Creating Firewall Rules To Secure Your Synology NAS

Video Statistics and Information

Captions
Tom here from Lawrence Systems, and we're going to talk about how to configure and lock down your Synology NAS. Now, specifically what this is about is: many Synology NASes have multiple interfaces. Now, they can be used for things like LACP and link bonding and maybe even some redundancy, but the other really important use case of having more than one network interface on a NAS is so you can have each segment of the NAS belong to each network where the devices that are going to be talking to the NAS directly are set up. For example, if you had a series of cameras and you're running Synology with, say, Synology Surveillance Station set up, you would ideally put at least one of those interfaces in the same network and subnet as the cameras. But you're thinking, well, I like the camera subnet locked down without internet; I want to be able to get to my Synology. And of course you could just punch a firewall rule to get through over there, but of course you also don't want the cameras, if something were to happen and somehow something nefarious where the cameras were taken over or someone was able to get on your camera network, to be able to get to the interface for, like, DSM or the Synology Surveillance Station interface. This can all be controlled with a series of firewall rules. This way you can even have a segment where maybe it's on the same network as your devices that do things like casting media, so you want to have Plex be able to talk to it but not routing through the firewall. Routing things through the firewall can create some inefficiencies and sometimes just some barriers to getting them working properly. So this is all about configuring the network interfaces in different segments and then creating firewall rules so you can limit the level of access that those networks will have to it, and then creating a network where you want the access, or even an implicit rule where only you or only a specific IP has access to the Synology interface. This is just a matter of tightening up security and practicing principles of least privilege; you just have to define that privilege implicitly inside of Synology.

Before we get started in this video, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a Hire Us button right at the top. If you'd like to support this channel otherwise, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel.

Now let's start with our network topology and layout. Here's my computer at 192.168.3.9. Here's LAN 1 at 192.168.3.215, assigned to the LAN 1 interface of the Synology. This is 192.168.3.0/25, so this entire subnet I'm going to refer to as our trusted device network. These are the devices that I think are okay to be on the same network as the Synology, and I'm not worried about anything on this network trying to attack it or trying to get to the web interface; no problem. The network down here is our less trusted network. Now, I only did one just to keep it simple, but it could be a series of different networks. But for simplicity, whether this is a network where you have your streaming media devices like Chromecast, Sonos, or insert the name of your favorite streaming media device, your phones that you may want to also stream media on that is located on your Synology, and maybe some file sharing, gaming systems, or it's your camera network that you want completely locked down, that is where this is: the less trusted network. And the firewall itself, in my case I'm using pfSense, and I have a separate video on how to define pfSense firewall rules, but this is not about those rules. But I want to make clear nothing from here has access to this: this less trusted network does not have access to the trusted network because of the firewall rules at the firewall level, like I said, in my case pfSense. But these devices are allowed, if needed, to get over to here.

Now on to the configuration, because it's actually really easy to set this up. Right now we have LAN 1 and LAN 2, and they're set up: one's on a static IP, one's DHCP, but as long as you understand what subnets they're in and it matches just like the diagram. Now let's actually talk about the system I have over here, which is a Windows computer on the same network, that 10.13.37 one. Now right now everything's at default on the Synology: I have access to the web interface here; I can go and ping it at this address right here, so we'll go ahead and pull this up and hit ping. I'm able to talk to it, so I have full access, because that's the default, how Synology does this; there are no firewall rules on Synology out of the box. Everything has to be configured implicitly. So once we have the IP addresses and the LANs set up, we go over here to Security, Firewall, Enable Firewall; we can go ahead and hit Apply. Now the default rules are pretty simple: it allows all. So here's your All Interfaces, LAN 1, LAN 2, and the default rule in Synology for everything is allow, so that's not exactly what you want. So when you're going to go ahead and manage firewall rules, you could edit the default, but for purposes of just doing things here, so I don't have to do anything like fix the default rules later, this is "YouTube demo," and now we can start creating rules. The All Interfaces I'm going to leave empty. LAN 1 I'm going to leave like this: allow access, because it's my trusted network, so it just has access to everything; I'm not going to create any lockdown rules on there. LAN 2.

All right, let's start with this scenario of maybe I'm doing some file sharing, maybe I'm doing some media streaming, maybe I have Emby or Plex, and I want those interfaces accessible on the less trusted network, but what I don't want accessible is the admin interface. That way, you know, none of the kids' computers or whatever devices are over there, the people that you don't want even attempting to admin the machine, only have access to the other services that are running on the Synology. So we're going to go ahead and Create, and we're going to create a block rule. So go ahead and select Applications, and we'll go Management UI, so that's actually 5000 and 5001; that's your DSM. You could block other things too if there are maybe other things you don't want them to have access to; yeah, if you've got SSH enabled, maybe that as well, and any other services that you go, you know, I do have these other things enabled. But generally speaking, unless you've enabled SSH, which is not enabled by default, or you just have the management interface, which is enabled by default, you just check these boxes here and hit OK. So now we've decided those are the things we want to deny access to. Then we're going to go ahead and leave it at that, so it's a deny, so Management UI, and done; those things are blocked. Now down here, "if no rules are matched: allow." So the first rule is going to match things trying to hit that management interface. We hit OK, close, changes to the "YouTube demo" ones, Apply. So now it's turned on to these rules. Go back over here; we're going to go ahead and ping it. I'm still able to talk to it, I'm sorry, to ping it, but let's go ahead and reload this management interface. It doesn't load; this is it, it's just going to sit here for a second and it's going to fail, because we've now implicitly blocked, on this network, the management interface. And obviously we know we haven't blocked it over here on my computer, because I'm still in here, still able to get to it. Pretty simple how the rule system works: just go to each interface and then implicitly list or deny the different things that you want access to.

Now, as I said, we could always make an exception. We'll even add another rule. So if we create another rule, Specific IP, so 10.13.37.10, hit OK, and we want to say All, and we put it above this. So right now it's below it, so we have to actually drag the rule up, put it above it. All; any other device except this one IP address can get to this. So hit OK again, reload the page again, and now it's able to get to it, but if any other system tries, it wouldn't work. Now the problem with doing this, of course, is if any other device knows what IPs have access, if you were to switch an IP address on this network, they'd be able to get to the interface, so it wouldn't really be that secure. So I really recommend having a separate management network where you do the management for the DSM and set the rules up.

Now what about if this was for cameras? I wanted to cover that because they're a little bit different when you do it for cameras, because it's actually simpler. Let me go over here to LAN 2; we're going to delete these, so we'll go ahead and delete this and delete this. And the question would be, what rules do I need for cameras? Nothing at all. You can build a camera network, and if LAN 2 is a camera network, we can say deny access, hit OK, and it would actually work. And let me explain by showing you how my system at home is set up. As I referenced in my previous video where I talked about my home firewall rules and literally showed you my home firewall rules, my camera LAN is 192.168.60.10.

So if you go over here to Security and we go to Firewall Rules, and we're going to go ahead and edit the rules, and I left them just called Basic. If we go and switch over to that LAN 4, which is the camera, you'll see there are no rules; it's completely denied. And the reason this works is because the way Synology handles rules is these are all inbound rules coming into this Synology system. When you're doing something, and specifically we mentioned cameras, you're reaching out from the system and going to the cameras to log into them. By doing that, you are creating the connection that's sourced at the Synology to the cameras: log in, grab the camera data at the request of the Synology, streaming it back to the Synology. So if you're worried about your camera network, it is nice to keep it very narrowly locked down. But then my other networks, for example my, if you want to call it, less trusted network where all the devices and Chromecasts are, I've only denied the management interface, because no one on that network needs to try to manage my Synology. That is restricted to the LTS Tom, as I call it, or the trusted network that I have, which only has just my laptop in it. So if you're looking at a better way to lock it down, just take the time to learn the Synology firewall rules. They're rather simple to implement; they can boost your security. And if you need to have remote access to your Synology, do that off of the trusted network as well. For example, if you were to do any port forwarding, because, just so you know, if for example I wanted to port forward, I wouldn't want to use the network where I've also denied anything coming in from that network. It's a little side note that may be really important when you're setting these things up. Secondarily, if you're setting up a static IP in each of these networks, you don't need a gateway in each of these for it to broadcast on that network. The gateway is only needed if you need it to go out to the internet via that interface. You can actually leave, for example on the camera network or the untrusted network, you can omit the gateway; just put a static IP address to assign the Synology an IP address on that interface. And obviously each interface is plugged in directly to wherever you have those ports on your network, whether it's a separate switch or a series of VLANs. It goes out of scope to describe the physical layer of the network of where you're plugging these in, but essentially you're plugging them into however you've segmented up your network, whether you've segmented with a series of unmanaged switches that are completely separate or you've created a more advanced network with a series of VLANs. It's all about what subnet it's in and restricting it to that. Those, like I said, are a little out of scope for this video, but hopefully this is helpful and gives you a better understanding of how to better secure your Synology through the firewall rules built into the Synology.

All right, thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts, and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
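As an added example (not from the video and not Synology's own code), here is a small Python model of the per-interface, first-match rule evaluation the walkthrough relies on: a trusted LAN 1 with no rules and default allow, LAN 2 with the Management UI deny and the specific-IP allow in both orders (showing why the allow had to be dragged above the deny), and a camera LAN with nothing but a deny default. The Rule and InterfacePolicy classes and the evaluation order are my assumptions about how DSM processes its list; the addresses and ports are the ones used in the video.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Ports behind DSM's "Management UI" application entry, as named in the video.
MANAGEMENT_UI_PORTS = {5000, 5001}


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    ports: Optional[Set[int]] = None   # None means all ports
    source: Optional[str] = None       # single IP or CIDR; None means any source

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.ports is not None and dst_port not in self.ports:
            return False
        if self.source is not None and ip_address(src_ip) not in ip_network(self.source, strict=False):
            return False
        return True


@dataclass
class InterfacePolicy:
    """Assumed model: one ordered rule list per interface, first match wins,
    otherwise the interface's 'if no rules are matched' action applies."""
    rules: List[Rule] = field(default_factory=list)
    default: str = "allow"

    def decide(self, src_ip: str, dst_port: int) -> str:
        for rule in self.rules:          # evaluated top to bottom
            if rule.matches(src_ip, dst_port):
                return rule.action
        return self.default


# Constructed rule sets mirroring the video's walkthrough
DENY_MGMT = Rule("deny", ports=MANAGEMENT_UI_PORTS)
ALLOW_ADMIN_HOST = Rule("allow", source="10.13.37.10")     # the one exempted workstation

LAN1_TRUSTED = InterfacePolicy()                             # no rules, default allow
LAN2_AS_CREATED = InterfacePolicy([DENY_MGMT, ALLOW_ADMIN_HOST])  # allow still below the deny
LAN2_REORDERED = InterfacePolicy([ALLOW_ADMIN_HOST, DENY_MGMT])   # after dragging the allow up
CAMERA_LAN = InterfacePolicy(default="deny")                 # nothing inbound; NAS connects out to cameras

if __name__ == "__main__":
    for name, pol in [("LAN2 as created", LAN2_AS_CREATED), ("LAN2 reordered", LAN2_REORDERED)]:
        print(name, "admin host -> DSM 5001:", pol.decide("10.13.37.10", 5001))
```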
Info
Channel: Lawrence Systems
Views: 50,841
Keywords: LawrenceSystems, synology nas firewall, lawrencesystems, synology firewall, synology security, how to secure a synology nas, secure synology nas, synology nas, synology nas security, network attached storage, how to, secure your synology nas, synology nas firewall setup, synology nas firewall settings, synology nas firewall rules, synology nas security firewall, firewall synology, synology nas firwall, synology nas security settings
Id: A1I1k9Nct-A
Length: 12min 12sec (732 seconds)
Published: Fri Dec 31 2021