tl;dr
Use Pfsense.
Check out Sandboxie.
Use an Ad blocker like uBlock Origin.
Check into whole disk sandboxing.
Become a backup freak.
Learn what Shodan and Censys are, as well as Zmap, to help you know your potential enemy. Go beyond that with Metasploit. Though, not required.
Ditch traditional anti-virus software.
Check out the software Hash Tools to generate the SHA256 hash of a download and search for that hash at Virus Total. If no hash is available at Virus Total, upload the downloaded file to Virus Total. (Though, they'll get a copy of the file and it will be probed by any researcher and what have you. I uploaded something called a canary token and I saw a lot of China...).
I'm not going to try and answer questions one through two because there's a lot of conjecture mixed with lack of knowledge. So I'll state what you should look into and offer my opinion on this whole setup. However, I can answer question number 3. You do not want to use IPSEC or PPTP. If you don't know what those protocols are, then use the power of the Internet and look them up. You'll probably find yourself at Wikipedia. What you should use (and I'm assuming you are already) is OpenVPN 128, or for the super paranoid 256. 128 is all you really need. 256 may degrade speed, but I doubt it. OpenVPN also offers XOR and ECC and one of those would work as well, especially in conjunction with port 443 trying to get past a restrictive firewall while making a connection to the NAS.
I've run XP on a netbook with Internet access that used a program for a local FTP server and a software called PhoneTray. This little netbook was connected to an external mouse, keyboard and monitor and ran 24/7; I called it the "Kitchen Kiosk." Did it ever get hacked or somehow magically get a virus? No. And I knew that to be true because I'm not ignorant of the fact that just because a computer runs XP, Windows 98se or something else, it doesn't just get pwned. What it comes down to is how you use and operate the machine! Most of the time it's the operator, not the software, hardware, or firmware, but they do play a role depending on the situation. I even ran ten, count them, 10 instances of XP in a virtual machine for a project and no hacker crap, viruses and what have you. Yes, they all had Internet access.
About Windows Defender - or any anti-virus software for that matter. It's all crap! Yes, that's right, c-r-a-p, crap. For the most part they are only definition based. Meaning if they don't have a definition for whatever virus was packed in that downloaded image or whatever you downloaded or interacted with, you're infected. It's called polymorphic and it's how ransomware works. Now because anti-virus companies know about this limitation they introduce another technology called heuristics. What that does is constantly monitor your interaction on the computer and if the anti-virus thinks there's a nasty no-no, it stops the execution of a program or whatever. Problem with this is that nine times out of ten they are all false positives and serve to be nothing but a major annoyance, create a lack in productivity, and probably for some, a certain sense of paranoia that "something bad" is going on when in fact it isn't. Ask yourself something. When was the last time your anti-virus REALLY stopped a major threat just surfing the Internet and not messing around with a torrent and other junk? Something else is that anti-virus software is nowadays massively over-bloated, and is a major privacy concern. Yes, they are watching what you do since the software intercepts your Internet connection. What? You thought that padlock in the address bar meant secure? Not when there's anti-virus software involved. Here's just a quick read on Kaspersky.
US government bans agencies from using Kaspersky software over spying fears | Technology | The Guardian
It doesn't really matter what software it is. All report to a server with telemetry...
So what's the mitigation strategy here since traditional snake oil anti-virus software is out? Well, that depends on how the computer(s) are used. The first would be proper training and continued training of employees. And that's easier said than done. -rant on- Most people just don't understand computers and what have you. Let alone know who the vice president was during George Washington's administration... Point being, most people could tell you all about season two of Fear The Walking Dead and yet could give two shts less about computer security, privacy and what not. Especially true for a phone, tablet or router. Yet somehow these same people with a "no two F's about it" mentality vilify the NSA and praise Edward Snowden like he's some kind of savior. All he did was confirm what I already knew. -rant off-
So, education is one thing about security. The next is software that can help mitigate the crap before it hits the proverbial fan. In my opinion sandboxing the infrastructure could go a long way. Whether that's in the computer or at the server level. The goal here is that if there are any shenanigans, it doesn't stick to the environment. A quick reboot and it's gone. For my browser I use something that is now free and open source called Sandboxie. But you need to read all about it. And it can be cumbersome at first. This is true for all security. There's always an element of cumbersomeness. There's also other software out there for whole disk sandboxing. This is where nothing gets committed to the hard drive unless A) specific paths are whitelisted, or B) you manually commit the file changes. And this should be invoked with a password or combined with another user access method like a smart card, 2FA, etc. Note, I said COMBINED.
Another powerful software that may not seem like it, is simple Ad blocking. For that I use uBlock Origin in my browser and I have custom rules for certain things. Like, all Facebook domains are blocked. So are web socket connections and links that will use JavaScript to mine for cryptocurrency in your browser using your computer resources. The reason why an Ad blocker is a great door before the other security software is that Ads can be laced with malware and that's probably how a lot of drive-by ransomware makes it into your computer. Your browser parses the Ad, the payload in the malicious Ad is executed and before long your computer is looking for bitcoin or Monero. And like I mentioned, with uBlock Origin you can add custom rule sets to further increase your security if you know what you're doing. It sucks it has to be this way because Ads are what drive the Internet. It's why websites are mostly free, and it's how Google et al. make money to offer you those products like YouStupid (YouTube). With uBlock Origin you can allow Ads on a per domain basis, but that really isn't wise unless uBlock is interfering with the website's functionality, which it can. The problem with allowing Ads on a per domain basis is that Ads are usually not served from that website. They come from all kinds of domains outside of the control of the website owner that placed the Ads there in the website code. If for example one, just one of those Ad servers that serve the Ad gets hacked and serves up a malicious Ad, it's curtains. It'll infect hundreds upon thousands of unsuspecting users in quick succession.
The next approach (and this is by far the best of them all) is to simply become a backup freak and ¾. What I do is backup all important data to multiple different types of media on a regular basis. So what I do is utilize optical media, a couple cloud providers, a couple other computers on the FTP server at home, USB thumb drives, and a couple hard drives. ALL, and I mean ALL media is stored in $35 fireproof safes. I own three. They make them for electronics. Get one that is UL listed. The safe is not meant to keep anyone out. As a person who knows how to pick locks, I didn't buy them for secure storage. It's for FIRE and WATER damage mitigation and nothing more. Now besides the periodic important data backups, I also do a full whole hard drive clone. There's all kinds of software that does this. My cloned hard drive is cloned to another external hard drive and that too is stored in a fireproof safe. I also take it up a notch and encrypt everything but that's not important unless it's needed and that's a whole other topic. Bottom line, don't trust proprietary encryption and do your research with lots of reading. There's so many things it's not even funny. Just look up TEMPEST.
It's my guess you're using the default VPN port of 1194. Bad idea. Look up Shodan and Censys and you'll know why. Look up Zmap. Even if you change the port to something way up there like 54000, that too can be found out, and it may be a PITA to get access to that port behind someone's firewall if you need access to the NAS externally. I even think cell phone Internet may not let you make a connection way up there either, but I haven't tested this. The ideal way of doing this is via something called port knocking. I guess an IPv6 address can be used for the WAN, but you need a router capable of NAT64 or you're really exposing yourself.
What I would do is learn about the hardware based firewall Pfsense. You can take it for a spin in VMware Workstation Player. It has Snort and that's an adventure and a half, let me tell you. But pretty damn powerful. Once Pfsense is deployed I'd change the default VPN port to something else. That way you lessen your attack surface and your Pfsense logs won't fill up from the default VPN port 1194.
If your laptops aren't browsing websites, and their sole function is NAS interaction, I really wouldn't worry too much that Windows 7 no longer has the coveted updates. Most of which are absolutely worthless anyway and can cause more problems than they're worth. You'd want just the criticals or any needed updates that pertain to the functionality of software or hardware. Guess how many updates I have in my Windows 7 machine? No more than four or five. Have I been hacked? Gotten a virus? Nope! I don't even use an anti-virus as you should have known by now. I monitor network activity. I watch the hard drive with hard drive monitoring software, use Sandboxie for all my browsers, and a whole slew of other far out nerdy crap beyond what the normal computer user does. Despite not paying homage to the patch Tuesday God, and not having an anti-virus software, I do run a pretty tight ship. Not saying it's foolproof, nothing ever is. That's why I'm a backup freak.
Since I don't use an anti-virus, one thing I do though is with every download (and I'm careful with the data type) I use a program called Hash Tools to get the SHA256 hash of the file. I just right click the downloaded file and generate the SHA256 hash. Now I take that hash and search for it at the website Virus Total. If that file was uploaded to Virus Total already, that hash will match and I'll get a report on what if any anti-virus engines mark the file as bogus. It's great because you're not reliant on just one anti-virus engine. The problem here is the risk of a false positive. Depending on what you got there, the general rule of thumb is four hits at Virus Total and you toss. But really crafty malware may only hit one anti-virus engine. Then you have to deep dive into the flow chart thing there and see what that file does and know how to read it all. By and large the file check strategy at Virus Total will be a lot better than a privacy evading, bloated, computer slow down anti-virus software.
Anyway, time to squeeze the squid for more ink. I think I covered the basic stuff here. There's also the email client and how that can own you, i.e., infect your computer.
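As an added example that is not part of the original post: the SHA256-then-Virus-Total routine from the tl;dr and the download paragraph above, scripted in Python. The sample file, the engine names and the per-engine report are constructed, the Virus Total web URL layout is an assumption, and the four-hits threshold is the post's own rule of thumb.

```python
import hashlib
import os
import tempfile

# Constructed sample "download", written to a temp dir so the example runs offline.
SAMPLE_BYTES = b"constructed sample download contents\n" * 3
SAMPLE_PATH = os.path.join(tempfile.mkdtemp(), "download.bin")
with open(SAMPLE_PATH, "wb") as _f:
    _f.write(SAMPLE_BYTES)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so a large download never has to
    fit in RAM. This is the value the Hash Tools right-click action produces."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def virustotal_lookup_url(sha256: str) -> str:
    """Web UI address for searching an existing report by hash (assumed layout),
    so only the hash leaves your machine, not the file itself."""
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def triage(engine_results: dict, toss_threshold: int = 4) -> str:
    """Apply the post's rule of thumb to a per-engine report: engine name ->
    detection label, or None when that engine flagged nothing. Four or more
    hits: discard. One to three: inspect by hand, since crafty malware may
    trip only a single engine. Zero: no engine has flagged it (so far)."""
    hits = [name for name, label in engine_results.items() if label]
    if len(hits) >= toss_threshold:
        return "discard"
    if hits:
        return "inspect"
    return "no-hits"


# Constructed report shaped like a Virus Total summary; engine names are placeholders.
SAMPLE_REPORT = {"EngineA": "Trojan.Generic", "EngineB": None, "EngineC": "Ransom.Placeholder",
                 "EngineD": None, "EngineE": "Trojan.Generic", "EngineF": "Malware.Heuristic"}

if __name__ == "__main__":
    digest = sha256_of_file(SAMPLE_PATH)
    print(digest, virustotal_lookup_url(digest), triage(SAMPLE_REPORT))
```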