
Mistaken Purchase: How to Mitigate?


jmichael

Occasional Visitor
After much research, I bought a Synology 1513+ unit and a DS414 (for backup) for an internet-facing SMB-class system. I got 5x3TB WD Re enterprise drives (12 GB in RAID-5) for the primary unit and 3x4TB WD Red NAS drives for the backup (12 GB in JBOD), a UPS and so forth. Total cost: $3000.

I played with the 1513 to test setups, etc. Everything was GREAT. Then I installed our SSL certificate and tried out FTPS/SFTP/HTTPS. OUCH. Transfer speeds went from 100-150 MiB/s to 3-8 MiB/s on the local network. Why? The Atom processor just is not up to the task, and there is no hardware encryption in the 1513. Synology support confirmed that these are expected transfer rates with encryption. We simply can't run plain FTP or HTTP.

So, I've returned the (thankfully unopened) 414 and purchased a QNAP 870 Pro to serve as the primary unit, and will use the 1513 for backup. QNAP claims ~100 MB/sec AES 256 on these even though the i3 3220 doesn't support AES-NI. Total cost will now be about $4K.

So, before I open the box for the 870 (i.e., while I can still return it!), I'd appreciate any thoughts on whether it will be a good setup for a small office fileserver with TLS transfers, or if there might be some other "gotchas" I've not foreseen.
 

I suspect cockpit trouble, based on years of reading the vendor's user forum on this.

I don't think many use SSL/TLS on the LAN - just out the firewall for VPN.
 
Why not use a VPN router and let it form the secure connection?
 
Hi Thiggins - that was my initial thought, but they also want to replace an (insanely expensive) Box enterprise account which they use for sharing files and data with external collaborators. So, they don't want external collaborators to have to log in to a VPN in order to access shared resources. But maybe I don't understand how these systems are actually implemented? Would external users need to actually log in to a VPN server in order to offload TLS to another device (i.e., have a TLS endpoint at the gateway)?

I was the one who insisted that if resources are to be internet-facing, they be done with TLS. CIFS and their databases (which sit on a different server) are only accessible from the intranet (or, of course, VPN).

I should add that I'm neither a hardware nor a software guy (I'm a silly industrial engineer), but I'm all we've got so doing my best.
 

Sorry, what's cockpit trouble? English isn't my native language, sorry.
 
I may be misunderstanding the network topology. Do you want secure connection to the NAS for both local LAN users and remote users?

What are the internet connection up and down speeds?
 
...Do you want secure connection to the NAS for both local LAN users and remote users?

Just remote users, and just to replace their Box enterprise account i.e., FTPS and HTTPS sharing mostly.

What are the internet connection up and down speeds?

That's part of the issue. They are on Internet2 and get insane speeds between peers. They even achieve near 1 gigabit with regional non-peers, at least according to speedtest.net. In practice transfers are a bit slower, but they are used to fast sharing and get antsy if things slow down (I was told 5 MiB/s is "unbearably painful"). Even remote (but network peer) collaborators are expecting to hit 100 MiB/s! (from a $700 plastic box no less)

So yes, they are expecting enterprise class performance at SOHO prices, but I do want to do the best I can and not waste any $, especially since their budget comes from charitable non-profit (and I feel guilty for suggesting they cancel their surprisingly expensive Box account without having understood the hardware requirements of duplicating the functionality).
 

Yes, now that I understand this idiom, that is the most likely cause. :D

So, it is true then that these Atom-based devices just cannot handle on-the-fly encryption? So much so that it is "pilot error" (aka stupid) to expect them to do it reasonably well (either drive encryption or TLS or, heaven forbid, both at the same time)?

Please tell me where the pilot error is. I'm a neophyte with regard to these SMB-class NAS boxes, but have done my time in the server farm. In the past, I've barely even noticed the encryption overhead on real servers, much less seen it decrease throughput by over an order of magnitude. Unless I wholly misunderstand what these devices are for and/or how they should be properly implemented (and that is quite possible!), the Atom-based NAS boxes are not up to the task of doing anything except home and maybe SOHO tasks (fair enough, as they are usually < $1k).

Why don't the manufacturers of these devices just say that they are intended for use only behind a firewall? I really think I must be misunderstanding something as I love the Synology software, but they offer NOTHING that can handle encryption (at least not in the sub-$5k range). Why?
 
100MB/s encryption bandwidth is way beyond Atom capability.

Are you sure QNAP is referring to secure FTP / HTTPS / rsync encrypted performance and not volume encryption? I suspect the latter.

If you are not going to require authentication of some sort, I think you are going to be in for a world of hurt.

At a minimum, the NAS should be on a private VLAN to protect other LAN resources.

I will ask my vendor contacts whether they have products that support 100MB/s encrypted connections.
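Before trusting a vendor's "AES 256-bit" figure, a practitioner would measure the raw cipher throughput the NAS CPU can sustain and check whether it even has AES-NI. The script below is an added example, not something posted in this thread or shipped by Synology or QNAP; the helper names are my own, the sample `openssl speed` line and `/proc/cpuinfo` text are constructed, and the live measurement only runs on a Linux box with `openssl` when invoked with `--measure`.

```shell
#!/bin/sh
# Added example (not from the thread): does this CPU have AES-NI, and how many
# MiB/s of AES-256 can it push? Run over SSH on the NAS itself, or on a box with
# the same CPU, before exposing FTPS/HTTPS to users who expect ~100 MiB/s.

# Does a Linux /proc/cpuinfo text (on stdin) carry the "aes" flag (AES-NI)?
has_aesni() {
    grep -m1 '^flags' | tr ' ' '\n' | grep -qx 'aes'
}

# Convert one "openssl speed" result line (stdin) to whole MiB/s for the largest
# block size. openssl prints thousands of bytes per second with a trailing "k";
# the last column is the biggest block, which is what bulk file transfer sees.
speed_line_to_mibs() {
    awk '{ v = $NF; sub(/k$/, "", v); printf "%d\n", v * 1000 / 1048576 }'
}

# Does a measured MiB/s ($1) meet the target MiB/s ($2, default 100)?
meets_target() {
    [ "$1" -ge "${2:-100}" ]
}

# Live measurement: 3 s per block size, wall-clock time, software AES-256-CBC
# through the EVP layer so AES-NI is used when the CPU and build have it.
measure_aes256_mibs() {
    openssl speed -elapsed -seconds 3 -evp aes-256-cbc 2>/dev/null \
        | grep '^aes-256-cbc' | speed_line_to_mibs
}

# Constructed samples in the shape openssl and the kernel print. The numbers are
# illustrative only, not benchmarks of any device named in the thread.
SAMPLE_SLOW_LINE='aes-256-cbc      9100.21k    9800.55k   10200.73k   10310.44k   10322.90k'
SAMPLE_CPUINFO_AESNI='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 aes pclmulqdq
'
SAMPLE_CPUINFO_NOAESNI='processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 sse sse2 ssse3 movbe
'

if [ "${1:-}" = "--measure" ] && command -v openssl >/dev/null 2>&1; then
    mibs=$(measure_aes256_mibs)
    if has_aesni < /proc/cpuinfo; then ni=yes; else ni=no; fi
    echo "AES-NI: $ni   aes-256-cbc: ${mibs} MiB/s"
    if meets_target "$mibs"; then echo "meets 100 MiB/s target"; else echo "below target"; fi
fi
```

A CPU that cannot clear 100 MiB/s on this raw cipher test will not reach it on FTPS or HTTPS either, since the protocol work (TLS record framing, HMAC or GCM tags, the file system) only adds overhead.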
 
Thanks again for your patience and helpfulness... this is a great forum.

Are you sure QNAP is referring to secure FTP / HTTPS / rsync encrypted performance and not volume encryption? I suspect the latter.

To be clear, they claim 100 MB/s for their new i3-based systems, not for the Atoms. For example, see this comparison of the 669 Pro and the 670 Pro. The main difference seems to be the 669 Pro has an Atom and the 670 Pro has an i3. Their "Windows Upload" and "Windows Download" speeds are exactly the same, but their "AES 256-bit Encrypted Windows Upload" and download speeds are very different (with the i3 being 3-4 times faster than the Atom).

I have no idea why it matters what the client OS is (i.e. why specify Windows?), but I digress.

If you are not going to require authentication of some sort, I think you are going to be in for a world of hurt.

No, sorry if I mistyped. All users will be authenticated. Local users will not require encryption though. There seems no other way to keep the gigabit speeds they are used to for local transfers. Remote users will be authenticated via the HTTPS interface or FTPS rather than VPN (but maybe that's not right?).

I will ask my vendor contacts whether they have products that support 100MB/s encrypted connections.
Thanks.
 
QNAP confirmed that data is for encrypted volume transfers, not encrypted connection. They are going to try to get encrypted connection data.
 

Thanks Tim.

So, I guess I do fundamentally misunderstand how these devices are usually implemented. From this thread, I take it they are typically only accessible via the intranet (i.e. either local or VPN required). I'm now wondering if trying to replace a sharing service like Box enterprise with a NAS is a really bad idea as getting the security (and performance) right will be difficult.
 
It's not that it's a bad idea. Many NASes have "cloud" features that enable (relatively) easy secure remote access.

Your problem / miscalculation is the performance expectation.
 
Synology also said that it does not have performance data for encrypted connections.
 
Vendor encryption claims (software or hardware) are usually for volume encryption (data-at-rest).

They usually don't benchmark data-in-flight secure connections because of possible network congestion factors.
 
The whole thing to expose the NAS to a DMZ port on the network is against data security, period.

The best thing you can do is to re-think the security question and opt for a dual VPN; you don't need to open your entire net to a VPN, just the ports on one NIC on the server, and the 2nd port to the regular VPN and internal network.

Not only does this solve your performance dilemma, it also ensures your server is only accessible to authorized people.

Furthermore you need a high-performance router if you want a VPN moving high-volume data (such as pfSense with a Core i3 CPU).
 
You can also try new collaboration technology such as btSync (which can encrypt connections by default). It's safe, doesn't require a VPN and, while not as fast as FTP, it delivers a very reliable service, is much simpler and easier to deploy and requires virtually no learning. In this case your NAS is like a cloud storage provider, keeping a shared folder and its content replicated among all the clients (based on the BitTorrent protocol/technology).
 
Thanks for the help.

The whole thing to expose the NAS to a DMZ port on the network is against data security, period.

Why is that? I am starting to see that it is axiomatic that a NAS is not used to serve outside the local network, and there are probably good reasons for that. But, why could the NAS not be trusted to authenticate users and encrypt transmission just as well as VPN? So, I do understand how it could be a performance issue, but not how it would be a data security issue.

So, for a concrete example, suppose I expose Synology's (or QNAP's) "filestation" HTTPS port via an internet-accessible IP. Users would need to login, and their connection would be encrypted. Isn't that what the filestation system is for? (as local users would likely use CIFS)
 
In theory SSL login and a certificate are acceptable security and privacy; in my experience, what you're actually doing is giving a high-value asset (a NAS) direct, unsupervised access to the network. You expose it directly to DDNS attack and to direct exposure which could be used by an as-yet-unknown bug to allow access, or may open a route to a Trojan horse through another bug; endless possibilities. An FTP server used to be behind a firewall which supervises packets and identifies attacks; a direct connection of an FTP server leaves the FTP server alone vs. the world. A simple NAS doesn't have the resources/power to handle high security, and given its role as the hub of your data it's a big temptation for hackers. So a savvy option is to rely on other collaboration technology than a 40-year-old protocol.
 