Naim music servers. - security ?

Posted by: PBenny1066 on 10 October 2011

I am very wary about Internet security on my home network and rarely leave anything permanently on. Lots of electrical storms here too, which means I don't even leave the NAS permanently switched on.

The device that is on for most time is my Unitiserve HD. So my question is - is there any security installed on the U/ S ? E.g. My NAS has its own firewall. The router (Apple) also has it's own firewall of course.

Am I waorrying over nothing ? Views appreciated, especially from those more knowledgable about networks than me.

Cheers, Paul

Posted on: 10 October 2011 by Simon-in-Suffolk

Paul, when you say 'security' what are you referring to exactly? Are you referring go the integrity of the media on your NAS? Or are you worried about your Internet firewall or viruses or Trojans infecting other machines on your network? Or are you worried about authentication of users on your LAN and gaining access to your media?
If you run an Internet firewall, ana a PC firewall and a good virus guard on your DMZ host/primary surfing or web facing PC and don't execute anything downloaded in a web page or downloaded zip or executable unless absolutely certain about it you should be safe from issues from the Internet. If you are worried about neighbours hacking your wireless then use WPA2 enctyption, and if you are worried about plugging into your LAN, use port security offered on Cisco switches and similar.
Most Internet issues are caused by people downloading and running rogue apps. Easy to prevent, just don't do it.
Simon

Posted on: 11 October 2011 by okli

Hi Paul,

I think you are talking about the Internet connection necessary to synchronize the metadata with the external databases. Honestly speaking I don't have any idea what protocols / ports are necessary for these activity, because I don't own Naim server product. I'm of course wary as you are about my NAS and I simply setup my router to prohibit Internet connections from / to its IP - usually you can do this on the routers' config interface. However, this will cut your Internet connection to your US completely, so I'm afraid you'll need some way to synchronize its database - I'd ask Naim what should be open on your firewall for US in order to be able to synchronize the metadata - or perhaps there is some document describing the necessary network configuration (perhaps even in the manual?). It could be that you only need outgoing http connection, which won't compromise your security at all.

Hope this helps,

Ilko

Posted on: 11 October 2011 by PBenny1066

Simon, Ilko,

Thanks for the replies, I should have been more specific. I really meant viruses, trojans and the like entering my system through the U/S which is connected to Internet. The wireless is encrypted with WPA2, so no worries there. So I guess it comes down to how good is the firewall on my Apple Extreme router. Most of the time my MacBook is not connected to Internet, but the U/S is.

Cheers, paul

Posted on: 11 October 2011 by Peter_RN

Hi Paul…….If you wish to check the general security of your system including its acceptance/rejection to pings etc you could take a look at the ‘Shields Up’ website. Google ‘Shields up’ and take a look; they offer a port scan of your system that can be used to identify the state of your service ports. If you have a NAT router then you are half way there but it may just need tweaking. There is a lot of useful info on the site.

This is something extra you could check and in no way alters the advice /info that Simon and Okli have given. I have used this site over several years to good effect.

Peter

Posted on: 11 October 2011 by DavidDever

Originally Posted by PBenny1066:

Yes–no need to worry; music servers make lousy targets for hackers, especially when there are more lucrative opportunities.

More importantly, Wi-Fi is an easy vector to compromise network security. Do make sure that you are using WPA2 encryption at a minimum; if you have any wireless devices that do not support WPA2, gently push them into the bin. (It's also a good opportunity to insure that said devices also support 5GHz 802.11n Wi-Fi as well.)

Posted on: 11 October 2011 by Simon-in-Suffolk

Hi Paul, without checking I can't confirm, but I suspect met data fetching is HTML post based or possibly WSDL based, but either way as far as the network or firewall is concerned it looks like regular web traffic. There is no executable. Also meta data is fetched from trusted sources. The worst rogue meta data could do is crash your ripper, if not properly written to handle errors.
On your router firewall, if you want to disappear from the Internet, just need to make sure you have no default host address on your LAN that incoming traffic is routed to. If you initiate all queries from your LAN to the Internet your Internet router will use PAT ( not NAT ) to map ports to addresses on your LAN to addresses on the Internet. Not only is this important with IPv4, it is a good security measure. (sometimes the term NAT is mistakenly used in consumer routers when they mean PAT that doesn't help :-( as NAT itself is not a good security measure )
Simon

Posted on: 11 October 2011 by Jack

Paul,

It's unlikely that there is any firewall running on the US. I would image that Naim have removed all unnecessary services on the US not with security in mind but probably for performance and SQ reasons. So from that perspective and given they don't know the topology of everyone's network a firewall would do little to help in reality. As other have said it's highly unlikely that your US would be hacked (although not beyond the realms of possibility) and so long as you undertake best practice from a security perspective in other aspects of your network/PCs etc then don't really need to worry.