Office Network and NAS

Status
Not open for further replies.

tecno2018

Cadet
Joined
Feb 19, 2018
Messages
7
Hello to all,
I'd like to solve my office network.

Currently, I have two LANs:
1 without Internet access: there is 1 PC (with important data), 1 printer and 10 CCTV IP cameras with an NVR
2 with Internet access: 4 computers used for surfing the web for research, sending email and writing documents, 1 printer and some mobile devices connected by Wi-Fi

I drew a simple schematic of my idea.
I am thinking of adding a NAS for backups (COMPUTER A and COMPUTER 1, 2, 3, NOTEBOOK 1), but I do not want to put my NAS on a LAN with Internet access (because of viruses or ransomware/CryptoLocker), yet I want to share some NAS data with the other PCs.
Is there a very secure solution for this?
Sorry for my bad English.
rete forum freenas.jpg
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
What you need is a firewall in the middle, with both networks connected to it. Then, you can specify exactly what you want moving between the two networks.

At home, I have cable for my primary Internet access and an LTE modem for backup. Both devices are placed into bridge mode, so they aren't doing any sort of routing. These devices are then connected to a 1U server running pfSense, plus connections to my various internal networks (about 7). pfSense then handles DHCP, firewalling, routing between subnets, etc.
 

tecno2018

Cadet
Joined
Feb 19, 2018
Messages
7
So I only have to use a firewall?
Can I run FreeNAS and pfSense on one machine?

And what about ransomware and other viruses?
 

tvsjr

Guru
Joined
Aug 29, 2015
Messages
959
A firewall/router appliance - pfSense, a Cisco ASA, whatever - will let you do what you need.
There are ways to put FreeNAS and pfSense into one box (through virtualization), but I don't recommend them.

As far as ransomware and viruses, you can prevent the systems on one network from having Internet access if you wish. However, the firewall is only one piece of protecting your system from ransomware.
 

tecno2018

Cadet
Joined
Feb 19, 2018
Messages
7
For the router/firewall, I'm thinking of a MikroTik RB3011.
What about ransomware/viruses? What are the best ways to protect my network and prevent them?
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
What about ransomware/viruses? What are the best ways to protect my network and prevent them?
There are multiple ways to handle this, and a good solution employs multiple defensive arms. The major points of protection are: edge (at the firewall, before traffic gets into the network), within the network (switches/routers that also do packet inspection), and client. Edge and Client protection are definitely the easiest.

If you use pfSense, you can use an IPS solution like Snort to do deep packet inspection, and ClamAV to do AV scanning. You'll need a pretty powerful firewall to do these in real time (not necessarily massive, but bigger than a last-gen Atom). On the client, you really want an AV client that can prevent programs from doing ransomware kinds of things. For example, I use BitDefender, and their ransomware protection basically locks down certain folders and only allows trusted applications to write to them. Other programs are more sophisticated, and look for specific behavior to lock down misbehaving applications. Using a network-wide solution that aggregates data and behavior from multiple clients to find and block ransomware programs is peak anti-ransomware; however, those solutions are expensive.

ZFS is actually really effective as an anti-ransomware solution because of its snapshots: changes can be easily rolled back to before the attack.

However, the best anti-ransomware is correcting behavior. Ransomware doesn't come into networks via hacks as much as it does via social engineering. It's amazing how easy it is to get uneducated and unalert people to download and run software on their machine.
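
The snapshot rollback mentioned in the post above, as an added example that is not part of the original thread: it picks the newest ZFS snapshot taken before an incident and prints (does not run) the recovery commands. The dataset name, snapshot names and timestamps are constructed; the input format is the tab-separated output of `zfs list -H -p -t snapshot -o name,creation`.

```shell
#!/bin/sh
# Constructed sample of `zfs list -H -p -t snapshot -o name,creation -s creation`
# output: snapshot name, TAB, creation time in epoch seconds (hypothetical names).
sample_snapshots() {
    printf 'tank/office@hourly-0800\t1519027200\n'
    printf 'tank/office@hourly-0900\t1519030800\n'
    printf 'tank/office@hourly-1000\t1519034400\n'
    printf 'tank/office@hourly-1100\t1519038000\n'
}

# last_clean_snapshot ATTACK_EPOCH
# Reads a snapshot listing on stdin and prints the newest snapshot created
# strictly before ATTACK_EPOCH. Returns 1 if no snapshot predates the incident.
last_clean_snapshot() {
    awk -F '\t' -v t="$1" '
        ($2 + 0) < (t + 0) && ($2 + 0) >= best { best = $2 + 0; name = $1 }
        END { if (name == "") exit 1; print name }'
}

# recovery_plan ATTACK_EPOCH
# Prints the commands an administrator would review and run by hand.
recovery_plan() {
    snap=$(last_clean_snapshot "$1") || {
        echo "no snapshot predates the incident" >&2
        return 1
    }
    dataset=${snap%@*}
    # Non-destructive: expose the clean state as a separate dataset first.
    echo "zfs clone $snap ${dataset}-restore"
    # Destructive: -r is required when newer snapshots exist, and it
    # destroys every snapshot taken after the target.
    echo "zfs rollback -r $snap"
}

# Incident first noticed at epoch 1519033200 (between the 09:00 and 10:00 snapshots).
sample_snapshots | recovery_plan 1519033200
```

On a live system the listing would come from `zfs list` itself instead of `sample_snapshots`. Snapshots only help if the ransomware cannot reach an account that is allowed to destroy them.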
 

Nick2253

Wizard
Joined
Apr 21, 2014
Messages
1,633
So, what does the firewall do??
I'm assuming you have a more specific question than what a firewall does in general. Can you expand on this, and explain what you're looking for?
 