@raidflex Not necessarily. What is important is to know your own environment and do the homework. See, the "NAS" in general is (was?) accessible only from the LAN or from outside via some secured way (VPN, Citrix, whatever...). FreeNAS, and the way we (me included) are using it, is not a "NAS" anymore but more like a frame with several VM environments. Meaning the extended security has to take place the moment one of the jails has access to/from outside. So, a few points in general from a security point of view:
- Promiscuous mode is a BAD thing (excluding the host system) in general, especially for jails with outside-world connectivity.
- VNET is ideal, as each jail gets its own network stack, so controlling the data flow is much easier than with NAT.
- Isolate your jails. At least those with outside access from the rest of the network.
- Get an L2 switch. Seriously...
- ... and a proper router. Not some sh!tty SOHO thing which has only an "Enable security" checkbox in the WebUI and nothing else.
- VLANs are a superb way for isolation. At least put your "safe/internal" jails on one VLAN and the "risky/open" ones on another. By default, block communication between them. Also block communication between jails inside the "risky" VLAN. Then implicitly allow only those you really need.
- Drop everything coming from outside to your NAS or jail IPs. Seriously, you don't need to have anything reachable from outside by default.
- dst-nat only what is required. Then allow only established and NATted connections (so fabricated packets can go to hell). (If you have any sort of web server, more work will be required here.)
- If you have any sort of "guest" network for your friends or family visiting you from time to time, isolate that completely from everything else. It is really not funny having your network security hardened against outside access and then letting your friend access your network over Wi-Fi from his laptop which has an active rootkit. Not cool!
- Restrict connections to your HOST system. Even your beloved wife, who of course has a serious IT education from you, can make a mistake and click some dirty links on FB. Logically you cannot cut her off from having access to all of the TV shows and movies, but she shouldn't be able to SSH or whatever to your FreeNAS host. Getting the host system compromised is just a plain disaster. Make sure you, and you only, can access it.
There are many more things to do, but the above are the main ones. I would say security is similar to data backup. Two kinds of people... The ones who care about it seriously and the ones who did not (yet) find their personal information (financial, photos, accounts, ...) on the "Internet".
(sorry for bad grammar :] )
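A FreeBSD pf.conf sketch of the policy the post above describes (default deny, rdr only the one service you must publish, stateful replies only, VLAN-to-VLAN blocking, host reachable only from your own machine). This is an added example, not the poster's configuration; the interface names, VLAN ids and addresses are assumptions.

```pf
# Added example, not from the post: FreeBSD pf.conf sketch of the policy above.
# Interface names, VLAN ids and addresses are assumptions; adjust to your network.
ext_if     = "igb0"        # WAN uplink of the router/firewall box
int_vlan   = "vlan10"      # "safe/internal" jails and trusted LAN
risk_vlan  = "vlan20"      # "risky/open" jails (anything that must be reachable)
guest_vlan = "vlan30"      # visitors' Wi-Fi
web_jail   = "192.0.2.10"  # the one jail that publishes HTTPS (constructed value)
admin_ws   = "192.0.2.5"   # the only machine allowed to manage the host (constructed)
table <martians> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                   172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set skip on lo0
set block-policy drop      # silently drop; no RST/ICMP hints for scanners
scrub in all

# dst-nat only what is required: one published service, nothing else.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 -> $web_jail port 443

# Default deny both ways. pf uses last-match unless a rule says "quick", and
# every "pass" keeps state, so replies to allowed connections come back by themselves.
block in log all
block out all

# Spoofed/martian sources on the uplink never get further.
block in quick on $ext_if from <martians> to any

# Inbound from the Internet: only the NATted service, only as a fresh TCP SYN.
pass in on $ext_if proto tcp from any to $web_jail port 443 flags S/SA

# Risky VLAN: Internet yes; internal VLAN, guest VLAN and the host itself no.
block in quick on $risk_vlan from any to { $int_vlan:network, $guest_vlan:network, self }
pass in on $risk_vlan from $risk_vlan:network to any
# Jail-to-jail traffic inside the same VLAN never crosses this box; isolate it on
# the L2 switch (port isolation / private VLAN) or on the jails' bridge instead.

# Guest VLAN: Internet only, never anything of yours.
block in quick on $guest_vlan from any to { $int_vlan:network, $risk_vlan:network, self }
pass in on $guest_vlan from $guest_vlan:network to any

# Internal VLAN: may reach everything, but the HOST only from the admin box.
block in quick on $int_vlan from ! $admin_ws to self
pass in on $int_vlan from $int_vlan:network to any

pass out all   # the box itself may originate traffic; state handles the replies
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `pflog0` with tcpdump for a while to see what the default "block in log" is catching before you trust it.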