NAS Security Audit & Architecture

Date: 2026-01-07
Topology: Option B (Deco = home router, GL-iNet = enclave)


NAS Discovery Status

Current Finding: NOT VISIBLE IN NETWORK SCAN

Discovery Attempts:

  • Not found in Tailscale device list
  • Not found in ARP table (by name)
  • Port scan needed to identify by open ports

Network Placement:

Internet → ISP Modem → Deco Mesh Router (Primary)
   ├── Network: 192.168.68.0/22
   ├── SSID: Deco-Home (trusted)
   ├── Devices:
   │   ├── BlueFly Mac (192.168.68.69)
   │   ├── NAS (Synology)  ← PLACE HERE
   │   └── Other home devices
   └── WAN → GL-iNet Router
           │
           GL-iNet Router (Agent Enclave)
            ├── Network: 192.168.8.0/24
            └── SSID: AgentMesh (untrusted)

Why Deco LAN:

  • Trusted network (not AgentMesh)
  • High-value asset protection
  • Wired connection preferred
  • Not exposed to agent experiments

Architecture:

  • Install Tailscale on Synology (package or Docker)
  • MagicDNS: nas.tailcf98b3.ts.net
  • Access via Tailscale ACLs (admin devices only)
  • No QuickConnect (replaced by Tailscale)

Tailscale ACL Configuration:

{
  "acls": [
    {
      "action": "accept",
      "src": ["tag:admin"],
      "dst": [
        "nas.tailcf98b3.ts.net:5001",
        "nas.tailcf98b3.ts.net:443"
      ],
      "proto": "tcp"
    }
  ],
  "tagOwners": {
    "tag:admin": [
      "bluefly-m4.tailcf98b3.ts.net",
      "gitlab-m3max.tailcf98b3.ts.net"
    ]
  }
}
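To check that the policy above really yields the intended default-deny behaviour before pushing it to the tailnet, the following added example (not part of the original audit page, and not Tailscale's own policy engine) evaluates the "acls" section against a few constructed connection attempts. It implements a simplified subset of Tailscale's matching rules: sources are tags or hostnames, destinations are host:port with "*" or a numeric range for the port, and anything no accept rule matches is denied. The DEVICE_TAGS inventory is an assumption; it treats the two hosts listed under tagOwners as the devices that carry tag:admin, and adds a hypothetical untagged agent node.

```python
from typing import Dict, List, Set

# The ACL policy from this page; only the "acls" section is evaluated here.
POLICY = {
    "acls": [
        {
            "action": "accept",
            "src": ["tag:admin"],
            "dst": ["nas.tailcf98b3.ts.net:5001", "nas.tailcf98b3.ts.net:443"],
            "proto": "tcp",
        }
    ]
}

# Constructed device inventory (assumption): which tags each tailnet node carries.
DEVICE_TAGS: Dict[str, Set[str]] = {
    "bluefly-m4.tailcf98b3.ts.net": {"tag:admin"},
    "gitlab-m3max.tailcf98b3.ts.net": {"tag:admin"},
    "agent-box.tailcf98b3.ts.net": set(),  # hypothetical AgentMesh node, no tags
}


def _port_matches(spec: str, port: int) -> bool:
    """Port spec is '*', a single port, or 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _src_matches(entry: str, device: str) -> bool:
    """A src entry is '*', a tag the device carries, or the device's own name."""
    if entry == "*":
        return True
    if entry.startswith("tag:"):
        return entry in DEVICE_TAGS.get(device, set())
    return entry == device


def is_allowed(policy: dict, src_device: str, dst_host: str, dst_port: int,
               proto: str = "tcp") -> bool:
    """Default deny: return True only if some accept rule matches src, dst and proto."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        # A rule without "proto" applies to every protocol.
        if rule.get("proto") not in (None, proto):
            continue
        if not any(_src_matches(s, src_device) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, port_spec = dst.rpartition(":")
            if host in ("*", dst_host) and _port_matches(port_spec, dst_port):
                return True
    return False


def audit_policy(policy: dict) -> List[str]:
    """Return human-readable verdicts for the constructed probes."""
    nas = "nas.tailcf98b3.ts.net"
    probes = [
        ("bluefly-m4.tailcf98b3.ts.net", nas, 5001, "tcp"),   # admin -> DSM HTTPS
        ("bluefly-m4.tailcf98b3.ts.net", nas, 445, "tcp"),    # admin -> SMB (not listed)
        ("agent-box.tailcf98b3.ts.net", nas, 5001, "tcp"),    # untagged agent -> DSM
        ("bluefly-m4.tailcf98b3.ts.net", nas, 5001, "udp"),   # wrong protocol
    ]
    return [f"{s} -> {d}:{p}/{pr}: {'ACCEPT' if is_allowed(policy, s, d, p, pr) else 'DENY'}"
            for s, d, p, pr in probes]


if __name__ == "__main__":
    print("\n".join(audit_policy(POLICY)))
```

The interesting verdicts are the denials: an admin device still cannot reach SMB on 445 because the rule lists only 5001 and 443, and the untagged agent node reaches nothing at all, which is exactly the "admin devices only" intent stated above.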

Synology Hardening Checklist

Identity & Authentication

  • Disable default admin account
  • Enforce 2FA for all admin accounts
  • Enable account lockout

Patch & Packages

  • Keep DSM updated
  • Update packages regularly
  • Disable legacy protocols (SMB1, Telnet)

Network Exposure

  • No UPnP
  • Disable QuickConnect
  • DSM firewall: Allow only Deco LAN + Tailscale tag:admin

Storage Safety

  • Enable snapshots (Snapshot Replication)
  • Backup strategy: Local + External + Offsite
  • Test restore monthly

Agent Access to NAS (Controlled)

Recommended Pattern: Gateway Host

AgentMesh (192.168.8.0/24)
   ↓ (Tailscale)
Gateway Host (BlueFly Mac)
   ↓ (Local network)
NAS (192.168.68.x)

Do NOT:

  • Give AgentMesh subnet blanket SMB access
  • Allow agents to access admin shares
  • Expose DSM admin UI to agents
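The gateway pattern only holds if the NAS itself refuses traffic from the AgentMesh subnet, which is what the "DSM firewall: Allow only Deco LAN + Tailscale" item in the checklist provides. The following added example (not from the original page, and not Synology's rule format) models that firewall as an ordered allowlist with a trailing default deny and runs constructed probes from each population through it: the gateway host on the Deco LAN, an AgentMesh node, and a Tailscale peer. Assumptions: rules are matched top-down with first match winning, 100.64.0.0/10 is used as the Tailscale node range, and the per-rule port sets are illustrative. Restricting Tailscale peers to tag:admin is left to the Tailscale ACL; an IP-level firewall cannot see tags.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed DSM firewall model (added example). Ordered rules, first match wins.
FIREWALL_RULES: List[Dict] = [
    {"action": "allow", "src": "192.168.68.0/22", "ports": {445, 5000, 5001}},  # Deco LAN
    {"action": "allow", "src": "100.64.0.0/10",   "ports": {443, 5001}},        # Tailscale peers
    {"action": "deny",  "src": "0.0.0.0/0",       "ports": None},               # default deny
]


def decide(rules: List[Dict], src_ip: str, port: int) -> str:
    """Return 'allow' or 'deny' for a TCP connection from src_ip to the NAS on port."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr not in ipaddress.ip_network(rule["src"]):
            continue
        # ports None means "any port"; otherwise the port must be in the set.
        if rule["ports"] is not None and port not in rule["ports"]:
            continue
        return rule["action"]
    # Nothing matched: deny, the safe "if no rules are matched" setting.
    return "deny"


def audit(rules: List[Dict], probes: List[Tuple[str, str, int]]) -> Dict[str, str]:
    """Evaluate (description, src_ip, port) probes and map description -> decision."""
    return {desc: decide(rules, ip, port) for desc, ip, port in probes}


def agentmesh_is_sealed(rules: List[Dict], subnet: str = "192.168.8.0/24",
                        ports: Optional[Set[int]] = None) -> bool:
    """True if no probed port is reachable from any address in the AgentMesh subnet.

    Samples the first, a middle and the last host address rather than all 254.
    """
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())
    sample = [str(hosts[0]), str(hosts[len(hosts) // 2]), str(hosts[-1])]
    ports = ports or {22, 80, 443, 445, 5000, 5001, 2049}
    return all(decide(rules, ip, p) == "deny" for ip in sample for p in ports)


# Constructed probes covering the three populations on this page.
SAMPLE_PROBES = [
    ("gateway host SMB",       "192.168.68.69",   445),
    ("agentmesh node SMB",     "192.168.8.50",    445),
    ("agentmesh node DSM UI",  "192.168.8.50",    5001),
    ("tailscale peer DSM UI",  "100.101.102.103", 5001),
    ("deco LAN SSH",           "192.168.68.69",   22),
]

if __name__ == "__main__":
    for desc, decision in audit(FIREWALL_RULES, SAMPLE_PROBES).items():
        print(f"{desc:24s} -> {decision}")
    print("AgentMesh sealed:", agentmesh_is_sealed(FIREWALL_RULES))
```

Note that the Deco LAN rule deliberately omits port 22, so even the gateway host is denied SSH; if the checklist's "allow only Deco LAN" were implemented as an any-port allow, the ports the hardening section wants closed would stay reachable from every home device.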

Discovery Commands

# Check ARP table
arp -a | grep -iE "synology|dsm|nas"

# Discover SMB services
dns-sd -B _smb._tcp local

# Port scan (replace IP)
# Note: timeout(1) is GNU coreutils; on a stock macOS host use gtimeout
# or the built-in connect timeout of macOS nc (nc -z -G 1).
NAS_IP="192.168.68.X"
for port in 22 80 443 445 5000 5001 2049; do
  timeout 1 nc -vz "$NAS_IP" "$port" 2>/dev/null && echo "Port $port: OPEN"
done
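The ARP check above matches on hostnames, which is why the finding was "not found in ARP table (by name)": arp -a on macOS prints "?" for hosts without a reverse name, so a NAS with no DNS entry is invisible to the grep. Matching on the MAC vendor prefix instead finds it regardless of naming. The following added example (not part of the original page) parses arp -a output and flags entries whose OUI belongs to Synology; the sample output is constructed. It normalises the octets first because macOS prints them without leading zeros ("0:11:32:..." rather than "00:11:32:..."), which would otherwise defeat a prefix comparison. The OUI table holds 00:11:32, the MA-L block registered to Synology; confirm it against the IEEE registry before relying on it for your own inventory.

```python
import re
from typing import Dict, List, Optional

# Vendor prefixes to look for. 00:11:32 is the IEEE MA-L block registered to
# Synology; verify against the IEEE OUI registry before relying on it.
KNOWN_OUIS: Dict[str, str] = {"00:11:32": "Synology"}

# Matches macOS/BSD `arp -a` lines, e.g.
#   ? (192.168.68.1) at 80:ea:7:1c:2d:3e on en0 ifscope [ethernet]
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\)) on (?P<iface>\S+)"
)

# Constructed sample output; 192.168.68.120 is a made-up address carrying the Synology OUI.
SAMPLE_ARP = """\
? (192.168.68.1) at 80:ea:7:1c:2d:3e on en0 ifscope [ethernet]
? (192.168.68.69) at f0:2f:4b:a:b:c on en0 ifscope permanent [ethernet]
? (192.168.68.120) at 0:11:32:9a:bc:de on en0 ifscope [ethernet]
? (192.168.68.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
? (192.168.71.5) at (incomplete) on en0 ifscope [ethernet]
"""


def normalize_mac(mac: str) -> str:
    """Zero-pad each octet and lowercase: '0:11:32:9A:bc:de' -> '00:11:32:9a:bc:de'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse arp -a output into rows with ip, mac, iface and a vendor guess from the OUI."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m or m["mac"] == "(incomplete)":
            continue  # unresolved entries carry no hardware address
        mac = normalize_mac(m["mac"])
        rows.append({
            "ip": m["ip"],
            "mac": mac,
            "iface": m["iface"],
            "vendor": KNOWN_OUIS.get(mac[:8]),  # first three octets = OUI
        })
    return rows


def find_candidates(text: str, vendor: str = "Synology") -> List[str]:
    """IPs whose MAC OUI maps to the given vendor; the NAS placement check starts here."""
    return [row["ip"] for row in parse_arp(text) if row["vendor"] == vendor]


if __name__ == "__main__":
    # In practice: subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    for ip in find_candidates(SAMPLE_ARP):
        print(f"Synology candidate: {ip}")
```

Once a candidate IP is in hand, the port loop above confirms it is DSM (5000/5001 open) and also tells you whether its address falls inside 192.168.68.0/22 as the placement diagram requires, rather than inside the AgentMesh range.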