sbe171 (Member, join:2014-11-30)
NAS security

I have USG 100 managing a network with a few workstations and a couple of NAS's.
They are all on LAN1.
I've turned off all the services in the NAS's that allow them to be accessed remotely, but they are accessing each other.
The firewall rules don't allow accessing the NAS from WAN.
But if a workstation becomes infected it can access the NAS with any port.
If I put the NAS's on LAN2, then I can control which ports they can be accessed by.
NAS security is paramount to me.

My question is whether I gain any additional security by putting the NAS's on LAN2?
JPedroT (Premium Member, join:2005-02-18)
But if an infected machine had access to the NAS before it became infected, then it can still access the NAS after it has been infected? How does limiting ports help you? Would not an infected machine try to use the same ports?
sbe171 (Member, join:2014-11-30)
Maybe the NAS is vulnerable and can be attacked in ports I don't know about?
If both are on the same LAN, then the PC can try to access the NAS on any port.
If I put the NAS on LAN2, then I can limit the ports.
I can limit the admin port of the NAS to be used only from one ws.
I can even turn off the admin port for when I'm not using it - a little inconvenient but pretty secure.

I am asking if anyone thinks there is any additional gain to such an exercise?
JPedroT (Premium Member, join:2005-02-18)
But the NAS can be vulnerable on the ports that you allow also.
And what ports do you have available on the NAS that is not used?
Why not just close those?

But, yes, limiting the ports accessible to a workstation reduces the attack vectors. But how much do you want to reduce it to? You can also just connect an HDD to your workstation with USB, then only your workstation will have access.
sbe171 (Member, join:2014-11-30)
I am 100% committed to NAS for reasons of safety (not security).
However, recent mass ransomware events really freaked me out.
I believe I've done very much to protect my machines from criminals.

I'm just thinking now about my LAN2, why it's not doing anything and how it can be doing something useful.

It seems to me data access performance can be significantly worse if workstations need to go through two switches and a router to get to their data.

Anav (Premium Member, join:2001-07-16)
Good questions........
Can you effectively access the NAS on LAN from LAN1 from specific PCs that only have one way access.

In other words LAN1 to LAN2 (for group of users) to access NAS shares on specific ports only.
LAN2 to LAN1 would be blocked by default.

For yourself as admin you may want to have full LAN1 to LAN2 access and vice versa so that you can read and upload etc.........

Is there anything one can do with VLANs such that LAN1 and LAN2 are separated by VLANs but both can access the NAS..............

Brano to sbe171 (MVM, join:2002-06-25)
Your NAS is most likely running a Linux-based OS with some HTTPS / SSH management port. That you can easily restrict, and that is not your problem.

Your problem is the shares that you share out. Those need to be writable only for clients that need write access, and all shares should be regularly scanned for viruses. A typical NAS has AV capability built in.

As for restricting access from a certain subnet or VLAN, that really is simple to answer ...if you have a user on that subnet or VLAN you need to open access from that subnet or VLAN for one or multiple users ... thus coming back to the previous point about share security and who has access to do what.
sbe171 to Anav (Member, join:2014-11-30)
> Is there anything one can do with VLANs such that LAN1 and LAN2 are separated by VLANs but both can access the NAS

Could you explain that one?
JPedroT to Anav (Premium Member, join:2005-02-18)
VLANs won't do anything different than putting it on LAN2.
sbe171 (Member, join:2014-11-30)
I will explain my thinking again:

Workstations and NAS on same LAN - workstations can access LAN on ALL ports, firewall doesn't block.

Workstations on one LAN and NAS on other LAN - only the ports for data share are open. They are open to all users on all stations. Admin port (not regular https - I changed it) can be opened only from my workstation.

All workstations have dynamic IPs now.
I could give them static IPs and allow each one to access only what it needs.
But a workstation with static IP might have DNS problems?
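As an added illustration (not code from the thread, and not the USG's own configuration): a small first-match policy evaluator that models the two layouts described above and shows which new connections each one lets through. The addresses, the SMB port 445 and the custom admin port 8443 are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for this illustration (assumed, not from the thread)
LAN1 = "192.168.1.0/24"      # workstations
LAN2 = "192.168.2.0/24"      # NAS-only segment
NAS = "192.168.2.10"
ADMIN_WS = "192.168.1.50"    # the one workstation allowed to reach the admin port
SMB_PORT = 445               # data-share port
ADMIN_PORT = 8443            # "not regular https - I changed it": assumed value

@dataclass
class Rule:
    src: str                 # source network, CIDR
    dst: str                 # destination network, CIDR
    port: "int | None"       # None matches any destination port
    action: str              # "allow" or "deny"

def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation of a NEW connection; default deny. A stateful
    firewall still passes replies of allowed flows, so a LAN2->LAN1 block
    does not break SMB responses coming back from the NAS."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

# Design A: NAS on LAN1 beside the workstations. LAN-side traffic never
# crosses the router firewall, so the switch forwards every port: allow-all.
# (WAN->NAS is denied at the router in both designs and is not modelled.)
SAME_LAN = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]
# Design B: NAS on LAN2 with the router firewall between the segments.
SEGMENTED = [
    Rule(LAN1, NAS + "/32", SMB_PORT, "allow"),               # shares: all workstations
    Rule(ADMIN_WS + "/32", NAS + "/32", ADMIN_PORT, "allow"),  # admin: one host only
    Rule(LAN2, LAN1, None, "deny"),                           # NAS cannot initiate to LAN1
]   # every other port falls through to the default deny

def compare(flows):
    """Map each flow label to (same-LAN verdict, segmented verdict)."""
    return {k: (evaluate(SAME_LAN, s, d, p), evaluate(SEGMENTED, s, d, p))
            for k, (s, d, p) in flows.items()}

FLOWS = {  # constructed sample flows
    "ws reads share":        ("192.168.1.20", NAS, SMB_PORT),
    "ws probes ssh on NAS":  ("192.168.1.20", NAS, 22),   # what an infected ws could try
    "admin ws hits admin":   (ADMIN_WS, NAS, ADMIN_PORT),
    "other ws hits admin":   ("192.168.1.20", NAS, ADMIN_PORT),
    "NAS reaches into LAN1": (NAS, "192.168.1.20", SMB_PORT),
}
```

Note that the share port itself stays open to every workstation in both designs, which is the point JPedroT and Kirby Smith make: segmentation trims the unused ports, not the one the ransomware would actually use.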
JPedroT to sbe171 (Premium Member, join:2005-02-18)
There really is no way to 100% secure anything.

You can limit ports etc but you still want to access it. Ransomware does not use hidden features, they use bugs/weaknesses in ports/processes and so forth that you have to have running to actually use your device.

If you close all ports that are not in use on your NAS and have authentication with strong passwords or two-step authentication etc., that is as safe as you will get, and you are at the mercy of the vendor that creates your device in regards to exploits on services that you are running.
sbe171 (Member, join:2014-11-30)
It was my understanding that ransomware commonly gains access by port scanning and using remote access - those are two doors that I have closed already. I will admit that I don't know very much about this type of hacking. I don't really know if doing what I am proposing and blocking those ports will make any real difference. I understand in your opinion it wouldn't.
sbe171 (Member)

I just tried putting the NAS on LAN2 with firewall free, and I was not able to access it.
Does it require a routing policy?
Kirby Smith to sbe171 (Member, join:2001-01-26)
Blocking external access at the router would be expected to help, but it makes no difference whether the block is to a NAS on LAN1, LAN2, or a VLAN. My NAS block is WAN to LAN1 dest NAS deny.

What a VLAN or second LAN can achieve is a router firewall separation among your LANs such that you can limit which computers have access. (This partially depends on VLAN setup in your smart switch.) But if those computers become infected, then potentially the infection can try to penetrate the NAS.

I'm not sure a "one-way" router firewall LANx to LANy limitation is helpful here, and may interfere with normal operation of SMB or NFS, depending on which you use.

kirby

Edit: SNB to SMB

stefaanE to sbe171 (Premium Member, join:2002-07-10)
Assuming a Windows environment, if your NAS is on a different subnet, you will need to point the Windows PCs to the NAS(es) through a WINS server (with DHCP or manually). You can always use the IP address of the NAS directly, but it ain't as pretty.

Also, don't forget that a USG 100 maxes out at about 10MB/s when routing, so the apparent performance of your NASes will be severely limited (that 10MB/s will be shared between all the PCs).

janderso1 to sbe171 (MVM, join:2000-04-15)
Most secure is to make all shared folders read only. On PCs I set up one folder that is read/write and everything else is read only or not shared. If PCs must have access to a folder, having it (and the server) on another subnet doesn't provide additional security.