[clamav-users] Clam AV on NAS/Personal Cloud Device?

G.W. Haywood clamav at jubileegroup.co.uk
Fri Sep 2 15:20:20 UTC 2022


Hi there,

On Fri, 2 Sep 2022, tim.pennick--- via clamav-users wrote:

> Apologies for the OT follow-up.  I attempted to send this off list, but was
> rejected.

Sorry, my mail system is a bit picky about replies to mailing list posts. :)

> Very many thanks for your extremely helpful response.  I wonder if you could
> clear up a point you raise as I'm not a security expert, but am concerned
> that I might be adding unnecessarily to the risks of a security breach.

Concern about these things is good. :)

> You say:
>
> "NAS devices respond to requests to read and write data which come from the
> other devices on the network.  For backup, my own feeling is that I'd much
> rather have something which makes calls to the devices being backed up to
> ask for the data but does *not* respond to devices which try to command it.
> Effectively there's a firewall between the devices being backed up and the
> backup device.  Then if ransomware or similar manages to compromise any of
> the devices being backed up, it can't get to the backup device to do any
> damage there and you have a much better situation to recover from."
>
> Do you have a product or type of product in mind which would satisfy your
> criteria?

Yes.  Something like 'BackupPC'.  It won't quite tick all the boxes without
a bit of work on the box on which it runs, but a little bit of firewalling
can go a long way.  I'm sure there must be others but that's what I've been
using for many years.

> Wouldn't it be just as dangerous to allow a storage device to
> command a client device to perform a particular task, as vice versa?

No, absolutely not.  The ideal would be to harden a backup device so
that, even if the devices it's backing up are compromised, it can't
itself be compromised.  The backup device says in effect "Please send
some data." and it doesn't care a hoot what data gets sent because its
one and only job is to accept any amount of random data that anything
on the network cares to send to it *after* receiving such a request.

If a device tries to connect to the backup box to instruct it to do
something, the backup box ignores it - and hopefully writes a warning
in the logs somewhere, or sends mail, or whatever kind of alert the
system administrator prefers.

We're OT for this list so I won't go into more detail but if you do a
bit of reading about firewalls you'll start to get the picture.  You
can have a firewall anywhere, it doesn't have to be just at a network
perimeter like in your modem/router.  It just seems like common sense
to me to have at least a firewall between the backup and the things it
backs up.  An air gap is better, but more effort and less convenient.

-- 

73,
Ged.
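
An added example, not part of Ged's message and not BackupPC's own
configuration: one way to express the firewall described above as an
nftables ruleset loaded on the backup box itself.  It assumes a Linux
host with nftables; the table name, log prefix and rate limit are
illustrative choices.

```nftables
#!/usr/sbin/nft -f
# Constructed example for a pull-only backup host.
# Table name, log prefix and rate limit are illustrative assumptions.

table inet backup_box {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local processes talking to each other.
        iif "lo" accept

        # Replies to connections the backup box opened itself: this is
        # the data arriving *after* it has said "Please send some data."
        # ICMP errors tied to those connections arrive as "related".
        ct state established,related accept

        ct state invalid drop

        # IPv6 cannot find its neighbours or router without these.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Anything left is a device trying to open a connection to the
        # backup box.  Log it (rate limited so one noisy host cannot
        # flood the log), count it, then fall through to policy drop.
        ct state new limit rate 10/minute log prefix "backup-box unsolicited: " level warn
        counter
    }

    chain forward {
        # The backup box is not a router.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # The backup box may call out to the machines it backs up.
        type filter hook output priority 0; policy accept;
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it.
The log lines go to the kernel log, where a log watcher can turn them
into mail or whatever alert the administrator prefers.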

