I am often seen as "the it desk" for relatives and friends but as an F5 employee I am not even close.
I work with experts who know security, know networking, and grew up with (or invented) tech generally.
I don't have any F5 equipment at home...but this is sorta home-lab-ish for someone who "plays IT Support on TV."
I bit off a lot of tech (at least for me) when I bought a Synology NAS DS720+ to manage my personal machine backups and then also the HUGE amounts of photos my family is producing on their phones. I grow weary of paying [insert service provider here] $XX/month to synch that stuff when I have a perfectly capable 4TB NAS in my home. I'm slowly getting used to how it works (I bought it one year ago) and it's doing the basics but I have a few other basic questions that may help me move forward.
Security - I changed the default Admin password but I can't figure out how to *CONFIRM* that my NAS is not open to the internet. My queries to the excellent Synology KB site (https://kb.synology.com/en-us/DSM) are sorta the OPPOSITE of what a NAS is supposed to be for. Until this point I only want Local Network access secure from anyone scanning the internet and using my NAS for their bot army. My DSM (the OS for Synology NAS) version is 7.0+.
How do I confirm this device isn't connected to the open internet but still handling local traffic?
(I have more next-steps-questions like, What is the basics about then turning around and enabling remote Phone backups? How often do I need to look at this system to deal with security patches (the tension between ease of use and security) but..is it weird to ask this here?
By default, your router/firewall isn't going to allow traffic inbound that was initiated from external. If it does, you likely configured this explicitly.
So this is actually more of a question about your router/firewall and whether it's configured in such a way.
Ahhh - explains the dearth of info on the Synology KBs.
I changed the default PWD on my router and I tend to notice when that wants me to update firmware (probably security patches). I don't know if I have a firewall installed unless it's part of my router already.
So that's some peace of mind.
Now, if I want to level-up and allow my iPhone(s) to send regular backups to my Synology NAS & and if I want my daughter at school to be able to do that too - I'd have to get the right stuff going on the NAS and THEN for my daughter open up a specific port(?) on my router I guess?
This help page says "Port Forwarding" - https://help.amplifi.com/hc/en-us/articles/219134387 but (I now understand) that this identifies the device I want to allow access through my router.
And, assuming I do that - how do I stop the internetizens from 'scanning' / 'finding' that open port and then getting into my NAS that way?
There's a lot of unpacking that could be done around the terms firewall and router but I combine the use of them when it comes to home networks because the devices provided by ISPs typically combine the function.
But for some, like myself, I opt to have my ISP deactivate those functions and turn the device into a bridge and I provide my own device to do firewall functions.
Anyways - yes, you will likely need to just do port forwarding for your scenario.
And you will get random, free scans of your firewall from the citizens of the internet so you want to make sure your NAS is always up to date and you have a strong password.
An alternative would be setting up VPN but it's unlikely you want to go through that effort.
ok - I'm good on password strength but maintaining the NAS reliably from in-the-wild exploits is beyond my desire - I suppose I might figure out how it could notify me of needed updates. (yep - figured it out!)
VPN? yep - nope.
Last question, I think, (and thanks Buu). I've always believed in the 3-2-1 backup strategy - although I just learned that term last week. I pay for an off-site backup service (~20-30% the cost of [insert corporate megalith name here] ) - IF that service supports such a thing I suppose connecting my NAS to that backup service would also require a similar hole in the firewall? and...
...like so many other things in this question; now that I'm writing it out, I'm going to guess it won't be a problem since I would be SENDING my content to the backup service rather than that service coming to me - is that right?