I have been thinking for some time which NAS system I should buy, after my current system no longer receives updates and spare parts supply becomes difficult. Since I want to run additional services like Roon (and also PLEX), the question of sufficient performance was an important factor. Worryingly, NAS manufacturers have repeatedly discovered devastating security vulnerabilities in recent months in their products, which have also been exploited by some hacker groups.
Key points for my decision:
Independence of compatibility between different generations of products
Hardware independence for spare parts or technology renewal
General extended update capability over a long period of time
Timely updates and patches of security vulnerabilities
Flexibility over security controls to be implemented
Unlimited possibilities of additional services to be operated
Sufficient performance and affordable option for upgrading/replacing processing power
For these reasons I decided against one of the popular NAS products. Maybe you have already thought about this? Here is the link to my project and the way I went:
I ceased using a dedicated NAS (and NAS software) a decade or so ago. I think they’re overpriced and underperform, and not nearly flexible enough. Consequently, I use a branded microserver, which can be picked up new at bargain prices (I paid around £360 for my current machine.) Originally I had an HP Proliant Microserver. Now I use a Dell PowerEdge T30. I increased the memory to 16 GB and added a UPS. Reliable 24 x 7 x 365 operation.
For the OS I use an Ubuntu Server LTS, so that predictably provides security updates etc. The OS (and Roon) runs on SSD (ZFS for snapshots), and storage is a ZFS mirror. The software build is scripted (similar to what I use on Linode) and requires very little maintenance (critical updates, reboots, securiy patches etc. are automated, as are backups to cloud.)
I’m comfortable with the terminal, but Cockpit is a good web-GUI.
I have been using Roon since 2016 on a Synology NAS. I have been using Synology since 2016 and have had Plex since then. It works well, has few downsides. About once a year something breaks due to updates and I have to restart it, but it’s powerful. I wish transfer speeds were faster, but otherwise, it’s remarkable. Safe, efficient, reliable, does everything I throw at it and more.
Don’t get me wrong. I think both vendors Qnap and Synology provide some great options to run your Roon platform. I just think they are slightly overpriced for the performance you get and not so flexible if you want to run additional software services. And in terms of Security, they had recently some flaws. But I totally understand, why those systems are so popular…
Yep, I agree. I also thought in the beginning, that I might require Cockpit to have a web-GUI, but I quickly got comfortable with the terminal. It’s rock solid and just works and since I have most of the stuff automated, there is not so much to adminstrate. I am now ont Ubuntu Server LTS 22.04 which gives me guaranteed updates for the next 5 years and I am also not afraid to upgrade to the next LTS version in a few years on the same HW. My setup is really minimalistic and the hardware does take a very little space.
I totally understand your approach and that you are happy with your choice. I also think, that both vendors, Synology or Qnap, deliver outstanding products. Maybe a little bit overpriced for the performance you get and there is also some vendor lock-in on the long term. My case for the Ubuntu based approach was getting the maximum flexibility on the HW side as well asv ery frequent and timely security updates, which is supported by the whole open source community. Again, there has been some critical vulnerabilities on Synology and Qnap systems, which took quite some time to get them fixed…
Critical vulnerabilities? QNAP left a hard coded back door in their back up software that cost thousands of people their data not that long ago when they got hacked. I was very lucky that I didn’t suffer too badly from the problem.
All software have vulnerabilities which will need to be addressed when vulnerabilities are identified. This is why CVE and other systems exist to ensure there is awareness across the board. If you look through the QNAP change logs, you will see that many of the fixes have been for stuff out in the wild and remediated in a timely manner based on severity.
Is your NAS open to the public internet exposing services making you vulnerable to these issues? Few, if any, would affect a NAS behind a firewall and no external exposure/access. Read the notes… QNAP explain the security and attack vectors.
You are 100% correct. All software have vulnerabilities. I just prefer the the broader ecosystem of the open source community to discover and fix those vulnerabilities, which happens almost on a daily base, compared to every now and then.
Given the known attacks on QNAP equipment by organized criminals using ransomware attacks, I’m very hesitant to opening my firewall at all for anything. Roon ARC requires an open port to the Roon Core on the firewall and because of that, I’m wondering if I’m going to use it, even though it’s been a feature I’ve wanted. I may just continue to use a VPN to tunnel into my network and use the ARC app which is optimized for streaming instead of the classic app.