
Hello fellas,

Due to tragic family reasons, I was 'promoted' as the IT guy for the family. Basically I'm an IT guy, a devops engineer with experience on supporting enterprise services for major companies.

 

Yes I do know how to build an enterprise infrastructure for the needs of my mother to have a mirrored raid NAS solution for our family history storage and also her work related stuff. So backup and also utilities to be able to be reached from anywhere. So security is key on exposing this over the net of course.

My problem is not my capabilities but my lack of knowledge on consumer level easy to use solutions. Like something I know I could build with a Synology solution, with openvpn and certificate protected security zones on the samba share, but no idea whether there are out of the box solutions out there to fulfill my needs.

My requirements on this:
easy to use:  my mom will need to be able to easily and always be able to use it from various devices both LAN and remote

cost: I don't want to cheap out on security and memories trust me, but although I'm working for a wealthy Western European country I do it from the Eastern part of the continent and you know, salaries... I'm thinking on 2*4TBs of storage in a 2 disk solution, yet again mirrored raid.
 

If configuration is not easy, no issues just maintenance should not occur because of solving issues regularly, only on security level regularly.

Sorry I know that all the information is available through the net I just want at least some traces on which way should I start myself on researching based on your experiences.

Many thanks for all the inputs in advance! :)

https://linustechtips.com/topic/1341264-secure-consumer-nas-solution-wanted/

11 minutes ago, kuzzikan said:

easy to use

 

11 minutes ago, kuzzikan said:

reached from anywhere

 

11 minutes ago, kuzzikan said:

So security is key

Pick two.

Ask the pipeline guys how well "access from anywhere" worked out for them.

Seriously, why does the NAS have to be accessible remotely? I have yet to see a use case for a home (single user) system that needs to have 24/7 access from anywhere.

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


3 minutes ago, Radium_Angel said:

Pick two.

Ask the pipeline guys how well "access from anywhere" worked out for them.

Seriously, why does the NAS have to be accessible remotely? I have yet to see a use case for a home (single user) system that needs to have 24/7 access from anywhere.

I second this. Convenience =/= Security. Anything with internet access will be compromised; it's just a matter of when.


My mom is a school teacher and she works from various devices. She has like 10 pendrives and 5 external HDDs she is currently carrying, syncing, sending her data to and from. She is obviously not like a public figure or storing the initiation codes for the nuke strikes towards Russia on it, so a targeted attack has very very if not likely zero chances. I want it to be as secure as it can.

Setting up a VPN with a personal cert and a user/pw combination then restricting accessing it locally only (pretty sure I can do that with OpenVPN), I think pretty well would fill in that. 

 

Or am I missing something?


1 minute ago, kuzzikan said:

so a targeted attack has very very if not likely zero chances.

They aren't targeted attacks these days, they are automated bots running around probing for known exploits, and reporting back to their owners.

2 minutes ago, kuzzikan said:

Setting up a VPN with a personal cert and a user/pw combination then restricting accessing it locally only (pretty sure I can do that with OpenVPN), I think pretty well would fill in that. 

This would work.

2 minutes ago, kuzzikan said:

She has like 10 pendrives and 5 external HDDs

This is a problem. You are introducing another device into the mix. She may simply now have 10 pendrives and 11 external HDDs. You need to instruct her on proper data organization before you throw in a VPN username/pw combo etc. (I have 300 users who are as disorganized...more tech is the last thing they need. Training first, tech later)

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 
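
The setup agreed on above (OpenVPN requiring both a personal certificate and a username/password, with the Samba share reachable only from the home LAN and the VPN), as an added configuration sketch that is not part of the original posts. The subnets 192.168.1.0/24 and 10.8.0.0/24, the file names, the PAM plugin path and the user/group names are assumptions and vary by network and distribution.

```conf
# ---- /etc/openvpn/server.conf (added example; paths and subnets are assumptions) ----
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0          # VPN client pool (assumed)

# Factor 1: per-device client certificate signed by your own CA.
ca   ca.crt
cert server.crt
key  server.key
dh   none                              # ECDH only (OpenVPN 2.4+)
verify-client-cert require             # the default; "none" would leave password-only login
remote-cert-tls client                 # reject certificates not issued for client use
crl-verify crl.pem                     # revoke a lost laptop or phone; file must stay readable after the privilege drop

# Factor 2: username/password checked through PAM (plugin path differs per distro).
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login

# Drop unauthenticated probes before the TLS handshake starts.
tls-crypt ta.key
tls-version-min 1.2

# Split tunnel: hand out only the route to the home LAN, not a default gateway.
push "route 192.168.1.0 255.255.255.0"

user nobody                            # Debian-style names (assumed)
group nogroup
persist-key
persist-tun

# ---- client .ovpn additions ----
# auth-user-pass            # prompt for the username/password
# remote-cert-tls server    # verify the server certificate's usage

# ---- /etc/samba/smb.conf ----
[global]
   # Only loopback, the home LAN and VPN clients may connect; everything else is refused.
   hosts allow = 127.0.0.1 192.168.1.0/24 10.8.0.0/24
   hosts deny  = 0.0.0.0/0
   server min protocol = SMB3
   map to guest = never
```

With this layout the only port forwarded on the router is UDP 1194; TCP 445 is never exposed to the internet.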


I know about the bots as we are quarterly auditing internally and annually with an external provider all of our services we work on. I know enterprise cyber security bots are not as up to date as hackers, but we do have exposed services to www, with approx 1.5mill requests per day, so if not a security expert, I'm kind of familiar.

VPN I think would work. 

I want to de-introduce her of the clutter that she uses, and introduce tech to be organized once and for all. Putting her tech into a domain (dunno if that is the windows equal, I'm a linux guy), and giving her a pendrive that hey if you stick it in you have access to all of your data. Organization would be the utility part of the solution I want to reach, having our family memories in safe with raid1 and only reachable from like her home LAN IP only, is the safeguarding for that data.


You know her better than we do, is she receptive to this solution? Will she put up with the VPN login issues or will she ignore it completely and just keep using what she "knows" just works?

 

That's only something you can answer.

As to your solution, it's sound, but getting her trained to use it, that's a different story.


You got a point there. It got me thinking that maybe I should just split the 2 entirely. I want to have a mirrored raid solution for our family memories so I could go with a Synology NAS with just ripping off the drives currently holding that data from her computer after migrating as a cold backup. 

Meanwhile for her replicating the work stuff, I think maybe a RasPI could do with a basic remote access to it on Samba level, while setting up a daily backup locally to her PC. So if something happens to work stuff, only a day of work is gone, while the family memories are kept completely isolated and also having a cold backup.

edit: of course I would use the raspi in this case as somewhat of a DMZ solution on the hierarchy level, to avoid any issues in case that gets bot hacked. That of course means that if someone is hacking it he can use all of the class materials for teaching English for Hungarians freely 😉
