How the Logical Air gap works on Synology ActiveProtect Manager (APM)

Synology’s ActiveProtect Manager (APM), which powers the ActiveProtect appliance (similar to DSM on other Synology NAS devices), introduces an innovative logical air-gap solution. This feature enhances protection against ransomware by ensuring that the backup server remains isolated during specific periods, while still allowing critical backup operations to proceed seamlessly.

This concept may sound intriguing: isolating a server while still performing backups. Let's break it down for better understanding; there are two key points to understand.

Key Point 1: Air-gap between Primary Server and Backup Server

In Synology’s air-gap solution, two servers are involved:

  • Primary Server: The main device where your operational data resides.
  • Backup Server: The secondary device where backups are stored.

The air-gap is applied between the primary server and the backup server. If ransomware attacks a device on your network, it could potentially reach the primary server, but the backup server remains unaffected during the air-gapped duration. While air-gapping the primary server is theoretically possible, it may slow or halt backups during the air-gap duration (depending on whether you opted for isolation or server shutdown during the air-gap period; more on that in a while).

Key Point 2: Air-gap on Data Port, Management Port Remains Accessible

The key difference between APM and DSM lies in port separation. Unlike DSM, where all network ports handle both data and administration, APM distinguishes between two interfaces:

  • Management Port: Used exclusively for server administration and essential communication between the primary and backup servers.
  • Data Port: Dedicated to data transfer for backups.

This separation allows you to enforce air-gap settings specifically on the data port, isolating it during designated periods.

Together They Make the Logical Air-Gap Work

Now you know there are two servers and two network ports on each. Essentially, the air-gap works by isolating the data port of your backup server during the air-gap periods (except when you opt for server shutdown, in which case the entire backup server is not accessible during the air-gap). During this time, the primary server can still reach the backup server via the management port and will also use it to back up. An analogy I can think of is a reverse proxy, where only your reverse proxy can access your application server.

Ways to Isolate your server During Air-Gap Periods

Administrators can select one of three isolation settings for the backup server during air-gap periods:

1. Deny All Connections (least strict setting)

This blocks all connections to the backup server's data port. The management port remains accessible, allowing the primary server to continue transferring backups while the data port is isolated. All other devices are denied access on the data port.

2. Deactivate Network Interface Cards (NICs)

This disables the network interface cards responsible for the backup server's data connections. Here too the management port remains operational, so backup data continues to flow. Because the data NICs are fully deactivated, no other device on the network can reach the data port.

3. Shut Down the Server (most strict setting)

This isolation mode powers off the backup server entirely and keeps it off for the whole air-gap period. This is complete isolation: all backups to the backup server stop, and the server is not accessible from any port at all.
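A verification check for the behaviour described in the three modes above and in the previous section, as an added example that is not part of the original post or of Synology's software: it works out which of the backup server's ports should be reachable from an administrator's workstation for a given isolation mode and air-gap window, then compares that with live TCP probes so a mismatch (for example, the data port still answering during the window) is flagged. The addresses, port numbers, schedule, and the assumption that the management port stays reachable from the admin host in the first two modes are all constructed placeholders.

```python
import socket
from datetime import datetime, time

# The three isolation settings APM offers for the backup server (names are my labels).
MODES = ("deny_all", "deactivate_nic", "shutdown")

def in_air_gap_window(now: datetime, start: time, end: time) -> bool:
    """True if `now` falls inside a daily air-gap window; handles windows crossing midnight."""
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def expected_reachability(mode: str, in_window: bool) -> dict:
    """Expected reachability of the backup server's ports from an admin workstation
    (assumption: the management port stays reachable to admins when only the data
    port is isolated). Outside the window everything is reachable."""
    if mode not in MODES:
        raise ValueError(f"unknown isolation mode {mode!r}")
    if not in_window:
        return {"data": True, "mgmt": True}
    if mode == "shutdown":
        return {"data": False, "mgmt": False}   # server powered off: nothing answers
    return {"data": False, "mgmt": True}        # data port isolated, management port up

def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect probe; any socket error counts as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def verify_isolation(mode, now, start, end, targets, probe=tcp_reachable):
    """Compare observed vs expected reachability. Returns a list of mismatch strings;
    an empty list means the air-gap behaves as configured at this moment."""
    expected = expected_reachability(mode, in_air_gap_window(now, start, end))
    mismatches = []
    for iface, (host, port) in targets.items():
        observed = probe(host, port)
        if observed != expected[iface]:
            mismatches.append(f"{iface} {host}:{port} reachable={observed}, expected {expected[iface]}")
    return mismatches

if __name__ == "__main__":
    # Constructed placeholders: TEST-NET addresses and arbitrary port numbers.
    targets = {"data": ("192.0.2.10", 445), "mgmt": ("192.0.2.11", 5000)}
    for line in verify_isolation("deny_all", datetime.now(), time(22, 0), time(6, 0), targets):
        print("MISMATCH:", line)
```

Run it from the admin workstation (not the primary server) inside and outside the window; a clean run prints nothing.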

Synology APM Airgap vs QNAP Airgap

QNAP also offers an air-gap solution (read more here). However, there are key differences between QNAP’s and Synology’s approaches to air-gapped backups:

  • Device Requirements

The QNAP air-gap solution works with their standard devices in combination with a QHora network switch. The switch handles the isolation of the backup server, making it possible to use existing QNAP NAS devices. In contrast, Synology’s air-gap solution requires their ActiveProtect series appliances, as the isolation is handled directly on the device itself.

  • How Isolation is Achieved

On QNAP, isolation is managed externally by the QHora switch, which disconnects the backup server from the network during the air-gap period.
On Synology, isolation occurs on the ActiveProtect device itself.

  • Backup Continuity

On QNAP, the backup server is completely isolated during the air-gap period and no backup operations take place. This ensures maximum isolation but temporarily halts data protection. On Synology, backups continue through the management port even when the data port is air-gapped, which provides a balance between isolation and operational continuity.

Conclusion

Synology's ActiveProtect Manager (APM) takes a unique approach to logical air-gapping by separating the data and management ports. The biggest benefit is that backups can continue even during isolation periods. Even though the management port is only 1G, critical backups can still happen during isolation.