QNAP Adds Air-gapped Backup Feature Airgap+ in Hybrid Backup Sync

[btarunr]

QNAP Systems, Inc., a leading provider of computing, networking, and storage solutions, today announced the launch of Airgap+, an advanced air-gapped backup feature integrated into Hybrid Backup Sync (HBS). This innovative solution offers businesses enhanced data security, rapid recovery, and robust ransomware protection. As cyber threats continue to escalate in their sophistication and impact, air-gap backups have become essential for safeguarding corporate data. Air-gap backup represents the "1" component in the 3-2-1-1-0 backup plan, where one backup copy is stored offline and disconnected from the network. Airgap+ addresses this need by creating a logical air-gap between NAS systems, providing an extra layer of backup security and enhanced integrity. Airgap+ works with QNAP's QHora router series (supported models listed below). QHora permits connections between the source NAS and the backup destination NAS only during the backup process, and blocks connections at other times.



Features & Advantages
Airgap+ offers several key benefits over traditional LTO tape and cloud-based backups:

• Easy Setting: Users can easily enable Airgap+ and select physical ports in the HBS backup job settings on the NAS.
• High-Speed Network: QNAP NAS supports 10/25/100GbE connections, significantly increasing backup speed compared to LTO's 1GbE.
• Faster Data Recovery: Enhanced network speeds facilitate quicker recovery times, minimizing downtime.
• Data Immutability: Activate WORM (Write Once Read Many) to add an extra layer of data protection.
• Expandability: QNAP NAS allows for easy storage expansion through hot-swapping drives or migrating to a larger NAS, accommodating growing business needs.
• Simplified Maintenance: Unlike LTO tape backups, Airgap+ requires no additional hardware or cabling, reducing maintenance complexity.
• Power Control: NAS devices can be remotely powered on and off, offering convenience and efficiency.

Amol Narkhede, Director of SAAS Backup and Data Management BU describes: "Airgap+ is a game-changer for businesses looking to bolster their data protection strategies. By providing HBS with Airgap+, along with existing data integrity checks, QNAP NAS solutions assist businesses in extending their backup plan to a modern 3-2-1-1-0 strategy more easily."

Compatibility
Airgap+ is currently supported by the QHora-321 and QHora-322 routers with the QuRouter operating systems v2.4.2 (or later).

• QHora-321: 2.5GbE Router with 6 x 2.5GbE ports
• QHora-322: 10GbE Router with 6 x 2.5GbE ports and 3 x 10GbE ports
• This feature is available in Hybrid Backup Sync (HBS 3) v25 and later.

View at TechPowerUp Main Site

 

[outlw6669]

Airgap+ addresses this need by creating a logical air-gap between NAS systems, providing an extra layer of backup security and enhanced integrity. Airgap+ works with QNAP's QHora router series (supported models listed below). QHora permits connections between the source NAS and the backup destination NAS only during the backup process, and blocks connections at other times.

Ok, so not actually Air-Gapped then, got it

 

[Wirko]

Ok, so not actually Air-Gapped then, got it

You add a five-dollar non-IoT mains timer switch to each of your backup NAS boxes, then they are airgapped.

 

[outlw6669]

You add a five-dollar non-IoT mains timer switch to each of your backup NAS boxes, then they are airgapped.

True, but by that point, what is the point of this Airgap+?
Every time you boot the backup system to perform a backup, it will be exposed to any vulnerabilities present...

 

[Alan Smithee]

So the only difference between Airgap+ and QuFirewall (which comes with every QNAP NAS) is that QuFirewall can be configured to let only traffic from the source NAS through, while Airgap+ will let only Hybrid Backup Sync traffic from the source NAS through.

What they're trying to protect from, is someone gaining control of the source NAS and using it to access the destination NAS. So why not just use a different account on each? You can already specify an account/password for HBS, the two NAS don't have to use the same accounts, let alone admin accounts.

 

[evernessince]

You add a five-dollar non-IoT mains timer switch to each of your backup NAS boxes, then they are airgapped.

That's still not air-gapped. To airgap you need to physically remove the network connection. Turning off the power still leaves the network connection in place. It's feasible that someone can still retrieve data from a device with the mains off, particularly because ethernet is suitable and used to carry power. Even assuming your switch isn't PoE capable, that doesn't means there couldn't be some exotic hack that would make it possible. Not saying you have to make these considerations as an individual but for large companies and the government, these are possibilities they have to consider and hence why actual air gapping might be considered for devices with sensative information.

Also, assuming that someone has access to your network I don't see using a mains timer as making a difference. At that point you are making them or their script wait a bit but they've already defeated your defenses. The timer relies on them getting board and leaving but in most cases you are likely not the only mark wherein they are fixated on getting you ASAP and it might just be a script that doesn't care about waiting however long it need to extract data. Plus the whole point of a NAS is having easy access to that data on your network (or online if that's what you want). You are reducing the benefit of your NAS by turning off the power, at some point you might as well be using a DAS or just plugging the drive into an adapter when you want to run backup if the data is truly that sensative. Everything else can go on the NAS.

True, but by that point, what is the point of this Airgap+?
Every time you boot the backup system to perform a backup, it will be exposed to any vulnerabilities present...

Yep, a power timer won't help protect you against exploits or a potential intruder. You are better off employing multiple layers of defense. Actually air gapping requires too much sacrifice for normal users to justify. You can't even connect a printer to an air-gapped network due to the fact that they can be connected to the internet or other internet enabled devices wherein exploits may be used to access your data via the printer.