Best method to isolate/protect backup nas server?

I was going to post this as a reply to another thread, but this deserves a new post. The title says it all, but: if I have a source NAS backing up to a target NAS, both on my LAN, how/what is the best way to protect the backup target NAS? The idea being that someone has compromised my LAN, attacking my source NAS. At this point my main source NAS is compromised by <insert problem here> and the best scenario is to wipe the source NAS and restore from the target NAS, which has a daily HB repository. Since the LAN was compromised, how can I keep my target NAS, which is solely there for the backup purposes of the source NAS, safe from the rest of any potential LAN danger, but still accessible by the source NAS?
My NASes are in different locations.
Also, the backup NAS switches off outside office hours, but for sure you can extend that to just the 30 minutes that the backup is running. Difficult to hack when it is powered down.
Then I do have a few 100 GB of essential data backed up to a secure cloud service as well.
All versioned backups.
First - NAS to NAS over LAN backup best scenario to protect backup target NAS:
If I have source nas backing up to target nas, both on my lan, how/what is the best way to protect the backup target nas?
1. The Backup target must be operated as a pure backup-only host. No additional services.
It doesn’t matter if it’s NAS or a home-brewed storage system.

2. The LAN backup target is operated in specific time slots (up to your backup schedule). The rest of the time it is off. No Wake on LAN services. Just manual update of services (automatic update of services is disabled, as usual for any devices in my operation).

3. Strictly defined user rights (named users only), firewall settings (exact IPs), Block services (users, max. 2 failed attempts only, ...)

Second - LAN and WAN part hardening:

1. Router with advanced management. Never use the router from the ISP for the management of your network (just for WAN over a bridge). You can find plenty of topics here.

2. Firewall for WAN IN/OUT, LAN IN/OUT rules. Specific (shaded) rules for router management systems: who, when and what is able to connect to the system (different from the previous rules) from WAN or from LAN.

3. Fully managed switch with Layer 3, so you can manage which IP is allowed for what; otherwise it's about L2 (MAC address level only).

4. For any activity where devices are connected over LAN to WAN, you need to use advanced security tools in your network setup:
IPS threat management on the router level (or independent appliance/sw)
DNSSEC on router level
Secure DNS
Cloudflare umbrella
Pi-hole or similar for local DNS and outgoing communication supervision
Ntop - supervision of network activities

5. Guest account activities:
Consider whether you need to use a guest account for LAN connections (e.g. guest WiFi)
If yes, use a strictly defined port, VLAN, routing and isolation from your LAN

But, here is a big but:
First of all, you need to protect the primary NAS, because this will be a potential transfer of vulnerability to the backup NAS.
Then it's about the way you create the backup:
Snapshot first, then Hyper Backup. Up to your data value. Drive ShareSync to the backup NAS will keep all your versioning. I also have an rsync of my entire Docker environment (better than nothing).
Additional External HDD (manually plugged in USB or eSATA) for some valuable data is a suitable method.
And then here you will find tons of material on how to make backups not only over the LAN, but also over the WAN to various targets, to reduce the problem of losing various resources. Of course, it's all about how you value your data.
In the case of WAN, other protection techniques are introduced: IPsec tunnel vs SSL VPN, ...

All of the above affects whether you can reliably find your data on the backup NAS when you need it.

As you can see, there isn't a simple guide "to the best way to protect the backup target nas".

You can start here:
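
Added example, not written by any poster in this thread: a small Python check of the "firewall settings (exact IPs)" and "pure backup-only host" advice in the reply above, run against a loose and a tight rule set for the backup target. The rule format, the IP addresses and the assumption that the backup arrives on Hyper Backup Vault's default TCP port 6281 are constructed for illustration and are not a DSM export format.

```python
import ipaddress

# Constructed values: addresses, rule format and port are assumptions for this example.
SOURCE_NAS = "192.168.10.20"
BACKUP_PORTS = {6281}  # assumed: Hyper Backup Vault default TCP port

LOOSE = [{"src": "192.168.10.0/24", "port": "any", "action": "allow"}]
TIGHT = [
    {"src": "192.168.10.20", "port": 6281, "action": "allow"},
    {"src": "any", "port": "any", "action": "deny"},
]

def matches(rule, src_ip, port):
    """True if the rule applies to a connection from src_ip to port."""
    src_ok = (rule["src"] == "any"
              or ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["src"]))
    port_ok = rule["port"] == "any" or rule["port"] == port
    return src_ok and port_ok

def decide(rules, src_ip, port, default="deny"):
    """First matching rule wins; otherwise the default action applies."""
    for rule in rules:
        if matches(rule, src_ip, port):
            return rule["action"]
    return default

def audit(rules, default="deny"):
    """List every way the rules are wider than 'source NAS only, backup port only'."""
    findings = []
    if default != "deny":
        findings.append("default action is not deny")
    only_source = ipaddress.ip_network(SOURCE_NAS)  # a /32 for the source NAS
    for i, rule in enumerate(rules, 1):
        if rule["action"] != "allow":
            continue
        if rule["src"] == "any" or ipaddress.ip_network(rule["src"]) != only_source:
            findings.append(f"rule {i}: allows source {rule['src']}, not only {SOURCE_NAS}")
        if rule["port"] == "any" or rule["port"] not in BACKUP_PORTS:
            findings.append(f"rule {i}: allows port {rule['port']}, not a backup port")
    return findings

if __name__ == "__main__":
    for name, rules in (("LOOSE", LOOSE), ("TIGHT", TIGHT)):
        print(name, audit(rules) or "ok")
        # A compromised LAN host (constructed address) trying the backup port:
        print("  other LAN host ->", decide(rules, "192.168.10.55", 6281))
```

With the tight set, an administrator's workstation cannot reach the management UI either; that access would be one more named, exact-IP rule added deliberately.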

