I'm looking to build my first NAS, and I intend to connect to it over the internet.

Because I will have some work documents on it too, I want to make it as secure as possible.

I have no particular preference for the NAS OS (other than that it be free).

The NAS will have multiple users (2 + the master, which will only be allowed to log in locally) and each user will have certain MAC addresses associated with it (including *). Depending on the (user, MAC), the user will have certain permissions.

Furthermore, I would like to prevent cases where my MAC is spoofed and the data eavesdropped or modified. So I'm thinking of the following scheme. The NAS content is encrypted with a master key. When a certain (user, MAC) requests data from it, the data is decrypted and encrypted again with a key corresponding to the (user, MAC) table found on the NAS. The content is thus supposed to be sent encrypted over the internet and transparently decrypted on a device which 90% of the time will be a Win7 PC.

What combination of tools can achieve this combination (I could only think of TrueCrypt + fuse-encfs, but it does not achieve what I need)? As an extra question, what kind of security measures do you recommend or use for your network storage?

Regards,
CR

Crobb
  • No. Encrypting the data with transparent encryption, like TrueCrypt is typically used for, isn't going to protect your data against remote attackers. If they can get in, they can see the unencrypted data. What you probably want is certificate-based encryption to control access to the OS level, and once in, you mount an encrypted volume or file to access what you want and unmount the volume again. – HopelessN00b Mar 19 '13 at 18:49
  • @HopelessN00b define getting in... If they get the user's AES key he will only be able to eavesdrop on his traffic. In order to gain access to the system he would supposedly need the master password, and you're supposed to be able to use the master account only locally, as in using keyboard and monitor on the NAS box – Crobb Mar 19 '13 at 18:56
  • Yeah, none of that works the way you seem to think it does. You're out of your depth; either hire someone to do it right, or don't do it. – HopelessN00b Mar 19 '13 at 18:58

1 Answer

The "Standard" way of doing this, such as there is, involves:

  • An encrypted local file-system
  • A server, likely HTTPS-based, configured to use SSL with client-based certificates
  • A client with a client certificate

This encrypts the traffic between the server and the client device, and also prevents the MAC spoofing attack since the traffic only transfers between devices with the right keys. In this instance you get two layers of protection in the form of the client certificate AND an address-based access list.

This does leave the NAS as the location of the clear-text, and you have to decide if that's acceptable risk for you.

sysadmin1138
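
The two layers this answer describes (a required client certificate plus an address-based access list), sketched as an added example that is not part of the original answer. The table layout, the function names and the certificate bytes are hypothetical; each (user, device) pair is assumed to hold its own client certificate, which takes the place of the (user, MAC) table from the question.

```python
import hashlib
import ipaddress
import ssl

# Constructed sample data: stand-ins for the DER bytes of two client certificates.
# On a live connection they come from sslsock.getpeercert(binary_form=True).
LAPTOP_CERT_DER = b"constructed-der-bytes-user1-laptop"
PHONE_CERT_DER = b"constructed-der-bytes-user2-phone"


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


# Hypothetical access table: one row per (user, device) certificate.
# "0.0.0.0/0" plays the role of the "*" wildcard in the question.
ACCESS_TABLE = {
    fingerprint(LAPTOP_CERT_DER): {
        "user": "user1", "networks": ["203.0.113.0/24"], "actions": {"read", "write"}},
    fingerprint(PHONE_CERT_DER): {
        "user": "user2", "networks": ["0.0.0.0/0"], "actions": {"read"}},
}


def require_client_certs(ctx, client_ca_file=None):
    """Layer 1: the TLS handshake fails unless the client presents a
    certificate that chains to the CA the NAS trusts."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_ca_file:  # path to the CA that issued the device certificates
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


def authorize(peer_der, client_ip, action):
    """Layer 2: map the verified certificate to a user, then apply the
    address list and the per-device permissions. Returns the user or None."""
    if not peer_der:
        return None
    entry = ACCESS_TABLE.get(fingerprint(peer_der))
    if entry is None:
        return None  # valid chain, but not an enrolled device
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in ipaddress.ip_network(net) for net in entry["networks"]):
        return None  # right certificate, wrong source address
    return entry["user"] if action in entry["actions"] else None
```

Unlike a MAC address, the certificate's private key never crosses the wire, so an observer cannot copy it from traffic; the address list only narrows where a stolen key could be used from.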