Sort of air gap backup

[dan11]

Hello,

I'd like to know what you think about this "sort of" air gap solution...

We do Daily Backup to a new SAN Storage Repository and Weekly Copy to Tape.
The Tapelibrary is now end of Life and we need to buy something new. We did think through a couple of solutions and one was quite interesting:
I would buy two new NAS Boxes (probably synology) and connect one to the Network on a remote location. We would do Daily BackupCopyJobs from the SAN Repository to the first NAS Box. To protect the backupfiles against ransomware and attackers we would connect the second NAS Box directly to the first NAS box (it has two network ports) in an private, unreachable IP Range and use the NAS copy tool to backup the first NAS to the second NAS box. Because the second NAS Box is unreachable through network, it should be proper protected against attacks.
If the second NAS Box has a problem, somebody needs to get physical access to the Box to solve it, because nobody can access it remotely.

What do you think about that?

[csydas]

Not a bad idea, though it'll be something to keep patched pretty well I think. Metasploit even carries some Synology modules, so if one gets punked, would be pretty trivial to get at the other. I get you write "sort of", but more just pointing out the (maybe) obvious threat model.