NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Premissions--- NAS 2120
We just got hit with Ransomware last Thursday. It was the .CRYPT version. I have putting the network back together ever since….what a mess. Small company running a Dell server with Windows Server 200...
To your 1st question......At the present I focussing on the security portion of the equation.
I like the idea of the cloud, but it would probably take a full day to download a full back up before we could get the store process going. Because what would be considered a "good" download speed 30mbps?....
I am currently use 4----2TB drives with RAID 10, seems like the fastest and most redundant plan. This leaves me 4TB of storage. But I am open to ideas. For me restore speed is more important than storage volume. I think 4TB should cover us for awhile.
Windows!!!!!!!!! Sorry, had to get that out...rant completed.
Snapshots are read only correct? So, if someone got to the READY NAS they could still take the data from the snapshot, but can't change or delete it, correct?
Sounds like I need another 2120. 1 to store backups on and another that is not "shared" that would reach into NAS 1 and make a backup of it.
So, I can access the NAS using \\NASname with user account john and \\192.168.123.123 with user account server on the same PC? I will try this as soon as I get in.
Is a mapped drive letter anymore or less secure than jumping to the NAS from the "Network" tab in win exploder?
Of course an effective defense from ransomware just means that your next crisis will be from something else :smileyfrustrated:
FG wrote:
I like the idea of the cloud, but it would probably take a full day to download a full back up before we could get the store process going. Because what would be considered a "good" download speed 30mbps?....
Whether its practical on the backup side does depend on the amount of data churn. Restore will of course take a long time, so I view this as a last-resort option. I use crashplan at home for disaster recovery - my speeds vary greatly, but average closer to 15 mbs than 30. The deduplication does reduce the bandwidth needed (especially for my PC image backups - done with Acronis Trueimage). Note I am not using their enterprise product.
FG wrote:
Snapshots are read only correct? So, if someone got to the READY NAS they could still take the data from the snapshot, but can't change or delete it, correct?
The snapshot is read only (and you can block snapshot access on a share-by-share basis). But that doesn't fully protect it. When the snapshot is created, it actually takes no space. The data blocks are shared with the main share. As files are updated, the original datablocks are in the snapshots alone, with the new data being only in the main share. So if someone over-writes everything in the main share, all the old datablocks end up in the snapshot(s) alone.
If the file system gets too full, the NAS will protect itself by deleting the oldest snapshots - the threshold for that is settable, and is defaulted to 90%. That's why I suggested 60% free-space - if everything is overwritten you should still have 20% freespace (with 40% encrypted data and 40% unencrypted snapshots). But even there, if a second snapshot is made and the main data is over-written again by the ransomware (perhaps from a different pc), then the disk will become completely full and the data you need will be deleted. Note if a second snapshot is not made, the new re-write won't increase the space usage on the NAS.
For your use case, the NAS is doing exactly the wrong thing when the file system fills - because it deletes the unencrypted data you want to protect. You'd much rather make the BTRFS subvolumes read-only at that point. A configuration option to do that would probably be easy (so perhaps put it into the idea exchange).
If you are good with linux tools, there likely are some circuit breakers you could implement that would have a similar result. For instance, you could put a plain-text file in every folder you are backing up. Access that file first, and make sure it still is unencrypted. Then only do the backup if the file hasn't changed. Or do your own monitoring on space usage, and make the volume read-only yourself.
FG wrote:
Sounds like I need another 2120. 1 to store backups on and another that is not "shared" that would reach into NAS 1 and make a backup of it.
That would be a good approach (and at the moment that's an expense that would likely be approved!).
FG wrote:
So, I can access the NAS using \\NASname with user account john and \\192.168.123.123 with user account server on the same PC? I will try this as soon as I get in.
Yes.
FG wrote:
Is a mapped drive letter anymore or less secure than jumping to the NAS from the "Network" tab in win exploder?
The early versions of CryptoLocker encrypted mapped drives but not network shares. So in practice mapped drives might be somewhat safer. Theoretically they are both equally vulnerable.
There are other steps (if you google you'll find quite a few suggestions). Some relate to user training (a lot of ransomware vectors in through a phishing email); some relate to blocking use of macros in office. Setting the windows PCs to open JS files by default in notepad is also easy to do, and might prevent a future attack. You might look here: http://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/
StephenB wrote:Of course an effective defense from ransomware just means that your next crisis will be from something else
A ray of sunshine you are...ha ha
For your use case, the NAS is doing exactly the wrong thing when the file system fills - because it deletes the unencrypted data you want to protect. You'd much rather make the BTRFS subvolumes read-only at that point. A configuration option to do that would probably be easy (so perhaps put it into the idea exchange)
I'm feeling way outside my depth/paygrade on this current issues....
Could you provide me with a link/screenshot/instructions to set up the BTRFS?
I don't know that I fully understand what you are explaining regarding snapshots. If someone gained access to NAS they could copy and huge file to the NAS which would bring it to capacity and render the existing snapshots useless?
FG wrote:
I don't know that I fully understand what you are explaining regarding snapshots. If someone gained access to NAS they could copy and huge file to the NAS which would bring it to capacity and render the existing snapshots useless?
If ransomware on machine A encypts a share, and the same ransomware on machine B re-encypts the same share, and then machines C, D, ... at some point the snapshots+main share might fill up the NAS.
The key point is that if the oldest snapshots are where the unencrypted data is, then you don't want the NAS to delete the oldest snapshots. But when the NAS gets full, that's what it does.
I'm not sure what information you want on btrfs setup, Are you asking for share settings?
FG wrote:
...Besides this procedure being a little outside the norm and a little extra wear and tear on the drives themselves are there problem with my idea.
SATA connectors aren't intended for repeated insertions/pulls, so that could damage the drives over time. There are a couple other concerns:
(a) if you have a disk failure when the array is rebuilding, you will lose data.
(b) If you make a mistake and pull the wrong drive pair you will lose data. RAID-10 doesn't handle all combinations of 2 drive failures.
I'd use external USB backup instead of rebuilding the array continuously.
To answer your other question: when you hot insert drives, the NAS will resync the inserted drive from the existing drives.
On 6-3 at 7:47 you said
"You'd much rather make the BTRFS subvolumes read-only at that point. A configuration option to do that would probably be easy (so perhaps put it into the idea exchange). "
I don't understand what you meant about the BTRFS subvolumes, can you explain please.
So I'm using 4---2TB hard drives with raid 10 config. Once synced up raid 10 with continue to operate with only 2 of the 4 drives. Going the logic that the most protected system is one that is disconnected from the outside world……….bare with me for a sec…….what if I had 6--2TB drives and Monday I come in pull out drive 3 and 4 and set those on the shelf. Next slide in drive 5 and 6 into bays 3&4 on the NAS. 1st, since the NAS can ID the serial # of drives and its knows that serial # for drive 3 is 12345 is the NAS going to bark at me when I slide drive 5 (serial #22222) into bay 3…..where drive3 usually resides? And same thing with drive 6, put it bay 4.
Now on Tuesday, I come in and verify that backups from server to NAS were successful….data and network appear to be intact. Once done with that task, I pull drive 5&6 from bay 3&4 on the NAS and set 5&6 on the shelf. Next put drive 3&4 back into the open bays on the NAS. Drives 3&4 are 1 day behind, once put back into the NAS will the data on drives 3&4 be essentially erased and copied over with the data from drive 1&2? In the scenario I am proposing drives 1&2 would be the "master" drives, correct? It wouldn't take the day old data from 3&4 and put it on 1&2 correct?
Besides this procedure being a little outside the norm and a little extra wear and tear on the drives themselves are there problem with my idea.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
