You have to open firewall ports to the Synology box, unless you run wide open, which I don't think is a good idea. Unless you have a DMZ, you have outside traffic on your internal network. Synology can't fix that.
You are right. I am more worried about local web servers and local networks being compromised than I am about either Google Workspace being compromised or somebody at Google taking my images.
It doesn't work that way. All you have to do is join the free 'connect.to' service of Synology and they provide some sort of tunnel from their servers to the DiskStation through the CloudStation app. I do not know how it works exactly, although I wondered. If you cut the power to your DiskStation you get an email stating 'connection to ... was lost at ... time'.
I used to have a DMZ with a small Synology running a website where clients could order images while the large original files and database were on a large Synology on the local network. So I do know what you are talking about, but this CloudStation scenario works differently.
Not by design. I don't know of anyone who has set out to design an unsafe VPN. VPN quality is variable, and hard for IT people to understand, especially if not widely implemented with many customers. I wouldn't necessarily trust Synology's implementation. Do you know where their technology came from?
If people can access the Synology-served photos from a web browser, it needs more than a VPN connection to the internet. If they are doing their own hosting for the web users, then the VPN connection is sufficient.
And I guess that as long as the Synology and other computers are on the local network the files never touch the Internet but are exchanged between the CloudStation apps on the Synology and the computers, as you also have to install a CloudStation app on each computer that wants to participate.
Nothing. I thought people were saying that Synology did all the security, and the user didn't have to worry about it. I don't see how that's possible. The user needs to open the ports the Synology needs open, and figure out a way to not have those ports open to other boxes than the Synology boxes. That sounds like the user needs to be responsible for the security of the network.