This series will explore NAS technologies and the related issues. This first part studies the NAS functions of the DIR-626L, a neat 40 $/€ full-featured router with complete IPv6 capabilities.
The DIR-626L firmware tested here is : FW v1.03
The SharePort Mobile App version is : June 12 2014
Edited June 21 2014
1. The USB Shareport
The USB SharePort™ supports FAT32 and NTFS, with a 500GB limit.
There are two menu categories related to the Shareport functions :
. Media Server
2. The Media Server
There are only two options here :
. Enable / Disable
. Media Server name
All media added to the USB Shareport ( USB dongle or USB-HDD ) will be published by the DLNA server.
The DLNA catalogue is re-indexed when the DIR-626L reboots. You need to reboot to have newly added media indexed immediately. ( Waiting a little while seems to trigger the re-indexing automatically too. )
The Media Server is independent of the network share permissions ( Shareport menu ). Everything is read-allowed. There is no restriction.
The Media Server can't be accessed from the WAN; there is no option for this.
The DLNA access is very intuitive :
Under Windows ( Windows7+ ) go to network places.
Ubuntu / Gnome3 has no native tools yet. Still, VLC is a good DLNA client.
Do note that DLNA only streams media files ( video, audio and pictures ); documents ( .doc, .rtf, .txt, .pdf ) are not supported. Furthermore, some media formats are not supported.
The DIR-626L is DLNA 1.5 certified.
DLNA is short for Digital Living Network Alliance. It is an access API, for system and vendor independence. The files are downloaded, as with regular HTTP access ( mp3, ... ); it is not a netcast.
DLNA's aim is to offer simplified media sharing and interoperability.
DLNA is derived from UPnP. It is more restrictive than UPnP ( fewer media formats supported ) and adds some features ( like copy protection, DRM, ... ).
It defines a standard for moving movies, photos, music and other media from device to device. One of its aims is to be zeroconf.
More precisely, DLNA defines three concepts/roles : Server, Renderer, and Controller :
Server : content storage
Renderer : displaying the movie, playing the music, ...
Controller : remote control ( may be part of the renderer, or be a separate entity : Tablet, Smartphone, ... )
Theoretically, DLNA messages have a TTL of 4, thus supporting a few hops. In practice, I haven't seen any multi-hop ( i.e. cross-router ) implementation or success.
Finally, here are the DLNA specifications about supported media ( source www.dlna.org ) :
3. The Shareport Menu
The Shareport menu is where we do all the management : ports used, users, permissions, shares, WAN access, ...
The first section enables Shareport, sets the HTTP and HTTPS ports, and allows or disallows remote access :
Web file Access : Enable / Disable ( basic switch for the function )
Allow Remote Access : Enable / Disable ( allows WAN access )
The default port for HTTP is 8181 and for HTTPS is 4433.
User management section :
Besides the default accounts :
. admin account ( read/write on all folders )
. guest account ( read access, on no folder yet )
we can create additional users with passwords, modify passwords, or delete users.
Passwords are at most 15 characters long, and support special characters ( except in the SharePort Mobile App, see below ).
Shares ( mounting points ) and permissions section :
If the guest account or new users are to be used, share-point permissions must be created, to give them permissions and scope.
Do note a slightly tricky aspect : after creating or modifying a user, you have to hit the 'SAVE' button at the top of the page, or the changes will be discarded. The same goes for share-point permissions.
4. Enhanced Security: using custom ports
For better security, it is wise to change the default ports.
First, a few notes about ports selection :
quote : " The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. It is good practice to follow their port assignment guidelines. Having said that, port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 and should be avoided too. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used. Though nothing is stopping you from using reserved port numbers, our suggestion may help avoid technical issues with port allocation in the future. "
We won't use well-known ports ( 0-1023 ), nor will we use registered ports ( 1024-49151 ). Let's change the default settings to use private ports. Just pick them randomly in the 49152-65535 range.
I use an Excel Spreadsheet for easy and fast random draws. The OpenCalc formula for private ports used here is : =ENT(ALEA()*16384+49152)
Hold F9 to roll the dice :
( Do note that this formula is simplistic, as it is not even time-seeded. Use seeded formulas for better entropy ).
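The same draw taken from the operating system's CSPRNG rather than a spreadsheet, as an added example that is not part of the original post ( ENT and ALEA are the French-locale names of the INT and RAND spreadsheet functions ). The function names and the four-port scenario are assumptions made for the illustration; it goes slightly beyond the formula by keeping the drawn ports distinct and by classifying a port into the IANA ranges quoted above.

```python
import secrets

PRIVATE_LOW, PRIVATE_HIGH = 49152, 65535  # IANA dynamic/private range


def iana_range(port):
    """Classify a port into the three IANA ranges quoted above."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a valid port: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def draw_private_ports(count, exclude=()):
    """Draw `count` distinct private ports from the OS CSPRNG, skipping `exclude`."""
    taken = set(exclude)
    span = PRIVATE_HIGH - PRIVATE_LOW + 1  # 16384 candidates, as in the formula
    blocked = {p for p in taken if PRIVATE_LOW <= p <= PRIVATE_HIGH}
    if count > span - len(blocked):
        raise ValueError("not enough free private ports")
    chosen = []
    while len(chosen) < count:
        port = PRIVATE_LOW + secrets.randbelow(span)  # uniform over the range
        if port not in taken:
            taken.add(port)
            chosen.append(port)
    return chosen


if __name__ == "__main__":
    # Constructed scenario: HTTP and HTTPS ports for the Shareport menu, plus
    # two more for the Internet gateway's forwarding rules, all distinct.
    names = ["router http", "router https", "gateway http", "gateway https"]
    for name, port in zip(names, draw_private_ports(len(names))):
        print(f"{name:14} {port}  ({iana_range(port)})")
    print("defaults:", {p: iana_range(p) for p in (8181, 4433)})
```

Moving off the defaults only avoids scans aimed at 8181 and 4433; it does not change what the HTTP port sends in cleartext.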
5. Practical tests : Lan Access
Let's check the local ( LAN ) functioning, using a PC and a Tablet as clients :
Using a web browser, the NAS user GUI is accessed using ( with 192.168.2.1 as the NAS LAN IP, keeping default ports ) :
Using these addresses for IPv4 :
Using these addresses for IPv6 :
HTTPS is functioning OK, and IPv6 is supported.
Still, two issues quickly arise :
Browser access and the D-Link SharePort Mobile app only allow uploading one file at a time.
DLNA gives no write access.
What are the options to upload multiple files at once ( like a music album ) ?
One solution is to turn off the router, take out the USB dongle and plug it into a computer.
Another solution, which is quite worrisome to me, is through SMB :
You just manually map the drive using :
\\192.168.2.1\ ( for Windows )
smb://192.168.2.1/ ( for Linux or Mac )
There is no login, and it gives full read/write access over the whole storage space.
Still, it doesn't seem to leak to the WAN side.
DLink SharePort Mobile App
Besides the Web GUI, D-Link provides an iPhone/Android app. There are a number of limitations to the SharePort Mobile App :
1. The https port doesn't seem supported ( thus no crypto !! )
2. It doesn't seem to support IPv6
3. It doesn't work with passwords using special characters ( only digits and upper/lower-case letters ). Maximum length : 15.
The positive aspects :
1. It does use credentials
6. Practical tests : Local Wan Access
Let's check the local WAN functioning, staying inside the home network, using a PC and a Tablet as clients :
Nothing much changes here, we just have to allow WAN access in the Shareport Menu.
One fun, interesting and very logical tip to note :
using the DIR-626L WAN IP in our browser/app settings allows the PC and the Tablet to freely roam through both subnets, as :
. When on the Wan side of the DIR 626L, they access the Wan IP
. When on the Lan side, they just cross the router to reach its Wan side
Thus no reconfiguration is needed.
7. Practical tests : Remote (Internet) Wan Access
Let's check the global WAN functioning, accessing from the Internet using a PC and a Tablet as clients :
Nothing changes from the In-Network Wan access, except that we need some port forwarding for IPv4. As for IPv6, we only need to take care of our Internet Gateway's firewall.
As a quick reminder, here is the port forwarding topology. Notice that we chose random, private ports for the Internet gateway to forward :
Everything works OK, and as expected.
Using these addresses for IPv4 :
Using these addresses for IPv6 :
The SharePort Mobile App still supports neither the https port nor IPv6.
8. Security Issues
We finish our tour with the security issues in the WAN ( Internet ) access scenario, for the three types of access ( Web HTTP, Web HTTPS, SharePort Mobile App ).
As a reminder, here is what is to be expected from HTTP and HTTPS :
HTTP Web Access :
login : cleartext
password : cleartext
data confidentiality : no
data integrity : no
HTTPS Web Access :
login : encrypted
password : encrypted
data confidentiality : yes
data integrity : yes
Since the SharePort Mobile App uses only the HTTP port, it is tied to HTTP's fundamental insecurity.
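To check which of the services discussed on this page actually answer from a given vantage point ( LAN side or WAN side ), here is a small audit, added as an example and not part of the original post. The service table, the function names and the use of the standard SMB ports 139/445 are assumptions; the page itself only gives the SharePort defaults 8181 and 4433.

```python
import socket

# port -> (service, risky?, note). 8181 and 4433 are the SharePort defaults from
# this page; 139/445 are the standard SMB ports (assumed: the page names none).
SERVICES = {
    8181: ("SharePort HTTP", True, "login, password and data in cleartext"),
    4433: ("SharePort HTTPS", False, "encrypted web access"),
    139: ("SMB over NetBIOS", True, "share with no login, full read/write"),
    445: ("SMB over TCP", True, "share with no login, full read/write"),
}


def tcp_open(host, port, timeout=1.0):
    """Return True if host:port accepts a TCP connection (IPv4 or IPv6)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host, services=SERVICES, probe=tcp_open):
    """Return (findings, verdict) for the services reachable from where this runs."""
    findings = []
    for port, (name, risky, note) in sorted(services.items()):
        if probe(host, port):
            findings.append((port, name, "RISK" if risky else "ok", note))
    verdict = "FAIL" if any(level == "RISK" for _, _, level, _ in findings) else "PASS"
    return findings, verdict


if __name__ == "__main__":
    # Constructed LAN-side result (not a real scan): web ports and SMB all answer.
    lan_view = {8181, 4433, 445}
    findings, verdict = audit("192.168.2.1", probe=lambda host, port: port in lan_view)
    for port, name, level, note in findings:
        print(f"{level:4} {port:5} {name}: {note}")
    print("verdict:", verdict)
```

Call `audit(host)` with the default probe once from the LAN and once from outside, passing your own `services` mapping if you changed the ports; a WAN-side PASS means neither the cleartext HTTP port nor SMB is reachable.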
9. Final Thoughts
The DIR-626L is a great little piece of hardware for a first step into the world of NAS technologies, being fitted with full IPv6 capability and an intuitive, easy-to-use firewall, as we've seen in previous posts.
My only concerns come from the SharePort Mobile App and the SMB access :
While really cool and fun to use, the SharePort Mobile App doesn't support IPv6. It doesn't support special characters in passwords. Worse, it isn't able to use the https port. For all these reasons, I deem it totally insecure, and unfit for any WAN use. As for using it inside your personal LAN, it's your choice ( and depends on the amount of trust you have in your LAN security ). Waiting for an update of this app.
As for the open SMB access, it defeats any LAN-side user management. As much as it may be a welcome solution to the 'uploading multiple files at once' problem, it creates a real LAN insecurity, as any LAN host may write and delete any files and folders. Again, you have to trust your LAN.
So I'm waiting for an update to the App and to the DIR-626L firmware, to perfect this great piece of hardware.