How safe is cloud connection really?


#1

Due to the recent vulnerabilities that were found in the WD My Cloud collection, I have disabled cloud connection. Therefore, my NAS is behind my router’s firewall and only accessible in the local network. The firmware is up to date (albeit I was forced to install it manually, sadly).

However, sometimes I want to have a remote cloud connection. Can someone give me honest and fair advice on how safe it is to enable cloud connection? Some questions:

  • How is it possible that I can access a device behind the firewall?
  • Is the connection over TLS?
  • Can anyone outside access my NAS when I have enabled cloud connection, but disabled remote dashboard?

If it is not safe (due to the latest findings), please let me know. For me, security is over comfort. Lastly, is it safe to leave the NAS on in the local network or should I turn it off when I am not using it?


#2

First of all, nothing on a computer network is 100% safe; not your router, computer or NAS, etc.

That said, my WD NAS is safe enough for me, because it is not bare of any protection and I do not have any sensitive personal data on it. It is used as a server for my media files only, and the data on it are copies of the original files stored on my hard drives. In a sense, the data on the NAS is a backup of the original media files.

So, my NAS is never turned off and Cloud and Remote Access are always on so I have access to my data from anywhere at any time.
My home system has been this way for over 10 years, so it works for me.


#3

Hi Mike,

Thanks for your reply.

Yeah, in my opinion, that seems very unsafe. One can hack the MyCloud without a lot of effort (see latest vulnerabilities). As a consequence, one can enter the NAS and, therefore, the internal local network if it is not separated by VLANs. Unluckily, I am not able to use VLANs with ease since my ISP provided a router that does not support that.

I know that nothing is 100% safe, but I am trying to determine whether I can use remote access somehow and still be relatively safe. Could you elaborate on this perhaps?


#4

So go back to your original intentions. All I can add is I know my Asus router has been updated for a security flaw it had over five years ago and the flaw was fixed, and WD firmware has been patched quite a few times for issues. Plus my 10 years' experience makes me feel safe enough.
Good luck to you.


#5

One alternative suggestion if you’re not comfortable with the NAS security is to disable its remote access, but use a separate VPN server running at home to instead connect your device remotely to your network and then access the NAS as normal as if you were at home on your network.

Of course you’ve still got any potential issues from the security of the VPN, but if you want remote access at some point you have to open up ports or some other way into your network from outside to get it. And of course whilst that allows you access, it can provide a path for anyone else with the suitable skills to make use of it (depending on how securely you set it up plus any relevant vulnerabilities that could be exploited).

Personally I’ve got all cloud services disabled on my MCM (both for security purposes but mainly to give the rather feeble processor in the thing the best chance of efficiently serving up files rather than having to support all sorts of other services). In parallel I’ve got a Pi3 sat on my network running as an OpenVPN server, and if I want remote access I just connect via that and then go about things as normal as if I was at home and on the network there.


#6

Hi DarrenHill,

Thank you for your detailed advice. A personal VPN server seems very interesting. However, although I own a Pi, I am a little bit scared of configuring my own VPN server. I have to force myself to keep it up to date and, moreover, I believe it should be port forwarded from the router? I have read that the latter might open some security implications (the Pi is connected to the big outside world), although I must admit that I do not know that for sure.

Do you know if the default remote access is safe to use?


#7

For a Pi VPN server, OpenVPN isn’t too bad to set up. You can start at http://www.pivpn.io/ and see if that fits your bill as a dedicated device.

Yes, you do have to port forward to it, but only specific ports and if the Pi is set up correctly (and not doing something dumb like using the default username and password for the default user) then it’s as secure as anything else.

In the end if you want to access anything on your network from outside it, you need to forward some port or ports, either manually or via UPnP or similar protocols. UPnP is easier but can be a security nightmare (as you don’t know what might be being opened by request, especially if something does slip in onto your network via an infected email or USB key or similar). Doing it manually (and disabling UPnP on the router) of course limits opened ports to what you actually open, but consequently you need to do the opening and some software may not work properly if the ports it needs aren’t open.

It’s always a good practice to open as little as possible, and to be careful with login credential set-ups etc so that anything that is open needs good strength passwords or similar ways to gain access. As to the default remote access, I don’t use it. But that’s more due to the low power nature of the processor in my MCM NAS so I limit what I try and get it to do.