Network Drive setup + security



Hey all.

I'm helping my dad switch his office over from a dedicated server to using a NAS. His server got wiped out by the Cryptolocker malware. We decided to go with a dedicated NAS mainly because he only has 2 client computers now as opposed to 6, and the server maintenance isn't something he wants to deal with as much now. We plan to have the network drive do a full backup to one of the client computers, and have some essential files back up to the cloud with Office 365 and SkyDrive.

They have a SonicWall in the office that was only connected to the server. I have since set it up so all the client computers and the NAS are routed through it.

One of the IT guys for a neighboring office had mentioned to me that he didn't recommend this setup because of the lack of security on the NAS and that it would be too exposed to the internet. He was saying that I should instead use a standalone PC with a firewall as my NAS. How do most people secure their NAS setups? We are using a Western Digital My Book Live Duo as the network drive.


How is it exposed to the internet? I assume your SonicWall is doing NAT -- have you forwarded any ports to your NAS IP?


I'm still learning about all the settings on the SonicWall. I reset it to its default settings; all 5 ports are acting as LAN ports and 1 as a WAN port. I'm assuming I can individually configure the ports so that the port for the NAS isn't forwarded through to the internet. I didn't see any settings on the hard drive which allowed me to turn off internet access, just manual IP config. It's a SonicWall TZ170 if that helps any, and it has 1 port that says "optional" on it.


Not talking about letting your NAS access the internet - I am talking about unsolicited traffic INBOUND from the internet reaching your NAS.. This is NOT how any normal NAT router/firewall works.. You have to specifically allow for unsolicited traffic via a port forward or firewall rule..

How many public IPs do you have? Unless your devices are using public IPs - they are behind a NAT.. A NAT, by nature of allowing the sharing of 1 internet connection by multiple devices, prevents unsolicited inbound traffic.. Only replies to something a client behind the NAT router requested are allowed in via the state table.

I find it highly unlikely your NAS is open to the internet - so this IT guy doesn't understand your setup or is blowing smoke up your ass. Are the devices on your office network considered hostile? If not, then there is little need for a software/host firewall on every device. Firewalls make more sense at your trust borders.. You trust the machines on your local network, I have to assume, so no need to firewall -- but you don't trust the people on the internet - so yes, firewall ;)

So here is the thing: even if you firewall at the NAS - what do you have to open up? I would assume file access, right - you want your users to access files, correct? So if the user gets infected and, say, infects all files the machine has access to - what good is the firewall going to do?? The virus will just look like a normal user accessing the files - so it's not possible for the firewall to prevent this issue.

Now let's say you wanted machine 192.168.1.100 to be able to talk to your NAS on SMB/CIFS -- but you didn't want 192.168.1.101 to be able to.. Then sure, you would need a firewall at the NAS to prevent this. But if all the devices on your local network need to talk SMB/CIFS (Windows file sharing), there is little point in a firewall on the NAS.

Now maybe you want Billy to only be able to access the files and not Susan -- this would be done with a form of auth (username and password normally). This is not a firewall function.. And I would think your NAS supports auth of different kinds already.. Would have to look up the features of your NAS to see.

edit: just looked - yeah, that NAS supports users and public shares - so you can give Billy access to a share, and he needs a username and password. And Susan, if she does not know this username and password, would not have access.

Don't enable any remote access stuff on the box or forward any ports on your SonicWall and you're fine.

Keep in mind that even if you have it with RAID 1 -- you need a BACKUP of your files.. Let's say Billy gets infected with something again; if he has access to the files, his machine can infect the ones on the NAS.. So you need a BACKUP that is not a real-time sync of the files.. So that even if he infects the stuff on the NAS, you can restore from, say, last week's offline copy of them.

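The last point in the post above (a backup that is not a real-time sync, so last week's copy survives an infection) is worth seeing concretely. The script below is an added example, not code from the thread or from Western Digital: it copies a share into a new dated snapshot folder on every run, keeps only the newest few snapshots, and never writes into an existing snapshot. The `demo` function then simulates a workstation corrupting a file on the live share and shows that the previous snapshot still restores the clean version. All paths, file contents and timestamps are constructed for the demonstration.

```python
"""Snapshot-style backup with retention (added example, not from the thread).

A real-time sync would faithfully replicate an encrypted file over the good
copy.  Dated snapshots do not: each run creates a fresh folder and leaves the
earlier folders untouched, so an older clean copy is always available.
"""
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def list_snapshots(backup_root):
    """Snapshot folder names, oldest to newest (the timestamp format sorts lexically)."""
    return sorted(p.name for p in backup_root.iterdir() if p.is_dir())


def snapshot_backup(source, backup_root, when, keep=4):
    """Copy `source` into backup_root/<YYYYmmdd-HHMMSS>, then prune to the `keep` newest.

    shutil.copytree refuses to write into an existing directory, which is the
    property we want: a snapshot, once taken, is never modified by a later run.
    """
    backup_root.mkdir(parents=True, exist_ok=True)
    target = backup_root / when.strftime("%Y%m%d-%H%M%S")
    shutil.copytree(source, target)
    for old in list_snapshots(backup_root)[:-keep]:   # drop everything but the newest `keep`
        shutil.rmtree(backup_root / old)
    return target


def restore_file(backup_root, snapshot, relative, dest):
    """Copy one file out of a chosen snapshot to `dest` and return its bytes."""
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(backup_root / snapshot / relative, dest)
    return dest.read_bytes()


def demo(tmp):
    """Weekly backups, then a simulated infection, then a restore from the older copy."""
    share = tmp / "share"        # stands in for the NAS share (constructed)
    backups = tmp / "backups"    # stands in for the offline backup location (constructed)
    share.mkdir(parents=True)
    (share / "invoice.docx").write_bytes(b"clean invoice")

    week0 = datetime(2013, 9, 1)
    for i in range(5):           # five weekly runs; keep=4 prunes the oldest on the fifth
        snapshot_backup(share, backups, week0 + timedelta(weeks=i), keep=4)

    # a workstation with write access corrupts the file on the live share
    (share / "invoice.docx").write_bytes(b"ENCRYPTED GARBAGE")
    # the next run captures the damaged file, as any backup would ...
    latest = snapshot_backup(share, backups, week0 + timedelta(weeks=5), keep=4)
    # ... but the snapshot before it still holds the clean version
    names = list_snapshots(backups)
    restored = restore_file(backups, names[-2], "invoice.docx",
                            tmp / "restored" / "invoice.docx")
    return {
        "snapshots": names,
        "latest_is_damaged": (latest / "invoice.docx").read_bytes() == b"ENCRYPTED GARBAGE",
        "restored": restored,
    }


def run_demo():
    """Run the demonstration in a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as d:
        return demo(Path(d))


if __name__ == "__main__":
    print(run_demo())
```

The retention count and the schedule are the two knobs to set for a real office: keep enough snapshots that an infection noticed a week late can still be rolled back, and run the job from the backup machine pulling from the share rather than from a workstation pushing, so an infected workstation has no write access to the snapshots.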

Thanks, that helps greatly. Really, I wasn't sure if there was something I needed to do on the SonicWall ports, but it seems like everything should work out fine.

The only other thing that IT guy said was that I should just plug in a small switch or router into the port on the SonicWall where the server once was, then plug everything else into that switch. To me that doesn't seem any better than what I am already doing, unless the router has its firewall on as well.


To be honest dude, this so-called "IT" guy seems like an IDIOT to me ;)

He really told you to plug a SOHO router into your SonicWall?? Really??

What SonicWall do you have - you mention multiple ports on it. Guessing it's a TZ series -- could you post up the model number?


It's a TZ 170.

I don't trust this guy; my dad's office shares a space with a larger company that this guy works for. That larger company has several dedicated servers, and he looked at me as if I was crazy when I mentioned I want to ditch our server for a NAS. He has already charged my dad a ton of money trying unsuccessfully to remove the Cryptolocker malware, which stemmed from that larger company. The larger problem for me is trying to figure out how my dad's network is placed in the larger company's.

Right now the setup is pretty messy.

The internet modem is split to 2 SonicWalls, my dad's and the other company's. From there it gets kind of messy. Each SonicWall has the servers plugged into one of the ports. The second port on each SonicWall goes to a single switch. So 2 SonicWalls go to one switch; that switch has connected a shared copier, a VoIP system, and then another switch where both my dad's computers and the other company's computers are wired in. The only thing I can see that separates the 2 networks is the IP addresses; not sure if the SonicWall is really doing what it needs to do. This IT guy assures me it's the easiest way right now.

Ideally, I'd like to disconnect his computers from their shared switch and have them directly connected to our SonicWall.


Why are you on a shared switch? Are these companies part of the same larger company?

You know when I said you trusted all the computers on your network?? That was before I knew this other company was on it..

So a TZ 170?? I show that was END of support July 2013 http://www.sonicwall.com/us/shared/download/Dell_SonicWALL_EOS_Notofication_TZ_170.pdf -- might be time to upgrade and just completely break away from this other company..

Modems don't split, btw -- must be a router of some sort?? Can you get me the make and model number of that device?


I don't know why it's a shared switch; best guess is that since my dad is basically renting a few office rooms out of this larger company, someone was lazy. All of the servers, SonicWalls and modems are in one room as well as that small switch; the switch that all the computers are wired into is in another. Best guess is that someone didn't want to do major restringing of wires, and just put my dad's SonicWall and server right in the middle of the network. Their network is on a different IP range and domain at least.

I'll have to make a trip over there this evening to see what router is between the SonicWalls and the modem. I just remember it being a D-Link 16 port; I'll have to see what model later. Like I said, I do want to break away from the other company's network. The issue is how the office is wired.

If our SonicWall is EOL, would you recommend replacing it with another one, or just a standard router? It's just 2 client computers, a shared copier/printer and the NAS right now.


The simplest way is to find out which patch panel ports correspond to the wall ports in your dad's office, then unplug them all from this shared switch and put your own switch in there (if needed; depends on how many ports you need live in the office really and how many ports you have on the switch).

This may be what that guy meant about SonicWall - new switch: he may have meant to get all your ports off the shared switch and onto your own.

Then you'd have edge firewall (SonicWall) - switch - your patch panel ports - office wall ports - your network equipment.

As Budman said though, maybe worth getting your own edge firewall as well, and I am curious about the split WAN - it's possible the ISP connection has multiple static IP addresses and an edge router is routing (not NAT) to the SonicWalls (which each have their own static public IP address out of the ISP pool, probably a block of 8 - 5 usable). If so you'd just need to know the IP to use along with gateway and subnet to set up your own edge firewall (SonicWall replacement).


I believe the switch is marked with which ports are his; there is a single line that connects the server room switch to the larger switch. Right now though, the NAS isn't connected to the larger switch that all the computers are wired into; it's wired directly into the SonicWall, so at least it's my understanding that the other company's network shouldn't be able to see this NAS right now. I'll double check on the edge router part; it would make sense if there are 2 separate static public IP addresses. Also, any suggestions for a replacement for this SonicWall? Will we be fine at least for a few months using this current SonicWall?


Yeah, you can use it till it dies - but it's end of support, so unless you have some extended support contract with SonicWall you can not call them for support if something breaks or for how to do something.

It's possible the shared switch is using VLANs to isolate your 2 networks - but why the shared switch in the first place? If these companies are their own entities it seems odd to share equipment.

When you say server room switch to this shared switch - this server room switch is connected to both SonicWalls? Any way you could draw this network out - even if just in MS Paint? But http://www.gliffy.com is a free easy way to get a quick drawing done.

It is possible that the ISP hands out more IPs and your SonicWalls each have their own - but you're still talking a shared internet connection, I have to assume. So if they use up all the bandwidth what can you do about it?

Is this a building internet connection or something where all the tenants share? I would really suggest you break out everything on your own.. If you want to talk security ;)

As to replacement - the SonicWalls work, just get a newer supported model that meets your requirements. Maybe there is a trade-in policy? I think sc302 has lots of experience working with SonicWalls. You might want to bring him into this thread.

Is there any wireless to your network or the building? If we can get a basic drawing we can move forward in how to break away from this other company and secure your network, etc. etc. etc..


Here is a basic map, from me trying to reverse engineer the setup. There is no wireless yet, but my dad would like that option. It's not a shared building internet; each office space needs its own modem. I will need to check tonight if they are sharing a public IP or if it's separate. Looking at the map, my best guess is that the edge router was added in to allow for my dad's SonicWall to be dropped inside their existing network.

The current server in place is running Server 2k3. With me adding in the NAS, I have been transitioning the 2 client computers off the domain of the server. I believe 1 of the computers is still using the server for DNS, but I will need to check.

[Image: network diagram attached by the original poster]


Your diagram seems to suggest that everyone is sharing the modem (bank) off of the edge router. Your diagram also suggests that your firewall is in the wrong place because you can get to "all computers, both offices" without going through it.

Unless there is some sort of VLAN setup to provide isolation through tagging or we are still missing something crucial, this is quite, quite problematic.

Do you need to consume the copier / VoIP services / other companies server services at all? If you do you will need a router and some tight port restrictions.

Can you run new lines between room 1 and room 2?

You may have dropped down to 2 PCs now, but is there any chance that you will have to increase the numbers again in the future? By losing the server / AD you sacrifice the potential for future integration and automation in a non-trivial fashion. The server also potentially allows you to master data storage here and back up the server and clients to the NAS, giving you a better backup strategy. Its running 2003 does, however, pose a problem around the cost of upgrading it that you may not want to have to deal with - and you have already acknowledged that the maintenance of it is a driver for its removal.

If you are backing up data from the NAS to a client, then you are surrendering data security as you are keeping entire copies of the data in both room 1 and presumably room 2 (with the clients). On the assumption that room 1 is a server room and is more secure, this is not the best strategy. You are also copying it all over a shared network, again not ideal.

At a minimum the first step should be to get your clients onto a new switch that runs directly into your sonic device or an additional new switch behind the firewall. That will at least mean that you are dealing with a single network entry point.


Access to the copier/printer and VoIP system isn't needed; my dad has a printer/scanner/copier that is connected via USB on his computer. I'm not really sure what that VoIP backup system does. All I know is that it's a beige box similar to a standard computer tower that is labeled "VoIP backup".

Running a wire between the two rooms shouldn't be a problem; it's a drop ceiling.

I've looked through everything that is wall mounted in that first room and can't find any other network related hardware. That diagram is as close as I can get. Yes, in theory it looks like I should be able to access the other network. When I am on one of my dad's client computers, I have tried browsing to see if I see their network or domain, which doesn't show up. I need to see if I can ping theirs though.

Right now the client computers are using the SonicWall for the default gateway, and I have matched the DNS server, subnet range and IP range to the SonicWall as well.

I really don't see him adding more client computers, maybe 1, but that's all he has as far as office space.


Then I would remove that connection and run your own switch.. There is no need to be tied to that system if you're not using any services on it - and yes, it is a security issue to be sure.

Get a switch and connect it to your SonicWall, and connect all your devices either to the SonicWall or your switch.

Now you're all behind your SonicWall for security.


The small 5 port switch is a consumer D-Link 10/100 switch. The main switch with all the client computers in room 2, I need to check, but I doubt it's been changed. Only reason I say this is because my dad is just using 2 office rooms out of this entire main office, which was set up like this before, minus his equipment.

+Budman, thanks for the help on all of this. I by no means am an expert on this, just trying to help out since my dad already lost a bunch of money with this Cryptolocker virus and this other IT guy.


Agreed. One or two switches may be required to isolate you, but it is worth doing. Once you've done that you should consider looking at disconnecting your Internet connectivity from the other company's network if you aren't using any of the services on it and don't want to have a redundant link arrangement.


Yeah, switches are cheap.. Even a smart one, which is fine for a small setup, is at most $200.. Especially if you only need a handful of ports.

I would isolate your network from the rest of the building as fast as possible.. And then, as C:Amie suggests, look into breaking out your internet connection if possible. That sort of setup seems odd to me, unless maybe your dad piggybacked onto their connection and is paying them $ for access vs getting his own connection?

edit: A business type connection from a cable or DSL provider should be fairly reasonable in price for a small company. To be honest, if you're such a small shop even a SonicWall might be overkill, and the device the ISP gives you will surely do NAT, and might be all that you really need for such a small setup with a handful of computers..


I do have a boxed Linksys Wireless N300 router that I bought a few weeks ago. Would this be OK to use, if we ditched the SonicWall down the road? I could just use this and a small switch later on. First thing I will see about is the internet connection, if it's shared or 2 separate IPs. Is there an easy way to tell without having to get on their systems? The SonicWall is set right now to get WAN via DHCP.


And what is your SonicWall WAN IP.. Does it start with 10.x or 192.168.x.x or 172.16-31.x.x? Then it's behind a NAT..

If it is something other than those, then most likely the shared ISP is handing out multiple IPs..

As to using a Linksys router for your connection - for a few-person shop, yeah, lots of places do it. Clearly a cost saver ;)

How many people in the location, how many machines? If you're talking a handful -- then yeah, why spend money on medium/enterprise grade equipment? Most ma and pop shops have tiny budgets, if anything at all.

It's not ideal -- but sure, you can make a lot of things work on pennies. If the budget is there I would go with something more upscale, etc. But sure, that router does not care if you're business or home - it just does its thing and NATs your private to a public IP.. And should work out just fine.

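The rule in the post above (a WAN address in 10.x, 172.16-31.x or 192.168.x means the SonicWall sits behind another NAT; anything else means the ISP is handing out a public address) is easy to get wrong by eye, especially the 172.16.0.0/12 boundary. The function below is an added example, not from the thread or from SonicWall, that encodes it with the standard library's `ipaddress` module. It goes slightly beyond the post in two labelled ways: it also recognises 100.64.0.0/10 (RFC 6598 shared address space, handed out by ISPs doing carrier-grade NAT, which likewise means a NAT upstream) and 169.254.0.0/16 (a link-local self-assigned address, which on a DHCP WAN port means no lease was obtained). The sample addresses in the `main` block are constructed.

```python
"""Classify a firewall's WAN address: behind another NAT, or public?

Added example, not code from the thread.  The three RFC 1918 ranges are the
ones named in the post; the CGNAT and link-local checks are additions.
"""
import ipaddress

# Private ranges from RFC 1918, exactly the three the post lists.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, used by ISPs for carrier-grade NAT (assumption beyond the post).
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(addr):
    """Return (kind, explanation) for a WAN address string.

    kind is one of: "private", "cgnat", "link-local", "public", "ipv6", "invalid".
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return ("invalid", f"{addr!r} is not an IP address")
    if ip.version != 4:
        return ("ipv6", "the rule in the post covers IPv4 only")
    for net in RFC1918:
        if ip in net:
            return ("private", f"{ip} is in {net}: the firewall is behind another NAT device")
    if ip in CGNAT:
        return ("cgnat", f"{ip} is in {CGNAT}: the ISP is doing carrier-grade NAT upstream")
    if ip.is_link_local:
        return ("link-local", f"{ip} is self-assigned: the WAN port got no DHCP lease")
    return ("public", f"{ip} is a routable address: the ISP is handing out multiple public IPs")


def behind_upstream_nat(addr):
    """True when something between this firewall and the internet is already doing NAT."""
    return classify_wan(addr)[0] in ("private", "cgnat")


if __name__ == "__main__":
    # Constructed sample WAN addresses, including the awkward 172.16/12 edge.
    for sample in ("192.168.1.1", "10.0.0.5", "172.31.255.254", "172.32.0.1",
                   "100.64.7.7", "169.254.10.10", "203.0.113.5"):
        kind, why = classify_wan(sample)
        print(f"{sample:>16}  {kind:<10}  {why}")
```

Read the WAN address off the SonicWall's status page and feed it in; a "private" or "cgnat" result means port forwards on this firewall alone would not expose anything to the internet anyway, because the device upstream is dropping unsolicited inbound traffic first, while a "public" result means this firewall is the only thing doing that job.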

The other thing to consider in this is the relative cost to the business of a security breach, data loss or hack. You've already had the expense of the virus recovery; now what happens if that happens again? Does it matter because all you lose are low priority letters to customers? Or do you lose your accounts, tax data and information on that top secret government contract that no one is supposed to know about?

Your security and the money you throw at providing it has to be relevant to BOTH the needs of the data and the predicted growth of the business. There is no point getting a 4 port switch now if you know that you'll need a 16 port in 12 months time.


3 weeks later...

Hey guys. So a quick update. I have set up a new router with wifi (set up as a switch) and run both client computers to that switch. The switch is wired to the SonicWall directly. So currently my dad's network is now separate from the other office. Which is great!

Only downside is that I misunderstood about the copier. It is also a shared printer for both offices to use. I need to figure out how to set it up so that both networks can access it, while still keeping the networks separate. It only has 1 LAN port and does have a USB port. No computer is wired to it via USB though.
