RE: Synology Disk DS211J

2011-10-04 Thread Jones, Barry
Thanks everyone for the input. I've seen some very good responses, and this 
NANOG newbie appreciates the take... :-) 

-Original Message-
From: Nick Olsen [mailto:n...@flhsi.com] 
Sent: Friday, September 30, 2011 1:05 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

It's updates. I've got a 1511+ here and at the office. It phones home to check 
for updates. I noticed this the day I got it. Blocked the dst IP and that was 
the only thing that broke.


Nick Olsen

Network Operations
(855) FLSPEED  x106



From: Pierre-Yves Maunier na...@maunier.org
Sent: Friday, September 30, 2011 8:32 AM
To: Jones, Barry bejo...@semprautilities.com
Subject: Re: Synology Disk DS211J

2011/9/29 Jones, Barry bejo...@semprautilities.com

> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.

Maybe it's for checking new firmware update availability...

-- 
Pierre-Yves Maunier


Re: Synology Disk DS211J

2011-09-30 Thread Matthew Palmer
On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg nat...@atlasnetworks.us
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +
>>
>> And this is why the prudent home admin runs a firewall device he or she 
>> can trust, and has a default deny rule in place even for outgoing 
>> connections.
>>
>> - Matt
>>
>> The prudent home admin has a default deny rule for outgoing HTTP to port 
>> 80?  I doubt it.
>>
>> No, the prudent and knowledgeable home admin does not have a default 
>> deny rule just for outgoing HTTP to port 80.
>>
>> He has a default deny rule for _everything_.  Every internal source 
>> address, and every destination port.  Then he pokes holes in that 'deny 
>> everything' for specific machines to make the kinds of external 
>> connections that _they_ need to make.
>
> Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I
properly configure the firewall to account for all legitimate traffic before
the device is commissioned.

- Matt




Re: Synology Disk DS211J

2011-09-30 Thread Pierre-Yves Maunier
2011/9/29 Jones, Barry bejo...@semprautilities.com

> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.



Maybe it's for checking new firmware update availability...

-- 
Pierre-Yves Maunier


Re: Synology Disk DS211J

2011-09-30 Thread Jay Ashworth
- Original Message -
> From: bmann...@vacation.karoshi.com
>
>> Tell me how that flies with the customers in your household...
>
> They are freeloaders, not customers. If they -PAID-
> for service, then it would be a different conversation.

I'm pretty sure that was a wife approval factor/not everyone's a geek
observation, Bill.  

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



RE: Synology Disk DS211J

2011-09-30 Thread Blake T. Pfankuch
The easy way around the unhappy significant other/minion-shaped offspring 
solution is to put all of the end user devices on a separate VLAN, and then 
treat that as an open DMZ.  Then put everything operational (ironic in a home) on 
your secured production network (restrict all outbound/inbound except what is 
needed).  If you really want to complicate it you should even put your wireless 
into a separate VLAN as well, and secure it as appropriate.  Gives you the 
ability to firewall between networks, thus making sure that when your minions 
eventually get something nasty going on the PC they use, it doesn't spread 
through the rest of the network.  Also means you can deploy some form of 
content filtering policies through various solutions to prevent your minions 
from discovering the sites running on the most recent TLD addition.  

This assumes that most people reading this email have the ability to run 
multiple routed subnets behind their home firewall.  Be it a layer 3 switch 
with ACLs or multiple physical interfaces and the ability to have them act 
independently.  

Personally I run 8 separate networks (some with multiple routed subnets).  
Wireless data, management network, voice networks, game consoles, storage, 
internal servers, DMZ servers and Project network.  Only reason why there is no 
end user network is that there are no wired drops anywhere in the house, so 
that falls under the wireless data. That network gets internet access and 
connectivity to file sharing off the internal servers and all internet traffic 
runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

Blake

-Original Message-
From: Matthew Palmer [mailto:mpal...@hezmatt.org] 
Sent: Friday, September 30, 2011 12:19 AM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg nat...@atlasnetworks.us
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +
>>
>> And this is why the prudent home admin runs a firewall device he 
>> or she can trust, and has a default deny rule in place even for 
>> outgoing connections.
>>
>> - Matt
>>
>> The prudent home admin has a default deny rule for outgoing HTTP to 
>> port 80?  I doubt it.
>>
>> No, the prudent and knowledgeable home admin does not have a 
>> default deny rule just for outgoing HTTP to port 80.
>>
>> He has a default deny rule for _everything_.  Every internal source 
>> address, and every destination port.  Then he pokes holes in that 'deny 
>> everything' for specific machines to make the kinds of external 
>> connections that _they_ need to make.
>
> Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I 
properly configure the firewall to account for all legitimate traffic before 
the device is commissioned.

- Matt





Re: Synology Disk DS211J

2011-09-30 Thread Leo Bicknell
In a message written on Fri, Sep 30, 2011 at 01:56:42PM +, Blake T. 
Pfankuch wrote:
> Personally I run 8 separate networks (some with multiple routed subnets).  
> Wireless data, management network, voice networks, game consoles, storage, 
> internal servers, DMZ servers and Project network.  Only reason why there is 
> no end user network is that there are no wired drops anywhere in the house, 
> so that falls under the wireless data. That network gets internet access and 
> connectivity to file sharing off the internal servers and all internet 
> traffic runs through Anti-Virus/Anti-Spyware before going outbound and 
> inbound.

You've inspired me to go invest in Alcoa stock.  NYSE AA for anyone
else interested.  The tin-foil demand in this thread alone must
have them running an extra shift. :)

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: Synology Disk DS211J

2011-09-30 Thread Doug Barton
On 09/30/2011 06:13, Jay Ashworth wrote:
> not everyone's a geek

Right!


Doug (wait, what?!?)

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/




Re: Synology Disk DS211J

2011-09-30 Thread Nick Olsen
It's updates. I've got a 1511+ here and at the office. It phones home to 
check for updates. I noticed this the day I got it. Blocked the dst IP and 
that was the only thing that broke.


Nick Olsen

Network Operations
(855) FLSPEED  x106



From: Pierre-Yves Maunier na...@maunier.org
Sent: Friday, September 30, 2011 8:32 AM
To: Jones, Barry bejo...@semprautilities.com
Subject: Re: Synology Disk DS211J

2011/9/29 Jones, Barry bejo...@semprautilities.com

> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.

Maybe it's for checking new firmware update availability...

-- 
Pierre-Yves Maunier



Re: Synology Disk DS211J

2011-09-30 Thread Valdis . Kletnieks
On Fri, 30 Sep 2011 04:14:39 -, bmann...@vacation.karoshi.com said:

>> Tell me how that flies with the customers in your household...
>
> They are freeloaders, not customers.  If they -PAID-
> for service, then it would be a different conversation.

Time to cue up "Move It On Over" by George Thorogood, 'cause that kind of
talk will leave you sleeping in the doghouse tonight. ;)




Re: Synology Disk DS211J

2011-09-30 Thread bmanning
On Fri, Sep 30, 2011 at 05:35:52PM -0400, valdis.kletni...@vt.edu wrote:
> On Fri, 30 Sep 2011 04:14:39 -, bmann...@vacation.karoshi.com said:
>
>>> Tell me how that flies with the customers in your household...
>>
>> They are freeloaders, not customers.  If they -PAID-
>> for service, then it would be a different conversation.
>
> Time to cue up "Move It On Over" by George Thorogood, 'cause that kind of
> talk will leave you sleeping in the doghouse tonight. ;)

the doghouse will have net then... :)

/bill



Re: Synology Disk DS211J

2011-09-30 Thread Charles N Wyble
On 09/30/2011 08:56 AM, Blake T. Pfankuch wrote:
> The easy way around the unhappy significant other/minion-shaped offspring 
> solution is to put all of the end user devices on a separate VLAN, and then 
> treat that as an open DMZ.  Then put everything operational (ironic in a home) on 
> your secured production network (restrict all outbound/inbound except what is 
> needed).  If you really want to complicate it you should even put your 
> wireless into a separate VLAN as well, and secure it as appropriate.  Gives 
> you the ability to firewall between networks, thus making sure that when your 
> minions eventually get something nasty going on the PC they use, it doesn't 
> spread through the rest of the network.  Also means you can deploy some form 
> of content filtering policies through various solutions to prevent your 
> minions from discovering the sites running on the most recent TLD addition.  

PacketFence. Per-user VLANs. RADIUS back end auth with one-time
passwords. I'm trying to package all this into a turnkey distro for my
own deployment across hundreds of sites. As such I need it anyway and
don't mind open sourcing it. It's been an on again/off again project but
it's really close to release.

> This assumes that most people reading this email have the ability to run 
> multiple routed subnets behind their home firewall.  Be it a layer 3 switch 
> with ACLs or multiple physical interfaces and the ability to have them act 
> independently.  

Routing on a stick to pfSense for me. Though I could use my L3 switch I
guess. *shrugs*

> Personally I run 8 separate networks (some with multiple routed subnets).  
> Wireless data, management network, voice networks, game consoles, storage, 
> internal servers, DMZ servers and Project network.  Only reason why there is 
> no end user network is that there are no wired drops anywhere in the house, 
> so that falls under the wireless data. That network gets internet access and 
> connectivity to file sharing off the internal servers and all internet 
> traffic runs through Anti-Virus/Anti-Spyware before going outbound and 
> inbound.

No. You aren't paranoid enough. See above. If it was turnkey, more
people would use it.

> Blake
>
> -Original Message-
> From: Matthew Palmer [mailto:mpal...@hezmatt.org] 
> Sent: Friday, September 30, 2011 12:19 AM
> To: nanog@nanog.org
> Subject: Re: Synology Disk DS211J
>
> On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:


-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Synology Disk DS211J

2011-09-29 Thread Jones, Barry
Hey all.
A little off topic, but wanted to share... I purchased a home storage Synology 
DS1511+. After configuring it on the home net, I did some captures to look at 
the protocols, and noticed that the DS1511+ is making outgoing connections to 
59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a regular basis. These 
addresses are owned by Synology and Chungwa Telecom in Taiwan. 

So far, I've not been able to find much information on their support sites, or 
Synology's wiki, but I wanted to put it out there. 

GET / HTTP/1.1
Host: 59.124.41.245:81
Accept: */*

HTTP/1.1 200 OK
Date: Thu, 22 Sep 2011 00:11:00 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/1.0.0c PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 103
Content-Type: text/html


Barry Jones - CISSP GSNA
Project Manager
Sempra Energy Utilities
www.sempra.com
(760) 271-6822
Please don't print this e-mail unless you really need to. 


The content contained in this electronic message is not intended to constitute 
formation of a contract binding Sempra Energy. Sempra Energy will be 
contractually bound only upon execution, by an authorized officer, of a 
contract including agreed terms and conditions or by express application of its 
tariffs.

This message is intended only for the use of the individual or entity to which 
it is addressed. If the reader of this message is not the intended recipient, 
or the employee or agent responsible for delivering the message to the intended 
recipient, you are hereby notified that any dissemination, distribution or 
copying of this message is strictly prohibited. If you have received this 
communication in error, please notify us immediately by replying to the sender 
of this E-Mail or by telephone.





Re: Synology Disk DS211J

2011-09-29 Thread Matthew Palmer
On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+.  After configuring it on the home net, I did some
> captures to look at the protocols, and noticed that the DS1511+ is making
> outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 &
> 89) on a regular basis.  These addresses are owned by Synology and Chungwa
> Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can
trust, and has a default deny rule in place even for outgoing connections.

- Matt




RE: Synology Disk DS211J

2011-09-29 Thread Nathan Eisenberg
> And this is why the prudent home admin runs a firewall device he or she can
> trust, and has a default deny rule in place even for outgoing connections.
>
> - Matt

The prudent home admin has a default deny rule for outgoing HTTP to port 80?  I 
doubt it.



Re: Synology Disk DS211J

2011-09-29 Thread Jay Ashworth
- Original Message -
> From: Nathan Eisenberg nat...@atlasnetworks.us
>
>> And this is why the prudent home admin runs a firewall device he or she can
>> trust, and has a default deny rule in place even for outgoing connections.
>
> The prudent home admin has a default deny rule for outgoing HTTP to
> port 80? I doubt it.

Why not?  You can poke holes in it specific to *workstations*; anything that
isn't a workstation doesn't generally need to be phoning home without you 
knowing about it...

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



RE: Synology Disk DS211J

2011-09-29 Thread Jones, Barry
Yep! 

-Original Message-
From: Matthew Palmer [mailto:mpal...@hezmatt.org] 
Sent: Thursday, September 29, 2011 2:31 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage 
> Synology DS1511+.  After configuring it on the home net, I did some 
> captures to look at the protocols, and noticed that the DS1511+ is 
> making outgoing connections to 59.124.41.242 (www) and 59.124.41.245 
> (port 81 & 89) on a regular basis.  These addresses are owned by Synology and 
> Chungwa Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can 
trust, and has a default deny rule in place even for outgoing connections.

- Matt





RE: Synology Disk DS211J

2011-09-29 Thread Jones, Barry
Or, open those specific ports as needed, then close. PITA though (pain in the 
@ss)

-Original Message-
From: Jones, Barry [mailto:bejo...@semprautilities.com] 
Sent: Thursday, September 29, 2011 4:14 PM
To: 'Matthew Palmer'; nanog@nanog.org
Subject: RE: Synology Disk DS211J

Yep! 

-Original Message-
From: Matthew Palmer [mailto:mpal...@hezmatt.org]
Sent: Thursday, September 29, 2011 2:31 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage 
> Synology DS1511+.  After configuring it on the home net, I did some 
> captures to look at the protocols, and noticed that the DS1511+ is 
> making outgoing connections to 59.124.41.242 (www) and 59.124.41.245 
> (port 81 & 89) on a regular basis.  These addresses are owned by Synology and 
> Chungwa Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can 
trust, and has a default deny rule in place even for outgoing connections.

- Matt






RE: Synology Disk DS211J

2011-09-29 Thread Robert Bonomi

> From: Nathan Eisenberg nat...@atlasnetworks.us
> Subject: RE: Synology Disk DS211J
> Date: Thu, 29 Sep 2011 21:58:23 +
>
>> And this is why the prudent home admin runs a firewall device he or she 
>> can trust, and has a default deny rule in place even for outgoing 
>> connections.
>>
>> - Matt
>
> The prudent home admin has a default deny rule for outgoing HTTP to port 
> 80?  I doubt it.

No, the prudent and knowledgeable home admin does not have a default deny
rule just for outgoing HTTP to port 80.

He has a default deny rule for _everything_.  Every internal source address,
and every destination port.  Then he pokes holes in that 'deny everything'
for specific machines to make the kinds of external connections that _they_
need to make.

Blocking outgoing port 80, _except_ from an internal proxy server, is not
necessarily a bad idea.  If the legitimate web clients are all configured
to use the proxy server, then _direct_ external connection attempts are
an indication that something not so legitimate may be running.
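Added example (not code from the thread, from Synology, or from any firewall product): a small Python model of the policy Robert Bonomi describes above, with the VLAN split from Blake Pfankuch's post layered on top. It builds a default-deny egress ruleset with per-host holes, an open "users" VLAN, a no-lateral-movement rule between VLANs, and port 80 allowed only from an internal proxy so that direct web connections from any other host stand out as the indicator Bonomi mentions. It is then evaluated against a constructed connection log in which the NAS from the original post tries 59.124.41.245:81 and 59.124.41.242:80; with no hole poked for it, those flows land on the default deny, which is what Nick Olsen saw when he blocked the destination. The VLAN ranges 10.0.10.0/24, 10.0.20.0/24 and 10.0.30.0/24, the proxy at 10.0.20.2, the NAS at 10.0.30.5, the external address 203.0.113.10, the rule names and the log line format are all assumptions made for the example.

```python
"""Default-deny egress policy with per-host holes and VLAN zones, evaluated
against a constructed connection log.

Added example for the NANOG thread; not code from Synology, the thread, or
any firewall product.  The VLAN ranges, host addresses, rule names and the
log line format are assumptions chosen for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "ALLOW", "DENY"


@dataclass
class Rule:
    name: str
    src: str                      # host or subnet, CIDR notation
    dst: str
    dports: Optional[frozenset]   # None matches any destination port
    action: str

    def matches(self, s: ipaddress.IPv4Address, d: ipaddress.IPv4Address, dport: int) -> bool:
        return (s in ipaddress.ip_network(self.src)
                and d in ipaddress.ip_network(self.dst)
                and (self.dports is None or dport in self.dports))


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    default: str = DENY           # Bonomi's baseline: deny everything, then poke holes

    def verdict(self, src: str, dst: str, dport: int) -> Tuple[str, str]:
        """First matching rule wins, as in a real ruleset; otherwise the default applies."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r.matches(s, d, dport):
                return r.action, r.name
        return self.default, "default-deny"


# Constructed home topology (assumption): three VLANs behind one firewall.
USERS   = "10.0.10.0/24"   # laptops, phones, consoles: Blake's "open DMZ"
SERVERS = "10.0.20.0/24"   # internal servers, including the web proxy
STORAGE = "10.0.30.0/24"   # the NAS lives here
PROXY   = "10.0.20.2/32"
NAS     = "10.0.30.5/32"

HOME_POLICY = Policy(rules=[
    Rule("users-smb-to-servers", USERS, SERVERS, frozenset({445}), ALLOW),
    Rule("users-no-lateral",     USERS, "10.0.0.0/8", None, DENY),   # no poking at other VLANs
    Rule("users-open-dmz",       USERS, "0.0.0.0/0", None, ALLOW),   # minions browse freely
    Rule("proxy-web-egress",     PROXY, "0.0.0.0/0", frozenset({80, 443}), ALLOW),
    # Deliberately no hole for NAS: its update checks fall through to the default.
])


def audit(policy: Policy, log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Evaluate 'timestamp src dst dport proto' records; malformed lines are skipped."""
    results = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] not in ("tcp", "udp") or not parts[3].isdigit():
            continue
        _ts, src, dst, dport, _proto = parts
        action, rule = policy.verdict(src, dst, int(dport))
        results.append((line, action, rule))
    return results


def would_break(results: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str, int], int]:
    """Count denied flows per (src, dst, dport): what stops working once default-deny is live."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for line, action, _rule in results:
        if action == DENY:
            _ts, src, dst, dport, _proto = line.split()
            key = (src, dst, int(dport))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed log (assumption), loosely modelled on the capture in the original post.
SAMPLE_LOG = [
    "2011-09-22T00:11:00Z 10.0.30.5  59.124.41.245 81  tcp",   # NAS update check
    "2011-09-22T00:11:01Z 10.0.30.5  59.124.41.242 80  tcp",   # NAS to the www host
    "2011-09-22T06:11:00Z 10.0.30.5  59.124.41.245 81  tcp",   # ...on a regular basis
    "2011-09-22T00:12:30Z 10.0.10.20 203.0.113.10  443 tcp",   # laptop browsing: open DMZ
    "2011-09-22T00:12:31Z 10.0.10.20 10.0.20.10    445 tcp",   # laptop to the file server
    "2011-09-22T00:12:32Z 10.0.10.20 10.0.30.5     22  tcp",   # laptop poking the NAS
    "2011-09-22T00:13:00Z 10.0.20.2  203.0.113.10  80  tcp",   # proxy fetching for clients
    "2011-09-22T00:13:05Z 10.0.20.10 203.0.113.10  80  tcp",   # server bypassing the proxy
    "not a flow record",
]

if __name__ == "__main__":
    results = audit(HOME_POLICY, SAMPLE_LOG)
    for line, action, rule in results:
        print(f"{action:5} {rule:22} {line}")
    for (src, dst, dport), n in sorted(would_break(results).items()):
        print(f"would break: {src} -> {dst}:{dport} ({n} flows)")
```

Run it and the would_break() summary lists every (source, destination, port) the default deny would cut, grouped and counted: that is the list to work through before a device is commissioned, as Matthew Palmer describes, rather than after something stops working. The direct port 80 connection from 10.0.20.10 shows up in the same list, which is exactly the "not so legitimate" signal Bonomi's proxy-only rule is meant to surface. A real ruleset also needs connection tracking for return traffic and holes for DNS and NTP, which the model leaves out.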






Re: Synology Disk DS211J

2011-09-29 Thread Joel jaeggli
On 9/29/11 17:46 , Robert Bonomi wrote:
> From: Nathan Eisenberg nat...@atlasnetworks.us
> Subject: RE: Synology Disk DS211J
> Date: Thu, 29 Sep 2011 21:58:23 +
>
> And this is why the prudent home admin runs a firewall device he or she 
> can trust, and has a default deny rule in place even for outgoing 
> connections.
>
> - Matt
>
> The prudent home admin has a default deny rule for outgoing HTTP to port 
> 80?  I doubt it.
>
> No, the prudent and knowledgeable home admin does not have a default deny
> rule just for outgoing HTTP to port 80.
>
> He has a default deny rule for _everything_.  Every internal source address,
> and every destination port.  Then he pokes holes in that 'deny everything'
> for specific machines to make the kinds of external connections that _they_
> need to make.

Tell me how that flies with the customers in your household...

> Blocking outgoing port 80, _except_ from an internal proxy server, is not
> necessarily a bad idea.  If the legitimate web clients are all configured
> to use the proxy server, then _direct_ external connection attempts are 
> an indication that something not so legitimate may be running.
 
 




Re: Synology Disk DS211J

2011-09-29 Thread bmanning
On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg nat...@atlasnetworks.us
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +
>>
>> And this is why the prudent home admin runs a firewall device he or she 
>> can trust, and has a default deny rule in place even for outgoing 
>> connections.
>>
>> - Matt
>>
>> The prudent home admin has a default deny rule for outgoing HTTP to port 
>> 80?  I doubt it.
>>
>> No, the prudent and knowledgeable home admin does not have a default 
>> deny rule just for outgoing HTTP to port 80.
>>
>> He has a default deny rule for _everything_.  Every internal source 
>> address, and every destination port.  Then he pokes holes in that 'deny 
>> everything' for specific machines to make the kinds of external 
>> connections that _they_ need to make.
>
> Tell me how that flies with the customers in your household...

They are freeloaders, not customers.  If they -PAID-
for service, then it would be a different conversation.

/bill