
AirGap 2.0 Guide For ECS



Overview

The AirGap 2.0 configuration for ECS ensures a highly secure, one-directional data transfer mechanism, designed to protect the Vault ECS from external threats. The architecture is purposefully unidirectional, ensuring that data flows only outbound from the Vault ECS environment to the production ECS, never the reverse.


Architecture Overview

The system is architected as follows (note that the quantities of VMs are not shown in this diagram):


  • Superna Vault Agent checks for any active ransomware events from the Superna Core Appliance (Eyeglass) on a preconfigured schedule before initiating data sync.

  • Superna Vault Agent uses ECS Sync to pull data from the production ECS which is then proxied to the Vault ECS.

  • Firewall should enforce strict outbound-only rules, preventing any inbound connections into Vault ECS.

  • Vault ECS serves as the immutable backup (if object-lock is enabled), only receiving data and never responding to external requests.


The fundamental security principle here is that the Vault ECS never initiates inbound connections. The firewall rules are explicitly designed to allow outbound connections only, ensuring that no data or access can be exploited from the Vault ECS.


Key Features

  • S3 to S3 Airgap Support – Ensures secure, asynchronous replication between S3-compatible ECS environments.

  • Inside-the-Vault Automation – Automates replication management within the vault for enhanced security.

  • Object Recovery – Object-level recovery from the production ECS with Cyber Recovery Manager. Recovers from attacks on objects when bucket versioning is enabled on the production buckets.

  • Smart Airgap Technology – Only syncs data when conditions are safe, minimizing risk exposure.

  • Per-Bucket Level Replication – Enables granular control over data synchronization at the bucket level.

  • Immutability Support – Leverages ECS Object Lock and bucket versioning to ensure data integrity and protection.

  • Rapid Recovery – Vault ECS can quickly present an immutable copy of data at petabyte scale. Object Lock safeguards data from modifications during recovery.

  • Many-to-One Support – Allows multiple production ECS clusters to securely replicate to a single ECS Vault cluster.

  • Data Security Edition for ECS – Includes IAM user lockout capabilities for enhanced access control.



Deployment and Configuration

Hardware Requirements

  • Dell PowerEdge R650 Server (see Superna for quantity required)

    • 4 x RAID 1, 800GB SSD

    • 40 core dual CPU 

    • 256GB RAM (Dual Socket, 48 Threads)

    • Dual 10G NIC

  • Support Options:

    • 3-Year Next Business Day (NBD) Support OR

    • ProDeploy Plus Service

Vault ECS Sizing

  • Intended Use case:

    • Best fit: highly critical business data vaulted from a limited number of S3 buckets, with low-change-rate applications.

    • For all other scenarios, protecting the production ECS or ObjectScale is the recommended solution; it provides advanced monitoring and real-time protection, including automated data recovery from S3 versions with the Cyber Recovery Manager feature built into Security Edition.

  • Capacity must be sized based on the required data protection volume.

  • Supported Airgap configurations: contact sales before quoting.

Potential Additional Equipment

Production Network Requirements

  • Ethernet Switch or Firewall to connect the Vault Agent Host

Vault Network Requirements

  • Ethernet Switch for private network connectivity between Vault Agent Host and Vault ECS Cluster

Load Balancer Support

  • Progress Kemp LoadMaster (if applicable)

  • If using a load balancer in front of ECS, configure its IP address during the Add Managed Device step.

  • This ensures Vault Agent-managed airgap jobs are correctly associated with the ECS cluster.



Installation Services Required

Dell Services:

  • Physical Installation of Dell Server

  • Configuration and Hardening of ECS Vault Cluster

Superna Services:

  • Airgap Design & Implementation

  • Ransomware Defender for ECS – Installation, Configuration, and Knowledge Transfer



Scalability

  • Vault Agent Cluster Options:

    • 3 or 6 Vault Agent VMs for high availability and high-throughput asynchronous object-to-object copying

  • Enterprise Airgap Scaling:

    • Supports 10 ECSSync instances



Superna Software

  • Ransomware Defender for ECS

  • Enterprise Airgap



Performance Considerations

  • For the latest ECSSync performance estimates, refer to: ECSSync Performance Metrics

  • Contact support for sizing of the VM count based on object count, average object size, total TBs, and number of buckets. This information is required in order to provide the maximum supported configuration.



Firewall Requirements


Port           | Direction                                                                            | Description                                              | Comment
---------------|--------------------------------------------------------------------------------------|----------------------------------------------------------|---------------------------------------------------
443 TCP        | Network → Airgap ECA Cluster (all node IPs)                                          | Web access to ECSSync UI                                 | Required for setup only, remove after setup
SSH TCP        | Network → Airgap ECA Cluster (all node IPs)                                          | Management SSH access                                    | Required for setup only, remove after setup
9021 TCP HTTPS | Airgap ECA cluster (all node IP addresses) → Production ECS load balancer IP address | Sync data replication (data node network in production)  | Get, list objects API required during sync window
9021 TCP HTTPS | Airgap ECA cluster data movers → Load balancer in vault → Vault ECS                  | Sync data replication (vault ECS data node in vault)     | Get, put, list API required during sync window
443 TCP API    | Airgap ECA Cluster (all node IPs) → Superna Core Appliance (Eyeglass) IP             | API access from Vault to Eyeglass                        | Secure API communication


Service Account Permissions for Vault Agent Data Movers


ECS Bucket Policy for Vault User Access

This policy ensures the Vault Access object user can reliably access all objects in a bucket, regardless of how they were uploaded or what ACLs they carry. It prevents sync failures due to 403 Forbidden errors caused by restrictive object-level permissions.

Scope

  • Applies at the bucket level (ECS does not support namespace-wide policies)

  • Consider scripting this via the ECS Management API if you manage many buckets

  • Must be applied to each bucket ECS-Sync will read from

Policy Template

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSupernaVaultAgentReadAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "vault-agent-user-access-key"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}

Replace bucket-name and vault-agent-user-access-key with actual values.

Permission Required

Action               | Purpose
---------------------|-------------------------------------------
s3:GetObject         | Read object contents
s3:GetObjectAcl      | Read object-level ACLs (used by ECS-Sync)
s3:ListBucket        | List objects in the bucket
s3:GetBucketLocation | Determine bucket region (required by SDKs)


Notes

  • Principal must be the access key ID, not an ARN or username

  • ECS bucket policies follow IAM-style syntax but are enforced locally

  • Policy must be applied via the ECS Portal (GUI) or ECS Management API

  • The Vault agent will fail with 403 Forbidden if this policy is missing or misconfigured

Applying a Bucket Policy in ECS (via GUI 3.8.x)

  • Log into the ECS management URL (e.g., https://ecs.example.com)

  • Sign in with an account that has admin or bucket management privileges

  • Go to Manage → Buckets

  • Find the bucket you want to modify

  • Click Edit Policy

  • Paste Your Policy

  • Save/Apply changes

 

TIP: For environments with many buckets, refer to the ECS API Reference Documentation to apply ECS bucket policies via CLI/automation.
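Because ECS enforces this policy per bucket, the following is an added example (not part of this guide or Superna's tooling) that fills the template for each bucket and lints a policy against the Notes above before it is applied, so a misconfiguration is caught before the Vault agent hits 403 Forbidden; the bucket name and access key values in the usage are constructed, and pushing the result through the ECS Management API is left to the TIP above.

```python
import json

# Actions the guide's permission table lists as required by ECS-Sync.
REQUIRED_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:ListBucket", "s3:GetBucketLocation"}
TEMPLATE_PLACEHOLDERS = ("bucket-name", "vault-agent-user-access-key")


def render_policy(bucket_name, access_key_id):
    """Fill the guide's template for one bucket (ECS policies are per bucket)."""
    policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowSupernaVaultAgentReadAccess",
        "Effect": "Allow",
        "Principal": {"AWS": access_key_id},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
    }]}
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json, bucket_name):
    """Return the mistakes the guide's Notes warn about; an empty list means the
    vault user gets the read access ECS-Sync needs on this bucket."""
    problems, actions, resources, principals = [], set(), set(), set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny grants nothing, so it cannot satisfy the checks
        actions |= set(_as_list(stmt.get("Action", [])))
        resources |= set(_as_list(stmt.get("Resource", [])))
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principals |= set(_as_list(principal.get("AWS", [])))
    for p in principals:
        if p.startswith("arn:"):
            problems.append(f"Principal must be an access key ID, not an ARN: {p}")
        elif p in TEMPLATE_PLACEHOLDERS:
            problems.append(f"template placeholder left in Principal: {p}")
    missing = REQUIRED_ACTIONS - actions
    if missing:
        problems.append("missing actions: " + ", ".join(sorted(missing)))
    wanted = {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}
    if not wanted <= resources:
        problems.append("Resource must cover the bucket and its objects: " + ", ".join(sorted(wanted)))
    if any(r.startswith("arn:aws:s3:::bucket-name") for r in resources):
        problems.append("template placeholder left in Resource: bucket-name")
    return problems
```

Run lint_policy over every bucket policy returned by the ECS Management API before the first sync window; any non-empty result is a bucket ECS-Sync will fail to read.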

Configuration

  1. Follow the Ransomware Defender for ECS installation guide
  2. Deploy the Dell Vault hardware with VMware pre-installed
  3. Deploy Enterprise Vault Agent ECA cluster to the vault hardware.  See guide.
  4. Configure firewall as per port table above.
  5. Install Enterprise Airgap license key in Eyeglass using the License Manager Icon
  6. Enter eyeglass IP address and API token on the vault agent
    1. Login to Eyeglass
      1. click main menu and select Eyeglass REST API
      2. create new token and name it vault
      3. copy the new token by clicking it to use with yyyyy value below 
    2. Login to the vault agent as ecaadmin
      1. nano /opt/superna/eca/eca-env-common.conf
      2. export EYEGLASS_LOCATION=x.x.x.x
      3. export EYEGLASS_API_TOKEN=yyyyyy
      4. Add the Object Services for Enterprise Airgap
      5. export ECS_SYNC_CFG=true
      6. control + x (save and exit)
      7. ecactl cluster down
      8. ecactl cluster up
  7. Follow these steps to configure the Vault Agent
    1. Add ECS clusters to the vault agent
      1. ecactl ecs add --host x.x.x.x --user <user>
        1. IP of the management interface and the service account user (see the guide)
      2. Repeat for each managed production and vault ECS cluster
      3. Verify:
        1. ecactl ecs list
    2. One-time ECS Sync instance configuration
      1. https://x.x.x.x/ecssyncui
        1. Login with ecaadmin and the default password 3y3gl4ss
        2. Click the Config tab and enter the config path /opt/emc/ecs-sync/config and an email address (this email will not be used for any alerting but is a required input)
        3. Uncheck "automatically archive completed syncs"
    3. Configure ECS Sync Jobs
      1. https://x.x.x.x/ecssyncui  (each vault agent has an ecssync container,  enter the ip address of each instance to add jobs to the copy engine)
      2. login with ecaadmin and default password 3y3gl4ss
        1. NOTE:  Always change the default password following steps here.   
      3. See detailed steps below for adding jobs
      4. Save the jobs
    4. Add ECSSync Jobs to the vault agent to control them and push to Eyeglass
      1. ecactl ecssync listjobs  (to get list of configured jobs)
      2. ecactl ecssync addjob --job xxxx (enter the job name from the list command,  this will add the job to the managed job list)
    5. Push ECS job definitions to Eyeglass to register them
      1. This command will push all the jobs defined and added to the vault agent to be managed, monitored and scheduled.
      2. ecactl ecssync updatejobs
    6. Login to Eyeglass
      1. Open the Airgap icon
      2. Click the ECS Sync Config tab
      3. The new jobs should appear automatically and show a status of Not Scheduled.
      4. Click the checkbox to enable Ransomware Defender smart airgap control, set the schedule for each ECS Sync job listed, and click Save after making changes to any policy.
      5. Set the schedule and save.
      6. Repeat for each policy that displays Not Scheduled.
    7. Open the Jobs icon to enable the job. The default state is disabled, and no sync jobs will run until enabled.

    8. Verify Vault agent has detected the schedule change
      1. login to the vault agent
      2. ecactl ecssync schedules
      3. The schedule should be displayed for each policy configuration.
      4. Done
    9. Test a job sync - this will force-run a job from the vault agent CLI
      1. ecactl ecssync startjob --job xxxx (where xxxx is the name of the policy shown by the ecactl ecssync checkjobs command)
      2. The job should indicate it was started. You can verify from the ECSSync GUI.
      3. NOTE: Do not archive jobs; they are managed by the Vault agent.
      4. List all jobs


How to Create ECSSync Jobs

  1. Login to each instance of ECSSync on each Vault Agent VM
  2. https://x.x.x.x/ecssyncui/  (each ECA vault VM hosts an instance of ECSSync to load balance the workloads)
    1. Select the Status tab and click the New Sync button
    2. NOTE: The job name is mandatory and MUST be unique across all instances of ECSSync
    3. NOTE: Select ECS S3 for source and destination. See the suggested parameters highlighted below.
    4. NOTE: Selecting the version check box will increase copy time significantly
    5. NOTE: Key prefix allows selecting a location within a bucket
    6. NOTE: The source and target host IP address should specify the load balancer DNS name or IP address for the source production cluster and the load balancer in the secure network for the Vault ECS.
  3. To enable high-performance multipart copies for large objects, click the Hide Advanced button. This will accelerate the copy with multiple threads per object. Always recommended for larger objects.
  4. Click the Start button to save the configuration and start the copy process.
  5. If the Vault is open, the job will succeed and start the copy.
  6. If the Vault is closed, the job will fail and can be scheduled by Eyeglass to run at a later time.

How to Clone ECSSync jobs

Use these steps to clone a job and change the source or destination bucket

  1. Run from the Vault agent on the airgap VM
    1. ecactl ecssync clonejob --job jobname --newname jobname1
    2. ecaadmin@cpvault01-1:~> ecactl ecssync clonejob --help
       usage: ecactl ecssync clonejob [-h] --job JOB --newname NEWNAME [--sourcebucket SOURCEBUCKET] [--destbucket DESTBUCKET] [--sourceusername SOURCEUSERNAME] [--destusername DESTUSERNAME]
                                      [--sourceuserkey SOURCEUSERKEY] [--destuserkey DESTUSERKEY] [--sourceconnstr SOURCECONNSTR] [--destconnstr DESTCONNSTR]

       optional arguments:
         -h, --help            show this help message and exit
         --job JOB             Name of the ecs-sync job we want to clone in vault agent
         --newname NEWNAME     The name of the new job
         --sourcebucket SOURCEBUCKET
                               The source bucket of the new job
         --destbucket DESTBUCKET
                               The dest bucket of the new job
         --sourceusername SOURCEUSERNAME
                               The user name on source for the new job
         --destusername DESTUSERNAME
                               The user name on destination ECS for the new job
         --sourceuserkey SOURCEUSERKEY
                               The user secret key on source for the new job
         --destuserkey DESTUSERKEY
                               The user secret key on destination ECS for the new job
         --sourceconnstr SOURCECONNSTR
         --destconnstr DESTCONNSTR

  2. The schedules of the jobs can be set from the Eyeglass CLI
    1. igls airgap schedule set --job 10.152.0.73_rw-airgap-20-clona5_cpvault01 --cronstr '28 * * * *'
    2. The cron string sets the schedule
    3. NOTE: For a job called jobname in the VA (Vault Agent), the corresponding Eyeglass job name has the format source_jobname_vaultagentid

Airgap Operations

  1. Monitoring Vault ECS cluster alarms and free space

    1. Log in to the Eyeglass VM to review alarms retrieved from the vault cluster
  2. Monitoring ECSSync job success and failures and policy sync job reports

    1. Log in to Eyeglass, open the Airgap icon and click Airgap Reports

    2. Click the Open button to view the reports. The reports are also emailed.
  3. Monitoring Job History

    1. Log in to Eyeglass, open the Airgap icon and click Job History
    2. Click on each job to view details



Vault Agent CLI Commands for ECS Sync


  1. Add ECS production & vault cluster to the vault agent

    1. ecactl ecs add --host <host> --user <user>
      1. --host: management IP address of the ECS
      2. --user: service account created on the ECS
    2. ecactl ecs list
    3. ecactl ecs delete
    4. ecactl ecs pushalerts
      1. Retrieves the alerts from all registered ECS clusters and forwards them to Eyeglass.
    5. ecactl ecssync clonejob, where we provide the original job, the new job name, and what we want to change: source/dest bucket.
  2. Manage ECSSync jobs, schedules, run jobs, push support logs, update Eyeglass

    1. ecactl ecssync {startjob, checkjobs, pushvaultagentlogs, schedules, updatejobs}
      1. ecactl ecssync startjob --job xxx (xxx is the name of the ECSSync job). This will start the copy job immediately on the ECSSync instance that owns the job.
      2. ecactl ecssync checkjobs - Retrieves the jobs from all ECSSync instances and displays a summary and status of each job
      3. ecactl ecssync schedules - Retrieves the schedules set in Eyeglass
      4. ecactl ecssync pushvaultagentlogs - Pushes vault agent logs to Eyeglass
      5. ecactl ecssync updatejobs - Pushes jobs created in the ECSSync GUI to Eyeglass to be managed and scheduled.
© Superna Inc