The topic of data security is consistently high in the headlines, and many things that were conveniently ignored are now forcing the masses to wake up, pay attention and take action. Email encryption, insecure WhatsApp, cloud storage and NAS feature among these now deafening headlines.
Buffalo is an established leading manufacturer of NAS devices, and the security of its customers' data is, and has always been, of the utmost priority. Buffalo NAS are secure devices in many aspects. We did not just start now to make our devices secure – they always have been.
The Heartbleed Bug
Heartbleed* is a bug named after the ‘heartbeat’ extension in the TLS/SSL protocol. The heartbeat extension keeps an SSL connection alive. For servers this makes sense, because re-establishing a connection requires more system resources than checking the connection and cutting it only if the client no longer answers. The intention was to improve server performance and save resources. However, this extension has a design flaw, hence the name Heartbleed. If an OpenSSL version is installed that utilises this particular extension, the system is potentially vulnerable. The extension was released back in 2012, so it is used by many parties, and SSL was vulnerable from then until April 2014 if you used the versions based on the standard.
Our software engineers are extremely conservative regarding security aspects. When the ‘heartbeat’ extension was launched, they decided not to use it. From a technical point of view it did not make sense to use the extended OpenSSL version, because our products do not focus on web server services. So instead we kept the tested, stable and very secure OpenSSL versions in our OS for AirStation, LinkStation and TeraStation. This turned out to be a good choice.
Buffalo NAS Operating System vs. Bitcoin Miners & Co.
Lately, Bitcoin miners and other software have been found on many NAS devices. The software was remotely installed for the benefit of criminal users.
The first important mechanism in our NAS devices is a hidden place where configuration and settings are saved. When you reboot the unit, your LinkStation or TeraStation checks whether the running configuration matches the saved one and, if not, pulls the settings from the saved copy. That means that if somebody manipulates the running system or inserts code, all changes are gone after reboot.
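The reboot check described above, sketched as an added example (not Buffalo's firmware code, whose internals the page does not show): the script hashes a saved and a running configuration tree and copies the saved one back on any difference. The directory layout, file names and function names are hypothetical, and it assumes the saved copy cannot be written from the running system.

```shell
#!/bin/sh
# Added illustration of a boot-time configuration check. Paths and function
# names are hypothetical; this is not Buffalo firmware code.

# Use sha256sum where present, otherwise shasum (same output layout).
hash256() { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; }

# One digest for a whole tree: relative file names plus file contents, in a
# stable order. File modes and ownership are not part of the digest.
tree_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\n' "$f"
          hash256 < "$f"
      done ) | hash256 | cut -d' ' -f1
}

# Compare the running configuration with the saved copy; on any difference,
# discard the running tree and copy the saved one back. Prints match/restored.
restore_if_drifted() {
    saved=$1
    running=$2
    if [ "$(tree_digest "$saved")" = "$(tree_digest "$running")" ]; then
        echo match
        return 0
    fi
    rm -rf "$running"
    mkdir -p "$running"
    cp -Rp "$saved"/. "$running"/
    echo restored
}

# Constructed demo: a clean boot, a boot after the running copy was altered,
# and the boot after that.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/saved/etc" "$work/running"
    printf 'smb=on\nftp=off\n' > "$work/saved/etc/services.conf"
    cp -Rp "$work/saved/." "$work/running/"
    first=$(restore_if_drifted "$work/saved" "$work/running")
    printf 'smb=on\nftp=on\n' > "$work/running/etc/services.conf"  # changed setting
    printf '#!/bin/sh\n' > "$work/running/etc/extra.sh"             # added file
    second=$(restore_if_drifted "$work/saved" "$work/running")
    third=$(restore_if_drifted "$work/saved" "$work/running")
    if [ -e "$work/running/etc/extra.sh" ]; then leftover=yes; else leftover=no; fi
    rm -rf "$work"
    echo "$first $second $third $leftover"
}
demo
```

A change that reaches the saved copy itself would survive this check, which is why the saved location has to be out of reach of the running system.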
One of the most significant features to highlight is that the NAS system is closed and not even the system administrator has root rights. It is difficult to smuggle code to relevant places under this condition.
We have no software interfaces by default to change the OS. In the NAS network settings you can enable or block services, limiting the available services to the ones you need. By keeping these to a minimum you can minimize the points for possible attacks.
GENERAL SECURITY FEATURES
Buffalo is an established leading manufacturer of NAS devices, and the security of its customers' data is, and has always been, of the utmost priority.
Security starts with the setup. Buffalo has always used local setup for AirStations, LinkStations and TeraStations. It is not necessary to have an internet connection for the setup, or to create an account for remote management (as you need to do for some other vendors) that holds user names and/or passwords that could be targeted by attackers.
Secure remote access – private Cloud via WebAccess
With the setup of WebAccess you automatically receive an account on Buffalonas.com – this is your Private Cloud. This means that you can access your data from anywhere in the world where you have an internet connection, but your data is stored solely on your device at home and nowhere else. Technically, the only task of this account is to authenticate a LinkStation, remember its IP address and port number, and forward all requests accordingly between your NAS and, say, your tablet or smartphone. Afterwards it is a point-to-point connection between your LinkStation or TeraStation and you. The NAS can also be secured with HTTPS. This setup ensures that Buffalo does not store user passwords and has no access to data. The perfect combination of easy access and privacy!
- easy access to your data at home and anywhere in the world
- automatically ‘read only’ rights for anonymous users on folders you make public
- rights can be inherited from LAN share settings or you can provide data for registered users only
Cloud Storage vs. private Cloud – NSA & other spies
Of course, many articles have already been written about the subject. In summary: if your data is hosted in the US, a US agency can request it and would not need to tell you. That means that some of the big international hosting companies and cloud services like Dropbox, Google Drive or OneDrive are out of consideration for hosting any kind of confidential material in a company, even if you have to take care of the backup yourself. Combined with the latest issue in the SSL protocol, it makes everyone smile who took a slightly more conservative approach and kept all business-relevant and confidential data well protected in the company on internal storage. Considering that this will not be the last time we hear about software vulnerabilities, questionable collection of data by agencies of any country and so on, it still seems to be a good way. Of course there is a use for online storage to share material easily among colleagues. However, this should not be used for anything confidential.
Security on AirStation Operation Software
Buffalo AirStations have many features designed for enhancing security. They have the usual NAT/SPI firewall and a guest network with internet-only access. In addition, you can prohibit configuration from the LAN or the internet (configuration from the internet is off by default). By default, Buffalo routers do not have interfaces that allow a user to change anything in the software at command-line level or to install additional packages.
Protect data on the TeraStation
Securing the embedded operating system is an important side of a security concept.
If a company’s security policy allows its employees to use their own devices for work purposes and to access the network (so-called BYOD – Bring Your Own Device), it should be of primary concern that these employees do not store data infected with Windows malware on the network storage device.
With its TeraStation NAS devices, Buffalo offers a professional solution from Trend Micro to protect all data against malware. It comes as full-featured software with a live scanner, scheduled scanning, sandbox, repair options and more. A 30-day free trial is offered, at which time you have the option to purchase the full software version from Buffalo.
*For more details see e.g. heartbleed.com