Archive for the ‘Networking’ Category

QNAP TS439 II Pro TurboNAS, Part III

More on this review;

Backup / Replication:

After having set up the box in its most basic form, I tried to set up replication to another “not NAS” server (like I had running on my Linux box). This is done through the web interface and is fairly straightforward, once you have a basic understanding of RSYNC. On the receiving end you will need to set up a basic rsyncd.conf file with a module name and a path to sync with.

Here is an example rsyncd.conf file.

[ModuleName]
 comment = Rsync Target
 path = <path to sync with>
 use chroot = yes
 max connections=10
 lock file = /var/lock/rsyncd
 read only = no
 list = yes
 uid = <youruid>
 gid = <yourgid>
 strict modes = yes
 hosts allow = <your host that should get access>
 hosts deny =
 ignore errors = no
 ignore nonreadable = yes
 transfer logging = no
 log format = %t: host %h (%a) %o %f (%l bytes). Total %b bytes.
 timeout = 600
 refuse options = checksum dry-run
 dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz
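
The module above is writable (read only = no) and sets neither auth users nor secrets file, so hosts allow is its only access control. The check below is an added example, not part of the original post: it parses an rsyncd.conf and flags those conditions per module. The path, uid, user name and address in the two sample configs are constructed values.

```python
"""Audit rsyncd.conf modules for weak access controls (added example)."""

FALSE = {"no", "false", "0"}


def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}).

    Names are lowercased with whitespace removed so spelling variants
    compare equal; only the first '=' on a line separates name and value.
    """
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        name, sep, value = line.partition("=")
        if sep:
            current["".join(name.lower().split())] = value.strip()
    return global_params, modules


def audit_module(params, global_params=None):
    """Return a list of finding codes for one module."""
    global_params = global_params or {}

    def get(key, default):
        return params.get(key, global_params.get(key, default)).strip()

    findings = []
    writable = get("readonly", "yes").lower() in FALSE
    if not get("authusers", ""):
        # No password check: any host passing 'hosts allow' gets in.
        findings.append("no-auth-writable" if writable else "no-auth-readable")
    elif not get("secretsfile", ""):
        findings.append("auth-without-secrets-file")
    allowed = get("hostsallow", "").replace(",", " ").split()
    if not allowed or any(h in ("*", "0.0.0.0/0", "::/0") for h in allowed):
        findings.append("hosts-allow-open")
    if get("list", "yes").lower() not in FALSE:
        findings.append("module-listed")  # name is advertised to any client
    if get("usechroot", "yes").lower() in FALSE:
        findings.append("no-chroot")
    return findings


def audit(text):
    """Audit every module in an rsyncd.conf given as a string."""
    global_params, modules = parse_rsyncd_conf(text)
    return {name: audit_module(p, global_params) for name, p in modules.items()}


# Constructed sample: the post's config with its placeholders filled in.
PAGE_STYLE_CONF = """\
[ModuleName]
 comment = Rsync Target
 path = /srv/backup/qnap
 use chroot = yes
 max connections=10
 read only = no
 list = yes
 uid = backup
 gid = backup
 strict modes = yes
 hosts allow = 192.0.2.10
 hosts deny =
"""

# Constructed sample: same module with a password-protected user, unlisted.
HARDENED_CONF = PAGE_STYLE_CONF.replace(" list = yes", " list = no") + (
    " auth users = qnap\n"
    " secrets file = /etc/rsyncd.secrets\n"
)

if __name__ == "__main__":
    for label, conf in (("page-style", PAGE_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

The rsync daemon protocol does not encrypt the transfer, so a firewall port forward to it exposes the data in transit even when a password is required.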

From the QNAP webgui you can set weekly or daily rsync intervals, limited to only a single rsync schedule per day. If you have enabled SSH access, you can simply edit the QNAP crontab to enable an hourly sync or whatever you would prefer. Just make sure you comply with crontab syntax.
Warning! Since the webgui does not support this, you might get undesired results after reverting back to the webgui once you have manually edited the crontab.

Here is an example from the QNAP crontab, having two schedules defined through the webgui.

0 6 * * * /etc/init.d/rsyncRR.sh Schedule0 2>/dev/null
0 5 * * * /etc/init.d/rsyncRR.sh Schedule1 2>/dev/null

I have had it running for about a week now, and so far all seems to be replicating (rsyncing) just nicely.

I have not had the chance to set up QNAP-to-QNAP replication, so I had no means of documenting my findings for you. Maybe if Chris M. Evans gets his hands on a QNAP box for review I could set up replication with Chris.

The webgui is pretty straightforward on this. You have to enable incoming replication traffic first on the NAS box. Of course you will have to make sure you punch the appropriate holes and configure the right port forwarders in your firewall (assuming you have one).

The QNAP box offers one USB port in the front, with a large BACKUP button alongside. If you plug in a USB drive, you can have the QNAP back up all your QNAP content to the USB attached drive. You will have to have a large drive though if you have a large capacity QNAP. For me, this would make no sense because I am replicating all my valuable data to a remote location.
QNAP might be smart to add some granularity to this one-button-backup option, so you can specify what to back up to the USB drive.

At the back of the QNAP box, there are four more USB ports, and an eSATA port, so you can expand your QNAP box with quite some capacity.

Installing additional packages:

From the administration panel you can navigate to the Applications sections and then select QPKG Plugins.

Here you can find your way easily to additional packages you can install. My favorites are in the following sections.

Dropbox:

I am a very big fan of Dropbox, so I really wanted to have Dropbox also running on the QNAP to synchronise a folder with my other workstations, especially my laptop for when I am working at a customer’s location or while traveling.

For the SABnzbdplus part of my usage, I have an NZB folder in my Dropbox synchronized folders which is watched for new downloads. That way I only have to put the nzb file in my Dropbox folder and the SABnzbdplus daemon on the QNAP will pick it up automatically. Maybe it’s just because I am lazy but it works for me that way :-)

QNAP does not support or offer packages for Dropbox on the QNAP boxes. The TS439 is based on Intel Atom processors, and runs Busybox, so there should be no reason it does not work on these QNAP series. I have found a couple of posts on this topic in the QNAP forum and have been able to install and run a Dropbox client on my QNAP.

For your own Dropbox on an Intel based QNAP, please review this forum thread. Be advised, it will NOT work on ARM based QNAP boxes.

Download Station:

The QNAP box offers a Download Station section, which has various Torrent tools in there. I don’t use any torrents at all, so I had no use for it. I do occasionally use SABnzbdplus. This package is available from the QNAP Applications download site. You can install it through the webgui without any problem.
You do need to install the “Python 2.7” qpkg first though. Once you have installed SABnzbdplus, you can reach it through your web browser at http://<your-qnap-hostname-or-ip>:8800/sabnzbd/

Downloading Podcasts:

I do listen to a bunch of podcasts, and I want them to be downloaded very shortly after they are published. On the QNAP you can most easily do this by means of “castget”. To install castget, you will first need to install “QPKG – Optware”. This enables the ipkg command line utility. You might want to read the QNAP Wiki on castget. The Wiki install guide refers to ARM based QNAPs, but this also works on the Intel Atom series.
There are many discussions about adding a podcast downloading option to the QNAP code, just as there are many discussions about adding Dropbox to the QNAP code, but there is not a single sign from QNAP indicating they have plans to integrate these tools.

Overall impression:

The QNAP is an excellent NAS box with series ranging from low end home user usage to a small business range, with disk expansion enclosures. The 3.x code running offers a wide range of features. For the simple home use environments and the novice user this might appear a bit too complex. For the experienced user and IT masters, it will be a piece of cake to set up and maintain the QNAP NAS box.

The sheer number of features is astounding. Modding the QNAP is no problem and even supported (to some extent of course) by QNAP. The user forum is very active and as far as I have been able to experience, response is swift and helpful.

The QNAP box has been purring for a few weeks now, and so far it has done excellent service for me. Replication and serving multimedia content have all worked perfectly so far. I have done two firmware upgrades along the way, and they too went smoothly.

I am definitely in for another set in my home/office.

24

12 2010

QNAP TS439 II Pro TurboNAS, Part II

More on this review;

Sorry it took me like forever to write up the remaining parts. Work work work… Money doesn’t come flying through the door by itself you know….
Ok, for you guys that have been waiting for the rest, here is some more reviewing…

Initial Setup

I apologize for the crappy pics I made. Just proves I am not a photographer.

When booting the device for the first time, it will ask you how you want to set up RAID. It will notice the number of disks you have inserted. If you have only two drives installed, it will ask you if you want RAID1. If you have three or four drives installed it will offer RAID5 as its initial setup. This is all displayed on the front LCD panel, and the two buttons on the right will allow you to change this initial setting. After setting the RAID level you can also choose to encrypt the drives.

Once you have navigated through these initial settings, and it is only the two I mentioned (RAID and encryption) the QNAP will start preparing for initial use. It will take about 15 minutes before you will get access to the web interface. The RAID formatting/synchronisation is not done at that time. It will continue in the background, but you can start using the device if you like.

If you have DHCP in your network, the QNAP will get its IP settings from DHCP and will display its IP address in the front LCD panel. If you have no DHCP you will need to get to the QNAP at its APIPA address.

The supplied CDrom also provides you with a discovery tool to help you set up the QNAP.

Web Interface / Management

After initial setup you can access the webgui at the IP address you have set up or the one provided by DHCP. Simply navigate your favorite web browser to http://<your-qnap-ip> and it will automatically redirect you to the appropriate section and TCP port for administration.

The main window shows an Apple-cover-flow-like panel which lets you choose what section to use. It will not flow on mouse-over though; you need to click through it.

Still, for a home NAS appliance it is pretty fancy. You can select the administration section, multimedia station, surveillance station, web file manager or whatever you might have installed and enabled.

The web interface looks very slick and is very responsive. I guess this is among the places you will notice the dual-core Atom processor.

I will only address the most interesting (to me that is) parts of the webgui. The rest is pretty straightforward and self-explanatory. The overall management is very easy and GUI response is swift and informative. No cryptic responses leaving you guessing at the problem.

The resources page gives you tons of information that many system administrators would love to have on their servers. In that respect, this QNAP box is very much like a server in respect to all the possible tasks it can perform. If you have your QNAP box working like crazy, be sure to check the resource monitor pages to see how your QNAP handles the load.

If you wish to see more, please drop me a note or comment, and I will see if I can update the posts.

Raid Information

When logged in to the Administration console it is easy to see the status of the RAID array. You can also use the excellent wizards to modify the RAID set. You can check all the hard disk information (if the drive is SMART enabled) and even set up a special temperature alert (next to the other alerts).

The GUI also lets you see in the description field what type of actions you can perform on your array.

uPnP / DLNA – TwonkyMedia

Like most popular home NAS devices, the QNAP also sports a nice DLNA/uPNP media server. You can simply enable it (license key is incorporated and part of the purchase of the QNAP device) through the GUI.

You now get presented a new url to click so you can access the web interface of the Twonky Media server, which to my taste looks awful but is very very usable.

For more about twonky, please follow this link.

Stay tuned for another part….

23

12 2010

QNAP TS439 II Pro TurboNAS, Part I

About a week ago I finally got my home NAS device, a “QNAP TS 439 II Pro”.

I have been postponing this purchase for years now since I had my own home brew Linux server acting as a NAS station. I only decided to phase out the Linux server in favour of the small NAS box because after 10 years of always-on usage, my Linux server began to have some stability issues.

For me the new NAS device had to be able to support all features I was using on my Linux server. More features were nice, but not required.

  • Replicate personal data on regular intervals, like digital photos and scanned documents.
  • Replicate backups from my website and database (along with the website of a couple of friends) to the NAS box.
  • Serve multimedia content using uPnP/DLNA to the media players in my house. Transcoding not required.
  • Download podcasts on regular intervals.
  • Download other content like TV shows and or movies.
  • Serve as a surveillance station for a webcam or maybe even two eventually.
  • Have fairly good performance.

Like Synology, QNAP has several models that support all of these features. Maybe not all of them out-of-the-box, but they can all be implemented in some way. Besides what I wanted it to support, the QNAP has a bunch more features you can use. I went for the QNAP based on various posts I read on the web and the features they do offer. In the end I do not think it would have made much difference. Pricing is however somewhat higher for the Synology boxes with 4 or more drives (as far as I have been able to investigate).

Unboxing:

The QNAP came in a nice cardboard box with sufficient soft protection to make sure your box can sit in your cabinet or on your desk without dents or scratches. Like most other products, there is nothing wrong with the packaging. When you order your gear at a webshop, make sure you check a couple of reviews on that shop to make sure they send their orders in decent and discreet packaging.
I tend to order at the same webshop most of the time, because I know them and am very satisfied with their services. I know it sometimes can be somewhat cheaper, but that is not my most important criterion.

Within the box, there is also a smaller box with the power and network cables. Yes more than one network cable, as this QNAP model has a dual 1GbE interface. Also you will find a small plastic wrapping with the necessary screws to secure your hard drives in the brackets. For those who care to use it, there is also a CDrom with all the user documentation you need. In my case, these mostly end up in the bin.

External appearance:

From the outside the box has a decent and firm look. The surrounding cover is made up out of brushed aluminium and seems to have a clear coating over the metal. I guess it helps keeping the box clear of smudges. At the front is a small but very bright blue LCD panel indicating the IP address and status. After running a few minutes this display dims and only a couple of subtle LED’s are lit to indicate activity and system status.

The front cover is clearly a plastic cover and it also feels that way. This to me kind of seems disappointing in comparison to the side and top covers. The drive brackets are also made of plastic but have a metal cage to place either a 2.5″ HDD or 3.5″ HDD in.

The option of a 2.5″ or 3.5″ contributes to user flexibility but also has the SMB market in mind. I myself will be quite satisfied with the slower but larger capacity drives, but some businesses or high end users might have more need for faster or “greener” 2.5″ drives. It’s up to you, QNAP offers the possibility to go either way.

Be on the lookout for some follow up posts.

12

11 2010

TFD Sea10 – F5 Networks

I wasn’t aware of all the stuff F5 does, so I am glad to have been part of this, because the things they showed us were quite impressive. The online vMotion of a virtual machine between data centers is what really made the biggest impression if you ask me.

Not all live demo’s done by presenters go without flaw. That’s the biggest danger of doing live demo’s in front of an IT crowd. If something should go wrong, the IT crowd is sure to notice it. You might end up looking like a fool. But not here at the F5 Tech Field Day session. F5 could proudly rely on their own equipment and knowledge to pull off their demo without a problem.

For all the stuff we got to see, the data was hosted on an NFS share, so these demo’s certainly do not apply to all VMware installations. F5’s strengths are not in the Fibre Channel arena, but in the IP arena. In there, they are able to kick some serious IP ass.

I was shown some impressive network (WAN) optimization products like the BIG-IP Local Traffic Managers and Global Traffic Managers. Load balancing and IP fail-over, all done, all working. I am not a networking guy, so I was actually more into the ARX series device. If you are more of an IP guy or gal, try some of the other Tech Field Day blog posts.

ARX Series.

This device is a NAS virtualization product, a technology F5 acquired by buying Acopia in 2007. You can put this in front of one or more file serving devices, either CIFS or NFS based, and have all of this virtualized.

The applications and users in your environment will talk to the ARX device, which in turn will serve your data from its backend NAS devices like NetApp, HP PolyServ, Dell NX series or regular file servers.

With the ARX device you can define a whole bunch of policies which control the management of your file data. Based on age, file extensions, or whatever policy you might want to set, the data can get moved to another file storage tier in your environment. You could move all your employees’ mp3 files to a low cost SATA array with no protection for instance. Many scenarios are possible, only limited by your imagination and wallet I guess.

Some additional features you would probably like to have in your environment, like virus scanning, are not available. You will still be relying on the methods in place on the file serving gear you are already using. Data protection of the files you are storing is also not a feature provided by the ARX. It is what it is. File virtualization. If you want data protection, you still would want to use the features your NAS devices provide, or rely on the more traditional methods like file based backup or NDMP. This product can help in reducing your backup volume though, by moving unused (or almost never used) data off to a tier that has different backup schemes, or maybe no backup at all (not my recommendation though).

The next step in tiering your data would be to put it into the ” cloud ” (here’s that term again) so you would no longer have to operationally manage this data in your infrastructure, including backup handling. The ARX has several API interfaces to the currently biggest cloud storage vendors ready to go. F5 showed us another successful demo in which they were able to show us just how seamless the integration works. From an end-user perspective there was no difference noticeable as to where the file was actually stored. With large files, you might experience some delay however. This was not shown in the demo, because it could take up a lot of our precious time.

The file will remain in the cloud, even if it is updated. The update of a file will not result in the file being stored on a local tier. This can cause some delay in the file manipulation transaction. Only new files will be matched to a policy to store it on a local tier. I have some reservations whether or not this is a good way to work. I would think storing the updated file locally would be the better way to go. I might be missing some detailed information on the policy options here. That’s because the session wasn’t long enough to go into it in that much detail. Feel free to comment on this post if you can offer more detailed info on the policies or have any other remark on this post.

The ARX box comes in three sizes.

  1. ARX500
    1. Entry level, single power supply.
    2. 800 Mbps throughput.
    3. 2 x 1Gb/s.
    4. Supporting up to 600 users.
  2. ARX2000
    1. A redundantly powered device.
    2. 4Gbps throughput.
    3. 12 x 1Gb/s.
    4. Supporting up to 6000 users.
  3. ARX4000
    1. Like the ARX2000, a redundantly powered device.
    2. 12Gbps throughput.
    3. 2 x 10Gb/s.
    4. 12 x 1Gb/s.
    5. Supporting up to 12000 users.

There is a question I have about the maximum number of users it supports. The numbers are very high obviously, but are they based on -1- active session per user, or not? It is very rare for a user to have just -1- active session to a file server.

The device in itself is a single point of failure, no matter how robust the hardware and software is. If you want a high-availability solution, you should buy at least two, and put them in a cluster configuration. I wasn’t able to determine whether or not you could make it a stretched cluster to span two data centers to provide availability and disaster tolerance.

Data Manager

In case you might be curious on how much file data you have and how much of it is actually used, you could go discover your file data using the F5 Data Manager. You can try it for free for 90 days. That’s actually quite a long trial period.
Data Manager gives you some elaborate reports on your file data and profiles.

More on Data Manager…

23

07 2010

IP based storage is picking up

During these past presentations at Tech Field Day, the overall notion I got was that all (new) storage vendors announcing new products are putting the focus of connectivity at IP based storage primarily. Some are still putting in Fibre Channel as a method of connectivity, but it isn’t their most important one anymore.
You can definitely notice the adoption of CEE (Converged Enhanced Ethernet) or DCB (Data Center Bridging) and it might still enable vendors to put in the FC protocol, but iSCSI and NFS/CIFS is actually getting much more attention than I would have anticipated. In the list of products we have discussed the last two days, there’s actually just one that has FC on board.

I know there’s way more vendors out there, but I just wanted to illustrate my observations of the last couple of days. For a complete list, I might be putting up a new post.

The 10Gb Ethernet is definitely changing the arena here, and FC might lose the dominance in the data-center after a renewal cycle or two.

17

07 2010

Fibre Channel over Token Ring

Although the industry is working on FCoE as a convergence, the specialists and analysts all seem to be thinking Fibre Channel over Token Ring will really be the spinner this year.

I wanted to make sure you guys don’t miss out on this new emerging technology.

16

07 2010

VLANs and VSANs and…

Recent posts discussed the correctness of the term Virtualization in its current use. Also the post on the “Storage Virtualization” which should actually be called some form of “Volume Manager” made me think of the next storage related network. The File Area Network, in which the file management problems are to be handled. I’ve been doing some reading in the new Brocade pocket book which I got at a recent “Brocade Fusion Tour” seminar, and this taught me that most file management issues are in the Windows environment. Where else I immediately thought. We all know that there are already several products which claim to handle the large volumes of files we all seem to have problems with. There’s enough NAS gateways/files or other solutions out there to choose from, but that’s actually not what I am aiming at.

The previous posts, and the Brocade booklet lead me to the following:
At first we had Local Area Networks, then Cisco (I believe it was) came with VLAN’s.
Later the Storage Area Networks emerged, and Cisco thought we all needed VSAN’s. Some think you do, some think you don’t.
The new buzz is the File Area Network, and I started thinking if there might be some way for Cisco (or others) to come up with the necessity for the world to have VFAN’s? It would fit right into the Cisco alley.

I myself can’t think of any reason we would need VFAN’s, as in the VLAN and VSAN world it is all about connectivity. The FAN isn’t really about connectivity, but more about the concept of distinguishing the concept of file management.

10

05 2007

SAN Storage in a DMZ, Part 2.

Remember my post on SAN storage in a DMZ? If not, check this link.

Well, I haven’t been wasting my time.
I’ve done some research on this topic, but that didn’t turn up much information. Maybe my research wasn’t extensive enough.
I’ve had some thoughts on the subject though. Like I said in my previous post, you have to be pretty good to modify the device drivers of a host after breaking in. You’d have to be even better when trying to modify any SAN component or setting without having access to the management interfaces of the SAN components.

Last week I went to the Storage Expo and I arranged a conversation with Randy Kerns, for those who don’t know Mr. Kerns.
I presented him with my dilemma. My question is clarified by the image in the post.

Sample to story

So, here’s the scenario:

Some malicious dude or dudette has made it through all the defensive arrangements and has gained access to host A. He is able to see all the data available to host A, which is stored on disk A. Only access rights and authorizations on the data could slow things down. Disk B is assigned to host B by means of LUN-to-HBA mapping. The most common way of assigning storage. Assuming that no modifications are made to host A by the intruder, he will not be able to access storage (or data) not intended to be seen by host A. We were all clear on this, Mr. Kerns and me.

But this person is even more dangerous. He or she is able to modify the device drivers on the system.

What needs to be done to gain access to storage he or she should not be able to access? Given the LUN mapping protection, he or she should have to perform WWPN spoofing to impersonate host B. This way he or she could gain access to the data on disk B. Some caveats exist though.

  • The intruder has to know the WWPN’s in use, in this case by host B.
  • The file systems used on host B, have to be supported in some way by host A.

So, that’s it. Nothing we can do about that. If the intruder is able to spoof the WWPN’s of host B, while accessing host A, he or she could compromise sensitive data. I was hoping that it wasn’t this easy. But Mr. Kerns assured me, by spoofing the WWPN, bad things could happen.
But there is a bit more to it.

From a storage subsystem’s point of view, certain controllers and setups depend on affinity from a LUN to a controller. Without a given fail-over situation caused by path or controller failure, host A could not get access to disk B. Not even when spoofing. But this is not true on all subsystems and all setups. If you use a dual redundant fabric, like in the picture above, all the paths to all controllers are exposed to host A. So the LUN to controller affinity doesn’t offer any protection at all.

From a fabric’s point of view, there are security features available which detect and act on spoofing attempts. Most fabrics in use today are built upon Brocade or McData and Cisco. Brocade has its Secure Fabric OS, which offers port/WWPN binding, as does the McData SANtegrity security add-on. I do not know anything about the software features from Cisco, but I am confident that they have security features as well. I’ll take McData as a sample. From within EFCM (or SANavigator) you can apply port/WWPN binding. If the software detects spoofing, you can get EFCM to immediately block the port, thus preventing it from transmitting any frames. Without transmitting frames, it’s really hard to gain access to anything.
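
The two layers discussed above can be put side by side in a toy model. This is an added example, not part of the original post and not any vendor's implementation: the array maps LUNs by WWPN, the switch optionally binds each port to one WWPN and blocks a port on a violation. The Fabric class, port numbers and WWPN values are constructed for illustration.

```python
"""Toy model: WWPN-based LUN mapping with and without port/WWPN binding."""
import re


def normalize_wwpn(text):
    """Return a WWPN as 'xx:xx:xx:xx:xx:xx:xx:xx' or raise ValueError."""
    digits = re.sub(r"[:\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError(f"not a 64-bit WWPN: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))


class Fabric:
    def __init__(self, lun_mapping, port_bindings=None):
        # Array side: WWPN -> LUNs mapped to it (LUN-to-HBA mapping).
        self.lun_mapping = {normalize_wwpn(w): set(luns)
                            for w, luns in lun_mapping.items()}
        # Switch side: port -> the only WWPN allowed on it.
        # None means port/WWPN binding is not enabled.
        self.port_bindings = None if port_bindings is None else {
            port: normalize_wwpn(w) for port, w in port_bindings.items()}
        self.blocked_ports = set()
        self.events = []

    def login(self, port, presented_wwpn):
        """Return the LUNs visible after a fabric login from `port`."""
        if port in self.blocked_ports:
            self.events.append((port, "rejected: port blocked"))
            return set()
        wwpn = normalize_wwpn(presented_wwpn)
        if (self.port_bindings is not None
                and self.port_bindings.get(port) != wwpn):
            # Binding violation: block the port so it sends no more frames.
            self.blocked_ports.add(port)
            self.events.append((port, f"binding violation: {wwpn}"))
            return set()
        self.events.append((port, f"login ok: {wwpn}"))
        # The array trusts the WWPN it is shown; it cannot see the port.
        return set(self.lun_mapping.get(wwpn, ()))


# Constructed values for the post's host A / host B scenario.
HOST_A = "10:00:00:00:00:00:00:0a"
HOST_B = "10:00:00:00:00:00:00:0B"


def scenario(binding_enabled):
    """Host A sits on port 1, host B on port 2."""
    bindings = {1: HOST_A, 2: HOST_B} if binding_enabled else None
    fabric = Fabric({HOST_A: ["disk A"], HOST_B: ["disk B"]}, bindings)
    normal = fabric.login(1, HOST_A)   # host A behaving normally
    spoofed = fabric.login(1, HOST_B)  # port 1 presenting host B's WWPN
    after = fabric.login(1, HOST_A)    # port 1 again, after the switch reacted
    return normal, spoofed, after, fabric.blocked_ports


if __name__ == "__main__":
    print("mapping only:     ", scenario(False))
    print("mapping + binding:", scenario(True))
```

With LUN mapping alone the array hands disk B to whichever port presents host B's WWPN; with binding enabled the same login returns nothing and leaves port 1 blocked, which is the behaviour the summary below relies on.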

Summary:
When proper security measures are in place in the SAN (WWPN/port binding) and storage systems (controller affinity and mapping features) it is acceptable to expose centralized storage LUN’s to an internet connected host. Well, for me it is. Not ignoring the fact that the internet facing host itself should also be protected by the usual techniques.

Thank you mister Kerns, for the enlightenment.

17

10 2006

SAN Storage in a DMZ. Ow boy.

In our shop the need arises for the internet facing infrastructure to be renewed.
So we also planned on serving SAN storage to those servers.
The internet facing infrastructure requires the highest possible security considerations. Like it does in all shops. I almost instantly started thinking about the security aspects of my SAN on the DMZ servers.
What if someone was able to hack into one of those DMZ servers? What would he be able to do?
Could he further hack into our shop through the SAN? I almost certainly know that he should be better than Neo, in order to do so! But I don’t have the illusion that it can’t be done.

We have port zoning in place, and all the N_ports are zoned separately. So no N_port can see another N_port.
We run almost all security features available in the SAN, without telling you which one. The storage systems all do WWPN based LUN mapping. One would tend to think it is pretty safe. But what can an uninvited guest actually do? Can he submit SCSI commands into a SAN, in order to gain access to LUN’s he shouldn’t have access to? Can he do anything in order to compromise a SAN, regardless of the type of SAN or storage one runs in their shop?
These are questions I don’t have answers to. I can only kind of guesstimate that the chance it happens is small. But still……

So I formally sent these questions to our SAN and Storage vendors. Just to see what their formal statements were….
Guess what. No one has replied yet. It almost seems like they have no idea as well.

If anyone else has any thoughts on this matter, please let me know. I am very curious. I’ve opened a topic in the forum to discuss this subject.

28

08 2006