In my case, it’s a NetGear ReadyNAS 2100, but generally speaking I haven’t seen much discussion on this. What could go wrong?
Not very. I run an enterprise NAS from 2009. Software hasn’t been updated since 2012.
As long as you don’t exspose it to the interwebs, you’re fine.
If you can completely isolate it so that only management network+ unRAID are reachable, then it’s fine.
Outside network is one attack domain, however don’t forget that if your PC or other mobile devices on network are infected by virus or malware, they can initiate attack from inside, look at the case of WannaCry in the past.
I have an old ReadyNAS I use for offline backups. Only turn it on to xfer already encrypted folders to it, then turn it off.
You should be able to even unplug the CAT and xfer with usb
It is only as risky as it is attackable.
If you use it internally and segment things so that only your server can reach it, then it is essentially impossible to attack.
Then on the other hand, is your network secure? How easy would it be to get in? Where is the weak point? You have to remember that this is a home. It is not likely to be a large target and generally as long as you have any kind of intelligence you will be fine.
So realistically, you will be fine as long as you don’t host it out to the internet in any ways.
You will be fine with just a few simple things to make sure of:
- The hardware will probably be just fine.
- Just dont hang your data out on the internet . If you just need remote access to manage the NAS then a jump sever like Gucamole in a DMZ or container somhow will be great. If you want remote access to your actual data over SMB and such then options like Tailscale may be useful to you.
- Look into other backup methods like Backblaze or similar if the data has any value. You could even setup rync to another location.
You can update that to v6 that should be safe enough, there are guides online
See this post:
As long as it is not reachable from any untrusted network like the Internet. It’s as safe as your home network is.
Give it a hardening so that it has a resilient configuration. Allow only internal access from needed devices only. No security updates don’t means that your are affected from the next vulnerability