Firewall Upstream - Consumer Router or More Complex?

onlineforums

Explorer
Joined
Oct 1, 2017
Messages
56
Hi FreeNAS Community!

I understand that, by default, FreeNAS doesn't have a software firewall installed (pf for example). The main argument from my understanding is that FreeNAS is a tool for NAS and one should use a firewall tool for firewall. My concern is that for many the FreeNAS box has to be accessible via the public facing internet for backup/restoration reasons. So without a firewall, there must be something upstream.

Is a consumer grade router (Asus, Netgear, etc) sufficient? My understanding is that these consumer grade devices, by default, block all inbound traffic except for those that are established. For someone to use FreeNAS within NAT in consumer router setup one must do a port forward on the consumer router for the SSH port or whatever mechanism is being used to backup over the internet to the FreeNAS box. Is this sufficient? It is still a point of potential entry, however, isn't that true with a more complex setup as well?

The alternative is something like pfsense, untangle or proprietary hardware firewall. However, don't they basically do the exact same thing as a consumer grade firewall (default block all inbound, but open up a particular port to forward to an internal NAT address)? If one doesn't use some of the advanced features (VLAN, VPN, etc) of a more complex upstream firewall, then what is the point going beyond consumer router?

Finally, not to get anyone in trouble, but do you have an upstream firewall AND run pf or some other firewall on your FreeNAS box in a jail? :)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
You should not be simply opening ports on your FreeNAS box to the public Internet--that's a quick way to get pwned by @RussianMafia or other bad actors. Jails may be a different story (and, yes, ssh is pretty safe), depending on what's installed there, but for the web UI and the built-in sharing protocols, keep them on a private network. If, then, you need to access those remotely, you should plan to use a VPN (ZeroTier would be great for this, but FreeNAS' implementation of ZeroTier is half-baked at best, and the developers appear to have zero interest in improving it).

Given the requirement for a VPN, IMO, the best and safest way to implement it is on the edge device. I use pfSense and it works very well for me; I've heard good things about Untangle as well. I've also heard good things about the Ubiquiti EdgeRouter series, some of which are quite inexpensive and can act as VPN servers as well.
 

onlineforums

Explorer
Joined
Oct 1, 2017
Messages
56
You should not be simply opening ports on your FreeNAS box to the public Internet--that's a quick way to get pwned by @RussianMafia or other bad actors. Jails may be a different story (and, yes, ssh is pretty safe), depending on what's installed there, but for the web UI and the built-in sharing protocols, keep them on a private network. If, then, you need to access those remotely, you should plan to use a VPN (ZeroTier would be great for this, but FreeNAS' implementation of ZeroTier is half-baked at best, and the developers appear to have zero interest in improving it).

Given the requirement for a VPN, IMO, the best and safest way to implement it is on the edge device. I use pfSense and it works very well for me; I've heard good things about Untangle as well. I've also heard good things about the Ubiquiti EdgeRouter series, some of which are quite inexpensive and can act as VPN servers as well.
What difference is there in port forwarding a port from router/firewall to the FreeNAS versus port forward to a VPN service or VPN device on edge of network? In both cases you get pwned if either is compromised, whether VPN or pubkey for SSH. Perhaps I am mistaken.

Is a FreeNAS box behind NAT with a single port forward to the FreeNAS box for SSH basically the same as having a VPN device or service running to VPN into to make backups to the FreeNAS box? Either option would involve potential access to the FreeNAS services... no?
 
Joined
Dec 29, 2014
Messages
1,135
What difference is there in port forwarding a port from router/firewall to the FreeNAS versus port forward to a VPN service or VPN device on edge of network?
If you need a VPN to access a device on your network, then some kind of authentication happens before it can be accessed. If you port forward in a firewall, anyone anywhere can make a connection without any kind of authentication. Really big difference.
 

onlineforums

Explorer
Joined
Oct 1, 2017
Messages
56
If you need a VPN to access a device on your network, then some kind of authentication happens before it can be accessed. If you port forward in a firewall, anyone anywhere can make a connection without any kind of authentication. Really big difference.
Correct me if I am wrong but if you use rsync to backup to FreeNAS over the public internet, and you use public key, that is a form of authentication. Incorrect private key would mean no access. No brute force attacks (or at least not like passphrase authentication).

What is the difference between the two proposed options (the basis of the original post):
1. consumer grade router option: rsync using SSH with public key auth over public internet to FreeNAS box that has the consumer router port forward SSH port to FreeNAS box. FreeNAS box is behind NAT, but does have its SSH port exposed to public internet. Protected by SSH pub key auth.

2. more complex option: OpenVPN or IPsec on edge router/server to access the FreeNAS local network. From a remote location you VPN into the FreeNAS network to use rsync to backup to FreeNAS box over VPN. OpenVPN would have public key auth or IPsec would just be passphrase to authenticate. Protected by OpenVPN pub key auth or IPsec passphrase auth.

Again, correct me if I am wrong, I'm trying to understand, but aren't they fairly comparable in terms of security? If the FreeNAS box has an SSH port exposed to the open internet but uses public key auth then how is that any different than an OpenVPN/IPsec server exposed to the public internet using public key auth (or worse with IPsec passphrase)?

Thank you all for the insight and education! I am going to assume that the more complex option would be better because you can then set up the VPN to only be able to access the FreeNAS box and not the rest of the network (like a DMZ?) whereas the consumer router way if someone got into the FreeNAS box they could access the entire network if there wasn't other security measures in place?
 
Joined
Dec 29, 2014
Messages
1,135
Correct me if I am wrong but if you use rsync to backup to FreeNAS over the public internet, and you use public key, that is a form of authentication.
Yes, it is a form of authentication. However you still have to expose the TCP port to the public internet. If there is a vulnerability in that service or the TCP/IP stack, anyone would have the opportunity to exploit that. The key as has been said many times is that FreeNAS is an appliance, but NOT a hardened appliance. It is not intended to be exposed directly to the public internet.
Again, correct me if I am wrong, I'm trying to understand, but aren't they fairly comparable in terms of security?
I don't think so for the reasons I stated above.
I am going to assume that the more complex option would be better because you can then set up the VPN to only be able to access the FreeNAS box and not the rest of the network (like a DMZ?)
At a philosophical level, what you describe is more secure. The thing to keep in mind is that now any access to the FreeNAS would pass through a firewall which could slow it down. Are there things that host more sensitive data than the FreeNAS on the inside network? All security decisions are balancing acts between performance/ease of use and security. If you were going to make FreeNAS available directly from the internet (which again isn't recommended), I would strongly encourage you to use a DMZ. If you need a VPN to access FreeNAS, perhaps not depending on the sensitivity of the other things on the network. I hope that helps.
 

onlineforums

Explorer
Joined
Oct 1, 2017
Messages
56
Yes, it is a form of authentication. However you still have to expose the TCP port to the public internet. If there is a vulnerability in that service or the TCP/IP stack, anyone would have the opportunity to exploit that. The key as has been said many times is that FreeNAS is an appliance, but NOT a hardened appliance. It is not intended to be exposed directly to the public internet.
You mention that exposing the SSH TCP port to the public internet there may be a vulnerability in that service or TCP/IP stack. Is this not also true for OpenVPN or IPsec? Would OpenVPN/IPsec not have similar chances of exploits as SSH? SSH and IPsec are more in line with each other I believe in terms of maturity, age and general use. If anyone can find an exploit in either SSH or IPsec then there is going to be some huge targets not the average consumer.

So isn't OpenVPN/IPsec the same in terms of potential vulnerability as using SSH direct to the FreeNAS box? Both require exposing ports/services to the public internet. Both, if compromised (key or vulnerability), give access to the FreeNAS box. Well, now that I think about it that isn't true, because someone would have to have a compromised key or vulnerability with VPN and then also again for the FreeNAS box (so both VPN service and SSH/rsync services). So I suppose, is that what you are getting at, is that it is just another layer of protection?

While I'm thinking about it, you can use authorized_keys to only permit certain SSH or rsync type usages, restricting what someone that SSH's into the machine as a particular user can do.

I guess at the end of the day I realize it is a balancing act between, as you mention, performance/ease of use and security. Setting up OpenVPN/IPsec isn't incredibly difficult but it is just another appliance, key/passphrase/configs/etc to have to manage and deal with if something doesn't work as planned. SSH using public key seems to be the standard for people to access highly sensitive boxes so figured it would be a fine service to use to rsync into a FreeNAS box. It certainly is a lot easier and less expensive to do a single port forward for SSH services and then permit only certain types of commands via authorized_keys than it is to get another server/device that will run on the edge to VPN into to then SSH through the VPN into the FreeNAS server.
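The authorized_keys restriction mentioned in the post above, worked through as an added example (not code from the thread or from FreeNAS): a forced-command wrapper that lets the backup key run rsync into one dataset and nothing else. The script path, the user "backup", the dataset /mnt/tank/backups and the key line are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper that makes an
# authorized_keys entry on the FreeNAS box rsync-only. The script path
# /usr/local/bin/rsync-only.sh, the user "backup" and the dataset
# /mnt/tank/backups are assumptions, not values from the post.
#
# ~backup/.ssh/authorized_keys (one line; key material is a placeholder):
#   restrict,command="/usr/local/bin/rsync-only.sh" ssh-ed25519 AAAA...PLACEHOLDER... backup@laptop
#
# "restrict" turns off PTY, agent, X11 and port forwarding; the forced command
# runs instead of whatever the client asked for, and the client's request is
# handed to this script in SSH_ORIGINAL_COMMAND for inspection.

ALLOWED_ROOT="/mnt/tank/backups"   # assumed: the only tree this key may write

# Return 0 only for "rsync --server ... . <dest>" where <dest> is inside
# ALLOWED_ROOT and the request is a push (no --sender); return 1 otherwise.
rsync_only_allowed() {
    cmd="$1"
    case "$cmd" in
        "rsync --server "*" . "*) ;;                 # rsync server mode with a destination
        *) return 1 ;;                               # shells, scp, sftp, anything else
    esac
    case "$cmd" in
        *" --sender"*|*".."*|*";"*|*"|"*|*"&"*|*'$'*|*'`'*|*"("*) return 1 ;;
    esac
    dest="${cmd##* . }"                              # text after the last " . "
    case "$dest" in
        *" "*) return 1 ;;                           # exactly one destination argument
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Entry point when sshd runs this file as the forced command.
if [ "${0##*/}" = "rsync-only.sh" ]; then
    req="${SSH_ORIGINAL_COMMAND:-}"                  # empty when a shell was requested
    if rsync_only_allowed "$req"; then
        logger -t rsync-only "allowed: $req"
        exec $req                                    # word splitting intended; vetted above
    fi
    logger -t rsync-only "rejected: $req"
    echo "only rsync into $ALLOWED_ROOT is permitted for this key" >&2
    exit 1
fi
```

Rejected requests are logged via syslog, so a key that suddenly starts asking for shells or other paths shows up in the NAS logs.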
 
Joined
Dec 29, 2014
Messages
1,135
Is this not also true for OpenVPN or IPsec?
Yes, anything that is directly exposed to the internet has a risk of that type. That said, I would expect/hope any VPN device would be hardened because it is going in to a known hostile environment. The only computer that is 100% secure is the one that is turned off in a locked room, but it isn't very useful. I keep going back to the point that FreeNAS isn't designed with the security posture of something that will be directly accessible from the internet. I wouldn't advise it, but you get to make your own decisions. My personal opinion as a networking person with some exposure to security is that the VPN option is less vulnerable than the port forwarding option.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
As I noted in my first post, SSH is pretty safe--it's designed to be used in a hostile environment and has been pretty thoroughly vetted. So, yes, if you're forwarding a (ideally high, random) port to 22 on the FreeNAS box, and you have it locked down to disable root logins and require public key authentication, you're probably pretty safe. Even so, a VPN server running on your edge device is going to be safer. An SSH vulnerability on your FreeNAS box potentially results in an attacker logged into your file server. An OpenVPN vulnerability on your router potentially results in an attacker on your network--a bad thing to be sure, but that still doesn't give them direct access to your files (etc.) without a successful attack against other hosts on your network.
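The "locked down" state described in the post above (root login off, public key only), as an added check that is not from the thread or from FreeNAS: it reads the effective sshd configuration as printed by `sshd -T` and reports any setting that deviates. The two configuration samples are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example (not from the thread): audit the effective sshd configuration
# on the FreeNAS box for the lockdown described above before a router
# forwards a port to it. Real input is the output of "sshd -T" run as root;
# the two samples below are constructed.

# Print one line per deviation from the expected value and return the number
# of deviations (0 means every listed setting is as expected).
check_sshd_lockdown() {
    conf="$1"
    findings=0
    for want in "permitrootlogin no" "passwordauthentication no" \
                "pubkeyauthentication yes" "kbdinteractiveauthentication no" \
                "challengeresponseauthentication no" "permitemptypasswords no"; do
        key="${want%% *}"
        have="$(printf '%s\n' "$conf" | awk -v k="$key" '$1 == k { print $2; exit }')"
        [ -z "$have" ] && continue      # option not present in this OpenSSH version
        if [ "$have" != "${want#* }" ]; then
            echo "finding: $key is '$have', expected '${want#* }'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: the permissive defaults many installs ship with.
SAMPLE_DEFAULT="port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
challengeresponseauthentication no
permitemptypasswords no"

# Constructed sample: the locked-down state.
SAMPLE_LOCKED="port 22
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
challengeresponseauthentication no
permitemptypasswords no"

# On the NAS itself, as root: check_sshd_lockdown "$(sshd -T)"
```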
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Kind of a side issue, but I also greatly prefer Ubiquiti's model of separate devices for separate tasks--keeping, for example, the router separate from the WiFi access point. Gives you more flexibility in your network, and avoids needing to upgrade components that are still working just fine--you might, for example, want to upgrade the WAP to take advantage of new WiFi standards, but the router is still working fine.

The EdgeRouter X will act as an OpenVPN server out of the box, and is only around $60. It doesn't integrate with the Unifi controller software, but it's quite a bit less expensive than the Unifi Security Gateway (which can also be made to do this).
 