Physical Security for my NAS

Jaybird180

After posting here awhile back, researching on my own and brooding over the decision, I decided to purchase a Synology NAS. I have my reservations and special circumstances under which I would recommend it to others, but I feel that it’s the lesser of all the other evils out there for what I needed. At the beginning of March, I purchased a (then new) DS-214Play, along with the 3-3TB drives (2 in a RAID-1 configuration (mirroring) with 1 cold spare) and a CyberPower UPS with its brilliant blue light that is irresistible to 1-1/2 year olds (more on that later).

I had already been thinking about theft, fire and other loss protections but reasoned that my biggest risk at that moment was the simple loss of my data on the devices where it was residing and I had to get it moved onto a RAID capable location as soon as possible. With that purchase decision made, once it arrived I began thinking, “Where am I going to put this thing?”

I decided to put it on the floor in my home-office in a corner (or so I thought) out of the way. I didn’t set it on the floor, I thought that I’d “test” install it on top of a milk crate, then after an initial testing period, I’d mount it inside the milk crate to discourage a child’s hands from getting touchy feely. However, I never completed the flipped over installation because my hands are too big to get all of the cables routed through and plugged back into the UPS and NAS. Of course, my wife thinks that milk crates are tacky and wants nothing to do with it and has hinted that I find another solution, and I will, eventually.

Fast forward to needing to upgrade my physical security. My 1-1/2 year old showed me how easily he can perform a DoS attack on dad by simply pressing that blue (power) button on the UPS, as it shuts down the whole operation (and causes an entry in the log…it doesn’t like it when you do that). So, I need to upgrade NAS physical security (really, the entire office physical security, as I also have a file cabinet of information that we need to keep that may need protections) and thought about purchasing a small lockable rack, something I can secure in a way that at least causes a burglar to instead go after other items that are in plain view and easier to steal and/or delays them in time for the police to arrive.

A safe would be nice, except the NAS needs air for cooling. I thought about putting it in a closet on the shelf secured with a Kensington Cable and calling it a day. Thoughts?
 
something like this....

KHL_1915-3-100-08.jpg
 
DOS attacks can also be made by little hands pulling out the plug from the outlet.

One (unattractive) solution is to always lock the office. You probably should do that anyway if you have sensitive information. Think about how you would secure the room if you left firearms unattended on a table in the room.
 
What you need to do is get the data off-site in case the building floods. Or a flaming SR22 parachutes through the roof... :D

Look at Amazon Glacier. Cheap off-site storage that can be automated, and I think the Synology has an app you can install that works well with it. Might cost a few dollars per month, but I think the peace of mind is well worth it.
 
Put it somewhere the kid can't get to it (up high) and use encryption so that you don't care if someone steals it. Putting a cheap lock on it is only going to ENCOURAGE someone to steal it.
 
What you need to do is get the data off-site in case the building floods. Or a flaming SR22 parachutes through the roof... :D

Look at Amazon Glacier. Cheap off-site storage that can be automated, and I think the Synology has an app you can install that works well with it. Might cost a few dollars per month, but I think the peace of mind is well worth it.

My Bro-in-law has a similar need that we plan to provide for each other.
 
Put it somewhere the kid can't get to it (up high) and use encryption so that you don't care if someone steals it. Putting a cheap lock on it is only going to ENCOURAGE someone to steal it.

Encourage? I'm interested in your rationale given the scenario.
 
Encourage? I'm interested in your rationale given the scenario.

A Kensington style lock wouldn't secure anything and one could simply grab onto the NAS and forcefully break it by hand without issue. Seeing the lock on it would indicate to people that it contains data that is sensitive or has value.

If you're a thief and you break into a room and you see something poorly locked but obviously someone went through the extra intent of locking that one thing you're going to target that, especially if it's not actually increasing security whatsoever. Better off with things hidden than that.

Sensitive data is protected by strong encryption, not locks.
 
As my 21 month old is increasingly able to defeat physical security, more and more stuff gets moved to the attic. Our NAS is already up there.
 
A safe would be nice, except the NAS needs air for cooling.
Not much. Those boxes are pretty low power and mine (DS212+) is in automatic power-down much of the time too. A large metal box, aka cheap gun safe, would probably work just fine. Like: http://www.amazon.com/Stack-On-GCB-900-Steel-Pistol-Cabinet/dp/B002TOKR2Q You could test by putting your NAS into a similar-sized cardboard box for a day and monitoring the temperature. My guess is that the temp rise would not be excessive.

Look at Amazon Glacier. Cheap off-site storage that can be automated, and I think the Synology has an app you can install that works well with it. Might cost a few dollars per month, but I think the peace of mind is well worth it.
Yup. All that sounded great. I did no calculations, just got the Amazon account, set up the Synology backup, then discovered that with my DSL the backup could only upload about 5GB per day. Too expensive to upgrade the DSL just for this, so I am using Synology backup to occasionally copy the critical RAID drive shares to a docked SATA drive which then goes to live in my fire-resistant gun safe. So if the low-probability, high-impact event occurs, I lose some data but have most of it.

Another option would be a second NAS with just one drive, with the main NAS backing up to the second NAS on a schedule. The second NAS could be hidden almost anywhere in the house, virtually eliminating the burglary risk though you'd still have fire risk. Life's a tradeoff.
 
I did no calculations, just got the Amazon account, set up the Synology backup, then discovered that with my DSL the backup could only upload about 5GB per day.
That would most likely only be a limitation while initially getting the data into the cloud. Once that has completed I doubt that you would see a bottleneck on your real time replication.
 
Amazon Glacier/S3 - much better (and cheaper TCO) than trying to do it yourself.
 
That would most likely only be a limitation while initially getting the data into the cloud. Once that has completed I doubt that you would see a bottleneck on your real time replication.
True, but for backups I like to see a full backup once in a while rather than relying on a huge chain of incremental backups. Plus, taking two weeks for the initial/full backup was just too off-putting.

That's at home, where the local telco is only selling me less than 1meg up. It would be a different situation at our lake place, where the rural co-op telco has fiber to the house and the slowest connection I can buy is 20meg each way!
 
A Kensington style lock wouldn't secure anything and one could simply grab onto the NAS and forcefully break it by hand without issue. Seeing the lock on it would indicate to people that it contains data that is sensitive or has value.

If you're a thief and you break into a room and you see something poorly locked but obviously someone went through the extra intent of locking that one thing you're going to target that, especially if it's not actually increasing security whatsoever. Better off with things hidden than that.

Sensitive data is protected by strong encryption, not locks.

Nothing defeats a determined thief. Better strategy is to distract him to something of lower value (to you) and delay him enough to get the boys in blue to give him a moment of pause.

But you did give me an idea. I just may hot glue gun the stuff to the top of a board and screw that into the top of my bookcase. Except post #2 looks so purdy.

I recommend that you not trust your life on encryption. The formula for data loss is: (time) + (computing power) = broken cipher.
 
For the NAS in the attic, how is it coping with the high temperatures? My experience with hard drives is that they don't like heat and after a while will fail. My attic (central FL) would be way too hot.

I would have the same concern in a sealed box like a gun safe. Heat bad.

I think Jesse's on the right track for theft security. As for small hands, put it out of reach.

John
 
Nothing defeats a determined thief. Better strategy is to distract him to something of lower value (to you) and delay him enough to get the boys in blue to give him a moment of pause.

But you did give me an idea. I just may hot glue gun the stuff to the top of a board and screw that into the top of my bookcase. Except post #2 looks so purdy.

I recommend that you not trust your life on encryption. The formula for data loss is: (time) + (computing power) = broken cipher.

I think you'd be surprised how easily one could steal the NAS no matter how many wood screws you put in. If you aren't afraid of breaking things it's going to be rather simple since none of it was designed to be physically secure.

As to your average thief breaking strong encryption, lol, that's not going to happen. They'll just realize they can't read any data and will format it then sell it on Craigslist as a new drive.

Encryption is how you handle this sort of thing. I deal with protecting credit card numbers for a living.

Read this: http://www.reddit.com/r/theydidthem...e_and_energy_required_to_bruteforce_a_aes256/ now tell me what you think is going to be easier for the thief.

Defeating your wood and screws or that "locked" rack:
- 5-30 seconds with a few simple hand tools

I've busted open locked racks like that probably 10 times in my career because someone lost the key and something was failed inside it. Only takes a few seconds.

Defeating your single instance of AES-256 encryption:
- One billion GPUs required
- 150 nuclear reactors required
- More time than the universe will exist for, required.

Yes it's possible the NSA might have a few tricks up their sleeve. But even those tricks would require massive amounts of work. Much more difficult than some screws and a cheap lock.

Don't let the tv shows fool you. Properly implemented encryption is some pretty strong stuff.
 
Rule #1 at this point in evolution: assume that a hacker has access to/is in your network. Regardless of the firewall.

While you need perimeter protection, you also need encryption. Best if you can do it file-by-file. If that's impractical, whole disk encryption is an option.

I like Truecrypt. YMMV.
 
After further analysis, my best option is to:
1- Keep out of reach of small children
2- Implement an offline backup solution

And if I gave the wrong impression that I didn't think encryption was necessary, please allow me to clear that up...it is important, but it's not the panacea that many people make it out to be.

Prompting this thread is the fact that later this week I'm going to grant someone access to my home and I won't be there. We thought about the things that we cannot replace, if our trust is misplaced. The digital recordings of my children being born and growing up are amongst those irreplaceable sentimentals.
 
They can destroy it to the point it might not recover with a glass of water. They can make sure with a hammer. If something is truly irreplaceable you keep multiple copies of it and one must be offsite.

One of my favorite InfoSec friends used to remind execs that the easiest threat to any data center is an employee or contractor with access who puts a super soaker under a trench coat.
 
Get one of these:
SRW6U-FRONT-M.jpg

It wall mounts so you can put it higher up on the wall out of reach. It's also got a basic lock on it, but that lock won't stand up to a battery powered drill. You can also put your other networking equipment up in it to make the office look nice and clean.
 
Get one of these:
SRW6U-FRONT-M.jpg

It wall mounts so you can put it higher up on the wall out of reach. It's also got a basic lock on it, but that lock won't stand up to a battery powered drill. You can also put your other networking equipment up in it to make the office look nice and clean.

The lock won't stand up to a screw driver either.
 
That's what insurance, remote backups, and encryption are for.....Oh and don't forget, locking the front door to your house!

I think it looks very nice. High corner mounted would be sweet
 