webdav security and Netdrive

Hi, I got WebDAV set up on a Synology DiskStation and use it in conjunction with NetDrive. Seems to work pretty well. Though, I don't know how secure WebDAV is. I was also considering using NetDrive for large files like AutoCAD and Photoshop. Though, I'm concerned with how it caches data and syncs with the file server. Does anyone use NetDrive for these purposes and can provide feedback? Also, any thoughts on security for setting up something similar with my Windows Server clients? VPN is such a pain to use and I like this alternative, but I'm very concerned about security.

btan (Exec Consultant) commented:
In fact WebDAV is not secure to start off, as most hardening is to disable this provisioning. The key threat is unauthorised access (besides legit users) and abuse of the usage (planting unknown files or codes). Strict ACL, directory browsing and a list of authorised users, and authentication for access, are required to better secure such file access services exposed to the WWW. This should be a good start regardless of WebDAV or Netdrive: https://www.synology.com/en-global/knowledgebase/tutorials/455

But for a start, WebDAV minimally needs HTTPS, which is to say that to access your Synology NAS using WebDAV over HTTPS, a valid SSL certificate must be exported from the Synology NAS first. The certificate must then be imported to your client device: https://www.synology.com/en-global/knowledgebase/tutorials/610

But do know that there are also past 2014 cases where all Synology DiskStations were under attack by ransomware known as SynoLocker. It encrypts the files, disables some services and shows a message that states your files are encrypted. It impacts the file sharing and can further escalate into mass infection if not detected and stopped early. So even with Netdrive via a local NFS mapped drive, it can still be vulnerable, as the below considerations are still applicable to measure up to the minimal security baseline of required hardening for file sharing as a whole.

Measures for consideration
- Maintain latest s/w patch release and timely hotfixes rollout including software (firmware) of your Modem/Router, web service and DiskStation.
- Use your administrator account to administer and a user account to use your DiskStation.
- Strengthen authentication with strong passphrase - can see my EE sharing
- Restrict connectivity
e.g. Open only the ports on your Modem/Router that are required by the services you are going to provide. If you stop the service, close the ports immediately.
e.g. Open a port that is not an internet default port (being used by users of unknown origin); you have to use other ports on the internet than the default for the specific service. Use NAPT to translate the port internally.
e.g. Enable the firewall on your DiskStation and configure it to only allow traffic that you want to have. Decline all other.
e.g. Only allow encrypted connections to your DiskStation to eliminate eavesdropping. Your DiskStation already has a certificate installed to be able to encrypt traffic.
e.g. For gaining remote access to delicate services you should use VPN instead of directly opening ports to the services from the internet.

overall summary - https://www.synology.com/en-global/knowledgebase/tutorials/615
snoopaloop (Author) commented:
Awesome response!  Have you used the Synology VPN services?  Is there a significant decline in data throughput when securing with a VPN connection?

I like Cloudsync but shared folders created on the Synology are not synced by Cloudsync for remote connectivity.  So maybe mix of WebDAV, Cloudsync, and securing WebDAV with a VPN connection is ideal.   Oh, and a solid cloud backup for when data gets compromised or destroyed.

Do you recommend any backup that works well Diskstation to Diskstation?  I currently use iDrive for backing up.
btan (Exec Consultant) commented:
VPN connection is a must, strictly speaking, if you are accessing remotely, and in most cases you (or the end user) do, which is why the file sharing exists for access anywhere as an internal resource. In short, local has no VPN while remote requires VPN. I say this because VPN (as you know) is definitely "slowing" the transaction, esp. talking about remote. Why? The tunnel, though secure, is "smaller", and more fragmented packets are created to squeeze in the same payload of information (VPN adds an auth header, encapsulated body content etc., leaving smaller space for data).

To make VPN work, the key is to make sure the crypto used at both ends is the same as they negotiate to establish that secure tunnel point to point. The FW needs to open and allow the below, as compared to WebDAV:
VPN Server (OpenVPN) 1194 UDP
VPN Server (PPTP) 1723 TCP
VPN Server (L2TP/IPSec) 500, 1701, 4500  UDP

But not to say WebDAV is easier; it just uses fewer ports. Even though it is an extension of HTTP, and most firewalls won't block it, it is not using a standard port like 80/443; instead you need to allow TCP 5005, 5006 (HTTPS).

Regardless, you can do with VPN w/o WebDAV actually. E.g. To open a remote document, simply do it as you would to map a network drive by typing in a UNC path like “\\\My secure documents”. While you can get instant and transparent access to remote files, just like you would to a local file on your computer, you may want to make sure there’s enough Internet bandwidth to ensure a smooth operation. It is "minimal" changes as you get used to it with VPN access (at least for me).

There is a little catch using VPN though in mounting drive over VPN but I do not see it as caused by VPN
The speed is limited by the way the folder is mounted. The default mount options cannot give you a satisfactory performance. So, we provide the commands as workaround. You can create a scheduled task and run the commands after the VPN connection is active.

Overall, more bandwidth from remote is always better, but not comparable to transmitting in a local area network. Basically, no matter if you are using VPN or WebDAV, we just have to make sure the Internet connection is stable and provides high-capacity bandwidth. The choice is between:
e.g. WebDAV - simpler, light-weight and firewall-friendly way to access files over the Internet. More for the home user, as it is hassle free and transparent since it is still web-browser based.
e.g. VPN - advantage of access to various intranet network resources due to its protocol transparency and better security features. Most SMBs or enterprises set up a dedicated VPN server to access remote office resources, also as mobility gets into the running.

How to connect to Synology's VPN Server using a Windows PC or Mac

What network ports are used by Synology services?

I do not use Cloudsync as much and I see it more like "dessert" - good to have, where your main course is still choosing WebDAV or VPN or a hybrid. Cloudsync serves (to me) as backup only, if I use it. I can still do the manual sync if needed, and moving forward it will benefit esp. if I start to have and need to make great changes every day, every moment, like a file server hosting too many user accesses. This is not an easier setup with adding in Cloudsync, though some say it runs without specific port requirements. But that is different if you set up outside access to the NAS over a VPN secured connection. This needs specific open ports and the hassle of getting the FW to have that VPN port open and again the Cloudsync ports... (need to find out more to punch holes through your FW).

How many Shared Folder Sync tasks does Synology Product support?

Just some thoughts, though not in depth on Cloudsync - pardon me.

Backup wise, Synology has its own that rotates its backups and conserves space with Smart Recycle (e.g. deletes older versions when the maximum limit is reached, but keeps an intelligent mix of backups from the past day, month, and earlier, potentially reducing storage consumption while maintaining greater flexibility for point-in-time recovery). Also data on your Synology NAS can be directly backed up to public cloud services, such as Amazon S3, Amazon Glacier, Microsoft Azure, SFR, and hicloud. You may want to consider Glacier Backup as it does file-based deduplication, checks for and removes redundant files before uploading a backup task, saving you money and reducing clutter. Its "Explore" feature allows you to look inside each archive, fetch single files, or delete unneeded files without having to restore the entire archive.
Amazon Glacier
•Back up data to Amazon Glacier (China Region and all global regions except GovCloud US)
•Restore backup task at the file-level
•Perform file-level incremental backup
•Schedule backup tasks
•Supports file-based deduplication within the same backup task
•When deleting data which has been uploaded within the past 90 days, a task will be scheduled to automatically carry out deletion 90 days after the file uploading time. This reduces the total cost charged for deleting data that is less than 90 days old.

But do catch this - Why can't I perform network backup from an rsync compatible server to my Synology product? https://www.synology.com/en-us/knowledgebase/faq/372

snoopaloop (Author) commented:
Welp, my client got hacked yesterday in what I can only assume to be a webdav service exploit. The hackers reconfigured the U-verse router/modem and placed the DiskStation in the DMZ. I reset the router to factory defaults, but the private network was altered again to a different network address scheme as soon as I plugged the Synology back in. Right now, the Synology and workstations that need access to it are off the internet grid so they can perform their work while I figure out how to resolve this issue. I created a log that took a couple minutes to produce and sent it over to Synology support. Normally, the log takes just a couple seconds to produce. Anyway, I have since taken any other lingering webdav IT clients and removed their WebDAV services.

Synology Tickets request...

"The Synology was hacked and today was placed out on the DMZ for half the day. Please review the logs. It hasn't been the same since. I've changed the router private IP from the 192.168.1.x network to 172.16.x.x network. The synology repeatedly obtains IPs like 192.168.117.x or 172.16.117.x or something like that. It took a couple minutes to generate the logs. That usually isn't the case. Please review the attachment. Thanks!"
btan (Exec Consultant) commented:
WebDAV is not secure as shared, or in short file hosting, unless you are fronted with web app FW, DDoS protection etc. measures... Regardless, check also the patch level for the Synology DiskStation, and better to clean it up now as the exploit is most likely already uploaded into the storage. I suggest focusing on recovery and damage containment now...

- Change all passwords, any public facing server and router inclusive.
- Check any default account (that should have been disabled or not using the default password) for login access brute force attempts.
- Tracing the source IP of the hacker likely leads nowhere since it is a private IP (instead of the usual public IP that would have gone through an anonymiser that leads you nowhere); instead
- Check for VPN user connections during this hack; it can be an infected machine (which the client is not aware of) conducting lateral spreading that found this WebDAV open to it.
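The checks btan lists here (default-account brute force, and earlier in the thread: encrypted-only access on the HTTPS port 5006 rather than plain 5005) can be run over the WebDAV access log. This is an added example, not code from the thread or from Synology; the log lines are constructed, and the assumed layout is Apache "combined" style with the listening port appended as a trailing field, so adapt the regex to what the NAS actually writes.

```python
import re
from collections import Counter

# Constructed sample lines (not a real capture) in Apache "combined" style with the
# listening port appended as a trailing field. The layout is an assumption; adapt
# LINE_RE to whatever the NAS actually writes.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2016:02:14:01 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 port=5006
203.0.113.7 - admin [12/May/2016:02:14:02 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 port=5006
203.0.113.7 - admin [12/May/2016:02:14:03 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 port=5006
203.0.113.7 - admin [12/May/2016:02:14:04 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 port=5006
203.0.113.7 - admin [12/May/2016:02:14:05 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 port=5006
203.0.113.7 - admin [12/May/2016:02:14:06 +0000] "PUT /webdav/x.bin HTTP/1.1" 201 0 port=5006
192.168.1.20 - alice [12/May/2016:08:03:11 +0000] "GET /webdav/plans.dwg HTTP/1.1" 200 1048576 port=5005
192.168.1.21 - bob [12/May/2016:08:05:40 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 2210 port=5006
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ port=(?P<port>\d+)$')
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "DELETE"}

def parse(log):
    """Return one dict per parseable line; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def audit(records, threshold=3, plain_port="5005", default_accounts=("admin", "guest")):
    """Return (kind, source_ip, detail) findings: plaintext WebDAV use, failed logins
    against default accounts, repeated auth failures per source, and a write after such a burst."""
    findings, failures, seen_default = [], Counter(), set()
    for r in records:
        if r["port"] == plain_port:
            findings.append(("plaintext", r["ip"], f'{r["method"]} {r["path"]} on port {plain_port}'))
        if r["status"] == "401":
            failures[r["ip"]] += 1
            if r["user"] in default_accounts and (r["ip"], r["user"]) not in seen_default:
                seen_default.add((r["ip"], r["user"]))
                findings.append(("default_account", r["ip"], f'login failures for {r["user"]}'))
        elif r["method"] in WRITE_METHODS and failures[r["ip"]] >= threshold:
            findings.append(("write_after_bruteforce", r["ip"],
                             f'{r["method"]} {r["path"]} after {failures[r["ip"]]} failures'))
    for ip, n in failures.items():
        if n >= threshold:
            findings.append(("bruteforce", ip, f"{n} authentication failures"))
    return findings

if __name__ == "__main__":
    for kind, ip, detail in audit(parse(SAMPLE_LOG)):
        print(f"{kind:24} {ip:16} {detail}")
```

A write that lands right after a burst of 401s from the same source is the case worth paging on, since it matches the "planting unknown files" abuse described earlier in the thread.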
snoopaloop (Author) commented:
As it turned out, the slowness of the Synology was due to some rogue Ethernet cable that was randomly connected during this network debacle. It just so happened to be coming from the suite next door and handing out IPs. This doesn't explain how the Synology was placed in the DMZ. The other office suite would have no clue on how to do that.

Synology support did not see anything obvious in the logs of it being compromised. I went ahead and did a double button reset to wipe the OS anyway. Anyway, it may have been some other form of entry like a workstation. With that said, I don't feel confident re-enabling WebDAV services. I'm hoping a SonicWall with intrusion section services plus VPN will help with securing the network and prevent this type of mishap in the future.
btan (Exec Consultant) commented:
Thanks for sharing. Suggest checking the client workstation(s) and their common mapped drives (for the internal n/w) as well, since that "naughty" malware may also have infested the workstation and moved on to other file server machines, if they existed in your network at that point in time. Just to make sure that it is really contained, to best effort.

Anyway, the principle is back to protecting data at rest, in use and in transit, but be aware that a security box like SonicWall should be able to decrypt SSL to still sanitise and filter, so that the malware cannot just hide and bypass because the channel is encrypted. You still have machine endpoint AV, but I will not solely depend on that. All back to a security regime of regular checks on n/w and endpoints for health posture as always (keep to the latest patch too).
