Best way to protect FreeNAS server on open internet?

Status
Not open for further replies.

RoboKaren

Contributor
Joined
Apr 8, 2014
Messages
130
I'd like to install a FreeNAS server in my university lab, but this would mean that it would be more or less on the open internet with its own full IP address. The university does of course have a firewall, but they try to balance openness against security.

I really only have HTTP/HTTPS/SSH as the only ports open (and HTTP redirects to HTTPS).

Is there, however, a better way to secure my FreeNAS server? Note that at this university, all of the Windows and Mac machines are also on the same open network, so it's not like other devices are super-secured.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Stick your own router/firewall between your NAS and the rest of the network.
 

RoboKaren

Contributor
Joined
Apr 8, 2014
Messages
130
Many firewalls appear to be just custom linux/BSD appliances. Is there that much more security to be gained by having them in the middle? That is, any security bug that the firewall has is likely also in FreeNAS or the other way around.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
No, the entire point of a dedicated security appliance is that it has been vetted to be able to do certain things in an appropriate configuration.

You can do many of the same things with FreeNAS, such as installing a local firewall, but they will only ever be halfass implementations, because there's a significant risk that a reinstall or upgrade could disable them, and default to things being wide open.

By way of comparison, a dedicated firewall appliance isn't going to "forget" to be a firewall accidentally, or "misplace" your rules. A properly designed firewall appliance will fail safe - that is, it will block ALL traffic - if it manages to get reset and loses its configuration.

"security bugs" are usually things in code on a device that are a problem. A firewall appliance does not expose enough of itself to the network for this to be an issue (or, at least, shouldn't). It's dealing with flows of data ON the network. As long as it does that well, any potential "security bugs" on the platform itself are irrelevant. Meanwhile, the FreeNAS box is actually terminating connections and providing services. There's a much more substantial risk there.
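As an added example (not code from any poster in this thread), this is what the "fail safe, block everything unless told otherwise" behaviour described above looks like as a pf ruleset on a small routing firewall placed between the campus uplink and the NAS; the interface names, the NAS address and the admin subnet are assumptions.

```pf
# Added example, not from this thread: a minimal pf.conf for a dedicated
# FreeBSD/pfSense-style box routing between the campus uplink and the NAS.
# Assumed: em0 = uplink, em1 = NAS-side interface, 192.0.2.10 = the NAS
# (documentation address), 198.51.100.0/24 = the subnet allowed to use SSH.
# The firewall host also needs forwarding on (sysctl net.inet.ip.forwarding=1).
ext_if    = "em0"
nas_if    = "em1"
nas       = "192.0.2.10"
admin_net = "198.51.100.0/24"

set skip on lo0
set block-policy drop        # drop silently rather than answer with RST/ICMP

# Fail safe: nothing passes in either direction unless a later rule says so,
# and every drop is logged to pflog0 so blocked probes can be reviewed.
block log all

# Never accept packets on the uplink that claim to come from the NAS side.
antispoof quick for { $ext_if, $nas_if }

# Only the three services the original poster exposes, and only toward the NAS.
# "flags S/SA" means only an initial SYN creates state; replies ride on it.
pass in on $ext_if proto tcp from any        to $nas port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from $admin_net to $nas port 22          flags S/SA keep state

# The NAS itself may only reach out for DNS and HTTPS (updates); anything
# else it tries to start outward hits the default block and is logged.
pass in on $nas_if proto { tcp, udp } from $nas to any port 53  keep state
pass in on $nas_if proto tcp          from $nas to any port 443 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `tcpdump -n -e -ttt -i pflog0` then shows exactly what the default block is catching.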
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
And, if your FreeNAS is going to be installed in a subnet where other stuff is publicly exposed without any significant thought to security, all the better reason to throw your own firewall in front of it. There are tons of options... pfsense or the free Sophos UTM running on pretty much any reasonable hardware are good ones, as are any of the little commercial firewalls - ASA5506-X, PA-200, etc.
 

RoboKaren

Contributor
Joined
Apr 8, 2014
Messages
130
Thanks for the recommendations! Looks like I'll get a mini-ITX box with dual Intel LANs and stick Sophos UTM on it.
 

Mlovelace

Guru
Joined
Aug 19, 2014
Messages
1,111
Dell SonicWall is a great firewall for home. I've had zero issues with the TZ-215.
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
Best way to protect FreeNAS? Don't use it on the internet. Period! That's what was actually recommended last I checked but everyone still does..
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
Best way to protect FreeNAS? Don't use it on the internet. Period!
Isn't that sort of like "how can I avoid getting into an accident with my car? park it in the garage, and never drive it."

Surely you're not suggesting that a FreeNAS system would be on a network not connected to the internet.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Isn't that sort of like "how can I avoid getting into an accident with my car? park it in the garage, and never drive it."

Surely you're not suggesting that a FreeNAS system would be on a network not connected to the internet.
FYI, you can use FreeNAS on a network that has internet, but the FreeNAS box doesn't have to ever touch the internet.

Just like the documentation tells you, you can keep FreeNAS off the internet by not providing a gateway address.
 

Montel Bahn

Dabbler
Joined
Oct 12, 2015
Messages
40
Best way to protect FreeNAS? Don't use it on the internet. Period! That's what was actually recommended last I checked but everyone still does..

Kinda soils the whole good name of bsd that you can't connect a FreeNAS to the internet with sane pre-configured defaults.
A casual observer might be fooled, but apparently that can't be done, even by the pre-eminent supporter/sponsor of FreeBSD.
With friends like that.....
Seriously though, couldn't an install have the smarts/GUI ai to lock down the uplink and not be so promiscuous by default?
Whatever firewall iX would favor surely would have minimal overhead?
Dang stupid Cisco/Linksys crap uses like 256 MB!
 

Yatti420

Wizard
Joined
Aug 12, 2012
Messages
1,437
This begs the question, of course: if you build in PBI support for plugins etc. that need network but provide no firewall etc. (by default at least), that can be seen as a problem IMO. It's always bugged me. But let's be honest, as long as you're not inviting the world into your network or PC you should be safe! I'd be more worried about router exploits or something silly etc. UPnP is a huge one. I've turned this off, as much as possible.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Kinda soils the whole good name of bsd that you can't connect a FreeNAS to the internet with sane pre-configured defaults.

That's just unfair. A large part of the problem is that something that's designed to be deployed as an appliance is unlikely to be updated by users as frequently as it ought to be. In theory you CAN put a Windows box directly on the Internet and it shouldn't be instantly pwned. However, there's a lot of mass scanning of the Internet that goes on, and the bad guys are known to be building databases of what they find and where it is, so that when an exploit for a given product becomes known, they can just immediately go and target JUST THOSE machines that might be vulnerable, rather than having to scan 4 billion IPs. So in practice, the smart advice for ANY platform is not to put it on the Internet without some careful considerations, including hardening of the underlying OS, and a firewall. And the best advice (which is typically what we try to hand out around here) is that you should not expose directly on the Internet a product that was not designed for such a use model.

A casual observer might be fooled, but apparently that can't be done, even by the pre-eminent supporter/sponsor of FreeBSD.
With friends like that.....
Seriously though, couldn't an install have the smarts/GUI ai to lock down the uplink and not be so promiscuous by default?

It's intended as a fileserver. Fileservers are inherently promiscuous. Each sharing protocol (most of which are authored by external projects) has a different strategy for access control. It gets messy.

Whatever firewall iX would favor surely would have minimal overhead?
Dang stupid Cisco/Linksys crap uses like 256 MB!

256MB in 2016 is not onerous.
 

Montel Bahn

Dabbler
Joined
Oct 12, 2015
Messages
40
256MB in 2016 is not onerous.
That's my point. Not that router firmware is/should be in the same league as pf or ipfw, but my understanding is that the latter are 'cheap' in terms of CPU/RAM. In THEORY, and since FreeNAS already seems to be a schizo (not pejorative, but as in VERY versatile) OS, it could ship with locked-down features that are a-la-carte enabled, ports opened etc. following proper engineering/GUI design. Example: enabling CIFS looks to see if the machine's IP is LOCAL, otherwise it can't be enabled. Interactive warnings and guidance, etc. And I imagine things do get messy fast, and resources would be stretched.
But why not have some sort of port knocking or fail2ban auto-configured (through GUI input) as the default? This would be easy to implement I think and not stress the box, right? I imagine SSH is the most used/useful service and also the most commonly misused in risky ways? There is no fail safe for the poor sods that do make mistakes... god, even plugging in the wrong CAT cable by accident in an enterprise.

To be clear, Mr Grinch, I think, is NOT wrong. But store-bought routers have USB ports (shiver me timbers) and HTTP GUIs. Mind you, those are for SOHO and not FreeNAS' primary target market apparently. Also, as mentioned, a firewall would be useful on some intranets and small business networks also, I think.

Seems to me, despite the SHODANs, and since FreeNAS does want to auto-update???? a Firewall TAB would not be ridiculous. Just my 2 cents. Most OSs ship with firewalls, and I think data safety could be improved. But again, that might be mission creep and OBVIOUSLY nobody should be advised to put the FreeNAS on the internet. This is just my impression as a casual user; I do not have Mr Greco's intimate knowledge of the product. So I think his main point stands.

P.S. Are there a lot of gotchas to running a firewall in a jail? Is it very complex or complicated?
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
Ok, I really don't understand the problem here. FreeNAS is /not/ intended to be "on the open internet", it's intended to be inside your firewall. Generally, only things that ARE intended to be on the open internet should be (and only to the minimal extent necessary), like IP PBX, web servers, incoming email servers, etc. And EVEN THEN, generally via a proxy on the firewall is probably best when possible.

I don't see it as ANY sort of a problem that FreeNAS isn't designed to be on the open net.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Ok, I really don't understand the problem here. FreeNAS is /not/ intended to be "on the open internet", it's intended to be inside your firewall. Generally, only things that ARE intended to be on the open internet should be (and only to the minimal extent necessary), like IP PBX, web servers, incoming email servers, etc. And EVEN THEN, generally via a proxy on the firewall is probably best when possible.

I don't see it as ANY sort of a problem that FreeNAS isn't designed to be on the open net.

I don't, either.

On the other hand, I have to say that FreeBSD has done pretty well over the years. It really isn't FreeBSD itself that's likely to be a significant issue here so much as it is the lack of updates that tend not to happen in production environments, plus the overall design, which involves integrating various open source projects into a single "thing." It's much better to focus on what you're good at and just scope it appropriately from the security standpoint. I wouldn't put a NetApp, EqualLogic, or Nexenta box on an unprotected Internet segment, and I wouldn't do it with FreeNAS either. *shrug* I encourage someone else to be the guinea pig to discover if my paranoia is warranted.
 