Got my internet upgraded to public ip for NAS and NVR , how to make sure my network are secure ?

[TukangKopi]

Hi i'm kinda new for networking stuff and still very confused, got a plan to upgrade my home internet to the public one, which is faster, and i need outside connection to my NVR and NAS , do i need set up firewall or anything after the upgrade ? and how to make sure my internet secure ?

[Levent]

You HAVE to set up a firewall if you want to expose ports to internet. Considering your lack of experience is showing up in the OP, I would recommend hosting a VPN server instead of exposing everything to internet.

[Noah0302]

I would never recommend exposing your NAS.

I work in IT and the Amount of Endusers who did this and got their QNAP ransomwared is insane...

 

I myself expose some Services from my Homenetwork, but those are behind a Reverse Proxy, have 2FA set up and are in their own VLAN, so if something does happen, it will not be able to spread.

 

If you do not have experience with exposing anything to the public, please concider putting everything behind a VPN.

[PorCus]

Agreed with both previous comments :

- Don't expose your NAS or any devices on Internet if you don't have experience doing that,

- Use a firewall and a VPN,

I'd add :

- Before you open anything to the internet, check the documentation of the thing your opening, they most of the time have security consideration that you can look up,

- Be up to date on that device/software, and keep it up to date,

- Once you open access to something from the " outside world " (the internet), verify your logs, check what's happening there, some insight will be spotable,

- Don't forget to backup your data Firewall / VPN aren't perfect, Raid is not a backup, and the internet is full of evil.

 

(Ho and context for the knowledge : I work for an ISP, we have tools to scan our network, and discover a lot of interesting things frequently )

[TukangKopi]

Thx for the info, yep i'll stay within private ip package for sometimes haha , is it enough tho to use base mikrotik firewall ? if i upgraded to public ip but i didn't link any of my device to outside network ? but using a simple portforward ?

[PorCus]

On 5/13/2024 at 6:02 AM, TukangKopi said:

Thx for the info, yep i'll stay within private ip package for sometimes haha , is it enough tho to use base mikrotik firewall ? if i upgraded to public ip but i didn't link any of my device to outside network ? but using a simple portforward ?

I'm not so familiar with Mikrotik's firewall, however I know a friend use it on a decently big infra without any issues. If the option is available there, maybe filter based on location / country, also don't use the default ports for your services. (Security by obscurity isn't that good, but it's a start). 

 

However my advice would be :

- Always prefer a VPN, so the " only " open port on your router/firewall is the VPN.