
Synology Security Whitepaper - PDF Safe

The document outlines Synology's approach to security including their security policy, severity ratings based on CVSS scoring, product lifecycles, and response to vulnerabilities. It details how Synology handles security issues for their various products and packages, and their process for reporting vulnerabilities through CVEs.


Synology Security White Paper

Last updated: Oct 17, 2022


Table of Contents
Introduction
Security Policy
  Standards
  Severity Ratings
End-of-life Policy
  Life-cycle Phases
  DiskStation Manager (DSM)
  Synology Router Manager (SRM)
  Synology-developed Packages
  Open Source Packages
  Partner Packages
Security Program
  Product Security Incident Response Team
  CVE Numbering Authority
Conclusion
Appendix
  Long-term Support

Introduction
Find your information
Synology publishes a wide range of supporting documentation.
In Knowledge Center, you will find useful Help and FAQ articles, as well as video
tutorials breaking up processes into handy steps. You can also find User's Guides,
Solution Guides, brochures, and White Papers. Experienced users and administrators
will find answers and guidance in technical Administrator's Guides and Developer
Guides.
Got a problem and unable to find the solution in our official documentation? Search
hundreds of answers by users and support staff in Synology Community or reach
Synology Support through the web form, email or telephone.

As a NAS vendor, Synology provides a variety of devices, such as private cloud devices, router
devices, and surveillance solutions. Synology understands the security risks on out-of-date
devices and the importance of security fixes.
This white paper outlines Synology's approach to security and policy compliance for DiskStation
Manager (DSM), Synology Router Manager (SRM), Synology-developed packages including
mobile applications and desktop utilities, Synology-distributed open source packages, and
partner packages. From personal to enterprise, Synology offers various services for you to get
your own private cloud up and running. This paper illustrates Synology's security policy, how
Synology identifies security threats with proper ratings, and Synology's incident response flow
against vulnerabilities, such as reporting Common Vulnerabilities and Exposures (CVE) day by
day.
Synology reserves the final right to change any content in this document at any time without prior
notice. In the event of any changes, the revised document will be available on kb.synology.com.
Please check the latest information indicated herein to inform yourself of any changes.

Security Policy
Standards
Synology is committed to adhering to standards in order to provide the best practices for security.
The following industry standards and mandates guide the handling of product vulnerabilities at
Synology. They also facilitate the disclosure of vulnerabilities to our customers and the broader
technology community:
ISO/IEC 29147:2018
ISO/IEC 30111:2019
FIRST Common Vulnerability Scoring System
FIRST Traffic Light Protocol
FIRST PSIRT Services Framework
Synology is currently participating in the following security communities:
CVE Numbering Authorities
Forum of Incident Response and Security Teams (FIRST)

Severity Ratings
Synology primarily evaluates the impact of security issues based on the Common Vulnerability
Scoring System (CVSS). After receiving the Base Score and Temporal Score assigned by the
metrics, Synology will use a four-point scale (Critical, Important, Moderate, Low) to rate the
impact.
The severity is determined through a technical analysis of the vulnerability, including the type of
vulnerability, and the corresponding potential risk assessment. We generally refer to the Common
Vulnerability Scoring System v3.1 Specification Document provided by FIRST.
This severity rating mechanism helps users understand the impact of security vulnerabilities on
Synology products, and fix them according to the recommended system maintenance policies. All
users will then be able to maintain system stability and security by downloading the
corresponding fixes.

Common Vulnerability Scoring System


Common Vulnerability Scoring System (CVSS) is a method for defining the severity of a
vulnerability.
Synology assesses vulnerabilities using the CVSS v3.1 standards, which include the base metrics
Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope
(S), Confidentiality (C), Integrity (I), and Availability (A). The impact of a vulnerability is
represented by a score ranging from 0.0 to 10.0. To learn more about base metrics, please refer to
Common Vulnerability Scoring System v3.1 User Guide.


Synology will decide the priority with which vulnerabilities should be fixed based on CVSS v3.1
and the rules of severity rating mentioned above.

Severity Rating
Critical Impact
This level of vulnerability is high risk for systems that have not been patched, and must be
patched as soon as possible.

This rating is given to flaws that can be automatically exploited by unauthenticated remote
attackers, and have a great impact on at least two constant aspects of a vulnerability:
Confidentiality (C), Integrity (I), and Availability (A).
If mitigation is available (RL:T), the severity may be adjusted to Important.

Important Impact
This level of vulnerability does not have a serious and immediate impact on unpatched systems.
If the attacks require authentication (PR:L), user interaction (UI:R), or non-system default behavior
(AC:H), it will be classified as Important impact.
If mitigation is available, the severity may be adjusted to Moderate.
However, users are still advised to patch the vulnerabilities or apply mitigations before the end
of the next system maintenance cycle.

If services are provided to authenticated remote users, administrators should patch or apply
mitigations to impacted systems as soon as possible.
This rating is given to flaws that can be exploited by attackers and have a great impact on at least
one constant aspect of a vulnerability: Confidentiality, Integrity, and Availability.

Moderate Impact
This rating is assigned to flaws that are difficult to exploit (AC:H) but could still cause a certain
level of impact, or to flaws that could lead to significant impact but require high
privilege (PR:H).

Low Impact
All other issues that have a security impact are assigned this rating. The exploits of these types of
vulnerability are usually difficult to trigger, or can only be triggered by an administrator.
Even if they are triggered, the impact is minimal.
A Synology security advisory may contain patches for multiple vulnerabilities as well as packages
for various Synology products. Every security advisory has a rating for each product. The overall
severity is taken from the highest severity out of all the individual issues or the worst-case
scenario when all the issues are combined.

Base Score Variations Across Products


It is common for a vulnerability to have different CVSS base metrics, i.e. different scope and
severity, depending on the product, model, or version. Synology will provide as much information
as possible, including the corresponding severity, CVSS base score, and vector. If we are unable
to separate each vulnerability, we will report the worst outcome.

Examples of this include:
A vulnerability that only affects certain products. For example, CVE-2017-9417 only affects
RT1900ac.
A vulnerability that is mitigated by source code protection mechanisms or Linux Security
Modules on some platforms. For example, CVE-2015-6912 could have led to arbitrary code
execution on DSM 5.0, but it is only a denial-of-service attack on DSM 5.1.
A vulnerability that affects more than one application. For example, CVE-2017-9993 affects
both DSM and Video Station, but has a lower CVSS score and severity for Video Station.

Differences Between NVD and Synology Scores


National Vulnerability Database (NVD) or other third-party vulnerability databases will only assign
one CVSS base score to a single CVE ID. However, different scenarios and configuration options
may have significantly different impacts and the scores can vary widely.
For example, NVD rates CVE-2017-1000367 to have Medium impact metrics because sudo is
used to provide limited super user privileges to specific users. For DSM, we use Low impact
metrics, as sudo and the console are only accessible by the administrator.
As a result, instead of using evaluated scores from third parties, we strongly suggest our
customers use the CVSS score in the Synology Security Advisory and follow the mitigation
strategy based on the severity impact. If you have any suggestions for or concerns about our
Security Advisory, please contact us and we will adjust the Security Advisory if necessary.

End-of-life Policy
Synology provides software updates, including security and bug fixes, as well as maintenance, for
Synology products that are still in their eligible life-cycle phases: production, maintenance, and
extended life. Otherwise, the product will be considered end-of-life, and Synology will no longer
distribute or support it.

Life-cycle Phases
Life-cycle phases are designed to let users know when and what to update as the product
progresses from its first release.

During life-cycle phases, Synology may release Synology-defined Critical and Important impact
security fixes, as well as selected high priority bug fixes. Corresponding security advisories
(Synology-SA-YY:NN) or release notes may also be issued. Other security or bug fixes may be
delivered as appropriate.
If available, selected enhanced software functionalities, and new or improved hardware
enablements may be provided at the discretion of Synology.
The following table lists the differences between each phase:

                       Production Phase   Maintenance Phase   Extended Life Phase
Security Errata        Yes                Yes                 Yes
Bug Fix Errata         Yes                Yes                 Yes
Software Enhancement   Yes                No                  No
Hardware Enablement    Yes                No                  No

Production Phase
During the Production Phase, qualified Synology-defined Critical and Important security fixes, and
urgent and selected high priority bug fixes may be released as they become available. Other fixes
may be delivered as appropriate.
If available, selected enhanced software functionalities, and new or improved hardware
enablements may be provided at the discretion of Synology.

Maintenance Phase
During the Maintenance Phase, only qualified Synology-defined Critical impact security fixes and
selected urgent priority bug fixes may be released as they become available. Other fixes may be
delivered as appropriate.
New functionalities and new hardware enablements will not be released in the Maintenance
Phase.
Not all Synology products have a Maintenance Phase.

Extended Life Phase


During the Extended Life Phase, only qualified Synology-defined Critical impact security fixes and
selected urgent priority bug fixes may be released as they become available. Other fixes may be
delivered as appropriate.
Not all Synology products have an Extended Life Phase. It is an additional software update service
for selected Long-Term Support (LTS) versions.

Hardware Vulnerabilities
Synology keeps the firmware of product hardware up-to-date to solve or mitigate known public
vulnerabilities; however, for stability reasons, Synology may postpone or ignore hardware-related
vulnerability remediation.

DiskStation Manager (DSM)


DSM follows the MAJOR.MINOR.MICRO-BUILD-NANO versioning rules:
MAJOR version is for incompatible system behavior or API changes
MINOR version is for new functionality in a backward-compatible manner
MICRO version is for incremental security or bug fix updates
BUILD is an additional engineering identification of the release
NANO version is for specific security or bug fixes with backward compatibility
Each minor version of DSM, such as DSM 6.2, is identified as a different product with a different
number of life-cycle phases. Some of them will have an extended life phase and are identified as
long-term support. Security fixes, bug fixes, software enhancements, or hardware enablements
may be contained in each phase.
Software changes to DSM will be delivered via individual nano updates as minimum changes, such
as DSM 6.2.2-24922-4, or be aggregated as an incremental release, such as DSM 6.2-23739 or
6.2.2-24922.
The following table lists the differences between each release version:

                        Major Release   Minor Release   Micro Release     Nano Release
Examples (Naming)       DSM 6.0-7321    DSM 6.2-23739   DSM 6.2.2-24922   DSM 6.2.2-24922-4
Release: Frequency      Years           Years           Quarters          Months
Release: Basis          Schedule        Schedule        Schedule          Incident
Includes: Features      Yes             Yes *           Yes *             No
Includes: Criteria      Liberal         Strict *        Strict *          Very Strict
System ABI Guaranteed   No              No              Yes               Yes

* Depends on the life-cycle phase


DSM is the base operating system of Synology for other derivative product families, e.g., Dual
Controller IP SAN (DSM UC), Network Video Recorder, VisualStation (VS Firmware), SkyNAS.
Different life-cycle phases and end-of-life policies may apply.

Long-term Support
Among DSM major versions, such as DSM 6, Synology marks at least one minor version as
long-term support. The LTS version has three life cycles: Production Phase, Maintenance Phase, and
Extended Life Phase. Other versions have only two life-cycle phases: Production Phase and
Maintenance Phase.

Life-cycle Dates
All future dates mentioned for life-cycle phases are close approximations, non-definitive, and
subject to be extended.

Product       General Availability   End of Production Phase   End of Maintenance Phase   End of Extended Life Phase
DSM 4.2 LTS   2013/03                2014/06                   2015/06                    2017/06
DSM 4.3       2013/08                2014/12                   2015/12                    N/A
DSM 5.0       2014/03                2015/06                   2016/06                    N/A
DSM 5.1       2014/11                2015/12                   2016/12                    N/A
DSM 5.2 LTS   2015/05                2016/06                   2017/06                    2019/06
DSM 6.0       2016/03                2017/06                   2018/06                    N/A
DSM 6.1       2017/03                2018/06                   2019/06                    N/A
DSM 6.2 LTS   2018/05                2020/06                   2021/06                    2024/06
DSM 7.0       2021/06                2022/06                   2023/06                    N/A
DSM 7.1 LTS   2022/04                2023/06                   2024/06                    2025/06*
DSM UC 3.0    2019/10                2020/12                   2021/12                    N/A
DSM UC 3.1    2021/05                2022/10                   2023/05                    N/A
VS Firmware   2017/09                2021/12                   2023/12                    N/A

* The extended life phase for DSM 7.1 is applicable only for the models listed below:
XS+/XS Series: RS10613xs+, RS3413xs+, RS3614xs+, RS3614xs, RS3614RPxs, RC18015xs+,
DS3615xs, DS2015xs
Plus Series: DS2413+, DS1813+, DS1513+, DS713+, RS2414RP+, RS2414+, RS814RP+,
RS814+, DS214+, RS815RP+, RS815+, DS2415+, DS1815+, DS1515+, DS415+, DS215+
Value Series: RS814, RS214, DS414, DS214, DS214play, DS114, RS815, DS1515, DS715,
DS415play, DS115
J Series: DS213j, DS414slim, DS414j, DS214se, DS215j, DS115j, DS216se

Synology Router Manager (SRM)


SRM follows the MAJOR.MINOR.MICRO-BUILD-NANO versioning rules:
MAJOR version is for incompatible system behavior or API changes
MINOR version is for new functionality in a backward-compatible manner
MICRO version is for incremental security or bug fix updates
BUILD is an additional engineering identification of the release
NANO version is for specific security or bug fixes with backward compatibility
Each minor version of SRM, such as SRM 1.2, is identified as a different product with a different
number of life-cycle phases. Some of them will have an extended life phase and are identified as
long-term support. Security fixes, bug fixes, software enhancements, or hardware enablements
may be contained in each phase.
Software changes to SRM will be delivered via individual nano updates as the minimum changes,
such as SRM 1.2.3-8017-5, or be aggregated as an incremental release, such as SRM 1.2-7742 or
1.2.3-8017.

Long-term Support
Among SRM major versions, Synology marks at least one minor version as long-term support. The
LTS version has three life cycles: Production Phase, Maintenance Phase, and Extended Life Phase.
Other versions may have only two life-cycle phases: Production Phase and Maintenance Phase.

Life-cycle Dates
All future dates mentioned for life-cycle phases are close approximations, non-definitive, and
subject to be extended.

Product       General Availability   End of Production Phase   End of Maintenance Phase   End of Extended Life Phase
SRM 1.0       2015/10                2016/12                   2017/12                    N/A
SRM 1.1       2016/07                2017/12                   2018/12                    N/A
SRM 1.2 LTS   2018/10                2021/12                   2022/12                    2023/06*
SRM 1.3       2022/04                2023/06                   2024/06                    TBA

* Applicable only for Synology RT1900ac
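
One way to turn the versioning rules and the DSM and SRM life-cycle tables above into an inventory check, as an added example rather than a Synology tool. It assumes each listed month is the last month of that phase; the host names and the `model_listed` flag are hypothetical, and VS Firmware is left out because the table gives it no version number.

```python
import re
from datetime import date

# (year, month) pairs transcribed from the DSM and SRM life-cycle tables:
# general availability, end of production, end of maintenance, end of extended life.
# None = N/A, "TBA" = not announced; the final flag marks the "*" rows whose
# extended life phase applies only to the footnoted models.
LIFECYCLE = {
    ("DSM", 4, 2): ((2013, 3), (2014, 6), (2015, 6), (2017, 6), False),
    ("DSM", 4, 3): ((2013, 8), (2014, 12), (2015, 12), None, False),
    ("DSM", 5, 0): ((2014, 3), (2015, 6), (2016, 6), None, False),
    ("DSM", 5, 1): ((2014, 11), (2015, 12), (2016, 12), None, False),
    ("DSM", 5, 2): ((2015, 5), (2016, 6), (2017, 6), (2019, 6), False),
    ("DSM", 6, 0): ((2016, 3), (2017, 6), (2018, 6), None, False),
    ("DSM", 6, 1): ((2017, 3), (2018, 6), (2019, 6), None, False),
    ("DSM", 6, 2): ((2018, 5), (2020, 6), (2021, 6), (2024, 6), False),
    ("DSM", 7, 0): ((2021, 6), (2022, 6), (2023, 6), None, False),
    ("DSM", 7, 1): ((2022, 4), (2023, 6), (2024, 6), (2025, 6), True),
    ("DSM UC", 3, 0): ((2019, 10), (2020, 12), (2021, 12), None, False),
    ("DSM UC", 3, 1): ((2021, 5), (2022, 10), (2023, 5), None, False),
    ("SRM", 1, 0): ((2015, 10), (2016, 12), (2017, 12), None, False),
    ("SRM", 1, 1): ((2016, 7), (2017, 12), (2018, 12), None, False),
    ("SRM", 1, 2): ((2018, 10), (2021, 12), (2022, 12), (2023, 6), True),
    ("SRM", 1, 3): ((2022, 4), (2023, 6), (2024, 6), "TBA", False),
}

# PRODUCT MAJOR.MINOR[.MICRO][-BUILD[-NANO]]; a space is accepted in place of "-".
VERSION_RE = re.compile(
    r"^(DSM UC|DSM|SRM)\s+(\d+)\.(\d+)(?:\.(\d+))?(?:[-\s](\d+)(?:[-\s](\d+))?)?$"
)


def parse_version(text):
    """Split e.g. 'DSM 6.2.2-24922-4' into its product and version fields."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    micro, build, nano = (int(g) if g else None for g in m.groups()[3:])
    return {"product": m.group(1), "major": int(m.group(2)), "minor": int(m.group(3)),
            "micro": micro, "build": build, "nano": nano}


def phase_on(version, when, model_listed=False):
    """Life-cycle phase of a release on a date; each minor version is its own product."""
    v = parse_version(version)
    row = LIFECYCLE.get((v["product"], v["major"], v["minor"]))
    if row is None:
        return "unknown"
    ga, prod_end, maint_end, ext_end, restricted = row
    ym = (when.year, when.month)
    if ym < ga:
        return "not released"
    if ym <= prod_end:
        return "production"
    if ym <= maint_end:
        return "maintenance"
    if ext_end == "TBA":
        return "undetermined"
    if ext_end and ym <= ext_end and (model_listed or not restricted):
        return "extended life"
    return "end-of-life"


def audit(inventory, when):
    """Return {host: phase} for every device that has left the Production Phase,
    i.e. no longer qualifies for Important-impact fixes under the policy above."""
    phases = {host: phase_on(ver, when, listed) for host, ver, listed in inventory}
    return {host: p for host, p in phases.items() if p != "production"}


# Constructed sample inventory: (host, reported version, model in "*" footnote list).
SAMPLE_INVENTORY = [
    ("nas-office", "DSM 7.1", False),
    ("nas-archive", "DSM 6.2.2-24922-4", False),
    ("nas-lab", "DSM 6.0-7321", False),
    ("router-branch", "SRM 1.2.3-8017-5", True),
]

if __name__ == "__main__":
    for host, phase in audit(SAMPLE_INVENTORY, date(2022, 10, 17)).items():
        print(f"{host}: {phase}")
```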

Synology-developed Packages
Synology-developed packages follow the MAJOR.MINOR.MICRO-BUILD versioning rules:
MAJOR version is for incompatible application behavior or API changes
MINOR version is for new functionality, or incremental security or bug fix updates
MICRO version is for security or bug fixes
BUILD is an additional engineering identification of the release
Each major version of Synology-developed packages, such as Web Station 2.0, is identified as a
different product with a different number of life-cycle phases. Some of them will have an
extended life phase and are identified as long-term support.
Selected minor versions of Synology-developed packages, such as Photo Station 6.8, are identified
as a different product with a different number of life-cycle phases. Some of them will have an
extended life phase and are identified as long-term support.
Software changes to Synology-developed packages will be delivered via individual micro updates
as the minimum changes, such as Audio Station 6.5.4-3367, or will be aggregated as an
incremental release, such as Audio Station 5.5-2985 or 6.0.0-3088.

The corresponding desktop utility and mobile application for a Synology-developed package follow
the same life-cycle phase and end-of-life policy as the product.

Long-term Support
Synology will announce the packages for which the long-term maintenance is guaranteed along
with the announcement of the LTS versions of DSM and SRM. A long-term support solution is only
practical when packages are covered within the program. Select packages will keep receiving
updates to maintain operational stability and security. Synology has the obligation to ensure that
the successor package has the same level of reliability as the current one. See Appendix for the
full list of packages.

Open Source Packages


Synology offers open source software as packages and follows the bleeding-edge update policy,
i.e., we do not fix the software for Critical impact or zero-day vulnerabilities by ourselves but
follow upstream releases or cherry-pick patches from the official repository instead. A Synology
security advisory for the vulnerable package may be issued.

Synology-distributed open source packages follow the general MAJOR.MINOR.PATCH-BUILD
semantic versioning rules as the upstream releases. Exceptions may apply.

The life-cycle of the Synology-distributed package follows the same maintenance policy as the
upstream. If the specific version or branch of the package is no longer maintained by the
upstream, Synology announces that the package enters the end-of-life state, i.e., the package is no
longer distributed and supported by Synology. A successor package for replacement may be
introduced.

Partner Packages
Synology allows partners to distribute their products as a package via the Package Center of
DSM-based operating systems. A Synology security advisory for the vulnerable package may be
issued.
Synology takes no responsibility for these packages but performs underlying security and stability
checks before they reach the Package Center, and takes down vulnerable partner packages for
customer protection if needed without notice.

Security Program
Product Security Incident Response Team
Synology PSIRT manages the receipt, investigation, coordination, and public reporting of security
vulnerability information related to Synology products. It is also the contact for security
researchers and other organizations to report potential Synology security vulnerabilities.

Incident Response Process


There are four stages with which Synology handles vulnerabilities and notifies our customers.

Discovery
We take the initiative to investigate vulnerabilities and receive information through channels
including, but not limited to, the following:
[email protected]
CERT/CC Vulnerability Notes
National CERTs (US-CERT, TWCERT/CC, JPCERT/CC, etc.)
Public posting (Full Disclosure, oss-security, CVEnew, etc.)
Synology Support
We encourage researchers to send sensitive messages such as proof-of-concept through Pretty
Good Privacy (PGP) encryption. Once PSIRT receives security reports from researchers, they will
respond immediately to confirm receipt, and make a simple analysis. Researchers may be asked
to provide further information if there is insufficient information to clarify the vulnerabilities before
going to the next stage.

Triage
After receiving the report, PSIRT will build a temporary incident response team consisting of:
Relevant supervisors
Engineers of R&D team and Quality Control team
Public Relation team
If the vulnerability comes with an impact on our products, the incident response team will verify
the report and will log the corresponding bug into our tracking system after the PSIRT confirms
the severity and impact of the issue. The PSIRT supervisor is responsible for arranging the
schedule and coordinating resources to ensure that the software patch release process is
executed smoothly.

Remediation
PSIRT will assist the engineering team in fixing the vulnerability or finding a mitigation, and will
ensure that the quality of the test will not be compromised due to the fix, such as causing a
functional crash. If possible, PSIRT will submit the patch to researchers for verification to make
sure that the vulnerabilities are fixed properly. A security advisory will be produced at the same
time.

Disclosure
After applying the security fix, PSIRT will publish a security advisory, update the RSS feed, and
send an e-news email about the security fix. Meanwhile, the Public Relation team will promote the
software update, collect user feedback and report back to PSIRT.

If the vulnerability is not caused by third-party software, PSIRT will work with MITRE to assign
a CVE ID to the vulnerability. Synology will only release the details of the security fix according to
the Disclosure Schedule, and after the flaw has been published for a suitable period of time to
ensure that our customers have enough time to install the patch. Researchers may disclose the
details of the vulnerability after the public disclosure.

Third-Party Software Vulnerabilities


Some Synology products are built on third-party or open source components. When a
vulnerability is discovered in these components, we will refer to the report or CVSS technical
analysis provided by NVD. Synology will verify and triage the impact of the flaws on our products,
and give our evaluation.
If a third-party vulnerability affects Synology products, the weakness will be considered
high-profile if one of the following conditions is met:
The vulnerability has attracted significant public attention.
The Severity Rating is evaluated as a Critical or Important impact.
The vulnerability is likely to be exploited publicly or have a public proof-of-concept.
For high-profile vulnerabilities, Synology will begin the Incident Response process, evaluate all
potentially impacted products that are still under maintenance, and publish a Security Advisory
after a third party discloses related information. All other vulnerabilities will be listed in the
relevant release notes after being patched.

Types of Security Publications


Synology publishes Security Advisories and release note enclosures on the official website. These
two documents have different intentions, and cover different security flaws. Synology keeps
minimum information about the impact of the vulnerabilities disclosed on all publications. No
vulnerability details that may be exploited by attackers will be provided.

Synology Security Advisories
Synology provides Security Advisories that record security flaws affecting Synology products.
Each advisory is titled Synology-SA-YY:NN, and will rate vulnerabilities according to the
Critical, Important, Moderate, or Low severity rating or a vulnerability subject to public concern.
All advisories are tracked using the following statuses:
Resolved: The specified vulnerabilities are remediated for all affected products.
Ongoing: Synology has completed the investigation, and is developing the remediation.
Will not fix: Synology has decided not to remediate the vulnerability for the product.
Accepted: Synology has enhanced its products to prevent serious vulnerabilities. If a device
deployment vulnerability is controllable and is not under a critical security risk, the device is
not subject to remediation.

Release Note Enclosures


If low severity vulnerabilities are remediated, these vulnerabilities will be disclosed in the release
notes by CVE IDs or Synology-SA IDs.

                                                    Website   E-mail     RSS   Social Media
Security Advisories (Critical / Important Impact)   Yes       Optional   Yes   Optional
Security Advisories (Moderate / Low Impact)         Yes       Optional   Yes   No
Release Note Enclosures                             Yes       Optional   No    No

CVE Numbering Authority


CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to
assign CVEs to vulnerabilities affecting products within their distinct, agreed-upon scope, for
inclusion in first-time public announcements of new vulnerabilities. These CVEs are provided to
researchers, vulnerability disclosures, and information technology vendors.

Synology was authorized as a CNA member by MITRE in 2017. The major difference between a
CNA member and a non-CNA manufacturer is that Synology is certified to directly pre-allocate
CVE IDs to Synology products. This means that we can cooperate with third-party researchers,
and release fixes without publishing any vulnerability information first. The researchers usually
need CVE IDs for confirmation and are willing to follow our disclosure policy. Through this
process, our customers can get security and flexibility at the same time.

Responsible Disclosure Policy
Synology follows a 90-day responsible disclosure policy timeline. Synology issues software
updates and security advisories within 90 days of the initial reports and impact assessment.
Synology provides users with security advisories to explain the severity and the scope of the
vulnerability. However, Synology will withhold any proof-of-concept and exploit details. Details
such as attack vectors and specific affected components will not be disclosed within 90 days. An
additional, longer grace period may be utilized for high-severity vulnerabilities to ensure enough
users have adequate time to plan for and deploy updates or mitigation.

Synology reserves the right to deviate from this policy under extreme circumstances.

Communications Plan
Under the following circumstances, Synology may consider publishing security advisories:
After Synology fixes the vulnerabilities, we will publish security advisories to notify users to
update their software. Patch versions will be listed in the advisories and mitigation will be
included, if available.
Security advisories will be published in advance to address high-severity vulnerabilities.
When exploits start to spread, Synology publishes corresponding security advisories to notify
users that we are addressing the issue. Mitigation will also be published, if available.
For third-party vulnerabilities, Synology publishes security advisories or makes a public
announcement if the scope expands or public awareness increases.
Synology reserves the right to deviate from this policy to ensure software patch availability on
www.synology.com.

Incident Response Eligibility


Customers will receive incident response assistance for incidents involving known or reasonably
suspected security vulnerabilities in a Synology product.
Synology reserves the right to decide what kind of assistance to offer users to solve the incident,
or to withdraw from any incident at any time. Synology may give special consideration for security
incidents that involve actual or potential threats to persons, property, the Internet, or requests
from law enforcement agencies and formal incident response teams.

Bounty Program
Synology is committed to customer safety and the long-term security of our products. Synology
allocates resources to fix vulnerabilities as soon as they are discovered by internal tests,
researchers, or customers. Synology encourages security researchers and all users to contact
Synology PSIRT directly if they discover any security-related issues.

PSIRT processes, identifies, and judges all security reports received from the security form. PSIRT
guarantees to respond within 7 working days after receiving the report. After obtaining necessary
information for the security report, PSIRT endeavors to respond within 30 days working days. For
more information, please refer to the Security Bug Bounty Program.

Conclusion
Providing our customers with reliable and secure products on which to store their data has always
been Synology's primary consideration. The active collaboration between our security program
team and product development team enables Synology to fix security vulnerabilities quickly and
efficiently. With our powerful and professional solutions for data protection that only few NAS
companies have, organizations and individuals can now focus more on their businesses and
reduce IT costs.

Appendix
Long-term Support
The following packages are provided with long-term support for DSM
Active Backup for Business
Active Backup for Google Workspace
Active Backup for Microsoft 365
Calendar
Cloud Sync
Central Management System
Contacts
DNS Server
File Station
Glacier Backup
Hyper Backup
Hyper Backup Vault
LDAP Server
Log Center
MailPlus
Presto File Server
Replication Service
SSO Server
Synology Chat
Synology Drive
Synology High Availability
Synology Office
Synology Photos
Snapshot Replication
Surveillance Station
Virtual Machine Manager
The following packages are provided with long-term support for SRM
Cloud Station
DNS Server
Download Station
Media Server
Radius Server
Safe Access
Threat Prevention
VPN Plus Server
