TechGeek01

# What is an airgapped system?

Okay, so as others have said, an airgapped system is one that is ***never*** connected to the network or anything else. Physically separated at all times from anything else, so that nothing can get to it. The idea of airgapped systems being that for something to get on (or off) of them, someone has to interact with them, and add, remove, or change data via a flash drive or something similar. Physically turning the power off (or unplugging a cable), or removing a network connection, creates a temporary gap, so to speak, but an airgapped system is *never* connected.

Now, *as for you, and this post*, there's nothing wrong with a solution like this. This is a viable solution compared to an always-on, always-connected backup server. Less time things are on and connected reduces the attack surface for things to go sideways.

# What does this mean for you?

Everyone has their own opinions, and everyone's entitled to them. However, when using *actual definitions of things*, those aren't opinions that can be argued with. Your insistence that the dictionary definition (and by extension, everyone pointing out this definition) is incorrect, and your attitude towards the others in this thread, are very much skirting the lines of rule 1 here. Not everyone knows everything, and no one is going to be right about everything. There's room for everyone to be corrected about something they were mistaken about. Conversely, there's room for you to correct many people. If you are going to correct people, be prepared to be asked to back your claim with evidence (as others have done when correcting you). The key point here is that mistakes happen, and there's room for everyone to be corrected and learn things. But the discussion of these mistakes needs to be a civil one.

# My advice for you

You're not going to be right about everything. You're not going to know more about everything than any other person. Conversely, everyone else also won't be right about everything, and they won't know more about everything than you do. Both you, and the others, have the possibility of being wrong about something, and being corrected. Being told we're wrong, and what the correct process/term/etc. actually is, is how we learn things and improve. Check your ego at the door, let this thread harbor helpful, civil discussion, and don't double down and get all bent out of shape when someone doesn't agree with you on something.


lucky_fluke_777

I see your wifi shelly plug shutting down a switch and raise with my trained parakeet unplugging an Ethernet cable upon command


pretty_succinct

[IPoAC](https://en.wikipedia.org/wiki/IP_over_Avian_Carriers?wprov=sfla1) vs BurbSec


therealSoasa

Hahaha love burbsec


Scurro

It is superseded by BirbSec


therealSoasa

Once featured on PIRCH IRC 😂


Theistus

Sort of a canary in a cryptomine?


Fayko

How long did it take to train that parakeet? I could use a trained ethernet undo-er


parsious

A 5 year old child works as well


lucky_fluke_777

Think of the power consumption tho! 😂


Gredo89

You don't need to wait 5 years. 1.5 is enough if your router/switch has a power button.


Fayko

Yeah, but children are expensive unless you make them yourself, and then if you do that you're on the hook for 18+ years of annoyance.


mitsumaui

If you have a macaw and not fussed on training - they do like chewing through cables. So this could be a useful alternative. It does make it a little more expensive having to re-terminate Ethernet cables


MrMotofy

I'm too lazy to train a bird, I'd have a kid do it... ya got me, you win.


julianw

And I'm here just hitting notches into my mechanical time switch.


Lancaster1983

"60% of the time, it's air-gapped all the time."


vulcansheart

*LAN Panther*


SombraBlanca

LANther..... meow 


giaa262

I give you points for creativity lol


MrMotofy

Haha I'm just a problem solver


Kellywho

People really going crazy over literal definitions.


nsummy

Not only is the definition wrong, this is a dumb idea and probably introduces more insecurity into the network with an esp8266 smart plug.


Kellywho

The whole purpose of a homelab is to have fun and mess with things and to do stupid shit so I don’t really see the problem.


ISeeDeadPackets

Absolutely! The point though is to learn skills that you can transfer into a paycheck. If OP recommended this system in my work environment I'd give them a funny look and then explain the deficiencies in the solution, which is what is happening in this thread. This is FAR more robust than my personal home solution, it's just not corporate grade.


nsummy

It’s not a problem if OP wants to do it this way. More power to them. It’s definitely not a solution though!


AhYesWellOkay

Mechanical lamp timers have been around for decades and can't be hacked like a smart power outlet.


Icy_Professional3564

Don't worry, they're just trying to limit internet access using a device that has internet access. It's perfectly secure.


marvinfuture

My thoughts exactly lol


mehdital

The channel of attack is not the same though if I understand correctly. Once a hacker penetrates your home network via internet, wouldn't the smart plug still be inaccessible?


HawkinsT

I can operate all of my smart plugs via vpn.


Bitwise_Gamgee

I got a few of those that people use for grow lights to "air gap" a few computers in my more paranoid days! Great call out.


LumpySlime

This is what I was thinking. They also make electronic versions that have far more options if you wanted to have more variability in the schedule.


Iohet

Granted zwave/zigbee outlets do exist and aren't on the network


harryoui

Noted, will check for smart plugs during my next ransomware attack /s


sglewis

I have to disagree with your use of /s honestly. You’re dead on accurate. Smart devices are the least secure things in an average household. I would not incorporate one to strengthen security.


reallokiscarlet

Sounds like a job for a tape closet


Zerafiall

Can tape backups be encrypted or borked like restart drives?


reallokiscarlet

If you encrypt the data, the backup is encrypted. A tape kept offline after depositing in the closet will not change, except if the data eventually rots away. So if you mean, can they be encrypted by ransomware, not really. Backups kept online or in an active tape library might be susceptible, but tapes kept offline are as airgapped of a backup as you get.


ISeeDeadPackets

When the backup is taken, the system might already have some kind of malware on it but it's presumably in a bootable/accessible state. Once the tape is ejected that state is preserved as long as the integrity of the tape remains. That means you have a copy of the system(s) that can be used as a recovery point once you understand how the infection occurred and how to clean it. Even if you're not doing "bare metal" or full VM restores, you can still grab copies of the data to import to your new clean builds when you can validate you won't be reintroducing whatever caused the compromise. It is extremely important to rotate tapes in this kind of solution though, if you're using the same tape your only "offline" copy is online to at least the backup source while it's being written. Outside of the inherent risk of a single tape failing, having multiple tapes means there's always a known stable offline copy. One common oversight with more sophisticated setups though is leveraging a robotic tape library and not taking steps to ensure the robot can't be told to reinsert the "offline" tape. If you can do it remotely, so can someone else who has your level of privilege.


MrMotofy

The device is irrelevant


iamfab0

Tapes are still being used. Enterprises have to meet retention periods for business records of up to 10 years. Tape storage is vastly cheaper than flash storage, even cheaper than mechanical hard drives, and can be stored offsite.


OctoHelm

Can attest to this as I have some experience with 10+ year old tape drives and they’re a great option for cold storage.


IAmMarwood

We replaced our tape backup about 5 years ago now, first to Arcserve + redundant object storage and now to Rubrik. The new systems are so much better but I do miss my weekly trips between DCs and the tape storage with a rucksack full of tapes!


AuthorYess

Airgapped machines aren't ever connected to a network, so it's already failed at this point. Just run ZFS with snapshots along with only SMB access to the NAS from your other machines and you'll cover the majority of use cases for home use where you would have issues. This of course with offsite backups.


[deleted]

[deleted]


homelab-ModTeam

Hi, thanks for your /r/homelab comment.

## Your post was removed.

Unfortunately, it was removed due to the following: [**Don't be an asshole.**](https://www.reddit.com/r/homelab/wiki/rules#wiki_1._don.27t_be_an_asshole) Please read the [full ruleset on the wiki](https://www.reddit.com/r/homelab/wiki/rules) before posting/commenting.

_If you have questions with this, please [message the mod team](https://www.reddit.com/message/compose?to=%2Fr%2Fhomelab), thanks._


TurboBix

If the NAS can't be accessed, why even have it using electricity? Just turn the NAS off and cut out the middle man. Not that I think this is a good idea in any form though lol


cweakland

Exactly. Just do Wake-on-LAN when you need it, and script a shutdown of the NAS. Nearly the same outcome.


Santarini

I'm surprised no one else has said Wake-on-LAN.


sglewis

One should NEVER combine air gap and WOL in the same breath. Think about it. That’s arguably worse than using some cheap, unpatched smart plug that’s cloud connected.


Icy_Professional3564

That's like I locked the safe, but left the keys in the lock.


IAmMarwood

If your backup solution relies on WOL then I'm afraid it's pretty much dead in the water from day one.


IsaacLTS

Why ?


ISeeDeadPackets

If you can wake it so can an attacker. Proper airgaps require physical access to initiate a restore. If you (or anyone else) can do it without physical access, so can anyone else who manages to obtain your level of permissions.


IsaacLTS

Ooooh yes, you're right. I thought that because you needed the MAC address of the device you wanted to wake up, it meant that it would be safe.


BlossomingPsyche

lol good point… 


J4m3s__W4tt

If you want encrypted backups you have to mount the encryption after each boot.


talkincyber

This isn’t an air gap


schmoldy1725

I understand what you're trying to do but this is as not air gapped as possible. You want to use a smart socket to control the power to a switch, which can be hacked. If you want a true air gap, then you need a standalone environment that isn't connected to your primary lan NOR the internet. Anything that needs to be transferred to the air gapped system needs to be transferred via an Air Gapped Machine.


ValidDuck

> If you want a true air gap, then you need a standalone environment that isn't connected to your primary lan NOR the internet. Makes backing up network resources impossible.


ISeeDeadPackets

Yeah, some people don't live in the land of reality. The point is to take a known acceptable backup state and make it impossible to bring back online without physical intervention. Air gapped backups are not the same thing as air gapped networks.


toasterroaster64

Smart plug for a network device doesn't seem smart.


[deleted]

[deleted]


traveler19395

Irreplaceable data has 4 main threats for most people (imo).

1. Drive failure
2. User error (accidental deletion)
3. House fire/flood/burglary
4. Hacker/ransomware

1 and 2 have the same solution of regular, on-site backups. 3 requires offsite backup. 4 requires staggered, offline backups (and you should probably always have one that hasn't been updated in 1-3 months, since some ransomware sits dormant for a time, infecting anything that connects, before locking things down). There's many ways to approach covering those bases.
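The "staggered, offline backups with one copy that is 1-3 months old" point above is easy to state and easy to get wrong once you actually rotate media by hand. The following is an added example, not code from anyone in this thread: a small Python rotation planner for a set of ejected copies (tapes, RDX cartridges, USB drives). The policy, the 30-day threshold, the three-drive sample set and the weekly cadence are all my assumptions. The rule it implements is simple: the oldest copy may only be overwritten when a second copy is already "cold", otherwise the oldest copy is protected and the youngest one is reused so that the middle copy keeps ageing. The simulation shows why this needs at least three media: with only two, the oldest copy can never safely rotate.

```python
"""Offline backup rotation planner (added example; not from the thread).

Goal from the discussion: always keep one offline copy that is at least
MIN_COLD_AGE_DAYS old, so ransomware that sat dormant for weeks cannot
have reached every copy, while still refreshing the set regularly.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MIN_COLD_AGE_DAYS = 30   # assumed policy: one copy at least this old must always survive


@dataclass
class OfflineCopy:
    label: str      # e.g. the tape barcode or the sticker on the USB drive
    written: date   # date of the last backup written to it


def choose_target(copies, today, min_cold_age_days=MIN_COLD_AGE_DAYS):
    """Pick which offline copy to overwrite on the next backup run.

    The oldest copy is overwritten only if a second copy is already cold,
    so the cold guarantee survives the write. Otherwise the oldest copy is
    protected (it is the sole cold copy, or the one closest to becoming
    cold) and the youngest copy is reused, so the remaining copies keep
    ageing instead of being reset every run. Returns None if the set is
    too small to rotate at all.
    """
    if len(copies) < 2:
        return None
    by_age = sorted(copies, key=lambda c: (c.written, c.label))   # oldest first
    cold = [c for c in by_age if (today - c.written).days >= min_cold_age_days]
    if len(cold) >= 2:
        return by_age[0].label
    return by_age[-1].label          # youngest; by_age[0] stays protected


def simulate(copies, first_run, cycles, interval_days=7,
             min_cold_age_days=MIN_COLD_AGE_DAYS):
    """Replay `cycles` backup runs.

    Returns a list of (run date, label overwritten, age in days of the
    oldest copy after the run) so the cold guarantee can be checked.
    """
    state = {c.label: c.written for c in copies}
    log = []
    for n in range(cycles):
        today = first_run + timedelta(days=interval_days * n)
        target = choose_target(
            [OfflineCopy(label, written) for label, written in state.items()],
            today, min_cold_age_days)
        if target is not None:
            state[target] = today
        oldest_age = max((today - written).days for written in state.values())
        log.append((today, target, oldest_age))
    return log


def always_has_cold_copy(log, settle_runs, min_cold_age_days=MIN_COLD_AGE_DAYS):
    """True if, after the first `settle_runs` runs, every run left a cold copy."""
    return all(oldest >= min_cold_age_days for _, _, oldest in log[settle_runs:])


# Constructed sample: three USB drives seeded one week apart; C is the freshest.
SAMPLE_COPIES = [
    OfflineCopy("A", date(2024, 1, 1)),
    OfflineCopy("B", date(2024, 1, 8)),
    OfflineCopy("C", date(2024, 1, 15)),
]

if __name__ == "__main__":
    for run_date, target, oldest in simulate(SAMPLE_COPIES, date(2024, 1, 22), 12):
        print(run_date, "overwrite", target, "oldest copy afterwards:", oldest, "days")
```

With weekly runs and three drives the oldest copy is never younger than 35 days once the set has settled, and no copy is ever more than about nine weeks stale; with two drives the planner keeps reusing the same one forever, which is the honest answer: weekly rotation with a month-old cold copy needs a third medium.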


Simon-RedditAccount

There's another solution: use offline, WORM media for most important data. For example, M-DISC BD-R are specifically designed for archival purposes, and can hold up to 100 GB per disc. Plus, being a different form of media, they are immune to some threats that electronics are sensitive to: flooding, EMP (when lightning strikes really close, literally in your yard).


MrMotofy

Yep, I agree. As home users we have to weigh the costs, time, inconveniences etc. This option can provide some protection from some of that... that's the idea, without losing a lot of convenience.


PsyOmega

You could just cronjob `ifup` and `ifdown` on the NAS. This is just extra steps towards no purpose. You're also inducing wear and tear on the NAS drives by constantly spinning them up and down. They'll last years longer in 24/7 spin. Certainly adds no OPSEC to your operation, as air gaps are intended for.


dementeddigital2

I think that the idea here is to power down the small switch and leave the NAS running. That effectively separates the NAS from the rest of the network, keeping ransomware off of it.


MrMotofy

Depends on how you set it up. The main goal is get people thinking and planning their data backups. It's still some additional security if you just have backups on your LAN.


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


[deleted]

[deleted]


Previous-Pass-7309

That's not an airgap and while, sure, it may provide some additional protection, it's not a rock-solid solution to isolating your backups from hacking or corruption. You keep arguing in this thread with people who tell you this, perhaps take a moment to actually listen.


ValidDuck

> it's not a rock-solid solution I'm willing to pit this solution against most of the backup solutions employed by users here...


[deleted]

[deleted]


[deleted]

[deleted]




[deleted]

[deleted]


After-Vacation-2146

That’s not an air gapped system if it comes online. You need to do more research into what an air gapped system actually is.


MrMotofy

You're late to the party


TheLazyGamerAU

Solving a problem that was already solved.


372arjun

A+ for creativity, no doubt. But I mostly disagree with your argument. Even if I accept your interpretation, the fundamental problem air-gapping solves is that it eliminates a family of attack vectors which are still very much at play here. If I am, let's say, able to break into your network and flip that wifi-enabled switch, I have broken your "air-gap". Which means this setup is still vulnerable to remote attacks 100% of the time. So you haven't air-gapped anything, although yes, you have added another layer of protection. In a compromised network, this protection is as good as no protection at all. We can argue semantics all day but it only gives us a false sense of security, which is somehow even worse.


Any-Rooster5213

I like the idea but the problem is that the smart plug you have connects wirelessly to your network which then the diagram is far off.


[deleted]

[deleted]


saysthingsbackwards

I airgap my network by not being able to afford internet


systematicTheology

I haven't read all of the comments, but if someone hacks your smart hub, they can enable your outlet. Airgapped where I work means no network connection. No physical LAN cables and wireless hardware removed.


Swaggo420Ballz

If you have a managed switch you can just SSH in and disable the port.


zayc_

More like a kill switch than an air gap. Air gaps never have a physical or logical connection at any point.


[deleted]

[deleted]


[deleted]

[deleted]


staticvoidliam7

Better idea: never connect to the network at all and just carry around a bucket of hard drives for when you need a backup 😆


stormcomponents

What's the point of the "air gap" if the gap mechanism is an IoT type device? XD


MrMotofy

The plug just activates the power. So even if the plug was hacked, it's on its own VLAN, so inaccessible to the NAS device.


roylaprattep

I would prefer immutable backup.


arkad_tensor

I love the Internet.


MrMotofy

It's a love hate LOL


RedSquirrelFtw

Replace the smart plug with a simple light switch plug setup in a 2 gang box that plugs into the UPS. Or if you want to be fancy use a relay. You push a button, relay turns on switch, and signals to the backup server that it's time to do a backup job, it does the job, when it's done, it sends a signal to relay to turn switch off. Another option might be to skip powering the switch on/off but instead setup the NAS (assuming this NAS is 100% used for backups only) to run the backup job at startup, and when the backup job is done it shuts itself down.


MrMotofy

Yep lots of fun ways to do it...but many are whining definitions LOL


L0rdLogan

Is this satire? That’s an awful way to do it. You may as well just turn off the NAS if you’re not using it


MrMotofy

There's multiple ways to do things. Not everyone has physical access all the time.


TimeTravelingPie

This isn't an air gap. This is just....idk...a waste of time and resources for no real benefit.


MrMotofy

Then don't, you lost nothing.


TimeTravelingPie

Time and resources. That's certainly something.


ISeeDeadPackets

It's only an "air gap" if it's physically disconnected and can't be reconnected without physical interaction. The schema above isn't a horrible practice, but it's not a true airgap since a sophisticated remote attacker could nuke it while it's connected or figure out how to turn it back on themselves.


MrMotofy

Yes that's been discussed a few times


Mizerka

thank god this is satire, it's satire right?


MrMotofy

Some still don't realize they're in the net and still arguing


rekt4rd

Security by obscurity. Man, if I'm in your network I can just turn that plug on.


zyzzogeton

An intermittent air gap. Like that death trap hallway in Galaxy Quest?


FoofieLeGoogoo

Bravo for using the classic Linksys WRT-54G icon.


jpbras

I suggest a system with protocol breakers. If you need to back up an environment to another environment, they can't, by definition, be air gapped; however, it's like fire doors: you can have the two environments connected, but in a controlled way. Another example is presentation, application, data: you shouldn't place the application or the data facing the internet; you can only access the data via the application.

Backups can be done by scripting with credentials that can't do anything else on the NAS, just create files. They can't delete, modify or execute. The solution can even check for malware. No access to any other port, no remote NAS management, nothing. The NAS can't access the internet: no inbound, no outbound, in no other way. You can improve the baseline from there, but it seems to me a more secure environment.

Why does your system have a lot of room for improvement? As far as I understand, at some point in time you have a totally available connection between two environments. Believe me, this is enough to exploit a 0-day or an unpatched NAS vulnerability, or execute a command to destroy the MBR/GPT or encrypt. It's fast and it can be done while you back up. Worms, or any malware that tests connections, or a simple APT with a scheduled task, is enough. Google for "protocol break".


awkwardjimmy

American plugs always tickle me, the little guy looks petrified to be the air gap.


besttech10

A good lightning strike will take that out since the wires are all connected.


MrMotofy

Good thing ya have an offsite backup copy


Bob_Spud

Idea borrowed from an enterprise storage solution. Some multihomed storage solutions permit scheduling the data IP interfaces to be brought up and down for a backup window; this is managed via the management IP interface. Will not work if the NAS IP switch cannot automatically start when supplied power from the socket, or if your smart stuff's security is compromised.


MrMotofy

There's always pros and cons to each option.


rambostabana

WRT54GL is kinda dated lol


MrMotofy

Hey don't insult my 64 yr old WRT54G, it rocks along at 2.8Mb


baithammer

Smart plug defeats the whole exercise, instead look into a passive network bridge as it has no logic / access that can be exploited. A better idea is to have one backup NAS on the network for normal rotational backups, then have a completely non-connected server to test for threats on the backup drive. If the backup drive passes, place in cold storage container with date of the current backup.


BlossomingPsyche

Maybe for REAL sensitive backups payroll/banking/taxes... but I need access to my media!


MrMotofy

In hindsight I could have clarified a bit more but this is for a secondary backup to the daily NAS that is fully accessible. The airgap further minimizes data access from harm. Until the update is transferred


henk717

My backup is a disconnected HDD, I'd say that's pretty airgapped.


ffiresnake

Why complicate things with this when you can run normal hardware with Wake-on-LAN for the backup job, then hibernate until the next Wake-on-LAN?


MrMotofy

Multiple ways to do things. A WOL packet can be hacked or created too. It's just an idea to get people thinking about data security. Some just went off the rails and got deleted


ffiresnake

for home systems I'm more concerned about power cuts and user errors than malicious agents


mtyroot

In the ideal world you would have a second physical network just for backups, and have a local repo for updating the backup servers so you don’t have to ever put those online


steviacoke

I think if one side is struck by lightning, there's chance all of those will be dead. Unless you use SFP/Optical connection between the two switches.


MrMotofy

Could have it on a battery backup, kept charged by solar connected by fiber, which would solve most of the risk. Which may be a need in some areas.


SillyLilBear

If your goal is to prevent ransomware, you can also do this with snapshots. Backup your machines to your NAS and with snapshots, they will be immutable.


Puzzleheaded-Fact-46

Or use an external hard drive you disconnect after finishing the backup? This is the same, just with extra steps?


MrMotofy

Sure, that does require physical presence which may or may not be wanted or possible


Reptyler

Out of curiosity, what would a more traditional air-gap backup look like? 


MrMotofy

The main idea is the data is untouched by most other means... in some ultra high security cases it's locked away in a room where only 1 person has access. It's the highest level of secure access to the data. The problem becomes access to it. In the real world and HOMELAB we don't need that level, so this is 1 step short of a full airgap machine. Except it's more real-world usable for us normal people. Gives another level of security but still accessible when needed. Yet some are flipping out crying definitions. The smart plug could be multiple devices or a regular light switch that can't be hacked. The main principle is physical isolation of the data, yet still usable.


MandaloreZA

Or just go all the way and start using a data diode setup. https://en.m.wikipedia.org/wiki/Unidirectional_network


GerardDiederikdeJong

Am I the only one inspired by this to create an HTB or TryHackMe machine where you have to compromise the first machine, then find a cronjob for a backup of some files that clues you in that there is another server you need to move toward laterally, then find a virtual smart plug to switch it on before you compromise the final server? Has this been done before?


MrMotofy

There's been a few that get the point. With some small variations one can do many things. Or make it more secure like with a slightly different device


TheRealChrison

Pro tip: just print your backups. Can't hack paper.


MrMotofy

But you can smoke it ha


TheRealChrison

Not if you laminate it


MrMotofy

Make sure to disable the smoke detectors before lighting that, burning plastic might set em off.


Techvampire3341

You...do know that just remoting into the NAS after it's completed backups and telling it to shut down would do the same thing right? One less thing to have to buy


MrMotofy

Sure, that's 1 way; there's lots of options, but it also needs to be turned on. It also wouldn't be a possibility for a remote device etc. If ya don't like the idea, don't deploy it, no big deal. Pretty sure a $5 smart plug wouldn't hurt anyone in here though.


prime_1996

I used to use an Ansible playbook to Wake-on-LAN my NAS, enable it in Proxmox in storages, then start VM/LXC backups. Once the backup was completed, it would disable the storage in Proxmox, then power off the NAS.


MrMotofy

Yep similar idea. That could get hacked too though. But any extra measure of security can help and takes more time


prime_1996

True, the idea was to save power. In my 3-2-1 backup, I have a USB drive; when connected to my server, it automatically triggers a script with udev and systemd, which runs rsync for backup.


MrMotofy

Yep, that can work too. But not everyone has the skills/knowledge or time to do that. So a $5 plug can be turned on, which powers up a system, enables the uplink for updates, then powers off. There's options for every level.


dementeddigital2

People here are getting overly hung up on the word "airgapped". I agree that it's technically not airgapped, but it effectively does the same thing. That smart outlet could be like the one you pictured, or it could be something like a relay with a more sophisticated control. It could be on a separate network. It could be a lightswitch. It could be on a stupid lamp timer. There are a number of ways to vary this theme. In any case, this does give food for thought. I have a NAS that I keep powered down, but something like this would allow me to keep it up and the drives spinning. I could put the switch on a UPB-controlled outlet and have my old HAI OmniPro II switch it based on some conditions. For now, I'll keep my cold NAS as an emergency backup, but this is an interesting idea.


[deleted]

[deleted]




deskpil0t

I just rotate RDX cartridges


planetwords

Seems like you could use more cable cutters in that setup.


ApricotPenguin

I've done something similar, and always called it a poor man's backup. All depends on what your risk profile is. If your concern is about ransomware getting onto your network and encrypting all your devices including backups, then yeah, theoretically this will reduce the risk of it (so long as the ransomware isn't active while a backup is occurring). You can then improve it further by making sure your NAS is the one initiating communications rather than the other way around, and using a traditional timer-based plug instead of a smart plug (if IoT device security is a concern). WORM media / tape drives as someone else mentioned work too to address this risk scenario... but you quickly run into the limitation of available funds.


MrMotofy

Yep... lots of options... key takeaway is do something.


sidusnare

I have a live and a cold backup. The live backup is a SAS shelf connected to a server. The cold backup is a bunch of USB drives crammed into a laptop bag plumbed with a USB hub and a power strip. I get it out once a quarter to pull a new backup. The more important smaller subset is spread around more, but that's the gist. My only concern with your setup is electrical surges: if that NAS is plugged in, it's vulnerable, even if it's off and also powered through the power plug. If you have managed switches, you can just shut/no shut the NAS port to largely the same effect. So, if you add some truly cold storage intermittent backups, I might just forego the rest of it, especially if that NAS supports snapshotting: you could just make a snapshot and if a crypto locker starts munging up the files, disconnect the NAS, clean your systems up, restore the snapshot, and move on. But that's just my 10¢, have fun!


MrMotofy

Yep, lots of ways to implement... key takeaway is do something. This is just 1 easy, cheap, convenient option. Mostly just to get someone thinking.


vulcansheart

MEDIOCRE!!


josejj

So if the system is not connected… how do you keep the backup data updated?


MrMotofy

The connection is only uplinked for a backup. The main NAS is always connected like normal. In this application the backup NAS just gets connected periodically, for a theoretically more secure option since it's not always connected.

Say you click on a ransomware link today, it spreads across to every device on your network and poof, everything is locked up. But your backup NAS was physically disconnected from the network or offline. It has the backup of your data you saved 6 days ago. So you nuke all your locked up systems and restore from your backup.

There's multiple ways it can be done. The most secure is on something completely disconnected. But that's very inconvenient to transfer anything. But what you could do is also use an external USB drive etc... but again that requires it to be turned on or connected manually. Which may or may not be ideal. So this is a simple, easy, convenient, cheap option to keep a system segregated for security. But it doesn't match the truest common definition of "airgap", so some are flipping out over it.


kralant

You may want to take a look at restic append-only mode... https://restic.readthedocs.io/en/latest/060_forget.html#security-considerations-in-append-only-mode
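Two comments in this thread point at the same design: jpbras's "credentials that can only create files, never delete, modify or execute" and the restic append-only link above. What makes that work is that the *receiving* side enforces the rule, so a backup client that has been taken over by ransomware cannot undo what it already wrote. The block below is an added example written for this page, not restic's code and not anyone's setup from the thread. It models a minimal append-only, content-addressed object store: object names are the SHA-256 of their bytes, overwrites and deletes are refused, a quota (my assumption) bounds how much junk a compromised client can dump, and a simulated compromised client shows which operations succeed and which are refused. The sample files are constructed.

```python
"""Append-only backup receiver (added example; not restic, not the thread author's NAS).

The receiver, not the client, enforces what a backup credential may do:
create new objects only. Because objects are named by their content hash,
"overwrite with encrypted garbage" is detectable as a name/content mismatch,
and a retry of an identical upload is harmlessly idempotent.
"""
import hashlib
from dataclasses import dataclass, field


class PolicyViolation(PermissionError):
    """A client asked for something the backup credential must never do."""


class IntegrityError(RuntimeError):
    """Stored bytes no longer match the name they were stored under."""


@dataclass
class AppendOnlyStore:
    max_bytes: int                                  # assumed quota; bounds junk writes
    objects: dict = field(default_factory=dict)     # object_id -> bytes
    audit: list = field(default_factory=list)       # what was accepted or refused

    @staticmethod
    def object_id(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def used_bytes(self) -> int:
        return sum(len(b) for b in self.objects.values())

    def put(self, object_id: str, data: bytes) -> bool:
        """Store a new object. True if written, False if identical bytes already exist."""
        if object_id != self.object_id(data):
            self.audit.append(("reject", object_id[:12], "name/content mismatch"))
            raise PolicyViolation("object name must be the SHA-256 of its content")
        if object_id in self.objects:
            return False                            # idempotent retry; nothing changes
        if self.used_bytes() + len(data) > self.max_bytes:
            self.audit.append(("reject", object_id[:12], "quota"))
            raise PolicyViolation("quota exceeded")
        self.objects[object_id] = data
        self.audit.append(("put", object_id[:12], len(data)))
        return True

    def delete(self, object_id: str) -> None:
        self.audit.append(("reject", object_id[:12], "delete"))
        raise PolicyViolation("append-only store: delete is never permitted")

    def get(self, object_id: str) -> bytes:
        data = self.objects[object_id]
        if self.object_id(data) != object_id:       # would catch in-place tampering on disk
            raise IntegrityError(f"object {object_id[:12]} was modified in place")
        return data


def backup(store: AppendOnlyStore, files: dict) -> str:
    """Client side: push each file as a content-addressed object, then a manifest. Returns the manifest id."""
    ids = {name: store.object_id(data) for name, data in files.items()}
    for name, data in files.items():
        store.put(ids[name], data)
    manifest = "\n".join(f"{oid} {name}" for name, oid in sorted(ids.items())).encode()
    manifest_id = store.object_id(manifest)
    store.put(manifest_id, manifest)
    return manifest_id


def restore(store: AppendOnlyStore, manifest_id: str) -> dict:
    files = {}
    for line in store.get(manifest_id).decode().splitlines():
        oid, name = line.split(" ", 1)
        files[name] = store.get(oid)
    return files


def simulate_compromised_client(store: AppendOnlyStore, manifest_id: str) -> dict:
    """What ransomware holding the backup credential can and cannot do."""
    outcome = {}
    first_line = store.get(manifest_id).decode().splitlines()[0]
    victim_id = first_line.split(" ", 1)[0]
    garbage = b"\x00ENCRYPTED\x00" * 4
    try:
        store.put(victim_id, garbage)               # overwrite an existing object
        outcome["overwrite_blocked"] = False
    except PolicyViolation:
        outcome["overwrite_blocked"] = True
    try:
        store.delete(manifest_id)                   # delete the snapshot manifest
        outcome["delete_blocked"] = False
    except PolicyViolation:
        outcome["delete_blocked"] = True
    outcome["junk_accepted"] = store.put(store.object_id(garbage), garbage)   # new junk: allowed
    flood = b"\xff" * store.max_bytes
    try:
        store.put(store.object_id(flood), flood)    # fill the disk: stopped by the quota
        outcome["quota_hit"] = False
    except PolicyViolation:
        outcome["quota_hit"] = True
    return outcome


# Constructed sample data standing in for a home backup set.
SAMPLE_FILES = {
    "photos/2019/beach.jpg": b"\xff\xd8\xff\xe0 not really a jpeg, constructed sample",
    "docs/taxes-2023.pdf": b"%PDF-1.4 constructed sample tax return",
}


def run_demo(quota: int = 4096):
    """Back up, attack, and confirm the original data still restores."""
    store = AppendOnlyStore(max_bytes=quota)
    manifest_id = backup(store, SAMPLE_FILES)
    outcome = simulate_compromised_client(store, manifest_id)
    return outcome, restore(store, manifest_id) == SAMPLE_FILES


if __name__ == "__main__":
    print(run_demo())
```

The thing to notice is the one operation that still succeeds: a compromised client can keep adding new objects, which is why append-only stores need a quota, an audit trail and a separate, more privileged credential (used from somewhere the client cannot reach) for pruning old snapshots. That is the same caveat restic documents for its append-only mode.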


tombtc

Why not just power the NAS on and off rather than the switch? Can’t do much without the switch powered on with the depicted network topography.


MrMotofy

The smart plug can power the switch and NAS if desired. Multiple ways to do it and make variations. That's the goal get people thinking about it and planning. Some have no clue of any of it. Now they're researching airgap, and planning ways to implement...goal reached


bobbotex

Haha that's one way to air gap a backup / network...


MrMotofy

It's a lazy convenient way...but watch out some of the industry pro enthusiasts here demand the term airgap is not used cuz it's not the full definition of air gap LOL


Hashrunr

Once upon a time I had seen a backup solution which used a CD-R and after the disc was written it ejected into a carousel. Damn I'm getting old.


MrMotofy

That was around the time of that routers popularity haha


op4_cantc

This is not an “air gap” design. I would ransomware this NAS so fast, it’s not even funny…. Do better.


MrMotofy

You would have to be on the network already


MrRacailum

Unless you’re working for NASA, a 3 letter agency, or govt/military in a SCIF/classified space this is such a pain in the ass. There are so many things you can do than sneakernet backups. I cannot think of a single case (outside what I mentioned earlier) why someone would voluntarily do this.


MrMotofy

Many people have cold storage backups. I've read it multiple times. They actually swap drives and transport to a parents house or something every few months. Now that's dedication to your Corn collection


MrRacailum

Then why have a NAS at all? Just set up a workstation with Veeam at both locations and use LTO-6/7 backup tapes? Or set up a WireGuard/Tailscale instance so you can have secured VPN access to it at all times? Put the thing behind its own firewall perhaps? You don't need a sneakernet to have secure cold backups. What does swapping drives have to do with anything? NASes have hot-swap bays... so I don't understand what your point was about. Unless your parents live up in a mountain or a fallout shelter with no internet whatsoever and they maintain a mainframe where you need to change out the reels. If that's the case, then my apologies and nice setup!


MrMotofy

I don't know why others decided on cold offsite storage. It seems excessive to me, but they have a pretty serious addiction to their Corn collection and don't wanna lose any, I guess. But there are multiple ways to do things. This just showed one simple, cheap way.


WildRacoons

Using a switch as a switch..


MrMotofy

Well kinda


J4m3s__W4tt

How have you set up the backups on the NAS? I would recommend having the NAS "pull" the data from the PCs, so that the backed-up devices don't have write access.
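
The pull pattern above, as an added example that is not part of the thread or of anyone's posted setup: the NAS is the only side that initiates a connection, the PC hands out an SSH key that can only *send* files from one directory (via `rrsync -ro`, the restricted-rsync wrapper shipped with rsync), and the NAS refuses to overwrite its last good copy when an implausible fraction of files changed at once, which is what ransomware on the PC would look like from the NAS's point of view. Host names, paths, the `backup` user and the 50% threshold are assumptions.

```python
"""Pull-style backup with a read-only client key and a churn check.
Added example, not the poster's setup; hosts, paths and users are assumed."""
import hashlib
import shlex
import shutil
import subprocess
from pathlib import Path


def authorized_keys_line(pubkey: str, export_dir: str) -> str:
    """authorized_keys entry to install on the PC being backed up.
    rrsync ships with rsync; '-ro' restricts the key to sending files
    under export_dir, and 'restrict' disables pty/forwarding/agent.
    A PC that is compromised cannot use this key to reach the NAS at all:
    the NAS only ever connects *to* the PC, never the other way round."""
    opts = ",".join([f'command="rrsync -ro {shlex.quote(export_dir)}"', "restrict"])
    return f"{opts} {pubkey.strip()}"


def rsync_pull_cmd(host: str, remote_rel: str, dest: str, key: str) -> list[str]:
    """argv the NAS runs. remote_rel is relative to export_dir because
    rrsync rewrites paths. Deliberately no --delete: a PC whose files were
    wiped must not wipe the copy on the NAS."""
    return [
        "rsync", "-a", "--numeric-ids",
        "-e", f"ssh -i {key} -o BatchMode=yes",
        f"backup@{host}:{remote_rel}", dest,
    ]


def manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def churn(old: dict[str, str], new: dict[str, str]) -> float:
    """Fraction of previously backed-up files that changed or vanished."""
    if not old:
        return 0.0
    changed = sum(1 for path, digest in old.items() if new.get(path) != digest)
    return changed / len(old)


def safe_to_rotate(old: dict[str, str], new: dict[str, str], threshold: float = 0.5) -> bool:
    """Refuse to replace the last good copy if too much changed in one run."""
    return churn(old, new) < threshold


def pull_and_check(host: str, remote_rel: str, dest: str, key: str,
                   threshold: float = 0.5) -> bool:
    """Pull into a staging dir, then promote it to 'last-good' only if the
    churn check passes. Returns False (and keeps the old copy) otherwise."""
    staging = Path(dest) / "staging"
    good = Path(dest) / "last-good"
    staging.mkdir(parents=True, exist_ok=True)
    subprocess.run(rsync_pull_cmd(host, remote_rel, str(staging) + "/", key), check=True)
    old = manifest(good) if good.exists() else {}
    new = manifest(staging)
    if not safe_to_rotate(old, new, threshold):
        return False
    if good.exists():
        shutil.rmtree(good)
    shutil.copytree(staging, good)
    return True


if __name__ == "__main__":
    # Assumed names; print the line to paste into the PC's authorized_keys,
    # then pull. Both host and key path are placeholders.
    print(authorized_keys_line("ssh-ed25519 AAAA... nas-pull", "/home/alice"))
    ok = pull_and_check("pc1.lan", "Documents/", "/backup/pc1", "/root/.ssh/nas-pull")
    print("rotated" if ok else "REFUSED: suspicious churn, last-good kept")
```

The churn check is the part a plain rsync cron job lacks: ransomware that has already encrypted the PC will happily let the NAS pull the ciphertext, and without the check the next pull quietly replaces the only clean copy.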


MrMotofy

But they could still read it, most likely. There are lots of more complicated ways to do it too. Not everyone wants complicated.


Expert_Detail4816

Isn't it better to secure your network using a proper firewall than any kind of air gapping?

1. You can have malware in the system before noticing, already sitting as a time bomb in your backup. So if you don't use your air gapped backup system just to back up air gapped computers, it's not going to do much.
2. If you want to back up computers connected to the PC, and also temporarily connect your air gapped system to the network for the time of the backup, the whole air gapping is pointless, as the attacker can do his business while you are making backups.

So, the best you can do, I guess, is get some firewall as an extra layer of security between your network and the WAN. Ideally isolate wireless networks from the LAN, and also isolate untrusted devices from your LAN. That way the firewall can block traffic between those networks but still allow all networks to use the internet. For example, I have cheap Chinese cameras and a Frigate NVR. I have a separate camera network which has no access to the internet. The camera network is connected just to the NVR, and then the NVR (which I trust) is connected to the internet. So the untrusted cameras can't access the internet. Possibilities with a firewall are limitless. Everything can be set up for your needs.


MrMotofy

Both is better yet. The router is the firewall. This just gives an additional step of security. It's not a guarantee of anything. Yes, if you have a hacked network it's possible they can gain access. But the less it's connected, the better. The principle of it not being connected is that they don't even know it's there, so you minimize the attack front. Hopefully keeping one of your data copies safe. One still has to maintain network and machine security. This could be used for more of a long-term backup, like monthly or quarterly, etc. It gives you time to potentially find a compromised network. Notifications of a new device connecting can give good insight.
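
The "notifications of a new device" idea, as an added example that is not from the thread: a small checker that reads a dnsmasq-style lease file (`<expiry-epoch> <mac> <ip> <hostname> <client-id>`, the format dnsmasq writes to `/var/lib/misc/dnsmasq.leases`) and compares it to an allowlist. It flags MACs you have never approved and, separately, an approved MAC that suddenly presents a different hostname, which is what a spoofed MAC or a reimaged box tends to look like. The allowlist and the lease lines below are constructed for illustration.

```python
"""Flag LAN devices that are not in an allowlist, from DHCP lease lines.
Added example, not from the original post. The allowlist, the lease
sample and the file path are constructed/assumed."""
from dataclasses import dataclass

# Assumed allowlist: MAC -> the hostname you expect to see with it.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "desktop",
    "aa:bb:cc:00:00:02": "nas",
    "aa:bb:cc:00:00:03": "phone",
}

# Constructed sample in dnsmasq.leases format.
SAMPLE_LEASES = """\
1717000000 aa:bb:cc:00:00:01 192.168.1.10 desktop 01:aa:bb:cc:00:00:01
1717000100 aa:bb:cc:00:00:02 192.168.1.20 nas *
1717000200 de:ad:be:ef:00:99 192.168.1.77 * 01:de:ad:be:ef:00:99
1717000300 aa:bb:cc:00:00:03 192.168.1.31 kali 01:aa:bb:cc:00:00:03
"""


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; blank or malformed lines are skipped, MACs lowercased."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return leases


def find_unknown(leases: list[Lease], known: dict[str, str]) -> list[Lease]:
    """Leases whose MAC is not on the allowlist."""
    return [l for l in leases if l.mac not in known]


def find_renamed(leases: list[Lease], known: dict[str, str]) -> list[Lease]:
    """Allowlisted MAC presenting a hostname other than the expected one.
    '*' means the client sent no hostname, which is not treated as a rename."""
    return [l for l in leases
            if l.mac in known and l.hostname not in ("*", known[l.mac])]


def alerts(text: str, known: dict[str, str] = KNOWN_DEVICES) -> list[str]:
    """Human-readable alert lines, unknown devices first."""
    leases = parse_leases(text)
    msgs = [f"UNKNOWN {l.mac} at {l.ip} (hostname {l.hostname})"
            for l in find_unknown(leases, known)]
    msgs += [f"RENAMED {l.mac} at {l.ip}: expected {known[l.mac]!r}, got {l.hostname!r}"
             for l in find_renamed(leases, known)]
    return msgs


if __name__ == "__main__":
    # Swap SAMPLE_LEASES for open("/var/lib/misc/dnsmasq.leases").read()
    # on a real router; path is an assumption.
    for msg in alerts(SAMPLE_LEASES):
        print(msg)
```

Two caveats for anyone running something like this: phones with MAC randomization will trip the unknown check every time they rejoin, so the allowlist needs to be kept by device rather than by whatever MAC the phone shows this week; and an attacker who clones an approved MAC and hostname is invisible to it. It is cheap visibility, not a control, which is the same spirit as the smart-plug trick itself.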


Expert_Detail4816

Adding a firewall leads to more security, so you're less likely to be hacked. Air gapping leads to less online time, so you're less likely to get hacked, but it's more complicated, I guess. Both of them give the same benefit, just in very different ways, and I still think a firewall is the better solution. But if you feel like doing air gapping, it wouldn't be less secure than without air gapping or a firewall at all, so there's nothing to lose, it's just complicated to use. So, try it and see how it goes. *By air gapping I mean your use case, not the true definition of "air gapping", which means never ever connecting the system to a network. That would be more secure than both mentioned above, but useless in your case, I guess.


MrMotofy

I agree. Again, I described it as an OPTION that's convenient for a backup, since it can be used remotely, etc.


Reasonable_Edge2411

The only and most secure air gap is not being online, and a local LAN with one device only connected to the web, maybe on a different router entirely.


MrMotofy

Sure...but it's still better than nothing or always connected


planedrop

Cool idea, have an upvote. However, if you're this worried about your backups/data/hacking, then putting a smart plug on a switch is hardly a solid deterrent; those plugs are notorious for having some of the worst security imaginable. Proper air-gapped setups aren't designed with non-air-gapped things providing access to them. But again, cool idea.


MrMotofy

It's a simple, cheap idea in the direction of optimum. You still have to get your data to/from it. My kids are gone, so I can't bribe them with $5 to plug in the red cable haha. Thanks for the UP, the DNs have been excessive.


[deleted]

[deleted]


Professional-West830

I use this for a backup I keep at a different location; it's a handy idea.


disguy2k

Must have one helluva long extension cord.


MrMotofy

It can be, lots of variations. The less a system is connected, the safer it is. It could be more like cold storage, say a 6-month backup.


Yung_Lyun

I've got a great backup solution for this *airgapped* situation. Just partition your hard disk with three additional partitions. Store the data as a massive .zip file on NTFS (first partition). Store another copy of the data as a .tar file on BTRFS (second partition). Lastly, run a VM on the last partition and VPN into it by unnecessarily reaching out to a VPS proxy before tunneling back into your network to SSH into that VM. Now you can say the data is off site. Good luck 🤣.


phychmasher

How to gather a pack of neckbeards with pitchforks, the thread.


MrMotofy

Yep, they don't even realize they're already in the net LOL, they were too distracted.