RE: Synology Disk DS211J
Thanks everyone for the input. I've seen some very good responses, and this NANOG newbie appreciates the take... :-)

-----Original Message-----
From: Nick Olsen [mailto:n...@flhsi.com]
Sent: Friday, September 30, 2011 1:05 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

It's updates, I've got a 1511+ here and at the office. It phones home to check for updates. I noticed this the day I got it. Blocked the dst IP and that was the only thing that "broke".

Nick Olsen
Network Operations
(855) FLSPEED x106

From: "Pierre-Yves Maunier"
Sent: Friday, September 30, 2011 8:32 AM
To: "Jones, Barry"
Subject: Re: Synology Disk DS211J

2011/9/29 Jones, Barry
> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>

Maybe it's for checking new firmware update availability...

--
Pierre-Yves Maunier
Re: Synology Disk DS211J
On 09/30/2011 08:56 AM, Blake T. Pfankuch wrote:
> The easy way around the unhappy significant other/minion shaped offspring
> solution is to put all of the "end user" devices On a separate VLAN, and then
> treat that as an open DMZ. Then everything operational (ironic in a home) on
> your secured production network (restrict all outbound/inbound except what is
> needed). If you really want to complicate it you should even put your
> wireless into a separate VLAN as well, and secure it as appropriate. Gives
> you the ability to firewall between networks, thus making sure that when your
> minions eventually get something nasty going on the PC they use, it doesn't
> spread through the rest of the network. Also means you can deploy some form
> of content filtering policies through various solutions to prevent your
> minions from discovering the sites running on the most recent TLD addition.

Packet fence. Per user vlans. RADIUS back end auth with one time passwords.

I'm trying to package all this into a turnkey distro for my own deployment across hundreds of sites. As such I need it anyway and don't mind open sourcing it. It's been an on again/off again project but it's really close to release.

> This assumes that most people reading this email have the ability to run
> multiple routed subnets behind their home firewall. Be it a layer 3 switch
> with ACL's or multiple physical interfaces and the ability to have them act
> independently.

Routing on a stick to pfSense for me. Though I could use my l3 switch I guess. *shrugs*

> Personally I run 8 separate networks (some with multiple routed subnets).
> Wireless data, management network, voice networks, game consoles, storage,
> internal servers, DMZ servers and Project network. Only reason why there is
> no "end user" network is that there are no wired drops anywhere in the house,
> so that falls under the wireless data. That network gets internet access and
> connectivity to file sharing off the internal servers and all internet
> traffic runs through Anti-Virus/Anti-Spyware before going outbound and
> inbound.

No. You aren't paranoid enough. See above. If it was turnkey, more people would use it.

> Blake
>
> -----Original Message-----
> From: Matthew Palmer [mailto:mpal...@hezmatt.org]
> Sent: Friday, September 30, 2011 12:19 AM
> To: nanog@nanog.org
> Subject: Re: Synology Disk DS211J
>
> On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
>

--
Charles N Wyble
char...@knownelement.com
@charlesnw on twitter
http://blog.knownelement.com
Building alternative, global scale, secure, cost effective bit moving platform for tomorrow's alternate default free zone.
Re: Synology Disk DS211J
On Fri, Sep 30, 2011 at 05:35:52PM -0400, valdis.kletni...@vt.edu wrote:
> On Fri, 30 Sep 2011 04:14:39 -, bmann...@vacation.karoshi.com said:
> > > Tell me how that flies with the customers in your household...
> >
> > They are freeloaders, not customers. If they -PAID-
> > for service, then it would be a different conversation.
>
> Time to cue up "Move it on over" by George Thorogood, 'cause that kind of
> talk will leave you sleeping in the doghouse tonight. ;)

the doghouse will have net then... :)

/bill
Re: Synology Disk DS211J
On Fri, 30 Sep 2011 04:14:39 -, bmann...@vacation.karoshi.com said:
> > Tell me how that flies with the customers in your household...
>
> They are freeloaders, not customers. If they -PAID-
> for service, then it would be a different conversation.

Time to cue up "Move it on over" by George Thorogood, 'cause that kind of
talk will leave you sleeping in the doghouse tonight. ;)
Re: Synology Disk DS211J
It's updates, I've got a 1511+ here and at the office. It phones home to check for updates. I noticed this the day I got it. Blocked the dst IP and that was the only thing that "broke".

Nick Olsen
Network Operations
(855) FLSPEED x106

From: "Pierre-Yves Maunier"
Sent: Friday, September 30, 2011 8:32 AM
To: "Jones, Barry"
Subject: Re: Synology Disk DS211J

2011/9/29 Jones, Barry
> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>

Maybe it's for checking new firmware update availability...

--
Pierre-Yves Maunier
Re: Synology Disk DS211J
On 09/30/2011 06:13, Jay Ashworth wrote:
> "not everyone's a geek"

Right!

Doug

(wait, what?!?)

--
Nothin' ever doesn't change, but nothin' changes much.
        -- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/
Re: Synology Disk DS211J
In a message written on Fri, Sep 30, 2011 at 01:56:42PM +, Blake T. Pfankuch wrote:
> Personally I run 8 separate networks (some with multiple routed subnets).
> Wireless data, management network, voice networks, game consoles, storage,
> internal servers, DMZ servers and Project network. Only reason why there is
> no "end user" network is that there are no wired drops anywhere in the house,
> so that falls under the wireless data. That network gets internet access and
> connectivity to file sharing off the internal servers and all internet
> traffic runs through Anti-Virus/Anti-Spyware before going outbound and
> inbound.

You've inspired me to go invest in Alcoa stock. NYSE AA for anyone else interested. The tin-foil demand in this thread alone must have them running an extra shift. :)

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
RE: Synology Disk DS211J
The easy way around the unhappy significant other/minion shaped offspring solution is to put all of the "end user" devices On a separate VLAN, and then treat that as an open DMZ. Then everything operational (ironic in a home) on your secured production network (restrict all outbound/inbound except what is needed). If you really want to complicate it you should even put your wireless into a separate VLAN as well, and secure it as appropriate. Gives you the ability to firewall between networks, thus making sure that when your minions eventually get something nasty going on the PC they use, it doesn't spread through the rest of the network. Also means you can deploy some form of content filtering policies through various solutions to prevent your minions from discovering the sites running on the most recent TLD addition.

This assumes that most people reading this email have the ability to run multiple routed subnets behind their home firewall. Be it a layer 3 switch with ACL's or multiple physical interfaces and the ability to have them act independently.

Personally I run 8 separate networks (some with multiple routed subnets). Wireless data, management network, voice networks, game consoles, storage, internal servers, DMZ servers and Project network. Only reason why there is no "end user" network is that there are no wired drops anywhere in the house, so that falls under the wireless data. That network gets internet access and connectivity to file sharing off the internal servers and all internet traffic runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

Blake

-----Original Message-----
From: Matthew Palmer [mailto:mpal...@hezmatt.org]
Sent: Friday, September 30, 2011 12:19 AM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +
> >>
> >>> And this is why the prudent home admin runs a firewall device he
> >>> or she can trust, and has a "default deny" rule in place even for
> >>> outgoing connections.
> >>>
> >>> - Matt
> >>>
> >>>
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to
> >> port 80? I doubt it.
> >>
> >
> > No, the prudent and knowledgeable home admin does not have a
> > default deny rule just for outgoing HTTP to port 80.
> >
> > He has a default deny rule for _everything_. Every internal source
> > address, and every destination port. Then he pokes holes in that 'deny
> > everything' for specific machines to make the kinds of external
> > connections that _they_ need to make.
>
> Tell me how that flies with the customers in your household...

Perfectly fine. My users know not to go plugging random devices in, and I properly configure the firewall to account for all legitimate traffic before the device is commissioned.

- Matt
Re: Synology Disk DS211J
----- Original Message -----
> From: bmann...@vacation.karoshi.com
>
> > Tell me how that flies with the customers in your household...
>
> They are freeloaders, not customers. If they -PAID-
> for service, then it would be a different conversation.

I'm pretty sure that was a "wife approval factor"/"not everyone's a geek" observation, Bill.

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
Re: Synology Disk DS211J
2011/9/29 Jones, Barry
> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>

Maybe it's for checking new firmware update availability...

--
Pierre-Yves Maunier
Re: Synology Disk DS211J
On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +
> >>
> >>> And this is why the prudent home admin runs a firewall device he or she
> >>> can trust, and has a "default deny" rule in place even for outgoing
> >>> connections.
> >>>
> >>> - Matt
> >>>
> >>>
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to port
> >> 80? I doubt it.
> >>
> >
> > No, the prudent and knowledgeable home admin does not have a default deny
> > rule just for outgoing HTTP to port 80.
> >
> > He has a default deny rule for _everything_. Every internal source address,
> > and every destination port. Then he pokes holes in that 'deny everything'
> > for specific machines to make the kinds of external connections that _they_
> > need to make.
>
> Tell me how that flies with the customers in your household...

Perfectly fine. My users know not to go plugging random devices in, and I properly configure the firewall to account for all legitimate traffic before the device is commissioned.

- Matt
Re: Synology Disk DS211J
On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +
> >>
> >>> And this is why the prudent home admin runs a firewall device he or she
> >>> can trust, and has a "default deny" rule in place even for outgoing
> >>> connections.
> >>>
> >>> - Matt
> >>>
> >>>
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to port
> >> 80? I doubt it.
> >>
> >
> > No, the prudent and knowledgeable home admin does not have a default deny
> > rule just for outgoing HTTP to port 80.
> >
> > He has a default deny rule for _everything_. Every internal source address,
> > and every destination port. Then he pokes holes in that 'deny everything'
> > for specific machines to make the kinds of external connections that _they_
> > need to make.
>
> Tell me how that flies with the customers in your household...
>

They are freeloaders, not customers. If they -PAID- for service, then it would be a different conversation.

/bill
Re: Synology Disk DS211J
On 9/29/11 17:46 , Robert Bonomi wrote:
>> From: Nathan Eisenberg
>> Subject: RE: Synology Disk DS211J
>> Date: Thu, 29 Sep 2011 21:58:23 +
>>
>>> And this is why the prudent home admin runs a firewall device he or she
>>> can trust, and has a "default deny" rule in place even for outgoing
>>> connections.
>>>
>>> - Matt
>>>
>>>
>>
>> The prudent home admin has a default deny rule for outgoing HTTP to port
>> 80? I doubt it.
>>
>
> No, the prudent and knowledgeable home admin does not have a default deny
> rule just for outgoing HTTP to port 80.
>
> He has a default deny rule for _everything_. Every internal source address,
> and every destination port. Then he pokes holes in that 'deny everything'
> for specific machines to make the kinds of external connections that _they_
> need to make.

Tell me how that flies with the customers in your household...

> Blocking outgoing port 80, _except_ from an internal proxy server, is not
> necessarily a bad idea. If the legitimate web clients are all configured
> to use the proxy server, then _direct_ external connection attempts are
> an indication that something "not so legitimate" may be running.
>
RE: Synology Disk DS211J
> From: Nathan Eisenberg
> Subject: RE: Synology Disk DS211J
> Date: Thu, 29 Sep 2011 21:58:23 +
>
> > And this is why the prudent home admin runs a firewall device he or she
> > can trust, and has a "default deny" rule in place even for outgoing
> > connections.
> >
> > - Matt
> >
> >
>
> The prudent home admin has a default deny rule for outgoing HTTP to port
> 80? I doubt it.
>

No, the prudent and knowledgeable home admin does not have a default deny
rule just for outgoing HTTP to port 80.

He has a default deny rule for _everything_. Every internal source address,
and every destination port. Then he pokes holes in that 'deny everything'
for specific machines to make the kinds of external connections that _they_
need to make.

Blocking outgoing port 80, _except_ from an internal proxy server, is not
necessarily a bad idea. If the legitimate web clients are all configured
to use the proxy server, then _direct_ external connection attempts are
an indication that something "not so legitimate" may be running.
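The policy described in this message (deny all egress by default, poke per-host holes, allow port 80 only from the internal proxy, and treat direct attempts as an indicator) expressed as a small audit over firewall log lines. This is an added example, not code from the thread or from any product it mentions. The 192.168.1.0/24 layout, the proxy, NAS and resolver addresses, and the sample log lines are all constructed; the SRC=/DST=/PROTO=/DPT= field names follow the iptables LOG target's format, and 59.124.41.245:81 is the destination the original poster reported.

```python
"""Default-deny egress policy with per-host allow rules, evaluated against
constructed firewall log lines. Added example for the NANOG thread; the
network layout and the log lines are assumptions, not anything observed."""
import re
from ipaddress import IPv4Network, ip_address, ip_network

# Hypothetical home network (assumption for this example).
LAN = ip_network("192.168.1.0/24")
PROXY = ip_address("192.168.1.10")        # the only host allowed to speak HTTP(S) outside
NAS = ip_address("192.168.1.20")          # the storage box that phones home
RESOLVER = ip_address("198.51.100.53")    # hypothetical upstream DNS resolver

# Explicit holes in the 'deny everything' policy:
# (source host or network, protocol, destination port, destination or None for any)
ALLOW_RULES = [
    (LAN,   "udp", 53,  RESOLVER),                      # DNS, but only to the chosen resolver
    (PROXY, "tcp", 80,  None),                          # web traffic leaves via the proxy only
    (PROXY, "tcp", 443, None),
    (NAS,   "tcp", 81,  ip_address("59.124.41.245")),   # the one relay the owner chose to permit
]

# iptables LOG lines carry SRC=, DST=, PROTO= and DPT= in this order (other fields in between).
LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dport>\d+)")


def parse_log_line(line):
    """Extract the 4-tuple we need from a LOG line; None if the line is not a flow record."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": ip_address(m["src"]), "dst": ip_address(m["dst"]),
            "proto": m["proto"].lower(), "dport": int(m["dport"])}


def rule_matches(rule, flow):
    """True if one allow rule covers this flow (source may be a host or a whole network)."""
    src, proto, dport, dst = rule
    src_ok = flow["src"] in src if isinstance(src, IPv4Network) else flow["src"] == src
    return (src_ok and flow["proto"] == proto and flow["dport"] == dport
            and (dst is None or flow["dst"] == dst))


def decide(flow):
    """Default deny: a flow passes only when some explicit allow rule matches it."""
    return "allow" if any(rule_matches(r, flow) for r in ALLOW_RULES) else "deny"


def audit(lines):
    """Evaluate every LAN-to-outside flow in the log.

    Returns (decisions, bypass): decisions is a list of (src, dst, dport, verdict);
    bypass is the sorted list of hosts that tried direct HTTP/HTTPS instead of using
    the proxy, which is the 'not so legitimate' signal the policy is built to surface."""
    decisions, bypass = [], set()
    for line in lines:
        flow = parse_log_line(line)
        if flow is None or flow["dst"] in LAN:
            continue  # unparseable, or traffic that never leaves the LAN
        decisions.append((str(flow["src"]), str(flow["dst"]), flow["dport"], decide(flow)))
        if flow["proto"] == "tcp" and flow["dport"] in (80, 443) and flow["src"] != PROXY:
            bypass.add(str(flow["src"]))
    return decisions, sorted(bypass)


# Constructed sample log, in the shape iptables' LOG target writes (not a real capture).
SAMPLE_LOG = [
    "kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=443",
    "kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.20 DST=59.124.41.245 LEN=60 PROTO=TCP SPT=41002 DPT=81",
    "kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.20 DST=59.124.41.242 LEN=60 PROTO=TCP SPT=41003 DPT=80",
    "kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.55 DST=198.51.100.53 LEN=72 PROTO=UDP SPT=5353 DPT=53",
    "kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40001 DPT=80",
    "kernel: EGRESS IN=br0 OUT=br0 SRC=192.168.1.55 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40002 DPT=3128",
    "kernel: something unrelated that is not a flow record",
]

if __name__ == "__main__":
    decisions, bypass = audit(SAMPLE_LOG)
    for src, dst, dport, verdict in decisions:
        print(f"{verdict:5} {src} -> {dst}:{dport}")
    print("direct web attempts bypassing the proxy:", bypass)
```

Run as a script it prints one verdict per outbound flow and then the hosts that tried to reach port 80/443 directly; with the constructed log that is the NAS (its port-80 check is not in the allow list even though its port-81 relay is) and the workstation at .55. The same structure transfers to a real deployment by swapping the constructed rules and log source for the firewall's own.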
RE: Synology Disk DS211J
Or, open those specific ports as needed, then close. PITA though (pain in the @ss)

-----Original Message-----
From: Jones, Barry [mailto:bejo...@semprautilities.com]
Sent: Thursday, September 29, 2011 4:14 PM
To: 'Matthew Palmer'; nanog@nanog.org
Subject: RE: Synology Disk DS211J

Yep!

-----Original Message-----
From: Matthew Palmer [mailto:mpal...@hezmatt.org]
Sent: Thursday, September 29, 2011 2:31 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some
> captures to look at the protocols, and noticed that the DS1511+ is
> making outgoing connections to 59.124.41.242 (www) and 59.124.41.245
> (port 81 & 89) on a regular basis. These addresses are owned by Synology and
> Chungwa Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can trust, and has a "default deny" rule in place even for outgoing connections.

- Matt
RE: Synology Disk DS211J
Yep!

-----Original Message-----
From: Matthew Palmer [mailto:mpal...@hezmatt.org]
Sent: Thursday, September 29, 2011 2:31 PM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some
> captures to look at the protocols, and noticed that the DS1511+ is
> making outgoing connections to 59.124.41.242 (www) and 59.124.41.245
> (port 81 & 89) on a regular basis. These addresses are owned by Synology and
> Chungwa Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can trust, and has a "default deny" rule in place even for outgoing connections.

- Matt
Re: Synology Disk DS211J
----- Original Message -----
> From: "Nathan Eisenberg"
> > And this is why the prudent home admin runs a firewall device he or she can
> > trust, and has a "default deny" rule in place even for outgoing connections.
>
> The prudent home admin has a default deny rule for outgoing HTTP to
> port 80? I doubt it.

Why not? You can poke holes in it specific to *workstations*; anything that isn't a workstation doesn't generally need to be phoning home without you knowing about it...

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
RE: Synology Disk DS211J
> And this is why the prudent home admin runs a firewall device he or she can
> trust, and has a "default deny" rule in place even for outgoing connections.
>
> - Matt
>

The prudent home admin has a default deny rule for outgoing HTTP to port 80? I doubt it.
Re: Synology Disk DS211J
On Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some
> captures to look at the protocols, and noticed that the DS1511+ is making
> outgoing connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 &
> 89) on a regular basis. These addresses are owned by Synology and Chungwa
> Telecom in Taiwan.

And this is why the prudent home admin runs a firewall device he or she can trust, and has a "default deny" rule in place even for outgoing connections.

- Matt
Re: Synology Disk DS211J
In a message written on Thu, Sep 29, 2011 at 12:11:48PM -0700, Jones, Barry wrote:
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>
> GET / HTTP/1.1
> Host: 59.124.41.245:81
> Accept: */*

Perhaps a little further digging was in order? For instance, putting the IP and port in a web browser (http://59.124.41.245:81) which returns:

    Current IP Check
    Current IP Address: REDACTED

Looking at Synology's web page we find:

http://www.synology.com/dsm/internet_connection.php?lang=us

If they are going to do things like UPNP to open a port, and then DDNS to let you get there from the outside world then the box needs to know your outside NAT address, and simple relays like this are the best bet. It's another ugly hack to get around the problems of a NAT in the middle.

I bet the box also checks for a new version of software from time to time.

While I would like vendors to better disclose the "phone home" behavior of their devices, virtually every computing device does this in some way or another if only to check for new software. Windows and Macs check a web server to know if you are "connected to the internet" or not. NAT traversal often uses a relay. DDNS registrations need the real IP, and so on.

Not much to see here, really, other than how ugly some of our protocols are in the real world.

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
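Both sides of the exchange Leo describes, run on loopback, to show why a box behind NAT sends a bare GET / to a relay: the relay answers with whatever source address it saw, which after NAT is the public one, and that is what a DDNS registration or a UPnP-opened port needs. This is an added example, not code from the thread or from Synology; the request line and Host/Accept headers follow the capture quoted above, with Connection: close added so the client can read to end of stream, and the reply is modelled on the "Current IP Check" / "Current IP Address:" text Leo saw (the surrounding HTML is an assumption).

```python
"""A minimal 'what is my IP' relay and the client side that uses it.
Added example for the NANOG thread; on loopback the reported address is
127.0.0.1, behind a NAT it would be the outside address the relay saw."""
import re
import socket
import threading


def reflector_response(peer_ip):
    """Build the reply the relay sends: a tiny HTML page carrying the peer's source address.
    Only the two text fragments seen in the thread are taken from it; the markup is assumed."""
    body = ("<html><head><title>Current IP Check</title></head>"
            f"<body>Current IP Address: {peer_ip}</body></html>")
    return ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n{body}").encode()


def serve_once(listener):
    """Relay side: accept one connection, read the request headers, answer with the peer address.
    Anything that is not a GET gets a 405, so the relay does nothing but reflect."""
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        if buf.startswith(b"GET "):
            conn.sendall(reflector_response(peer_ip))
        else:
            conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


ADDR_RE = re.compile(r"Current IP Address:\s*([0-9]{1,3}(?:\.[0-9]{1,3}){3})")


def fetch_external_ip(host, port):
    """Client side, as the NAS does it: the same GET the capture showed, then parse the address."""
    request = (f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nAccept: */*\r\n"
               "Connection: close\r\n\r\n").encode()
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    match = ADDR_RE.search(data.decode(errors="replace"))
    return match.group(1) if match else None


def demo():
    """Start the relay on an ephemeral loopback port, query it once, return the reported address."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_once, args=(listener,), daemon=True)
    server.start()
    try:
        return fetch_external_ip("127.0.0.1", port)
    finally:
        server.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print("relay reports our address as:", demo())
```

The relay never learns anything the NAT did not already expose in the packet header, which is the point Leo makes: the mechanism is crude but it is just an echo of the source address. From the network owner's side, the useful thing is that the exchange is plain HTTP on a fixed host and port, so it is easy to recognise in a capture and to allow or deny explicitly rather than leaving egress open.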