(security) Public httpd's storage on FN via NFS/iSCSI?

SMnasMAN (Contributor, joined Dec 2, 2018, 177 messages)
I've built (and am still testing/messing with) a large FreeNAS server. It will have some personal files and my own work files.

Below is most likely something I will not do, but I wanted to get feedback from others. My question is only in terms of storage security (i.e. NFS / iSCSI or CIFS).

On the same rack as my FN machine, I will have a bare metal Linux box hosting a public-facing, publicly accessible website.
This website/webserver will have about 4gb of (disk) content to serve visitors. I would LIKE to save some power/heat and have this 4tb of data stored on the FN machine (in its own zpool / dataset) and served to the "bare metal public webserver" via NFS or iSCSI over a dedicated NIC / VLAN.

My concern is that the bare metal public webserver gets fully exploited (i.e. an attacker has a full root shell on this machine) and can then leverage the NFS or iSCSI share to gain access to other files on the FN box, or to the FN box itself.

i.e. via:
https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/
(I realize FN does use the "nfsnobody" group, but I'm sure there are other NFS or iSCSI exploits.)

Would it be better if I ran the "bare metal public webserver" as an ESXi host, and then used NFS on ESXi to provide the httpd VM a 4tb datastore? (i.e. the web-based attacker would have to exploit/access ESXi first, to then pivot to/see the FN NFS share.)

Due to these reasons (and because I will have other important data elsewhere on my FN box), I will most likely just run a few 2 or 4tb disks on the bare metal host and have it connected only to a separate, isolated network to the internet. But I wanted to get input. How do enterprises or large providers deal with NAS/SAN security in terms of the host accessing the SAN/NAS share getting exploited?

Thanks.

Rough/quick idea of how I would physically segment, hypothetically:

[image: rough sketch 2.JPG]
 

l@e (Contributor, joined Nov 4, 2013, 143 messages)
@SMnasMAN, a few questions about your setup.
- Is that content publicly available, or behind a login prompt against a DB (accounts added by you, or from signup automatically)?
- Is the access method through a secure socket or plain HTTP/FTP?
- I see a FW in your layout; basically it can protect against IPS signatures, DoS and AV, and it can do even more depending on brand and subscription level.
- Regarding the NFS exploit, yes, it is risky, but still the risk will depend very much on how your web app is built. Also there are a lot of risks involving SQL injection and others.
- Will users be able to save their own files, or just RO rights for those 4TB?

So from your layout, again you have assumed the public server is fully exploited, and see only that as a risk, when you have internet access to/from the ESXi boxes through the 2nd FW. But also on the first firewall you have allowed only file sharing to the NAS, which is very good since no direct SSH or other prompt can be sent to FN. In real-life situations that exploited server in most cases is in a DMZ.
Sorry for going out of the original subject, which in my opinion is a little bit out of real-life deployments, but in case you don't want to give attackers any possibilities from known or still unknown exploits to mess with other material, I would run a second FN for those 4TB, or even just add the disks locally on the exploited server. Nowadays, when every day some threat is discovered, it is very hard to pre-think ways and harden only one point of the system. So either you go with 2 physically separated nets for public and private data (if the separation cost is justified by the value of what is protected), or you distribute the security mechanism and harden all system components.
I run the same scenario: a Nextcloud VM on my ESXi, exposing only the HTTPS port (and even that not on the standard 443), and the file store sits on my FN and is accessed via SMB from Nextcloud. All is behind a FW (HW), and yes, I have observed attacks of different kinds, but still the FW and the secure socket have done their job. (I'm using it to send software updates to customers and our installation guys in case they need some extra files on site.)
 

SMnasMAN (Contributor, joined Dec 2, 2018, 177 messages)
Hah, thanks, you are thinking just like me. No matter how well one configures this entire setup, it's just not worth it, as you never know with new exploits; thus just do the disks as direct-attached HDDs and physically isolate the bare-metal box.

(And use FN only for my internal uses.)

To answer some of your questions though:

1. (On the httpd server) I do plan to have the NFS-mounted drive as RO.
2. (IMO none of these httpd questions/scenarios are that important, as even the most basic httpd server, simply serving up a basic HTML-only static page, can have vulns, so in my scenario I want to assume the box is already exploited and ask how NFS/iSCSI alone can be leveraged by an attacker.)
The website being hosted does have HTTPS enabled (that's more about internet content transmission security, though).
No user login nor account creation (on the website). The site is in PHP, and the only user input to sanitize is the search, which users are able to use. (The site is a large archive of very high-res, royalty-free images.) As you pointed out, these elements are getting a bit away from the core question / relevance to the FreeNAS forum users here.

I know SANs/NAS are used everywhere, especially at the enterprise level, so how are they secured from exploited hosts?
(I assume the answer is through patching and support contracts, but even still, it's a pretty large prize to be protecting, so I know there are ways to secure/mitigate it.)
Thanks again.
 
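As an added example (not from this thread, and not FreeNAS code), the check below audits Linux-style /etc/exports entries for the three properties the posts above settle on for a share handed to a possibly compromised host: read-only, root squashed, and restricted to the web server's single address on the NFS VLAN. The paths, addresses and the sample exports text are constructed, and `allowed_clients` is a caller-supplied set; FreeNAS itself (FreeBSD) uses a different exports syntax (-ro, -maproot), so this covers only the Linux form.

```python
"""Audit Linux /etc/exports entries for the weaknesses discussed in the thread:
writable shares, no_root_squash (the escalation vector in the linked article)
and exports open to any host instead of the one web server.
Syntax handled: <path> <client>(<opt>,...) [<client>(...) ...]. Data is constructed."""
import re

# Constructed sample: the first line is the hardened export for the static
# site content; the other two show the weak patterns.
SAMPLE_EXPORTS = """\
/mnt/tank/www   10.0.50.10(ro,root_squash,sync,no_subtree_check)
/mnt/tank/www   *(rw,no_root_squash,sync)
/mnt/tank/home  10.0.50.0/24(rw,sync)   # a whole subnet, and writable
"""

# One client spec with an optional parenthesised option list.
ENTRY_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        for client, opts in ENTRY_RE.findall(rest):
            options = {o.strip() for o in opts.split(",") if o.strip()}
            entries.append((parts[0], client, options))
    return entries


def audit_export(client, options, allowed_clients):
    """Findings for one client spec; an empty list means it matches the intended policy."""
    findings = []
    if "rw" in options:
        findings.append("rw: a compromised client can alter or plant served content")
    # root_squash is the Linux default, so only an explicit no_root_squash is flagged.
    if "no_root_squash" in options:
        findings.append("no_root_squash: client root acts as root on the server's files")
    if client.startswith("*"):
        findings.append("wildcard client: any host reaching the NFS VLAN can mount it")
    elif client not in allowed_clients:
        findings.append(f"client {client} is not the web server's address")
    return findings


def audit(text, allowed_clients):
    """Map (path, client) -> findings for every export in the text."""
    return {(p, c): audit_export(c, o, allowed_clients) for p, c, o in parse_exports(text)}
```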