Features

  • Protects and encrypts data with multiple security standards
  • Manages multiple firewall rules for specific protocols and services
  • Automatically blocks remote connections to avoid malicious attacks and hacking
  • Capability to fully scan files and security settings of the system
  • Supports 3rd party or self-signed certificates

Specifications

  • General
    • Runs Rapid7 vulnerability scans regularly
    • Military-grade AES encryption for shared folders and data transmission
    • Integration with Let's Encrypt to apply for and manage SSL certificates with ease
    • Trust level to safeguard from installing unknown or tampered package files
  • Web Security
    • Automatic logout timer provides a layer of security, with a default timeout duration of 15 minutes of inactivity
    • Admins can restrict users from embedding DSM into other web pages with iFrame
    • Option to set system protection against cross-site scripting attacks
    • Option to enhance system security with HTTP content security policy (CSP) header by allowing only data from trusted sources and restricting inline script execution
    • Supports trusted proxy server
    • Supports management of different access profiles
  • Security Advisor
    • Checks for available DSM and package version updates to ensure security and protect against vulnerabilities
    • Scans system and related network settings, and detects and removes malware for enhanced system security
    • Account and password strength detection
    • Automatically alerts users upon detecting logins from suspicious IP addresses
    • Automatically updates security definitions database to stay up-to-date
  • Firewall
    • Access to ports or services can be individually customized to allow/deny specific IP addresses
    • Supports GeoLite data created by MaxMind
    • Admins can create firewall rules based on geographic regions
    • Admins can organize firewall rules into different firewall profiles
    • DDoS protection on all LANs and PPPoE
    • VPN pass-through for PPTP, L2TP, IPsec
    • Maximum locations in a rule: 15
    • Maximum rules: 100
  • AntiVirus Essential
    • Powered by ClamAV scanning engine
    • Conducts full-system or specific-folder scans, or schedules automatic scan tasks
    • Offers Smart Scan for new or modified files
    • Offers White List to exclude files from being scanned
    • Automatically updates virus definition database to stay up-to-date
  • AntiVirus by McAfee
    • Powered by McAfee scanning engine
    • Conducts full-system or specific-folder scans, or schedules automatic scan tasks
    • Offers Smart Scan for new or modified files
    • Offers White List to exclude files from being scanned
    • Automatically updates virus definition database to stay up-to-date
    • Available on specific models only (Learn more from this product comparison page)
  • Auto Block & Account Protection
    • Services which support Auto Block:
      • DSM, SSH, Telnet, rsync, network backup, shared folder sync, FTP, WebDAV, File Station, Photo Station, Audio Station, Video Station, Download Station, Mail Server, Mail Station, Time Backup, VPN Server, Cloud Station Backup, Cloud Station Drive, and Synology mobile apps
    • Services which support Account Protection:
      • DSM, File Station, Audio Station, Video Station, Download Station, Mail Station, Cloud Station Backup, Cloud Station Drive, and Synology mobile apps
    • An IP block can be triggered based on a specified number of failed login attempts within a predefined duration. The system supports a black list and a white list to increase management flexibility
    • Account Protection sets separate login attempt, frequency, and protection cancellation rules for trusted and untrusted clients
  • Certificate Management
    • Supports the import and management of multiple certificates
    • IEEE 802.1X compatibility
    • Supports multiple certificates for different services:
      • Web Apps (HTTPS) and WebDAV
      • FTP SSL/TLS
      • Mail Services
      • RADIUS Server
      • VPN Server
      • Replication Service
      • Synology Drive Server
      • Active Backup for Business
      • CardDAV Server
      • Synology Directory Server
      • Hyper Backup Vault
      • Presto File Server
      • File Station
      • Reverse Proxy
      • Web Station
      • Virtual Host
      • QuickConnect
      • Syslog
      • Surveillance
    • Supports the creation and auto-renewal of Let’s Encrypt wildcard certificate
  • TLS/SSL Profile Level Management
    • Supports TLS v1.0/1.1/1.2
    • Supports multiple TLS/SSL Profile Levels for different services:
      • Web Apps (HTTPS) and WebDAV
      • FTP SSL/TLS
      • Mail Services
      • RADIUS Server
      • VPN Server
  • 2-step verification
    • Time-based One-Time Password (TOTP) protocol
    • 2-step verification enforcement for specific user groups
    • Allows trusted devices to skip the 2-step verification step
    • Supports Google Authenticator and Microsoft Authenticator mobile apps
  • Misc
    • Offers HTTP Compression for speeding up web page load time
    • Built-in AES-NI hardware encryption engine

Limitations

  • Firewall
    • GeoIP database can only be upgraded along with DSM updates
  • AntiVirus Essential
    • Files larger than 2,048 MB will not be scanned
    • The probability of success for finding viruses hidden in archive files (e.g., ZIP, RAR, ARJ, Tar, Gzip, Bzip2) will be lower due to scanning engine limitations
    • Remote Folders (CIFS) mounted in File Station will not be included in a full scan
  • AntiVirus by McAfee
    • Remote Folders (CIFS) mounted in File Station will not be included in a full scan
  • Certificate Management
    • Only RSA is supported as the certificate encryption algorithm
    • Certificates must be in X.509 PEM format
    • Private keys must be in RSA format and cannot be passphrase protected
    • Certificates issued by Let's Encrypt are valid for 90 days and can be automatically renewed by DSM before they expire. Please make sure your Synology NAS and router have port 80 open for certificate renewal
  • 2-step verification
    • Only users in the administrators group can disable the 2-step verification for regular users
    • Email reset for users in the administrators group is disabled. Users in the administrators group must soft reset the device to remove 2-step verification