Another PFSense+FreeNAS argument
-
Why FreeNAS? Why not NAS4Free?
-
Why FreeNAS? Why not NAS4Free?
I'm most familiar with FreeNAS, and I know it to be generally accepted to be the "best" freebsd/pf NAS solution.
If NAS4Free developers want to get in on the whole PFSense+FreeNAS Integration to make it into a PF4NAS mega-conglomerate, there's no reason even more experienced developers wouldn't improve the overall end user experience and contribute to feature maturity, security, and polish
-
There's some general concepts that all suggest this is a bad (dangerous) idea:
-
Security vs. Convenience. They're inversely related. If people want more convenience, usually security is then sacrificed, and vice versa. By incorporating more roles onto a security appliance, it's increasing the convenience; as a result, security is decreased.
-
Attack Surface. By adding more roles, you only dramatically increase the attack service of the device, server, or appliance. Something that is a specialist then becomes a generalist. We're adding more windows and doors to the house, making it easier for just one of them to be compromised and an attacker to gain entry and own the entire box.
-
Security by Isolation concept.
NAS is a storage device, usually for personal, private, or sensitive information. Even for a home user, the data includes personal documents, finances, family photos and videos. Putting those on a a perimeter/edge device such as a router or firewall is putting all that precious data closer to the Internet, when it should be the opposite: protected and as internal as possible from the WAN.
Heck, one could argue that even pfSense with a ton of packages installed is "too much" of an all-in-one solution, for convenience. Traditional firewall, proxy, content filter, IDS/IPS, DNS, DHCP, VPN endpoint, RADIUS. Some have these roles all on separate devices.
It seems OK to me to harden each server however, including NAS. Host-based firewall like FreeBSD's pf running on FreeNAS or Suricata running on a server. I mean, all our Windows devices have a basic host-based firewall enabled, Linux has iptables, etc. So it's fine to have host-based firewalls running on a NAS appliance and other servers, but something with a role of firewall/router should really be as isolated and simple as possible to reduce attack surface.
-
-
"Furthermore, virtualizing a full fledged NAS service (Providing large scale data storage to the network) is a VERY BAD idea, especially for home users as it requires expensive special hardware to do it properly."
What? I run my pfsense virtual - seems so do you, so you think it ok to turn it into a NAS - so then what it shouldn't be a vm then?
A NAS is network attached storage - what would be full fledged vs say not full fledged? What OS you use to provide access to your storage seems irreverent , be it freenas, nas4free, unraid, openfiler, windows anything, etc..
As to special expensive hardware? Again pure poppycock.. My very reasonable priced N40L provides me both my router via vm, and my nas - currently just windows 7 running drivepool from stablebit to make it easier to share out multiple drives as one share vs having to raid them in anyway, etc. This currently provides my network with 6+ TB which can easily expand to 16 in the same box by just plugging in the drives if so desired, more if I used the esata or usb connections, etc.
Anyone with the desire can bring up a very cheap a NAS be it the os is virtual, or they just buy a premade one - there are plenty of OS'es out there that are designed to be NASes - I don't see a reason to try and combine a nas OS with my edge router/firewall..
-
Furthermore, virtualizing a full fledged NAS service (Providing large scale data storage to the network) is a VERY BAD idea, especially for home users as it requires expensive special hardware to do it properly.
Perhaps you could elaborate on that. What sort of performance do you require that can't be achieved by a virtalised solution? It seems there are plenty of pfSense users doing exactly that, running it as a VM together with a NAS VM, and seeing good results.
Steve
-
A "very bad" idea solution of using a VM is still more secure than the "atrocious horrendous ghastly abhorrent lurid terrible horrible no good very bad" idea of putting a storage server on your firewall.
If you want to shoot your own foot, we won't be handing you the gun.
-
A "very bad" idea solution of using a VM is still more secure than the "atrocious horrendous ghastly abhorrent lurid terrible horrible no good very bad" idea of putting a storage server on your firewall.
If you want to shoot your own foot, we won't be handing you the gun.
LOL.
Well said.
-
A "very bad" idea solution of using a VM is still more secure than the "atrocious horrendous ghastly abhorrent lurid terrible horrible no good very bad" idea of putting a storage server on your firewall.
If you want to shoot your own foot, we won't be handing you the gun.
I apparently haven't said loudly enough that I don't actually want any of my edge routers to also be NAS devices, and some people apparently can't read.
-
Furthermore, virtualizing a full fledged NAS service (Providing large scale data storage to the network) is a VERY BAD idea, especially for home users as it requires expensive special hardware to do it properly.
Perhaps you could elaborate on that. What sort of performance do you require that can't be achieved by a virtalised solution? It seems there are plenty of pfSense users doing exactly that, running it as a VM together with a NAS VM, and seeing good results.
Steve
Any sufficiently competent NAS needs access to RAW disks, not encapsulated disks, or disks behind a translation layer, but for optimal error recovery the NAS needs access to raw disks. This usually means direct access to the associated controller, such that either the NAS OS is on bare metal, or the Controller is passed through to the Virtual Machine. Passing the Controller through to a virtual machine requires expensive controllers, expensive motherboards, and either Limits the user to an AMD processor, or requires a Xeon processor.
As for performance, passing your NAS RAW DISKS is not about performance, it's about reliability. Certainly any data you don't care about can be on a virtualized disk NAS. Make sure you take good backups.
As for defining "Fully Fledged", a fully fledged NAS is one that's providing the primary storage for a network. The system with the massive storage that hosts the backups and large scale multimedia. The system that hosts VM images and exports them to VM hosts. It's the Fully Fledged NAS, as opposed to the lightweight NAS that someone might virtualize to provide a limited amount of space to something that needs to be available more easily. I'm picturing, well, Pictures, or a website, or a UPNP media server…
-
There is an issue here that I've talked about before (as have others) but probably worth going into again.
pfSense has become sufficiently popular and is sufficiently flexible that it's install base encompasses a very wide range deployment scenarios. For example it was originally conceived as a direct replacement for Cisco ASA boxes but it's now installed in maybe greater numbers as a SOHO router where a WRT54 would once have been. Think about the difference between those two pieces of equipment and how wildly your expectations would vary between them. Users are coming to pfSense expecting everything both of those can provide.
Now think about adding NAS capability. In the world of the SOHO router this already exists. There are numerous NAS type add-on packages for OpenWRT for instance and you don't see people complaining about it. However if you went to Cisco complaining about not having file sharing capability on your new firewall you'd get short shrift.
Now you could argue that having it as a package allows both requirements to be satisfied but the fact is that if it were possible to do it someone would install a full NAS package on a perimeter firewall. That may then get hacked and that would be very bad for the project.I might suggest that if you are setting up a fairly serious NAS as you describe then why not just run a separate machine?
I hadn't considered that direct disk access was such an issue though. Do you have a link to any discussion on that?
Steve
-
Some of us can read fine and still don't buy the arguments.
If you cared at all about speed/resilience/security then you would not be combining a firewall with a NAS. You're talking about making a compromise to have them both on the same unit, and compromises mean sacrifices. You'll sacrifice a bit of everything to shoehorn them into the same device.
But that's the problem with Bikeshed arguments, everyone wants them to be different colors.
-
"Any sufficiently competent NAS needs access to RAW disks"
And who said my NAS didn't have raw access to the disks?
Raw Device Mapping is simple enough in esxi that anyone can do it. You don't need exp controllers either.
http://www.vm-help.com/esx40i/SATA_RDMs.phpSo yes my nas creates the file system on these disks, they are not vmdks that are given too the vm.. But even so - that could also be done as well. Sorry but you DONT need raw access to provide access to storage.
My nas also has access to the smart info on the disks, etc. etc.
Your trying to overcomplicate a simple thing like access to storage over a network.
-
jimp,
Any chance you can port pfsense to be a Windows based appliance? I want to play Solitaire.
-
Ha! ;D
https://github.com/qpleple/solitaire/tree/master/src/Cli
Steve
-
Ha! ;D
https://github.com/qpleple/solitaire/tree/master/src/Cli
Steve
I guess this might not be appropriate to build into the base system :-\ but maybe somebody will make it package ;)
-
So obviously nobody cares about the benefits that I've identified and pointed out.. Improved security, reliability, and reduced attack footprint. I'm forced to question the strength of those attributes when the community diverts attention away from the subject at hand when those issues are challenged.
-
It's not that people don't care about those things obviously security and reliability are high priorities for pfSense users.
I could imagine a product that was configurable as either a firewall or a NAS at install using a shared base. It should not be possible to install both on one system IMHO. I don't know how FreeNAS people would feel about that but presumably there is a reason they haven't included any firewall/router features.
I cannot imagine combining the two projects at this stage though. It may have been possible when both projects were in their infancy but the work required to do it now would be huge. Would it be worth it?
The other thing is that if you ran a diff against both projects to find the commonality between them what is left is pretty much just FreeBSD. Just how much code could be combined between the two usefully? Webgui? Package system? Both projects contribute code back to FreeBSD so code is shared that way.Steve
-
I can understand where you're coming from. I've beeen a pfsense user since early 2.0.x and also run a local NAS. I would never think of combining my firewall/router w/ my NAS as many others have said. That being said, I understand that you think combining pfsense and a Nas appliance into one would allow multiple deployable scenarios. While true there would have to be a common base, as someone pointed out, and lord knows what that would mean, not only security wise or otherwise. Yes having both on 1 iso to choose from would be convenient, but the old saying goes - security or convenience, pick one.
I will say though, your proposal was nice. Try to take some of what everyone has said to heart - they're all very knowledgable people with good points. Look around, there aren't any other top notch fw/router appliances with a file server onboard - that has to tell you something. -
So obviously nobody cares about the benefits that I've identified and pointed out.. Improved security, reliability, and reduced attack footprint. I'm forced to question the strength of those attributes when the community diverts attention away from the subject at hand when those issues are challenged.
The problem is the gains are all one sided. For a NAS, they are all gains – improved security from having a firewall, reliability is questionable but possible.
For pfSense, they are all losses. Security is reduced by having more services. Reliability is reduced. Attack footprint is increased.
-
I would rather see a pfCenter application that will allow multiple pfSense boxes to be managed and configured from one application/appliance
My two cents.
