Analyzing optimal protection for two NAS units requiring remote access.
I organized four Synology file servers in two locations, each handling local access and storage, with a backup server at the opposite site. Previously I relied on QuickConnect for remote access, but I realized it poses security risks. I have now configured DDNS for all devices, verified that only required ports are accessible through my router, disabled SMB1 and IPv6, and enabled DoS protection. Snapshots are set up to protect against data loss in case of a breach. Backups remain encrypted locally using 30-character passwords stored securely in 1Password, while encryption keys stay offline on an SSD I carry with me when away from home. My concern is whether this setup meets my safety needs. I’m considering adding a site-to-site VPN using Ubiquiti Security Gateways and would appreciate hearing from the community about this approach. I just want to ensure my data stays protected without creating unnecessary hassle.
You don’t require advanced tools unless it’s for a business or enterprise setup. What you really need is a VPN or SSH access to the servers, and if you have SSH access you can route any additional ports through that tunnel. I favor SSH.
I haven't tried any of those NAS units yet, so I'm uncertain about their compatibility. However, I have a home and a work storage server that connect to a third server acting as a communication link. This setup allows IP changes without needing DDoS protection since the clients will simply connect to a fixed host with no data. I can't go into too much detail, but it's similar to how cloud services operate. The connections are secure, and both sites have dedicated 500 Mbps links. They also switch IP addresses every four hours and run behind a hardware firewall that blocks all other traffic. I just hope you have backups for those keys. SSDs aren't immune to damage, and temperature extremes can mess with file structures.
I’m already gathering additional flash drives for backups and storing them safely.
I’m updating the keys each day since it’s essential for work operations. The office safe is visible but lacks the correct keys. If any are used, the information vanishes. When the opposite side can’t get a valid link or manual command, it locks itself to require a physical key (another drive). Restoring data usually takes around a week. We perform daily backups on paper and discs where possible, just in case. So far this setup seems excessive, but I’m used to it and responsible for its maintenance. I’ve heard of a firm using metal punch cards to decrypt server data. They need someone with access to press the key into a specialized sheet behind secured doors. The process involves solving a complicated equation. Both inventors are physics and chemistry professors. This level of complexity is overkill.
I would definitely configure a VPN. I was considering WireGuard, but any option works as long as you're confident in it. Also, secure the management interface with a jump host at each site, and ensure that jump host operates under its own VPN. My suggestion would be to use solutions like F5's VPN because they're straightforward to set up. Alternatively, OpenVPN is a solid choice. Another important step is to establish a central logging server (or multiple) and consolidate all NAS syslogs and jump host logs there.
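
The SSH-tunnel and jump-host suggestions in the replies above could look like this on the client side. This is an added example, not a configuration posted by anyone in the thread. The host names, user names, key paths and the 192.168.20.10 address are placeholders, and 5001 is assumed to be the NAS's HTTPS management port.

```sshconfig
# ~/.ssh/config on the admin laptop
# Added example: every name, address and key path below is a placeholder.

# Jump host at site B: the only machine reachable from outside, over SSH only.
Host jump-site-b
    HostName jump-b.example.net
    User admin
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

# NAS at site B: never contacted directly, always through the jump host.
Host nas-site-b
    HostName 192.168.20.10
    User nasadmin
    ProxyJump jump-site-b
    IdentityFile ~/.ssh/id_ed25519_nas
    IdentitiesOnly yes
    # Expose the NAS management UI (assumed port 5001) on the laptop's loopback only.
    LocalForward 127.0.0.1:5001 127.0.0.1:5001
    # Abort instead of opening a session if the forward cannot be established.
    ExitOnForwardFailure yes
    # Keep the tunnel from being dropped silently by idle-timeout middleboxes.
    ServerAliveInterval 30
```

With this in place, `ssh -N nas-site-b` opens the tunnel and the management page is reached at https://127.0.0.1:5001, so no NAS port has to be forwarded on either router.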