Security advice - DS Audio/File/Photo

Post by zukkster » Tue May 01, 2012 11:10 am

I managed to get DS File/Audio/Photo and WebDav set up and working, so I can now access my DiskStation remotely. I'm a home (self employed) user so I want to allow remote access for my laptop, Android phone and my wife's phone, and tablets the whole family use in the house. Can anyone give me advice please on how best to set up security? I'm new to the whole networking and port forwarding, so the original setup I got working after a lot of internet reading, and I just want to be sure I haven't opened up any gaping holes in my network.

The specific questions I have are:

DS Audio and DS Photo - I don't seem to be able to get these working on HTTPS (although DS File worked), and I've seen lots of posts that have the same issue. Is HTTP acceptable for Photo and Audio?

Logon accounts - to get things working I've been logging on remotely through the admin account. I'm thinking I should probably set all of the mobile devices to use the guest account and only grant read permissions, that way there's no nasty file deletion problems from either my big fingers on a little screen, or the kids not knowing what they are doing, and it doesn't mean lots of … they aren't very old. Does that sound a sensible approach? I'm not exactly thrilled that the Android apps remember your password - surely they should default to prompting for it every time. It's a bit scary that should I lose my phone, then unless I've got a password set up for access to the phone then anyone could use the DS apps without needing to know any passwords - this feels like an astoundingly bad feature for the software.

Ports - The options for inbound traffic were Specific, Range or Any IP address. I set mine to any because I can't really control the IP range of the mobile phones I want to be able to connect, although I don't feel entirely comfortable with that. I set up IP blocking which means someone can't just hack until they are successful. Is this the correct setup, or have I missed something?

Many thanks for any help offered. I've done most of the hard work getting things set up, it's just I'm a complete newbie to port forwarding and the like, so I'd appreciate advice on whether I've created a security nightmare.

Re: Security advice - DS Audio/File/Photo

Post by Jeff Lee » Wed May 02, 2012 9:42 am

Try port forwarding 443 to your DS and then give it a try. Also open HTTPS in DSM.

Re: Security advice - DS Audio/File/Photo

Post by labashosky2010 » Sat May 05, 2012 2:21 pm

HTTPS is important because you don't want to send your username/password in plain text.

HOWEVER I can't find where to enable HTTPS on photo station.

Re: Security advice - DS Audio/File/Photo

Post by labashosky2010 » Sat May 05, 2012 2:51 pm

I think I found where to enable HTTPS for Photo Station:

DSM -> Control Panel -> Web Services -> HTTP Service -> Enable HTTPS connection for web services

Re: Security advice - DS Audio/File/Photo

Post by Tom620 » Sat Sep 01, 2012 8:36 pm

It is far better to access your DiskStation through a VPN connection. DSM supports a VPN server, OpenVPN (recommended) and PPTP (for mobile devices like iOS).

Re: Security advice - DS Audio/File/Photo

Post by RajanPB » Wed Jan 30, 2013 8:57 pm

The Synology PPTP VPN setup is not better than https by any stretch of the imagination (OpenVPN is another story).

The only choices for PPTP VPN authentication are PAP (which sends out passwords and user IDs unencrypted) or MS-CHAP v2 with MPPE encryption. The latter is so easily cracked even its creator (Microsoft) said that anything sent by that method should be considered unencrypted.

Sadly, there is no secure VPN option for iOS users. I wish Synology would get off their butts and fix that. It's been more than a year now!

Re: Security advice - DS Audio/File/Photo

Post by MrDC » Tue Feb 12, 2013 9:27 pm

RajanPB wrote: The Synology PPTP VPN setup is not better than https by any stretch of the imagination (OpenVPN is another story).

The only choices for PPTP VPN authentication are PAP (which sends out passwords and user IDs unencrypted) or MS-CHAP v2 with MPPE encryption. The latter is so easily cracked even its creator (Microsoft) said that anything sent by that method should be considered unencrypted.

Sadly, there is no secure VPN option for iOS users. I wish Synology would get off their butts and fix that. It's been more than a year now!

So, what can we do to make VPN secure?

Re: Security advice - DS Audio/File/Photo

Post by RajanPB » Wed Feb 20, 2013 4:41 am

MrDC wrote:
RajanPB wrote: The Synology PPTP VPN setup is not better than https by any stretch of the imagination (OpenVPN is another story).

The only choices for PPTP VPN authentication are PAP (which sends out passwords and user IDs unencrypted) or MS-CHAP v2 with MPPE encryption. The latter is so easily cracked even its creator (Microsoft) said that anything sent by that method should be considered unencrypted.

Sadly, there is no secure VPN option for iOS users. I wish Synology would get off their butts and fix that. It's been more than a year now!

So, what can we do to make VPN secure?


Unfortunately, I have not found any way to address this with Synology equipment. You can't fix PPTP; it is fundamentally flawed. OpenVPN is supposed to be very good, but it's not available for iOS so I haven't really bothered learning about it.

I don't think Synology cares about user security. I recently reported a serious security flaw to them about their iOS apps. Basically, their apps do not verify any of the security certificate information when using https. The app should be checking the certificate it receives (from the DS) against its trusted certificate store, and it should be confirming that the web address on the certificate matches the web address you navigated to. This is critical to implementing SSL/TLS and preventing man in the middle or phishing attacks. However, the app just assumes that if there is any certificate at all everything must be ok! The Synology rep has spent the last 2 weeks trying to tell me that this is an "ease of use feature" and that warning users when these issues are observed by the app (like every web browser on earth does) would just confuse users, despite the fact that their own tutorial on https says how critical these warnings are to ensuring user security! (See items 1 and 4 here: http://www.synology.com/support/tutoria ... p?q_id=464)

I have totally given up on them. I'm actually planning to contact Cnet, PCmag, and a couple of tech blogs about this. It's one thing to say oh that's a flaw we'll fix it. It's another thing entirely to lie to users and claim everything is ok when your own tutorials say it is not... I purchased a Cisco router, set up my own certificate authority, and set up a Cisco IPSec VPN to access my home network (including my DiskStation) securely. On a side note, IPSec is the only way to create an "always on" VPN for maximum security when using an iOS device (but Apple doesn't make it easy to set up!).

The short answer is, if you care about network security, Synology is the wrong brand for you!

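The two checks described in the post above (validating the certificate chain against a trust store, and matching the certificate name to the host that was requested), as an added Python example that is not part of the original thread and not Synology's code. The function names and the wording of the findings are illustrative assumptions.

```python
import socket
import ssl


def strict_context(cafile=None):
    """Client context that performs both checks: chain and host name."""
    # create_default_context() sets verify_mode=CERT_REQUIRED and
    # check_hostname=True, and loads the system trust store (or only
    # cafile, e.g. the CA that signed the DiskStation's certificate).
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def accept_anything_context():
    """The reported behaviour: any certificate at all is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """List which of the two checks a client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain is not validated against a trust store")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched to the host")
    return findings


def probe(host, port, ctx, timeout=5.0):
    """Handshake with ctx; return (accepted, TLS version or error text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)
```

Calling `probe()` with `strict_context()` against a DiskStation whose certificate is self-signed or issued for a different name returns `False` with the verification error, which is the condition the post says the app should surface as a warning.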
Re: Security advice - DS Audio/File/Photo

Post by syno_strh » Wed Feb 20, 2013 7:19 am

OpenVPN client for iPhone. Works once configured.

https://itunes.apple.com/us/app/openvpn ... 79981?mt=8

Cheers
Simon

Re: Security advice - DS Audio/File/Photo

Post by RajanPB » Wed Feb 20, 2013 5:05 pm

syno_strh wrote: OpenVPN client for iPhone. Works once configured.

https://itunes.apple.com/us/app/openvpn ... 79981?mt=8

Cheers
Simon


Thanks Simon! That will help a lot! Looks like they released version 1.0 in January this year.
I'm still disappointed with Synology security, but at least now their product can be easily wrapped up in a secure VPN solution.

I also got another email from the Synology team last night. They said "I think there was some confusion because we already know that the warning is not there, however we will consider a option to have the warning appear." We'll see how long that takes. Synology never fixed their VPN issues, they just waited for OpenVPN to get an iPhone app...

To address the original post from zukkster: based on what I've seen from Synology I would only open the network ports required to use OpenVPN. Don't open port 80 or port 443 (you might as well put a giant target on your back). I would not trust Synology's login page and software for protection (it does not appear to be a company priority). To access your DS use OpenVPN to access your home network, and then use the local IP address of the DS (need router to assign a static one) for the various apps (photo, audio, etc.).