Plugin, Shell Access and Firewall Security

[anodos]

Regarding webui access - in the real world a junior admin doesn't need it. If you're in a AD environment using CIFS, users and groups are handled by the DC. Permissions are handled through windows explorer. The only time I need webgui access is to create new volumes and shares. I don't want a minion doing that (this should not be a daily task). I certainly don't want them to have any sort of shell access.

In short you're either so small that you have a single admin enter new users on a single freenas box or you're large enough to have a seperate DC, LDAP, or other type of server handling your users and groups.

In heavily-regulated environments the decisions are simple. You figure out if your software has to be 'x-compliant' then you find a vendor who guarantees his product is 'x-compliant'. It might not be the technically best solution, but its the best solution for keeping your job when things go sideways.

I've never heard of a data breach because of a storage appliance. It usually has to do with crappy webapps, SQL injections, compromised user accounts / workstations, etc.

I don't see what firewall or restricting root buys you on FreeNAS. Ubuntu doesn't have a root account. Go check out their forums. It certainly doesn't even slow them down from doing stupid things and breaking their systems / security.

As far as plugins go - truenas doesn't have them.

 

[cyberjock]

Oh anados, please stop confusing the subject with "facts" and "use cases"! How dare you!

 

[anodos]

Oh anados, please stop confusing the subject with "facts" and "use cases"! How dare you!

I'm okay with 'security theater' as long as it stays off my lawn.

 

[cyberjock]

I'm okay with 'security theater' as long as it stays off my lawn.

LOL!. Good man!

 

[SwampRabbit]

In short you're either so small that you have a single admin enter new users on a single freenas box or you're large enough to have a seperate DC, LDAP, or other type of server handling your users and groups.

So what you are saying is in short that you know for sure there wouldn't be any companies in between this, ever?

In heavily-regulated environments the decisions are simple. You figure out if your software has to be 'x-compliant' then you find a vendor who guarantees his product is 'x-compliant'. It might not be the technically best solution, but its the best solution for keeping your job when things go sideways.

Show me a vendor whose compliancy states they will ensure you don't lose your job if their product gets hacked and I'll show you a company who is selling a load of bull. And I bet my job on this every single day and it is in the most regulated environment there is.

I've never heard of a data breach because of a storage appliance. It usually has to do with crappy webapps, SQL injections, compromised user accounts / workstations, etc.

Just like you probably never heard of a data breach from a printer either?
Which is funny cause I've seen both a storage appliance and a printer used at DEF CON twice, in fact a storage appliance one was a highlight this year.
So like user accounts, like guarenteed default ones, like ones I dont have to worry about spending the time to elevate, like easy ones called "root"? Yeah those accounts wouldn't be something to worry about at all.

TrueNAS doesn't have them yet, but soon you'll be able to torrent that trojaned video off of Pirate Bay right at the corporate office and share it via ftp to everyone in the office running that awesome thing you talked about "Windows" too. Don't need to worry about that either.

Fact - Ubuntu does have the "root" account.
You wanted to say is "it isn't enabled" by default.
Just like you wanted to say that most of your post is just your opinions.

 

[anodos]

So what you are saying is in short that you know for sure there wouldn't be any companies in between this, ever?

I've worked for companies ranging from 5 employees to 200 employees. 5 employees is fine without setting up a proper domain. I start pushing setting up a DC at about 20 workstations. Group policies, easy application white-listing, and lots of other conveniences / time savings make setting up a proper domain fairly compelling. Man-hours are more expensive than CALs. If you can define a use case in between, then feel free to do so.

Show me a vendor whose compliancy states they will ensure you don't lose your job if their product gets hacked and I'll show you a company who is selling a load of bull. And I bet my job on this every single day and it is in the most regulated environment there is.

I never stated any such assurances.

Just like you probably never heard of a data breach from a printer either? Which is funny cause I've seen both a storage appliance and a printer used at DEF CON twice, in fact a storage appliance one was a highlight this year.

Not to minimize the research, but defcon presentation /= real world data breach. Typically you see people hitting low-hanging fruit (SQL injections, out-of-date software, spear-fishing, etc.). If someone outside your storage network has unfettered access to brute-force the admin password on your TrueNAS appliance then it sounds like you have bigger fish to fry.

So like user accounts, like guarenteed default ones, like ones I dont have to worry about spending the time to elevate, like easy ones called "root"? Yeah those accounts wouldn't be something to worry about at all.

TrueNAS doesn't have them yet, but soon you'll be able to torrent that trojaned video off of Pirate Bay right at the corporate office and share it via ftp to everyone in the office running that awesome thing you talked about "Windows" too. Don't need to worry about that either.

Not sure what you're aiming at here. If someone can run a torrent client on your corporate network then it sounds like you have bigger problems than having a 'root' account on FreeNAS.

Fact - Ubuntu does have the "root" account.
You wanted to say is "it isn't enabled" by default.

Now that's just being pedantic.

Just like you wanted to say that most of your post is just your opinions.

Of course my post is my opinion. I wouldn't write it otherwise. :)

 

[David Dyer-Bennet]

Yeah, being a firewall isn't something that the FreeNAS should be doing. If you have a properly configured network, the network gateway, or a device somewhere upstream on the network should be handling all of the traffic and security enforcements. Clients on the network, be they servers or workstations should not be relied on to provide their own security. You're just asking for trouble doing that.

The concept that there is a section of the local network so secure that it doesn't really need security is wishful thinking of the worst kind; doubly or triply so on home networks. Yeah, the filer isn't directly exposed to the random internet, but that doesn't mean it doesn't need security. It's exposed to anybody who can sit down at a computer in the household, and anybody who manages to get on the private wifi (the guest wifi doesn't give access to internal IPs, supposedly, but relying on that strikes me as optimistic again). Every system needs a firewall.

 

[jgreco]

Firewalls decrease performance, and a properly designed system isn't exposing tons of crap anyways. The real problem is that there's a big slippery slope on how paranoid you need to be.

 

[David Dyer-Bennet]

It's certainly quite easy to go down the rabbit hole into insane security land, and get results with poor performance and usability; no doubt about that.

 

[jgreco]

With that agreed upon, then, let me propose to you that the general security model for FreeNAS deployment is:

1) Never visible to the Internet. Just totally bad.

2) A filer on a dedicated storage network with no visibility from outside the local network is not much of a security risk. This sort of thing happens when filers are running large datasets, or VM storage, etc., and it is Hell to plan a maintenance window to "update the filer." Especially if there's a risk that the filer might not come back up correctly.

3) A filer with modest visibility internally, say an office NAS, should ideally be kept up to date, except where there's a compelling reason not to (SAMBA upgrade breaks something), unless there's a security bulletin or something that appears relevant.

 

[anodos]

With that agreed upon, then, let me propose to you that the general security model for FreeNAS deployment is:

1) Never visible to the Internet. Just totally bad.

2) A filer on a dedicated storage network with no visibility from outside the local network is not much of a security risk. This sort of thing happens when filers are running large datasets, or VM storage, etc., and it is Hell to plan a maintenance window to "update the filer." Especially if there's a risk that the filer might not come back up correctly.

3) A filer with modest visibility internally, say an office NAS, should ideally be kept up to date, except where there's a compelling reason not to (SAMBA upgrade breaks something), unless there's a security bulletin or something that appears relevant.

Even in a small office it's never a bad idea to have a second LAN for management interfaces / IPMI. You can use a ridiculously cheap switch since you don't need much performance and almost all router / firewall appliances have at least two LAN ports.

 

[jgreco]

There's that too, though I suspect that the level of isolation that I'd prefer isn't available.

 

[anodos]

There's that too, though I suspect that the level of isolation that I'd prefer isn't available.

Probably. There are also port acls and the like that can be set on managed switches, which are useful in some situations. In short, we have a wide variety of poisons to pick between, but no silver bullets. It almost makes you think this stuff is hard.

 

[jgreco]

Keeps guys like us in business.