Categories
Disasters strike without warning, and human errors happen. Everyone knows that, no matter how secure the NAS or cloud storage is, backups are still essential. Otherwise, if a file is accidentally deleted, there’s no turning back. It’s gone for good.
How to back up? Is copying data to an external drive enough? Every time we discuss backups, it’s worth revisiting the 3-2-1-1-0 backup strategy. Here’s what 3-2-1-1-0 means:
- 3: Keep at least three copies of your data (the original data + two backups).
- 2: Use two different types of storage media (e.g., hard drives, NAS, cloud storage) for backups.
- 1: Store at least one backup off-site (at a different physical location from the original data, e.g., in the cloud or storage devices at another location).
- 1: Keep one offline and inaccessible backup to protect against ransomware.
- 0: There should be zero unverified backups (regularly test and verify backups to ensure they are usable).
One key concept is “having at least one offline backup”. It’s like backing up data to an external hard drive and then unplugging it, rather than leaving it connected. If the computer is infected with a virus or ransomware, the external hard drive will be isolated from the unsafe environment, just like the seed bank on Noah’s Ark.
In the context of data backup within a networked environment, “offline” doesn’t necessarily mean physically unplugging a cable; it can also mean placing the backup in a state of “no network connection”, which achieves the same effect.
The reason is simple and easy to understand, but manually implementing it can be quite cumbersome. Especially if the tasks above need to be completed within a few hours or performed once daily, it would consume a significant amount of manpower and time.
Fortunately, QNAP offers a comprehensive backup solution that requires only a one-time setup to automate all the above tasks on a regular schedule. Many users are already familiar with QNAP’s Hybrid Backup Sync (HBS 3), which can manage synchronization and backup tasks across local storage and multiple cloud services all at once, fully meeting the practical requirements of the 3-2-1-1-0 strategy.
Airgap+, the solution we’re now introducing, further enhances the security of this approach. As the name implies, Airgap+ refers to creating an “air gap”, which is a deliberate “separation or barrier” in network connection. Unless absolutely necessary, backup nodes should be kept offline. This is an intuitive and effective defense strategy.
(Caption: Airgap+ disconnects unnecessary network connections via the QHora router, and only reconnects them during backups.)
Let’s use a more intuitive example to explain this concept. Imagine you run an accounting firm. Naturally, the firm is open to the public, and every day all kinds of clients or various visitors come in for consultations. Inside the firm, there are numerous client accounting records and files. For security reasons, “copies” of these records and files need to be stored in a separate physical location. That’s why there is also a warehouse located near the firm, physically isolated from the firm.
Why is isolation necessary? It hardly needs explaining. It’s just like how we don’t leave all our keys in the same place when we go out. First, it spreads the risk; second, it prevents others from guessing their locations. As the saying goes, don’t put all your eggs in one basket.
However, even with physical separation, there are still practical operational risks. For example, imagine if the firm had an obvious sign that says, “Our warehouse is located at XX Street, Floor X,” or if all personnel who have access to the firm could also access the warehouse freely, and even with no restricted access hours. In that case, the security of the warehouse would be significantly compromised.
Sounds ridiculous, right? Who would openly post sensitive information in a public space? Well, there are more users with weak cybersecurity awareness than you’d think. The truth is, not everyone is a network engineer, nor should they be expected to understand all the technical details of cybersecurity. However, if you are responsible for protecting important data or hold a network administrator role in a company, you must clearly understand that, as long as there are exposed IPs and ports, it is like leaving the front door of your home open and unlocked, making it easy for malware or malicious actors to break in.
What Airgap+ does is manage access control between different nodes, as well as handle backup, data transfer, or replication tasks. By disconnecting the network during non-essential periods, it ensures that personnel in the firm cannot directly access the warehouse, and the primary NAS and backup NAS cannot be connected. They can only connect and communicate at designated times or when there is a specific need. It’s similar to how a bank closes at 3:30 p.m. Naturally, outside of business hours, no outsiders are allowed in.
If you have three or more NAS devices to meet the “3” requirement in the 3-2-1-1-0 strategy, Airgap+ can implement “isolation” more effectively. Imagine adding a “mailroom” between the firm and the warehouse to temporarily store records. Personnel at the firm only know where the mailroom is, while only mailroom personnel know the exact location of the warehouse. This effectively hides the true location of the warehouse and implements multiple layers of protection to secure the data.
When applied to NAS backups, the primary NAS exposed to the outside is like the accounting firm, the Bridge NAS acts as the mailroom, and the backup NAS is the warehouse. The primary NAS only connects to the Bridge NAS at scheduled times, and the Bridge NAS synchronizes with the backup NAS at designated times. There is no situation where “all three devices are connected at the same time”, and the primary NAS does not know where the backup NAS is located. Effectively using time separation and connection control to create a “firewall space” is the essence of Airgap+, both literally and in practical application.
(Caption: When the primary NAS needs to sync data with the Bridge NAS, a connection is established, and the backup NAS is not involved at this stage.)
(Caption: The Bridge NAS then syncs data with the backup NAS while the primary NAS is no longer involved. The connection to the primary NAS has been disconnected.)
Implementing Airgap+ isn’t difficult. All you need are two or more QNAP NAS devices and a QHora router specifically designed to manage connections. First, the QHora router can seamlessly integrate with QNAP NAS to directly align with security policies; second, it helps prevent users from adopting routers with lower security, which could lead to other problems.
At this point, some sharp readers may have already realized: isn’t this essentially a flexible and secure form of cold storage? Indeed, this is just one of many ways QNAP’s product lineup can help implement cold storage. Other techniques and approaches will be covered in future discussions.
So, are there any difficulties or hurdles in adopting Airgap+ immediately? To begin with, it is quite common for a company to have two or more NAS devices. In fact, any QNAP NAS that supports Hybrid Backup Sync (HBS 3) is already compatible with this feature. What really needs to be done is the deployment of a QHora router equipped with QuRouter 2.4.2 or later. Once that’s in place, the framework can be implemented right away.
Of course, the QHora router wasn’t built solely for Airgap+. It’s a fully featured, enterprise-grade router, and it’s even more affordable than some flagship gaming routers. In addition, the QHora router also enables more unified and consistent virtual network management. Its applications are very diverse and are definitely not just for assisting with backup.
One final note. The concept of an “air gap” in network management isn’t new. You could achieve it by manually disconnecting a router, unplugging a network cable, or even powering off a NAS. But let’s be honest, that’s simply not practical. Automation, including unattended operation, remote control, and scheduled tasks, is essential to truly meet the demands of the 3-2-1-1-0 backup strategy. Only then can businesses reduce costs. After all, if we often find ourselves impatient waiting for a large file to copy, how realistic is it to rely on manual operations?
Just leave it to Airgap+!
