@gwicksted - eviltoast
  • 0 Posts
  • 4 Comments
Joined 1 year ago
Cake day: November 16th, 2023



  • VPNs are complicated enough that security experts are the only ones typically working on them… and they have a relatively small surface area with few third-party dependencies. So it’s about the best you could hope for. I agree there’s still a deep amount of trust. Your OS is generally a greater threat though… and your network gear probably a lesser one.

    Whereas something like Synology’s web admin involves a web server running their software on a runtime (PHP? Python?), possibly with a database, where the web server, runtime, DB drivers, DB engine, ORM, web framework, and all their third-party modules are under continuous development and may not be patched. Plus they’re a targeted system because of their popularity. And they’re meant to be user friendly more than secure.

    But having a Cloudflare reverse proxy helps a little. So would running something like fail2ban on the logs, or a software-level firewall configured to detect abnormal data.

    Better would be to simply require a client certificate that you generate and distribute from an offline CA, have Cloudflare do TLS termination, then whitelist only their IP(s) and your intranet IPs on the Synology firewall.

    Or… just use a VPN lol
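The two defensive layers this comment suggests for a self-hosted web admin, the source-IP allowlist on the NAS firewall and a fail2ban-style jail over the access logs, as a small added example. This is editor-written illustration code, not anything from the commenter or from Synology, Cloudflare or fail2ban. The log format, the `/login` path, the networks in `ALLOWED_NETWORKS` (documentation ranges standing in for the proxy provider's published IPs and a home subnet) and the sample log lines are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist (placeholder values, NOT the proxy provider's real ranges):
# the reverse proxy's egress network plus the intranet. Anything else is dropped
# at the NAS firewall before it ever reaches the web admin.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # stand-in for the proxy's IPs (TEST-NET-3)
    ipaddress.ip_network("192.168.10.0/24"),  # constructed intranet range
]

# Minimal access-log shape assumed for this example:
#   <timestamp> <client-ip> "<METHOD> <path>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed sample lines: one proxied session, a brute-force burst from an
# unlisted address, a few failures from inside the intranet, and one junk line.
SAMPLE_LOG = """\
2024-01-10T08:00:01Z 203.0.113.7 "POST /login" 200
2024-01-10T08:00:05Z 198.51.100.9 "POST /login" 401
2024-01-10T08:00:06Z 198.51.100.9 "POST /login" 401
2024-01-10T08:00:07Z 198.51.100.9 "POST /login" 401
2024-01-10T08:00:08Z 198.51.100.9 "POST /login" 401
2024-01-10T08:00:09Z 198.51.100.9 "POST /login" 401
2024-01-10T08:01:00Z 192.168.10.42 "POST /login" 401
2024-01-10T08:01:02Z 192.168.10.42 "POST /login" 401
2024-01-10T08:01:04Z 192.168.10.42 "POST /login" 401
2024-01-10T08:01:06Z 192.168.10.42 "POST /login" 200
2024-01-10T08:02:00Z 203.0.113.8 "GET /dashboard" 200
not a log line at all
"""


def source_allowed(ip: str) -> bool:
    """Firewall rule: accept only the proxy's and the intranet's source addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Unparseable address: fail closed rather than letting it through.
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def parse_log(text: str):
    """Yield parsed records, skipping malformed lines instead of crashing on them."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(text: str, login_path: str = "/login", max_failures: int = 3):
    """Return (rejected_sources, ban_candidates).

    rejected_sources: addresses the firewall allowlist would have dropped.
    ban_candidates:   allowlisted addresses whose failed logins (HTTP 401 on the
                      login path) reached max_failures; what a fail2ban jail on
                      these logs would act on.
    """
    rejected = set()
    failures = Counter()
    for rec in parse_log(text):
        if not source_allowed(rec["ip"]):
            rejected.add(rec["ip"])
            continue
        if rec["path"] == login_path and rec["status"] == "401":
            failures[rec["ip"]] += 1
    bans = sorted(ip for ip, n in failures.items() if n >= max_failures)
    return sorted(rejected), bans


if __name__ == "__main__":
    rejected, bans = triage(SAMPLE_LOG)
    print("dropped by allowlist:", rejected)
    print("fail2ban candidates:", bans)
```

One caveat that matters once the proxy is in front: the source column of the NAS log then holds the proxy's address, so a jail keyed on it would end up banning the proxy itself. The real client address has to be taken from the header the proxy sets (for Cloudflare that is `CF-Connecting-IP`), and the log format, the regex and the ban action would need to use that field instead.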


  • I have a camera outside, I’m a pretty big guy, and my rack was built inside my office so it can’t be moved quickly.

    Oh, you mean digital security? Lol I have a lot of subnets and don’t forward in much traffic. The WiFi password I give out gets you on my kids’ network. Plus I run DPI and IDS. I use Cloudflare DNS (sometimes operating an internal Pi-hole too). And I don’t browse social media on PCs, only on mobile. The only holes punched from WiFi to internal are for printing. And even the wired clients are segregated from my work network.