Storage and File Serving
I hoped the file sharing side of the ASAP / BOSS twins would offset the weaker routing side. But instead I found file sharing to be just as problematic.
Figure 11 shows the first NAS Management screen, which allows you to enable file sharing, adjust the drive idle power-down time, initialize the disk and monitor the total available space. There's no ability to set quotas or have a warning issued when disk capacity is running low.
Figure 11: BOSS HD Initialization
The Advanced Settings (Figure 12) consist of enables for the supported file sharing protocols (NetBIOS, AppleShare over IP and NFS) and the built-in FTP server.
Figure 12: BOSS NAS Advanced Settings
But I was shocked to learn when I port-scanned both products that enabling each of these services also exposes those ports on the WAN side of the router! This is totally unacceptable from an Internet security viewpoint, since exposing any of these well-known ports virtually guarantees that your network will become a target for a variety of unwelcome attention.
Update 3/5/2004 - Tritton and ioGEAR have released firmware updates that they say fix these security problems. I have not verified that they work.
Once the ports are exposed, only your username / password combination stands between the Internet and your LAN's security, which is a position I certainly wouldn't want to be in. Forget using the IP Filter capability as a patch, since I tried it and it doesn't appear to apply to any of these services.
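The WAN-side check described above, as an added example that is not part of the original review: it connects to the standard TCP ports of the file-sharing services the ASAP / BOSS can enable and reports which ones accept a connection from outside. The port numbers are the usual IANA assignments, and the placeholder address is an assumption; substitute your own router's WAN address.

```python
import socket
import sys
from contextlib import closing

# Standard TCP ports for the services the NAS can enable (NetBIOS session /
# SMB, AppleShare over IP, NFS plus its portmapper, FTP). These are the usual
# IANA assignments, not values taken from the review.
FILE_SHARING_PORTS = {
    "NetBIOS/SMB": (139, 445),
    "AppleShare over IP (AFP)": (548,),
    "NFS (portmapper + nfsd)": (111, 2049),
    "FTP": (21,),
}


def port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable
            return False


def exposed_services(host: str, services=FILE_SHARING_PORTS, timeout: float = 2.0) -> dict:
    """Map each service name to the list of its ports that accepted a connection.

    Run against the router's WAN address from outside the LAN; anything
    reported here is reachable from the Internet, protected only by the
    NAS user / password database.
    """
    found = {}
    for name, ports in services.items():
        open_ports = [p for p in ports if port_open(host, p, timeout)]
        if open_ports:
            found[name] = open_ports
    return found


if __name__ == "__main__":
    # Placeholder WAN address (assumed); pass your router's real WAN IP instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    hits = exposed_services(target)
    if not hits:
        print(f"{target}: no file-sharing ports reachable")
    for name, ports in hits.items():
        print(f"{target}: {name} reachable on TCP {ports}")
```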
It's also important to note that user / group permissions apply to all services. I found this out when I enabled FTP and found that anonymous read / write access was turned on! It turned out that the default guest user account that I was using to enable file sharing access without a password also left my files wide open to the Internet via FTP.
When I pointed out this problem to both vendors, ioGEAR said the open file sharing ports were "needed for file sharing via SAMBA" and Tritton didn't answer the question. Tritton also didn't respond to my query regarding anonymous FTP access and ioGEAR's response said, in part, "This is not a security type product". I found this a curious response, given that the product has the security features of both PPTP and IPsec endpoints built in.
To ioGEAR's credit, however, they also said they'd work on improving security and would issue a TIL (applications note) and product insert that would describe the issue. Since I suspect this issue will be passed back to the OEM / ODM that actually makes the product, I can only hope that any security improvements will appear in both products.
Figure 13: ASAP NAS File Access Control
Figure 13 shows the extent of the Access Control you have over files stored on the ASAP / BOSS. Only folder (directory) level permission can be set, though you can define Group level privileges for groups of users. As I mentioned before, these privileges apply to all protocols.
The ASAP recently added webserving capability (Figure 14) to its feature set, but the BOSS hasn't.
Figure 14: ASAP Web Server setup
Enabling the webserver and setting a port number automatically creates a "www" folder, assigns it "guest" (i.e. no password) permissions, and opens the selected port in the ASAP's firewall to allow access from the Internet. But since permissions can't be set per service, the "guest" permissions also allow anonymous FTP access - another very insecure default setting.
Removing "guest" permission shut off anonymous FTP, but left the webpages accessible by anyone. Anyone, that is, using Internet Explorer. When I tried hitting the index.html page that I uploaded, Mozilla presented me with the actual HTML for the page instead of the rendered HTML! Neither IE nor Mozilla automatically displayed the "index.html" page when I entered the ASAP's WAN IP address into my browser, contrary to what the printed web server instruction sheet that came with the ASAP said.