2

Some of you may have seen/heard of Western Digital's MyCloud NAS solution for home networks. This comes with a proprietary app suite for mobile devices and workstations alike. This allows the consumer a "dropbox"-like experience with a storage medium they themselves privately own and operate.

I've been toying with this idea, simply to get around the storage limitations hosted solutions impose, at which point you'd start paying subscription fees. Not to mention the ability to take responsibility for my own security and take it out of the hands of a third party.

But given that this device is intended to be accessed from the Internet, would it make sense to design and implement a DMZ-based home network for additional protection?

How would you securely store/access your data in this way?

Of course, assume the drive is encrypted, or at least, storing Truecrypt-protected volumes.

Thanks.

4ensicLog
  • All very good answers, and of course some great insight. By the way, I hope to stick around this community for a while. Thanks for your input! – 4ensicLog Jan 15 '14 at 19:55

2 Answers

1

While this makes some sense, I wouldn't do it myself.

I presume you already have an internal home network with your laptops, desktops, tablets, internal NAS, etc. The normal way to set up a DMZ is that it's a separate network, with firewall rules that allow specific ports. So, if the MyCloud NAS uses port 443, you'd probably allow port 443 from the internet to the NAS, and also port 443 from the internal network to the NAS.

The benefit of this is that if the NAS is hacked then the hacker doesn't get access to your internal network. It doesn't help protect data on your NAS: if the NAS is hacked then the attacker will be able to get all the data; using a DMZ does not help you.

Three questions to ask yourself to help make a decision:

Is protecting your internal network an important benefit? On my home network I don't greatly mind untrusted devices being on the network. The laptops have a personal firewall - it's needed when I connect the laptops to untrusted hotspots. And the NAS and router are password protected. So, simply being on my internal network does not gain a hacker much. I prefer things this way, as visitors often ask for the WiFi password.

How likely is the NAS to be hacked? Many of these kinds of devices have had vulnerabilities, but if you apply security updates as they are released, and use strong passwords, then your risk is limited. If you have Windows laptops that you connect to the Internet, they are at higher risk.

How much will it cost to implement a DMZ? Most home routers do not have DMZ capability. If yours does and the port is currently unused, then it's cheap for you to implement the DMZ. But if you need to buy a new router, maybe it's not worth it.

paj28
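The DMZ rule set described in the answer above, written as an nftables configuration for a Linux-based router. This is an added example, not part of paj28's answer; the interface names, the NAS address and the choice to let the NAS make outbound connections are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example. Interface names and addresses below are assumptions.
# Only forwarded traffic is covered; rules protecting the router itself
# (an input chain) are out of scope here.
flush ruleset

define WAN_IF = "wan0"          # assumed: uplink to the ISP
define LAN_IF = "lan0"          # assumed: internal home network
define DMZ_IF = "dmz0"          # assumed: separate segment holding only the NAS
define NAS_IP = 192.168.50.10   # constructed address for the NAS

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were permitted by a rule below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> NAS: port 443 only (delivered by the DNAT rule below).
        iifname $WAN_IF oifname $DMZ_IF ip daddr $NAS_IP tcp dport 443 ct state new accept

        # Internal network -> NAS: port 443 only.
        iifname $LAN_IF oifname $DMZ_IF ip daddr $NAS_IP tcp dport 443 ct state new accept

        # Internal network -> internet.
        iifname $LAN_IF oifname $WAN_IF accept

        # NAS -> internet (assumed: firmware updates, vendor relay service).
        iifname $DMZ_IF oifname $WAN_IF accept

        # NAS -> internal network: never allowed to open a connection.
        # Logged so that a compromised NAS probing the LAN is visible.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan " drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Forward inbound HTTPS on the public address to the NAS.
        iifname $WAN_IF tcp dport 443 dnat to $NAS_IP
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF masquerade
    }
}
```

The `dmz-to-lan` drop rule is what delivers the benefit the answer names: the internal network can reach the NAS, but the NAS cannot start a connection back into it. As the answer also says, none of these rules protect the data held on the NAS itself.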
0

I would first check if a DMZ is even needed. If they designed it for home use, there is a good chance that they have implemented a call out system where the NAS establishes a connection with Western Digital that can then be used to cut back across the firewall (similar to how instant messaging applications allow people to contact you).

If you are worried about the NAS being used as a launch point for an attack if compromised, then it might not hurt to put it in an isolated network segment (but still behind your firewall if they do have a firewall traversal built in already). I would only put it in a DMZ if it is required to function, otherwise, I would keep it behind the firewall to limit the surface area available to attack the NAS itself.

AJ Henderson