Securing a Synology NAS

I have been trying to polish and tweak the setup of my DS214+, with the focus being security. Rummaging around the net, I came across Mike Tabor's website. In particular this post includes very few simple tips and tricks to increase security. While I haven't gotten as far as installing a signed certificate, the other steps are very simple and straightforward. I will definitely try to install Crashplan next using his simple, step-by-step guide.

Also Synology has something on security on their official blog, and frequently issues updates which fix specific security issues (explanations are in the release notes).

For a while I have been trying to successfully get a VPN server up and running, but despite my best efforts, I am unable to make things click. VPN passthrough and port forwarding are properly configured on my router, the VPN has been installed properly on my device, and I can't really really see what is wrong with it.

Moving to a NAS-based storage solution

I have recently gotten a new Synology NAS (a DS214+ to be exact) with a 4 and a 6 TB HGST NAS to bring order to the chaos that is my data storage solution. Since I think I am not the only one, I hope my blog post (which is the first in a series of posts) will be of help to others who are in a similar situation and are mulling over what to get.

Over the years, storage has increasingly become a problem, a problem that was exacerbated by an upgrade to a Retina MacBook Pro with a mere 256 GB of internal storage and by the desire to share certain data with my significant other. My data was scattered across 3 internal and 5 external hard drives of various sizes, some of them containing duplicate data, and because Backblaze, my online backup service of choice, ignores Time Machine volumes for backups, not all of it was backed up twice.

I had tried earlier to bring some sanity to this chaos by buying a Transporter, but the software has never worked for me: just displaying remote folders would lock up the Finder with the spinning beach ball of death, and transfer rates were catastrophically low. Maybe the software works well if you use it as a private Dropbox, but I needed a remotely accessible network share instead. So it was clear I needed a different solution, and I thought of my different options.

My previous storage setup

Before switching to Backblaze, I used to use two external hard drives (3 and 4 TB in size) for backups, one located at work and another at home. One of them also stored my movie collection and my Aperture library containing older photos. I had multiple copies of my data, sometimes in the form of older versions of files and libraries (leftovers when I was migrating to new hard drives and such). Two of the three hard drives were filled to the brim. I wanted to simplify where and how I store files. Moreover, Backblaze will not backup volumes which also contain a Time Machine backup, and thus, the data on one of my drives is not backed up. In short, it's a mess accumulated over the years.

My wish list

(1) Backups
We have three (soon two) computers in our house, my gf has my old 2010 15" MacBook Pro while I use a new 2014 13" Retina MacBook Pro. We use Time Machine on our Macs, and we would like to store our backups on the NAS.

(2) Storage of movies (shared) I would like to share my movies with my girlfriend and have access to them when I am on the go.

(3) Storage of my big Aperture libary
My MacBook Pro's SSD sports a capacity of only 256 GB, too small to even just hold my photos. So I need relatively quick transfer rates to be able to use Aperture with photos that are stored on my NAS rather than my internal SSD.

(4) Access to my files from across the world
It would really be great if I didn't have to bring my external drives along when I travel, and I could access my data from anywhere.

(5) My own unlimited Dropbox
I would like to keep my Documents folder synced just like a Dropbox would. That includes full access via the web.

(6) Integration with online backup
A NAS is just a sophisticated enclosure for a hard drive. They are not a backup. They may be part of a backup strategy, yes, but if your only copy of a file is on your NAS, you have a problem. That's why I've been using Crashplan and Backblaze, and I would like to have an offsite backup of all the files on the NAS.

Enter the Synology NAS: two bays filled with HGST goodness

Given my capacity needs and my budget, it was clear that I needed to look into two-bay solutions. As far as quality brands go, you mostly hear two suggestions if you are willing to spend some money, QNAP and Synology. I decided to go with the latter, because Synology seems to have the best software support (from Synology directly and the community at large).

The amount of choice is a bit dizzying: just Synology alone offers no less than 6 (!) two-bay NAS solutions, some of which are at the same price point. For instance, the DS214play sells for the same amount as the DS214+, a little more transparency and less choice couldn't hurt. Eventually, I decided in favor of the second model from the top because of its beefier hardware and the second GBit connector. Moreover, the DS214play which features a more powerful Atom CPU and a hardware transcoder for various movie formats did feature the cheaper DS214 (non-plus) built quality.

Now on to the hard drives: I have dedicate one drive to backups and another to network shares. Capacity-wise I opted for a 4 TB backup drive (I need to backup about 1.4 TB, so that should leave ample headroom for older snapshots) and a 6 TB drive for network shares because that was the largest capacity that is affordable -- the 8 TB drives are just too expensive. For the longest time, I haven't much paid attention to the brand of drives I was getting, because for years I was just putting them in external enclosure where performance is limited by the interface for the most part. Fortunately the folks at Backblaze (see also here for the original blog post and here for the latest update) have analyzed the failure rate of hard drives, and found out that by a wide margin they found Segate drives to be the least reliable drives while HGST's are the most reliable. The most telling graph to me is this one:

36 month survival rate of hard drives by manufacturer

Over the course of three years, 26.5 % of all Segate drives fail! Ouch. At least 2 of my 4 external hard drives use Segate drives, so I am glad I am relegating the external drives to a higher-level backup. Of course, there is variability among models, and with newer models the difference isn't as large as before (although it is apparently still a factor of 2 or larger). Moreover, drives which spend their time in one of the Backblaze storage pods will have much more wear and tear than those in my NAS. Nevertheless, Backblaze's data is a clear indication that Segate drives are least reliable and HGST drives are the most reliable. And the difference in failure rates is significant enough to me.

So without looking at benchmarks I had decided on HGST's NAS line of drives. Curiously, the 6 TB model has a 128 MB cache, about half of the total capacity of my first hard drive. That gives me about 10 GB raw storage in total.

First impressions: hardware

The built quality is exquisite: the case is all metal, the hard drive trays are tool-less if you use 3.5 inch drives and slide into place without so much of a sound. Even the power brick feels much more substantial than the POS that is usually included. Very well done, Synology. The hard drive bays are hot-pluggable, so I did not even have to power down the unit when I installed the 6 TB hard drive which arrived a few days after its smaller 4 TB brother. Everything you need (e. g. screws and two network cables) was included in the box, also here a big thumbs up. The unit is relatively quiet, I can only hear the hard drives's platters spinning and heads seeking. The HGST drives I chose sound particularly crunchy and crisp. On the bright side, I cannot hear any fan noise if I put the unit in quiet mode (which is the default).

The only real point of criticism I have is that the CPU (a dual-core Marvell Armada XP MV78230 running at 1.33 GHz) is quite slow compared to the competition, QNAP just announced a unit with an Annapurna SoC that sports two Cortex A15s. More on that below.

First impressions: software

The main advantage of going with an off-the-shelf NAS from manufacturers such as Synology and QNAP is actually the software. You can approximate the hardware yourself, even though whatever you build will be larger and less elegant, you'd probably end up with more powerful hardware as well as a more flexible system. But really, the main selling point to me is the integration of software, hardware and services.

And here, the Synology does not disappoint. Overall, you get a OS GUI-type interface that is delivered to you via html5. I reckon this cuts down the bandwidth requirements significantly compared to a proper VNC solution. The UI is a bit of a mongrel combining elements of Windows and OS X, while the lack of visual polish feels very Linux-y. Certainly, I don't care as much about visual aesthetics in a UI that I'll use sparingly. But is it functional? Yes, the UI is quite fluid, and the settings are grouped logically, and if you change one thing that relies on another, you get sent to another settings page automatically. The UI also prevents you from essentially bricking your system, e. g. at one time when I was switching the firewall on and off (I had to troubleshoot the VPN), I forgot to toggle between »disallow all« to »allow all« after disabling all rules. Sure enough, the settings app wouldn't let me save the configuration and explained very clearly why. Nice. The UI comes with Windows file sharing enabled, and configuring AFP is as simple as ticking a checkbox.

Setup

First setup is quite straightforward in a regular network where the system is assigned an IP address via a DHCP server and you have a connection to the internet. The procedure is straightforward, and I won't detail it here, but the only decision you absolutely need to make yourself is how to configure your logical volumes. I went with one volume per disk because that fit my use case and budget best, but that doesn't mean it's the best for you. The Synology suggests you to make a surface scan on each drive, I quite like that.

Configuring the default services

The defaults are very sensible, after creating a shared volume and a user, you have an SMB network volume ready to go. The more advanced functionality is easy to get to if you understand how networked services work. And even if you don't, Synology tries to lend a helping hand. E. g. if you give it login credentials to your router, it'll automatically create port-forwarding rules. While my router is listed as being supported, this actually did not work for me. But seeing how, ahem, questionable my router's software is at times, I don't think it's quite as simple as blaming Synology.

Also being able to access your files from outside of your home's network is very easy. You essentially register your Synology DDNS service via your NAS's interface. I wouldn't believe it at first, but it just worked. With portforwarding set up manually, I can configure my NAS from any place with an internet connection. You should choose https, though, so that no one who isn't supposed to be peeking into your traffic will have access to your NAS. In principle this also allows you to configure other services such as VPNs. You could open the file sharing service's ports, but you shouldn't. That's what VPNs are for. More on that below.

I could also configure my VPN to take over most of the functionality that I leave to my router (well, routing, DHCP server, firewall, etc.) -- especially since it comes with two GBit ethernet ports. But I don't think it's a good idea to leave my NAS exposed to the raw internet like that. Moreover, you can use it as a print server if you want.

Adding functionality via packages

I haven't counted the number of packages, but they cover the most common use cases such as a VPN, a virus scanner, media server. Some models also offer a Plex server, but sadly, Plex doesn't work on my DS214+. It works on the 213+ and the 214play, but not on mine. Ugh. The virus scanner seems to really push my system, it'll quickly devour half of my RAM and most of my CPU cycles. Nevertheless, the packages work well. Only the media server won't really play ball, but on the other hand, I can play videos from the mounted volumes just as well. I ran into trouble configuring the VPN, and I am not quite sure whether it's my ISP who doesn't want to play ball and allow their customers to create VPNs or if it is a bug or user error.

Problems and complaints

I ran into a few isolated problems. For instance, I noticed that on large copy operations (which you then leave to complete in the background), the status bar in the UI will freeze. Nevertheless, the copy operation is carried out and you will eventually get a notification. Only the first time did I abort the copy operation by hand and start it again. Some of the settings seems kinda fiddly, e. g. in some interfaces, you have to deliberately press save buttons, otherwise your changes are lost.

Missing features and downsides

(1) A modern filesystem
My data is very precious to me, and I would prefer a filesystem that does checksumming, allows for snapshots and features copy-on-write instead of ext4. In short, I would have preferred OpenZFS or btrfs, and since OpenZFS is more mature (it has been in development since 2001) and I am more familiar with it, I would hope for the former. Netgear's newer models use btrfs instead of ext4. I am familiar with ZFS a little, I ran it on my Mac for a while. I would have loved to have more than 1 copy of important files. Moreover, given ZFS's focus on filesystems instead of directories, I could set quotas and such on a per filesystem level instead of the user level. I know that these more modern filesystems come with a healthy appetite for RAM and cpu performance, but these are problems that time eventually will take care of.

(2) More powerful system specs
I am quite glad I got a model with 1 GB instead of 512 MB RAM, because even the few services that I run on my Synology at this time, I use about 50 % of the RAM. What is more, normal operations can easily suck up 50-80 % of the CPU power, and activating the anti-virus software maxes out the CPU. That leaves virtually no headroom, and makes me a bit uncomfortable. The competition is switching to more powerful SoCs, e. g. Annapurna Lab's new Cortex A15-based solutions which are -- thanks to hardware accelerators -- very, very fast. The higher-end models feature two 10 GBit ethernet and 4 cores and outperform comparable x86-based models. Synology is a bit behind here.

(3) Better damping of the hard drive trays
Sometimes I can hear quite annoying harmonics when both drives are active. While the drive tray feature rubber rings around the screw holes to dampen vibrations, they are not as effective as they should be. I hope Synology takes another crack at it and adds more rubber to the drive tray.

(4) ECC RAM
Again, I love my data and the use of ECC RAM would give me a bit more peace of mind. But then again, I know ECC RAM is right now out of the price range for this class of device.

(5) The software needs more polish
At a few places, the software needs a bit more polish. For instance, the Cloud Sync Utility at one point hogged my cpu, it seemed as it was in competition with Dropbox syncing things back and forth. Likewise, the NAS's interface has a few quirks (e. g. the use of save buttons at times) which should be cleaned up.