you need to consume the copier / VoIP services / other companies server services at all? If you do you will need a router and some tight port restrictions.

Can you run new lines between room 1 and room 2?

You may have dropped down to 2 PCs now, but is there any chance that you will have to increase the numbers again in the future? By losing the server / AD you sacrifice the potential for future integration and automation in a non-trivial fashion. The server also potentially allows you to master data storage here and back up the server and clients to the NAS, giving you a better backup strategy. Its running 2003 does, however, pose a problem around the cost of upgrading it that you may not want to have to deal with - and you have already acknowledged that the maintenance of it is a driver for its removal.

If you are backing up data from the NAS to a client, then you are surrendering data security as you are keeping entire copies of the data in both room 1 and presumably room 2 (with the clients). On the assumption that room 1 is a server room and is more secure, this is not the best strategy. You are also copying it all over a shared network, again not ideal.

At a minimum the first step should be to get your clients onto a new switch that runs directly into your SonicWall device, or an additional new switch behind the firewall. That will at least mean that you are dealing with a single network entry point.

#15 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 75
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 16 October 2013 - 17:02

So do you need access to this copier and the VoIP/backup system? Who owns / manages these?
