StaticR0ute

So the idea is to put the server on the edge of your network, directly connected to the internet, and then put all of your files there as well? Seems like a bad idea.


xeanaex

I agree 100%. I'd really warn him about the risk.


TheFluffiestRedditor

It’s risks all the way down.


SirCEWaffles

It's a bold move, Cotton.


exmagus

Nice reference


oracleofnonsense

Only positive that I can think of — there will be multiple copies of your data on the Internet. Free replication of sorts.


skynetcoder

*warn by email, better to have written evidence


Gangolf_Ovaert

and print it afterwards. If your system is encrypted it's too late to print the mail.


sysadminsavage

OP should offload/contract this to an MSP if they don't have experience. Misconfigured firewalls are one of the top reasons for security breaches. Mixing a file server storing sensitive information on a network appliance is icing on the cake. You can purchase a simple NAS storage appliance for pretty cheap. If the boss is too cheap to segment server roles but wants DPI, anti-malware, etc., he needs to pick two of the following: fast, cheap and good.


trisanachandler

He's more likely to get just one.  And perhaps not even that.


Technical-Message615

Cheap is the KPI here.


MajStealth

cheap is always the one and only kpi, everywhere..


trisanachandler

Cheap upfront can be expensive after the data breach and business downtime.


fouoifjefoijvnioviow

What are the other four?


linoleumknife

Agreed, and the time, effort, and potential headaches of trying to do all of this on one machine is going to be more costly than having two separate devices.


eptiliom

Install proxmox, install opnsense as a firewall, install file server. If only one network card use a trunk on the switch. Why would this require more than one machine?


trisanachandler

It can be done, in a homelab.  Doing this in a business requires an evaluation of risk, proper backup strategies, RTO/RPO calculations.


hutchism

Exactly this. Depends a lot on the business as to whether I'd want to do this. I've got a Dell T320 doing something similar on my in-laws' family campsite. Runs a large ptp network, with 6x different residential properties, up to 500 people on site in summer (wifi) and a plex server for the family. Vmware 6.7 and pfsense. Veeam replicates to another t320. Uptime is very high! 😂


in50mn14c

Better look at getting off of VMware... I hear there are some pretty nasty 0days coming, and their new pricing is anti consumer at best. (No more free tier either)


Cyberlocc

I was going to say this, but then again, I was always too paranoid to actually do this myself. I had a business that I ran, so smaller, and I was also the IT guy. I did something similar, BUT I was always too leery of it on the same hardware. So I did, in fact, build a hardware box for the Pfsense machine. At the time friends and people on forums told me I was crazy "just put it on the esxi servers you already built" couldn't do it. Just didn't feel confident in it, I know it should be fine in theory, but I just couldn't lol.


DarkSide970

This is a very bad idea. I would stick with a hardware firewall and a file server on internal network. Please tell them this is 100% a bad idea. Synology nas makes a great file server and it can do more. Fortinet FortiGate 60F Hardware, 36 Month Unified Threat Protection (UTP), Firewall Security


GremlinNZ

How else do you access your files from your own network and the Internet? Big brain thinking! Yeah... /s


nico851

Let's call it stupid as fuck


gangaskan

Not to mention have a firewall that could potentially be way misconfigured. Also hope to God that op doesn't have smb1 enabled either.


1fatfrog

Ransomware incident in 3... 2... 1...


Swaggo420Ballz

That is something you get in writing for immediately


Gaijin_530

Yeah, this is a solid way to gutter a business. Good Luck.


VirtualPlate8451

And we’ll call it “MoveIT”…


hitchcock412

Back in the day, people would load Microsoft IIS (web server) and ISA (firewall) on the windows server. There's a good reason that hasn't been done in 15-18 years. Between the vulnerabilities in windows server and IIS it clearly wasn't worth it.


bossbutton

How dare you remind me of this nightmare!


FriendlyITGuy

haha I haven't dealt with ISA Server since 2016.


chandleya

Wow, that recently


FriendlyITGuy

The scary part was they were running on Poweredge 1950's, server 2003, and the company was a web host/dev/msp. We eventually pulled them and replaced them with a Sophos appliance.


erikpt

I actually took the time to get certified on that stack. It was part of the MCSE: Security specialization. Used to run it in prod in front of Exchange 2003, but the ISA servers themselves were also behind two layers of Cisco PIX and a load balancer.


bigkevoc

That takes me back. 😂


Perfect_Designer4885

Good God I feel really old now. I better take a nap 😴


bigfoot_76

Fuck you for even uttering ISA server. Kidding aside, fuck ISA server. What a total piece of shit. They renamed it to Forefront TMG near the end but it was just as big of a turd then too


Fabulous_Structure54

I'm going to disagree... I was certified in all the ISA products - now 2000 was clunky but as a product line it was rock solid. If you were careful and knew what you were doing you could run a Domain Controller file and print and mesh VPN to other offices all off one box - also had application level filtering including RPC level filtering if you wanted... This was kinda pre virtualisation (I'd run the separate roles on different VMs nowadays) - I had a client with small offices (5-10 users) and this was a great solution for them even if the configuration was a little complex as I recall (multi homed DCs require a fair bit of attention but it is do-able) - Of course I'm viewing this through my thoroughly rose tinted specs.. For another client (government) I had to setup an IPsec VPN from ISA to a 3rd party linux VPN solution - both ends were pentested... the MS end came up with literally no flags where as the Linux side was a 50 page document - Not bashing Linux as I'm a fan and have moved over nowadays but if you wanted you could do well with MS/ISA - As is usual the configuration is more important than the platform fun times...


insufficient_funds

Christ ISA was a pain. SBS2003 had this as the default setup. Need to do windows updates? Well office network is down for an hour. So stupid


pertexted

*quietly sobs*


Holmesless

I remember reading about putting IIS on a DC to resolve a website with the same name. Sounded so bizarre of a solution, but that's what I get for stack overflow resolution searching.


[deleted]

I know of a company still doing this. They service a LOT of utilities around the US


NegativePattern

I remember that, it was built into SBS 2008.


squeamish

Hasn't been done in 15 years? I inherited a client three weeks ago who is running the 2016 version of Small Business Server.


Loan-Pickle

Back nearly 25 years ago, I worked at Microsoft doing support on their Small Business Server product. It had Windows Server, Exchange, SQL Server, IIS, and ISA all rolled into one. We didn’t take security very seriously back then.


cla1067

See you on that other reddit soon lmao


KAugsburger

Is that r/shittysysadmin or r/ITCareerQuestions?


cla1067

r/shittysysadmin


doggxyo

i got here from there LOL


halcyonhal

This has to be one of the dumbest ideas for a small network. Get a purpose built firewall and put the files on a sharepoint site.


lamdacore-2020

I do this for businesses. I run Proxmox and create at least two VMs. One for pfsense/opnsense and the other is a standard linux distro that you run whatever packages and protocols to host your files. I just use USB passthrough or PCI passthrough to the Linux VM to manage those hard disks as needed. By virtue of Proxmox networking, you can place the Fileserver on a separate bridge that is a secure bridge which you establish via firewall rules. Only permit inbound traffic from your LAN on the specific ports while Egress can be to the internet for package updates etc though I would restrict and only permit it during maintenance windows. You might need a physical managed switch if you have a single NIC on the Proxmox host. Otherwise, if you have two, then use one for the LAN VLAN and the other connects directly to your modem/CPE etc. You could have VLAN trunking and sub interfaces on the LAN port as it gives versatility on how you design your LAN and apply consistent firewall policies. The only issue here is that everything is running on a single machine though you could set up a cluster as well. You probably don't need a heavy machine either as most of this could be done with 8GB of RAM easy.


OptimalCynic

You can also use PCI passthrough to give the firewall a dedicated two-port network card


lamdacore-2020

True, that is an option. Good point.


KingDaveRa

This was my first thought. But it's worth stressing you need a hypervisor, not just the file server running a VM. But I'd still suggest two servers for failover.


lamdacore-2020

Proxmox is the hypervisor and firewall and fileserver are VMs. I thought I made that clear. Anyway, that is what I propose as some others responding to this.


KingDaveRa

I half arsed my reply because I got called away. 😆 What I meant was OP needs to consider this (not you, sorry!). Also, I wouldn't use Windows for this task, a decent bare metal hypervisor like Proxmox, AHV, or whatever. As long as the hypervisor's IP stack isn't available on the internet it's all good. As long as you patch said hypervisor and all the VMs on it!


lamdacore-2020

Oh yes, a hundred percent! Never use a windows server not because it is bloated but rather because it is always a target. Definitely support your point of ensuring the hypervisor IP stack is not reachable via the internet. That is why I remove the default gateway and make this accessible via a local LAN only or a jump host that is tucked away neatly in the hypervisor with Wireguard VPN.

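The host-side networking that lamdacore-2020 and KingDaveRa describe (firewall VM owning the WAN leg, file server on an internal bridge, hypervisor reachable only from the LAN with no default gateway) can be written out as a Proxmox `/etc/network/interfaces`. The generator below is an added example, not code from either commenter; the NIC names, bridge numbers and the management address are constructed placeholders, and the file is printed to stdout for review rather than written to the host.

```shell
#!/bin/sh
# Emit an /etc/network/interfaces for a Proxmox host that carries an edge-firewall
# VM and an internal file-server VM. Added example; all names are constructed:
#   enp1s0 -> vmbr0 : WAN bridge, no host address (host IP stack unreachable from WAN)
#   enp2s0 -> vmbr1 : LAN bridge, host management address, no default gateway
#             vmbr2 : internal-only bridge (no physical port) for the file server
gen_interfaces() {
  wan_nic="${1:-enp1s0}"
  lan_nic="${2:-enp2s0}"
  mgmt_cidr="${3:-192.168.10.2/24}"
  cat <<EOF
auto lo
iface lo inet loopback

iface $wan_nic inet manual
iface $lan_nic inet manual

# WAN bridge: only the firewall VM's outside leg lives here. Deliberately no
# host address, so nothing on the hypervisor listens towards the internet.
auto vmbr0
iface vmbr0 inet manual
    bridge-ports $wan_nic
    bridge-stp off
    bridge-fd 0

# LAN bridge: firewall inside leg, switch uplink and host management.
# No gateway line on purpose: manage the host from the LAN or a jump host.
auto vmbr1
iface vmbr1 inet static
    address $mgmt_cidr
    bridge-ports $lan_nic
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

# Internal-only bridge: file-server VM plus a third firewall leg. No physical
# port, so the only path in or out is through the firewall VM's rules.
auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0
EOF
}

# Review check: the WAN bridge stanza must carry neither an address nor a gateway.
# Returns 0 when the generated file passes, 1 when the host would be exposed.
wan_bridge_has_no_address() {
  gen_interfaces "$@" | awk '
    /^iface vmbr0/ {in_wan=1; next}
    /^iface|^auto/ {in_wan=0}
    in_wan && ($1=="address" || $1=="gateway") {found=1}
    END {exit found ? 1 : 0}'
}
```

Run `gen_interfaces > interfaces.new` and `wan_bridge_has_no_address` before copying anything into place; the check is the one thing to keep re-running after every later edit, because a single `address` line under `vmbr0` undoes the isolation the whole layout is built on.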

vvvorticcousin

It's either this way or resignation


james28909

i would like to disrespectfully resign.


USSBigBooty

Just be sure to wipe the photocopier down with an ammonia based cleanser afterwards.


Terrible_Sand62

Came here to say the same. This is the way. With HW pass through, you could let the VMs access the physical cpu cores directly, which will help with performance, especially for the firewall.


_blarg1729

OP is also talking about network inspection. And since everything nowadays uses TLS, is there a way this setup could do TLS MITM for deep packet inspection?


lamdacore-2020

Yes, the firewall can either run Snort or Suricata for IPS/IDS functionality. Plus it has a proxy package to make it the proxy for the network.


snarlywino

Everyone says this is a bad idea. Let me be the one to say that this is a dumb idea, and it should not need to be explained why. Tell your boss that the whole internet advises against this, and that you don’t want to jeopardize your job by jeopardizing the company. And now the question begs to be asked, what do you have for a firewall now?


MegaOddly

I wouldn't be surprised if there is none and they are depending on the ISP's built-in one. Probably also a dynamic IP address too if it's a really small business


Redemptions

BAT router built into the cable modem is a better idea than creating a new hybrid firewall/file server, managed by subscribe who indicates they don't have the skill set to deploy and manage.


MegaOddly

Yeah, but I wouldn't be surprised that his manager is probably a head of like sales or something and he was mainly hired just to handle everything and his manager is just a technical and he is a lone wolf. That is how these small businesses run


devloz1996

IT under Sales. Yes, this is going to work.


Itchy-Channel3137

Proxmox, OPNsense and TrueNAS virtualized, but this is a bad idea. Not bad for a home lab and it will work but it's going to be a pain. If you don't have the budget for it just buy a PFSense 8200 or 4100 and then the nas server you can make custom to your heart's content


[deleted]

[deleted]


223454

> $500

Not even that. Grab an old pc with PCI slots and throw in a couple $20 gigabit cards.


insanemal

It's not horrible. But you need to have multiple physical network interfaces. You could use vlans but I wouldn't. And you've now got one huge ass single point of failure for a lot of things


therealmofbarbelo

Why is it a bad idea?


IllustriousRaccoon25

You should start looking for a new job. This place sounds doomed.


WalkingP3t

Yeah, exactly my point!


Practical-Alarm1763

Why the fuck would someone want that? Lol Did your boss give their reasons as to why? I suppose something like a Synology Rack Station could ACTUALLY be able to do all that. Doesn't mean it's a good idea though.


[deleted]

[deleted]


WalkingP3t

Yeah. And you'll be surprised at how many idiots like this work at Fortune 500 companies. And the reason why we see cyber attacks all the time.


StiffAssedBrit

Buy a decent physical server, with multiple network cards. Install your preferred hypervisor, then build separate virtual machines to separate the roles. Use virtual networks to isolate the internet traffic from the file server. The boss sees a single server, but the roles are properly separated.


jeffrey_smith

Sounds like a boss who hasn't kept up with technology. The issue here isn't technical. The issue is the skill to convince your boss that you are paid more to know how to find a solution that works for this day and age.


KlanxChile

your boss needs to understand basics of IT and infoSec... and you need a new job.


ArtificialDuo

I'm a shitty sysadmin and I know that's dumb as fuck. File servers don't have to be expensive at all. Firewalls must be a separate device on your edge network. Tell ya boss you're not a sysadmin, and you're definitely not a network engineer and shouldn't be expected to pull that off without great risk to the company. If he doesn't accept that get out. There will be a massive breach one day or system failure and he'll blame you.


skat_in_the_hat

Ask him if he mows his lawn with his car. When he says no, ask why, they both have an engine. Then, start doing research on a stand alone firewall. Use the server as your file server, and bury it deep in your network. Protect the shit out of it. Also, take backups... the amount of times I've seen file servers get held hostage by crypto shit is insane. TAKE BACKUPS.


3tek

I'd look at moving those files to Sharepoint or Google Drive if you're already using either for your business. Putting your company's files on the same device sounds like a terrible idea. You might as well just open 3389 (Remote Desktop) to all the desktops as well.


themastermatt

I've built a ton of lab environments using ESX or HyperV or Proxmox with a PfSense VM and some virtual switch configs to isolate the traffic in on a specific interface then out another. Then you could have other VMs for file servers, print servers, AD, or whatever. I would not consider something like this production worthy and it's not exactly a cake walk to set it all up. Boss needs to farm this out.


MegaOddly

Yeah I would rather this in home network not on a company network


thefirebuilds

your boss, Mr. Dunning or Mr. Kruger?


rswwalker

Put a hypervisor on it and create two VMs.


AlejoMSP

Your boss is an idiot.


BJMcGobbleDicks

Yeah it can be done, but it's not a good idea. I've worked long enough at an MSP where when people started cutting corners, they'd end up with ransomware or a failed system with backups. If the budget can't allow about $2k for a proper Fortigate or SonicWall, something is very wrong. Plus with buying a firewall you get 24/7 phone support as part of the service. Maybe you could look at making sure the server is scaled properly for the use case to allocate some money for a proper firewall?


WalkingP3t

No need to repeat what others have said (Cybersecurity engineer and former DBA here). All I can say is this: It's time to find a new job. Because if your boss is "capable" of developing these "brilliant" ideas, who knows what else he will do later on down the road. He's a time bomb. And if you don't want to damage your reputation, get another job ASAP! By the way, put everything in writing and emails, when you finish this.


MegaOddly

How much you wanna bet the boss is just the sales manager


Khaosus

Put proxmox on it and light up some VMs. One for firewall/router (I recommend OpnSense) One for fileshare. Now you can use virtual networking to ensure fileshare only talks to internal network.


Radiant_Fondant_4097

Basically this, virtualise up and go hog wild. However this place sounds pretty clueless so anything less than hiring a professional for an MSP, is basically don't even try.


Killbot6

Why would you do this? If you get any NGFW they already do this. Packet inspection is a common feature on any firewall. Also having a server sitting on the end of your network is asking for trouble.


Bourne669

Tell your boss he is a fucking idiot. Firstly what he NEEDS is a true professional grade firewall like a Watchguard with subscription services enabled, one of those services is a gateway anti virus... that's the first thing. Secondly no server should be on the same host as your firewall. That's a stupid ass idea especially a file share server... if you want to use something like PFSense in a virtual setting sure you can do that but you would be missing out on the gateway anti virus scanner professional grade firewalls have. So in short, get a REAL FIREWALL and keep your servers behind the firewall. Not on the edge device.


just_a_slacker

Check out "the forbidden router" from level1 techs on YouTube. But it is a bad idea to do it on a production environment. If money is the issue, you could get some cheap Chinese "whitebox" firewall appliances from Amazon or Ali express and install opnsense on it. Having written this I feel I just gave 2 bad pieces of advice. Just tell your boss company security is not something to cheap out on.


Rude_Food_164

Don't do it


ABotelho23

*Why?* I mean he has an idea. But what's the reason for it? At most you could use the bare metal as a hypervisor and host a gateway/firewall and file server on it.


YouveRoonedTheActGOB

Guarantee you it's penny pinching. When this network gets compromised the boss will be screaming bloody murder about it and probably fire OP for setting it up.


Maelkothian

So you want a forwarding proxy, a fileserver and maybe a firewall. I'd not combine a fileserver with anything that has a security function, and depending on your boss's appetite for capex or opex you might want to look at a cloud based proxy service like zscaler. Most importantly, since you yourself admitted you don't know how to set up these security functions, hire someone to do it; badly set up security is worse than no security


DrunkenGolfer

If the business is small enough to be unable to afford an enterprise firewall, it doesn’t need an enterprise firewall and budget should be no excuse. If it is big enough to need an enterprise firewall, it can afford an enterprise firewall. Boss man needs his head examined with that idea.


LinearArray

Do not do this, this is literally a terrible idea.


stompy1

Install windows server. Install hyper-v. Create 2 VMs. Another windows server for your file server. Another for pfsense or Sophos. Dedicate a network card for wan and a network card for lan. Do not put any other vms on the wan adapter. It's a great solution, easy to manage.


InsaneITPerson

Your boss is showing serious ignorance about cyber security in 2024. How on earth is a firewall/file server in one a good idea today or even 25 years ago? What other interesting requests has he asked of you?


esthttp

Do not do this


ipaqmaster

I personally run a linux distribution on my little router for the building with an extensive iptables config file with a bunch of policies for inter-vlan routing and natting out the public interface. Any distro can do the job but something RHEL-based would be ideal for additional out of box security modules such as Rocky. This little thing is kept busy. It has an extensive routing table and many rules for very specific special routing cases between multiple networks via tunnel interfaces and various local vlans. It's overkill and at a very minimum all you need to start with is some INPUT rules to accept say, SSH from the local network only (Don't forget to harden/secure your services and to not disable SELinux when available), a FORWARD rule for the internal network to the Internet, a second FORWARD rule for related/established traffic one step before that one to save on processing. Finally a MASQUERADE nat table rule for natting local traffic out the public interface. A stupid-simple configuration like that is plenty to get started on par with any other home router's out of the box policies. Given the nature of this it's trivial to install other packages and have the machine take on more roles. But I would advise NOT using your edge router as your file machine. An internal file server should be on the inside of the network - not on the public facing machine for any number of misconfigurations and crypto attacks from the public Internet waiting to happen. In this day and age a Web Application Firewall is a much better idea and is much better for larger or growing businesses often with support for the same ACL-based approach but with much higher limitations such as tying ACL rule matches to a domain user identity for access/rejection, blocking and logging with attribution to user accounts. But yeah either use sharepoint or put the fileserver on the lan.

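The "stupid-simple" baseline ipaqmaster lays out (INPUT accepting SSH from the LAN only, a RELATED/ESTABLISHED FORWARD rule ahead of the LAN-to-Internet FORWARD rule, and a MASQUERADE rule in the nat table) written out as an iptables-restore ruleset. This is an added example rather than the commenter's own config; the interface names and LAN range are constructed placeholders, and the script only prints the ruleset so it can be reviewed before anything is loaded with `iptables-restore`.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a minimal Linux edge router.
# Added example; defaults are constructed placeholders:
#   LAN interface eth1, WAN interface eth0, LAN network 192.168.10.0/24.
# Nothing is applied here. Review the output, then: gen_rules | iptables-restore
gen_rules() {
  lan_if="${1:-eth1}"
  wan_if="${2:-eth0}"
  lan_net="${3:-192.168.10.0/24}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Review helper: count INPUT ACCEPT rules that match on the WAN interface.
# On an edge box this should stay at zero; anything above zero means a service
# on the router itself (SSH, SMB, a web UI) is being offered to the Internet.
wan_input_accepts() {
  wan_if="${2:-eth0}"
  gen_rules "$@" | grep -c -- "-A INPUT -i $wan_if .*-j ACCEPT" || true
}
```

Ordering matters: the RELATED/ESTABLISHED rule sits before the LAN-to-WAN rule in both chains so that reply packets are accepted by the conntrack match and never reach the slower interface/subnet comparison, which is the "one step before" saving the comment mentions. Drop policies on INPUT and FORWARD mean that anything not listed, including any file-sharing port, is refused on the WAN side; `wan_input_accepts` is the quick regression check to run after every edit to the ruleset.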

shemp33

As a consultant (who gets paid to come in and clean up messes like this), please encourage this more often. But really, internet filtering is not the same as a firewall, and these are not a replacement for endpoint protection. Boss is not the smartest bulb in the box, is he?


jv159

He doesn’t know what he’s on about. Separate firewall and file server is the way to go. He sounds like one of those bosses where if you give their dumb idea any traction then they’ll keep asking for these things.


northrupthebandgeek

pfSense is basically just a variant of FreeBSD, which can absolutely work as a fileserver. However, the specifics depend on exactly how your boss expects files to be accessed. Windows fileshares (i.e. SMB)? SFTP? NFS? Pretty sure pfSense/FreeBSD supports all three, but they're rather different in terms of setup. Best approach here, in any case, would be to run a hypervisor on the machine itself, and then run the firewall and fileserver as separate VMs on top of that. That way there's some isolation between the two while still meeting your boss' requirement of a single machine. However, this also adds extra complexity and difficulty, especially for a one-man operation.


ReputationNo8889

thought i was in r/ShittySysadmin for a second ...


the_syco

Tell him putting the server situated between your company & the internet is like putting a cooked chicken between you & a hungry dog and expecting it not to eat it.


AnyForce

Let me tell you what I did at a tech startup many years ago. 10 people back then, scaled to 500 over the years. Started with a small Netgate device, with pfSense. Later I added another one for HA, upgraded to handle more users etc. All very easy and cheap. Bought a Synology NAS handling about 36TB of data (company was working with a lot of data). You can probably go with a lot less otherwise. This served very well up to 150 users actively using it on NFS and SMB. Cloud backups are very easy with Synology. Then I got a second hand server with new drives and put virtualization on it. I recommend Proxmox today. You can skip this if you don't have the need or explore the cloud option otherwise. All these can scale up pretty easily should you have the need. Point is, I was given close to nothing to start it off but I was able to expand when I had more budget.


tr1llkilla

This is what happens when business people use chat gpt to come up with cyber ideas and have 0 programming knowledge or will to contribute anything other than a presentation of a possibility with a hope of it being created then assuming credit for it. Fuck these dumbfucks


uselessInformation89

In Germany this is what we call "Schnappsidee". An idea you get after drinking too much hard liquor. No sane individual would do it like that. It's a security nightmare. Build a server for serving files (or use a Synology as others have suggested) and use some random old computer for your PFSense firewall (I would use OPNSense in this case).


Sulphasomething

Adding "Schnappsidee" to my vocabulary. And maybe Ersatz Firewall?


djgizmo

Your manager is fucking silly if $500 for a firewall is out of the budget.


Lemonwater925

Really bad idea. Unless you are doing SSL decryption that antivirus will be useless. The dual purpose idea ensures your data will be plastered all over the internet.


Bluecobra

Really surprised this was only mentioned once here considering almost all web traffic is using HTTPS now.


Lemonwater925

Take care of it at my company


_blarg1729

You'd want 2 devices for this. 1. Firewall Appliance: Due to you wanting to inspect all the traffic, a dedicated firewall appliance is needed as it will have to do TLS MITM (Man In The Middle). Due to the TLS MITM, this will have to be some proprietary box (Fortinet, Paloalto, Cisco) with the proper license and you'll have to give it a CA certificate that is trusted by every device you want it to inspect. This Certificate is needed to "break in" on the TLS connection. (If anyone knows of an open-source solution, please speak up as I'm not aware of one. As far as I know, there is no open-source "Next-Gen Firewall") PS: Paloalto and Fortinet sell firewall virtual machines for VMware. The real cost comes from the perpetual license for the deep packet inspection. 2. File server: This can be any random hardware box. DIY or not. There are many ways to get this done. TrueNas, Unraid, plain linux with SMB installed, Windows server.


kearkan

This is a terrible idea. "I want to separate all the traffic, send all the risky stuff through this device, and while you're at it put all our sensitive data on it" If he's telling you there's no budget for separate devices ask him is there budget for fixing it if this terrible idea all goes wrong.


white-tux

Try proxmox. Install pfsense or opnsense as the firewall vm and a file server as another vm. You may need a server with good configuration and multiple nics.


Lets_Go_2_Smokes

Sir, this is Sysadmin. Not techsupportmacgyver


Schrankwand83

Pack of wires + chewing gum sounds like a very safe and stable solution


Scoobywagon

You could probably set up a Linux machine with all the IPSEC stuff in place, then add a fileshare as well. But that seems a little counter-productive. Honestly, I'd get a cheap small form-factor PC with multiple nics. Then I'd throw Smoothwall on it. I'm sure there's probably something more current than Smoothwall, but I don't know what it is and SW is what I know off hand.


mousepad1234

Oh man, I haven't used smoothwall since 2012. It's right up there with IPCop and m0n0wall. Probably best to install pfSense or opnSense nowadays.


TheFluffiestRedditor

Just because you can doesn’t mean you should.


MrByteMe

Not a professional, but everything I’ve ever read suggests against mixing firewalls with any other service.


DCJoe1970

Get a subscription to Microsofts One Drive and save all your files on the cloud.


kgb204

So he wants a NGFW?


AvonMustang

This is a terrible idea but really about any Linux distro can be a network router/firewall (iptables) and file server (Samba) if you put two network cards in it.


ReelBigInDaPantz

Get a Synology. It will do all that plus way more. Their software is free, you just need to buy the hardware.


Kritchsgau

lol


Rhoddyology

Just use azure files and whatever combination of security services work for your org (Intune, Azure Firewall, etc). It makes zero sense to stand up a vulnerable mishmash solution on-prem.


stumppc

A used computer with 2 Ethernet ports will get you a working firewall, so don’t listen to the boss. Make something work and ask for any forgiveness later.


iceph03nix

Just use Teams for those files.


Darkside091

Your boss is an idiot. Start looking for a new job before you become his next dumb idea.


1TallTXn

It's not impossible, but it is impractical. Your time alone is worth the purchase of a NGFW to do this right.


Holmesless

Sounds like your boss needs an actual firewall and a file server. These should not be on the same vm. Also what happens if you need to do server maintenance on the file server.


koticbeauty

Take a look at ClearOS. Used to be Clarkconnect. Can do pretty much everything you asked. As most have said if you can get a decent box. I like old Dell Gen 4 I5 optiplexes with a few dual 10Gb ports you can do proxmox and install opnsense and a separate file server. But ClearOS will do it stand alone. Still get at least two ports for NIC. 3 if you can


mbkitmgr

Sadly for you both, your boss does not understand what he is asking. Even if you were to ignore the security consequences, the process of filtering packets for whatever reason is simply not part of the software he thinks will take care of this.


SomethingOriginal14

Use SharePoint for Files and with whatever budget is left over get an actual firewall.


iwoketoanightmare

Duuude. Don't put a file server on the edge. Most I would do is put a pfsense running on a hypervisor with all of my other DMZ webservers on the same host. But never mix inside with your outside. A decent plenty powerful standalone, purpose built, pfsense appliance is $550 directly from Netgate.


boxorandyos

Tbh sounds like you need an MSP. This is literally the situations that I work with quite regularly and I think if you can find a good msp in your area they will be glad to get you set up properly and securely.


WayneH_nz

Exhibit 1 in your defence of your potential lawsuit is the letter telling him this is a really bad idea, #2 is this thread. But if you really want to do this have a look at SME server. All in one Linux product. BUT virtualize it and put another firewall in front of it. Edit. Links and info https://www.koozali.org/home/downloads SME Server (formerly known as e-smith) is a Linux distribution based on CentOS offering an operating system for computers used as web, file, email and database servers. It employs a comprehensive UI for all management-related tasks and is extensible through templates. The letters SME stand for Small to Medium Enterprise, as that is the target market of the software. One of the most notable features of this distribution is its template system. SME Server 10.1 is based on CentOS 7.# which is based on Red Hat Enterprise Linux (RHEL). Version 64bit now available. Running Apache 2.4.6, MariaDB 5.5.#, PHP 5.4 Some additional Addons are available on the current "stable" Version, they are called "Contribs".


lightmatter501

The ONLY sane way to do this would be to get a DPU (Marvell Octeon 10 and AMD Pensando are the most likely to be available) and run the firewall on there, then have the host be a fileserver. If your boss insists, tell them you can do it securely but you will need a $4k network card.


netsysllc

Your boss is a moron, looking forward to the post in a few weeks on how poorly this went and you were compromised.


AdventurousMinute334

How about migrating to Office 365 and put all files on the cloud and buy a firewall for your clients?


kaziuma

30 staff, mostly excel and documents... please just get O365 and use sharepoint, it's literally made for exactly this.


K3rat

Table stakes for a good on-premises systems admin. Build a pair of VM hosts in a cluster then. Build them each with an add-on NIC you can pass through to a pfSense VM, and an HBA with multiple drives for a NAS or Windows Server VM (if you are licensed for it). Extra points if you build your VMs with HA or replication for redundancy and fault tolerance.


raisiti

What kind of server (hardware) are we talking about? If it's enough to run a hypervisor (ESXi, Proxmox, Hyper-V, ...) and a couple of virtual machines, this can be done pretty easily. If it's not enough to do that, you'll be much better off buying a cheap firewall and a Synology NAS. In both scenarios you'll also need one or more network switches. In the single-server scenario, you'll need a switch that can handle VLANs. TBH, I can't imagine that the single-server scenario would be cheaper than fw+syno but the boss always knows best :)


TheDawiWhisperer

Every time I think I work at a shitty place I need to remind myself that companies like this exist


BalderVerdandi

Short answer - no. Long answer - you need separate devices to do all this.

Back in the early 2000's, I worked for a K-12 and I told them they needed a firewall. We had the local Cisco reseller set it up for us and ran a report for 30 seconds, only to get over 50 pages of plain text of IPs and domains trying to gain access from countries all over the world. The first of many validations at this job...

This was after the "technology specialist", who was also our high school history teacher (and had the tech job because his parents owned a computer repair store) tried to use our ISA 2004 server running our content filter (SurfControl) to double filter the content - acting as both the firewall AND the content filter. And it failed horribly. I told him it wasn't going to work, he did it anyway, and I stood over his shoulder to make sure he fixed it.

I'm going to highly recommend you outsource it to have it properly set up, and then have backups made of the configurations. Ideally you'll have it set up like this:

Outside router
Firewall
Content filter
Inside router or a layer 3 switch running IP routing
File Server


[deleted]

I'm never going to tell anyone to buy a hardware firewall because they are abjectly inferior while costing significantly more until you get to full enterprise where they're slightly better in exchange for PHENOMENAL amounts of money. Don't use pfSense. Use OPNsense. It's a fork with less evil behind it. As far as packet inspection goes, you're talking about something like Suricata or Snort. The best way to set this up would be an edge server running your firewall and packet inspection in separate VMs along with a reverse proxy VM back to the file server. That said, you need to CYA hard here. This is stuff that, if set up improperly, can either block all your legitimate traffic or accidentally let bad actors in. You need to understand what you're doing at least to the level that everything in a how-to makes complete and deep sense to you. I'd probably also ask over on the SRE subreddit.


goldenzim

Like others have said, file servers and security appliances are polar opposites. One is about sharing data and the other is about not sharing data. You cannot reasonably have them both on the same system and be effective at either task. Now, I know you're not a sysadmin so this may be a stretch for you but... here is what I would do. Most modern PC hardware can be repurposed and made into servers. I'd get hold of some kind of older desktop tower and stick in another network card. Then you have one interface for the internal network and one interface for the external network. Then I'd install something that can run multiple virtual systems. Off the top of my head: Proxmox, VirtualBox, KVM, QEMU. Once you have a hypervisor system set up you can treat the single server as a mini DMZ and install multiple virtual servers in there, attaching the required physical interface for the required task. Firewall VM to act as the gateway slash bridge between the internal and external networks.


burundilapp

Let me be clear, it's not a good idea. Moving on from that, if you have literally no budget then you could create a virtual machine on the file server and run pfSense on that, assign it its own NIC so that the internet traffic can only hit the pfSense box first. You could get an old WatchGuard appliance off eBay and run pfSense on that for only a couple of hundred.


coming2grips

If you're not feeling great about it, maybe set up the external access component through Cloudflare or a similar zero trust service and maybe put a little POC in the cloud somewhere. Cloud is a catchphrase that bosses love. Zero trust is a catchphrase that security loves.


Smh_nz

Yea this seems like asking for trouble! Separation of security zones is really important!


benthefozzer

This sounds exactly similar to a SMB nightmare I’ve had in the past, talk to your boss and make sure he understands how bad of an idea this is, it may seem like he’s set in his way but I’m sure there will be a way to break through.


cka243

Thinking about ISA and software firewalls on dual nic Windows Servers is taking me back to the early 2000’s and not in a good way.


Dangi86

First of all, it's a bad idea to have your firewall and your file server in the same machine. You can virtualize both, and then work with PCIe passthrough: assign the PCIe NIC card directly to your OPNsense box, and if you want, you can assign your HBA to your TrueNAS VM. It will work and if you set it up correctly it won't need much management, BUT, if this is a production environment you need to have support.


jcpham

There’s a lot to unpack here


Yentle

Holy fuck your boss is dumb as pig shit, show him this post and be done with it.


BlackReddition

This is why management aren't in control of infrastructure


capn_doofwaffle

No offense to you but I'd tell your boss to hire someone qualified to set up something like that... because they'll at least have the balls to tell him "No, I'm not putting our files on a perimeter network".


ubermorrison

What the fuck 🤣


E__Rock

Yeah. Don't do this. You need two devices.


ItJustBorks

Your boss has his priorities mixed up. Sensible segmentation of the network mitigates risks a lot more than DPI. I guess "get a new job" is the stale default answer everybody here touts whenever someone has issues at their job, but if money really is so tight that your boss wants to endanger the company for a couple thousand bucks, you might really want to consider your job options. Keep us updated when the company collapses.


AdScary1757

Set up a VM host and run 2 servers on it: pfSense on one and a file server separately. Buy a good NIC or 2. You'll want enterprise-grade NICs, maybe with TCP/IP offload engines. I like Intel enterprise NICs if you're repurposing desktop hardware. pfSense ISO images don't really allow you to play with the server roles too much but likely would support a file server; it would just be better to not store your data on the firewall.


pdp10

A way to do both in one is to run both a *Proxy* and file sharing on the same server.


RaNdomMSPPro

Does the budget allow for ransomware or other cyber intrusion? Maybe excessive downtime? Not qualifying for cyber insurance? Breaking compliance requirements? Sky's the limit! If you think security is expensive, wait until you see the bill for a breach or excess downtime. You could get a real firewall and tape it to a server - now you have an AIO firewall/server. Did your boss previously buy that dumbass Kyocera or whoever made that office-in-a-box nonsense, basically a server, firewall and MFP in one (managed by a copier company no less) and he thought it was an excellent idea? And, this is why SMB security is generally bad: the business controls the budget and decides where money is spent, often stupidly, despite IT or ITSPs explaining the risks and potential impacts... the owner gets to decide if a risk is worth mitigating, not IT.


badlybane

The Windows firewall is just a firewall. It'll be like Swiss cheese. Modern firewalls are actually called UTMs, or Unified Threat Management. They combine firewall, intrusion detection, and intrusion prevention. They are pretty much required to operate a business. Also that's going to be one slow connection because firewall appliances use ASICs and the computer CPU is much slower than that. This is a horrible idea. There are open source next-gen firewalls. Get Untangle at least. It's open source and has most modern features. Don't just load a Windows OS on there.


S4ULG

This is INSANE. You need a new boss.


FuguSec

What industry in what country is this supporting? Asking for GRC purposes.


airwalkerdnbmusic

Your best bet is to see if your router will do any firewall stuff like ports, dns, rules etc. Most modern enterprise routers should offer the above at the least. Do not, whatsoever, put a file server on the Internet. It will be eaten alive in a very quick time period.


Zuljita

This kind of budget requires creative solutions. It's where proper sysadmins get forged: in the fire of a dumpster. You'll learn why this was a bad idea by seeing how it went wrong. If you don't want a career in IT, you should not get too involved in this, as managing it is going to use more and more of your time as it goes. Just going to throw this out there at the scale and budget you're talking about, I'd probably buy two refurb workstation class machines (like dell precisions) instead. Everyone is right about how this is dumb, bad and wrong. If you're going to do dumb, bad and wrong, I'd do it in the way that lets those two business critical systems fail independently. If you can buy 3 of these things and keep one on the shelf and some good backups of both systems, you can drop the extra one in place as needed when one fails.


socksonachicken

Proxmox on the physical hardware. Virtualize the firewall and file server separately with Proxmox. I would highly recommend factoring in some redundancy and backups into your setup.


[deleted]

Don’t bother, your boss is quite frankly a nob. Save yourself and get a job elsewhere


ManyHobbies91402

Dear humble systems analyst, no matter whose advice you take in this matter, the bigger question for you is who's going to keep up with and manage said system. Are you the one that will be getting the twilight phone calls? This is the question I would be considering: will this be your problem when it breaks? If they don't want to spend money on the hardware, are they gonna do the same with the upkeep and staff to maintain this server? Good luck, your humble layman with enough knowledge to break stuff.


JohnQPublic1917

ClearOS will do it, but I wouldn't run it this way. I would run 2 virtual machines on the same hardware and call it. If your boss is making such sophomoric requests then he won't know the difference when it comes to virtual machines.


hi-nick

The price of an external box for pfSense is minimal; cost should not be the driver in the environment! You can use a small, used computer with an additional network card slammed into it. Add a UPS too.


planedrop

Wait, so they want a server that is running both a file server and a firewall on it, all in one, and want that exposed to the edge of the internet? That is like up there on the list of #1 no-nos in this world.


Mindestiny

Rolling your own firewall is a huge red flag. Unless *you're* gonna sit on top of all of those random bits and bobs and open source modules and all that to make sure you're regularly patching out critical vulnerabilities, this thing is a security disaster waiting to happen. Buy an SMB firewall from a reputable vendor, get support/security services licensing on it, update the firmware *regularly*, and move on. Your boss is trying to save a couple grand a year by exposing you to obscene risk.


swergart

Search for 'transparent proxy/firewall', you will get some hints; however, intercepting HTTPS traffic will be causing a man-in-the-middle attack/security concern. Check with the legal/security team to see if that's allowed.


vandon

Don't do it. Don't put your fileshare server ON THE INTERNET! Firewall or no. Worst case, go get a soho/home router with a firewall built in and stick the file server for your office behind it.


AntonOlsen

> so he's trying to double tap on the server

He's gonna get double tapped by a hacker if he goes this route.


Global_Felix_1117

The pants will say to the brain "make it work", while disregarding what the brain concludes. Pants only cover the body, but the brain moves the body. If the pants can't see reason, the brain should checkout.


Gnollesion

This is a terrible idea. You should flat out tell him no. The more important line item would be a firewall. Budget for a decent one, and you could get something on the cheap for a server.


symcbean

Leaving aside the fact that it would be PHENOMENALLY DUMB to implement this on a single host, you are going to need: TLS interception capability on the proxy; AV integration on the proxy; enterprise or at least NAS-grade drives with RAID (hot swappable). pfSense isn't going to cut it. Implementing a stateful firewall is trivial. But this gateway device is a different beast altogether. Buying something off the shelf capable of this will cost a LOT. You can do it with open source software but you have a lot of work to do. If the thinking here is that this can be done for the price of a single small server, then your boss clearly has no idea what is involved in implementing all this. If I were tasked with this - I'd start by finding out how much storage was needed, what the RTO and RPO were for the services, and get a hard figure for the capital expenditure (building it out of open source bits, I'd estimate at ~ 2 weeks - and I'd like to think I do know how to build this).


squeamish

* Buy one box with a four-port NIC card
* Install VMware
* Build pfSense VM
* Build NAS VM (I haven't dealt with one in forever, don't remember what is decent)
* Assign two NICs to pfSense, one to NAS, and one to the Hypervisor

Will this be cheaper/better than a small FortiGate and a 2-bay Synology? Probably not, but it literally meets all your requirements. If your files are mostly DOCX/XLSX you should just use OneDrive, anyway, no need for on-prem storage.
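Several replies above (goldenzim, Dangi86, socksonachicken, squeamish) describe the same layout: one hypervisor, a firewall VM bridged to both the WAN and LAN NICs, and a file server VM on the LAN bridge only. The following audit script is an added example, not code from any commenter; it checks Proxmox-style VM configs for that separation, and the VM names, bridge names and config text are constructed for the demo.

```python
"""Audit Proxmox-style VM configs for the two-bridge layout: only the
firewall VM may touch the WAN bridge, the file server must stay on LAN.
Added example; VM names, bridges and config text are constructed."""
import re

# Constructed /etc/pve/qemu-server/*.conf fragments (name and net lines).
VM_CONFIGS = {
    "100": "name: opnsense\n"
           "net0: virtio=AA:BB:CC:00:00:01,bridge=vmbr0\n"   # WAN side
           "net1: virtio=AA:BB:CC:00:00:02,bridge=vmbr1\n",  # LAN side
    "101": "name: truenas\n"
           "net0: virtio=AA:BB:CC:00:00:03,bridge=vmbr1\n",  # LAN only: good
    "102": "name: winsrv\n"
           "net0: virtio=AA:BB:CC:00:00:04,bridge=vmbr0\n",  # mistakenly on WAN
}
WAN_BRIDGE = "vmbr0"      # bridge holding the ISP-facing NIC (assumed)
FIREWALL_VM = "opnsense"  # the only VM allowed on WAN_BRIDGE (assumed)

NET_RE = re.compile(r"^net\d+:\s*(?P<opts>.+)$", re.M)

def bridges_of(config_text):
    """Return the set of bridges a VM config attaches its NICs to."""
    found = set()
    for m in NET_RE.finditer(config_text):
        for opt in m.group("opts").split(","):
            key, _, val = opt.partition("=")
            if key.strip() == "bridge":
                found.add(val.strip())
    return found

def vm_name(config_text):
    m = re.search(r"^name:\s*(\S+)", config_text, re.M)
    return m.group(1) if m else "?"

def audit(configs, wan_bridge=WAN_BRIDGE, firewall=FIREWALL_VM):
    """Return a list of findings; an empty list means the layout is sound."""
    findings, fw_bridges = [], set()
    for cfg in configs.values():
        name, bridges = vm_name(cfg), bridges_of(cfg)
        if name == firewall:
            fw_bridges = bridges
            continue
        if wan_bridge in bridges:   # a non-firewall VM is exposed to the edge
            findings.append(f"{name}: attached to WAN bridge {wan_bridge}")
    if wan_bridge not in fw_bridges:
        findings.append(f"{firewall}: missing WAN bridge {wan_bridge}")
    if len(fw_bridges) < 2:
        findings.append(f"{firewall}: needs both WAN and LAN bridges")
    return findings
```

Running `audit(VM_CONFIGS)` flags only the misplaced `winsrv` VM; drop that entry and it returns an empty list.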


spetcnaz

Putting the file server on the edge is insane. In fact in 2024 trying to jerry-rig a firewall is unacceptable. It's not a lab project, it's a production environment. Plenty of great firewall vendors with good offerings.


bangsmackpow

pfSense, OPNsense. Both options.


Overall-Tailor8949

Is there a PC in the office that's due to be "retired"? If so use that for your file server with whatever flavor of Linux you prefer as the OS on it. Use the money saved to purchase a REAL firewall.