A rant: "Don't put TrueNAS on the internet" - "Backup your NAS"

Hopefully, all of us have some level of control over what / who connects to the home network. The same cannot be said when you expose ports / services / NAS’ to the internet. Clearly, the most secure option is to run your NAS off a battery while air-gapped inside a Faraday cage. Most of the time it would be kept electrically-powered-down, and only boot it up as needed. Everything beyond that becomes a trade-off re: security vs. convenience.

Most of us are likely in violent agreement re: limiting the potential impacts of naughty attached devices. Good hygiene is a must. VLANs, dataset / share permissions, snapshots, SMB encryption requirements, WiFi security, hardening end-points, ensuring users have malware detection, etc. all go a long way towards putting up more and more layers to help keep the data secure. But will it be 100% safe? Never. That’s why we have backups, ideally off-site and un-powered.

A firewall does not protect from the kinds of privileged attacks you describe above. Authorized users encrypting content via ransomware can likely be best mitigated with checkpoints, snapshots, and IDS tools that scan for suspicious network behavior. The firewall issue you seem to describe is more likely related to limiting access to the guts of the NAS, for which a hardened gateway / switch is likely a better answer, i.e. no access other than from a specific reserved IP on an isolated sub-net with a hard-coded MAC address.

That is what encryption is for. Both for the hardware (i.e. encrypted pools) as well as specific datasets / archives / files. Nothing prevents you from making the data functionally useless unless an attacker has the keys to the kingdom. So you can encrypt the pool to make physical theft of the data less possible and then host encrypted archives for the stuff you’re also worried about other users snooping into.

All comes down to how much you value your data. We have plenty of stories here that describe precisely what you claim is unlikely. We care about bit-rot for a reason. The more cautious folk here keep off-site, electrically-dead backups for a reason. Many also have off-site machines they can replicate stuff on an hourly basis to. All comes down to budget and willingness to do the work.

I happen to have a different opinion re: the use and benefit of a firewall for the NAS when I can/have program(med) one quite easily via the switch / router on my home network. That firewall remains persistent across reboots / upgrades / etc. and requires zero work for the iXsystems team.

All that said, a better effort may be to set up an IDS to log / highlight suspicious patterns. That could be as basic as a Raspberry Pi (see the honeypi project, among others), up to more sophisticated IDS’ based on N100 platforms that scan all network content. Good luck.

1 Like

What would a firewall on the TrueNAS system actually solve?

Makes me wonder why Synology bothers including one with DSM if it doesn’t solve anything.

Well, the frequency with which Synology/QNAP/ReadyNAS are ransomwared may provide an idea re: how useful that ‘firewall’ is. Especially when those machines are delivered with UPnP and like technologies that yes make it a lot easier for a neophyte to set up but which also punch lots of holes in the so-called firewall. It’s a lot easier to ransomware a device with pilfered but valid access privileges than to hack it outright.

Ditto technologies like WDS, keeping IoT devices on the same sub-net as your NAS, enabling SMB1/NTLM access, etc. Never mind folk putting their NAS in the DMZ and wondering why every loser / bot on the internet is relentlessly port-scanning it.

I’d focus more on how TrueNAS reduces attack vectors by giving the admin a good overview of what services are running. Then, if you want to be paranoid, take note of the required ports for said services and block all other ports at the gateway / router / switch level. Any errant port openings at that point will be useless to a would-be attacker.

Take it to the next level with encrypted SMB3, admin ports only available on certain sub-nets (ideally physically segregated), and so on. Even VLANs can go a long way towards making it really difficult for attackers to traverse your network in meaningful ways, especially if you have an IDS looking for a port scanner.

It’s all about layers. Ideally with a canary in the coal mine thrown in for good measure so you can shut down the beastie before it is taken over.

2 Likes
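An added example, not part of the thread and not TrueNAS code: one way to spot the "errant port openings" mentioned in the post above, by comparing listening sockets against the ports noted as required and flagging admin ports that listen outside a management sub-net. It assumes Linux `ss -H -tln` output; the allowlist, the management sub-net and the sample listing are all constructed for illustration.

```python
import ipaddress

# Assumed allowlist: ports the admin noted as required (hypothetical values).
REQUIRED = {22: "SSH", 443: "web UI", 445: "SMB"}
# Assumed policy: admin ports may only listen on the management sub-net.
ADMIN_PORTS = {22, 443}
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed sample in the format printed by `ss -H -tln`.
SAMPLE = """\
LISTEN 0 128  10.0.50.10:22    0.0.0.0:*
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 50   [::]:445         [::]:*
LISTEN 0 4096 127.0.0.1:6000   0.0.0.0:*
LISTEN 0 128  0.0.0.0:32400    0.0.0.0:*
"""

def parse_listeners(text):
    """Yield (ip_address, port) for every LISTEN line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if host == "*":                        # ss prints * for a dual-stack wildcard
            host = "::"
        yield ipaddress.ip_address(host), int(port)

def audit(text):
    """Return sorted (port, address, reason) findings for network-reachable listeners."""
    findings = []
    for addr, port in parse_listeners(text):
        if addr.is_loopback:
            continue                           # not reachable from the network
        if port not in REQUIRED:
            findings.append((port, str(addr), "not on allowlist"))
        elif port in ADMIN_PORTS and addr not in MGMT_NET:
            findings.append((port, str(addr), "admin port outside mgmt sub-net"))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, reason in audit(SAMPLE):
        print(f"{addr}:{port} -> {reason}")
```

Anything it reports is either a service to switch off or a port that the gateway-level block has to cover.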

Yeah, I have a Ubiquiti UDM Pro running my network at home, so I’m one of the lucky ones with IDS/IDP, and my network is pretty segmented up to prevent/mitigate some issues.

I have some level of sympathy. “Common wisdom” on these topics is not always nuanced.

Like most others I wouldn’t allow WAN to connect to my NAS - but this is fairly low hanging fruit. After that, I’m certain that the likely source of issues comes from within, through clients with malware, or even malice. My impression, despite the occasional blog post, is that security in TrueNAS isn’t a high priority, and when raised, often met with that exact argument (“Well, it shouldn’t be connected to the Internet anyway!”). Here is one recent security-related example which I found quite disturbing and there is no sign of iX planning to address it.

Regarding backups. Clearly it’s all a trade-off. Personally I keep my most valued data in 4 places whereof 2 away from my house and 2 always offline. However in reality I’ve never had to reach beyond my main RaidZ2 with regular snapshots. Maybe one day I will. But the likelihood that I will need to reach all the way for my last copy is probably less likely than being hit by a car tomorrow. So, rational? Arguable. But it tickles my OCD.

1 Like

Risk of a false sense of security with IDS/IDP these days with almost everything going over TLS anyway. Unless you faff around with transparent TLS proxies and certificates on all the clients to put yourself in the middle.

Segmenting the network good, and frequent patching and teaching kids and wife not to click “yes” to random prompts or following random links also important…

1 Like

My wife made me specifically responsible for household patch management 🥲

1 Like

Confused here… Redundant has nothing to do with backups.

Redundancy ensures availability, even if some drives fail (Z2 allows for up to 2 disks per vDev to fail before availability suffers). Happy to say redundancy has ensured availability for me many times.

Backups ensure resilience (capacity to recover quickly).

If you choose to backup irreplaceable files to Backblaze, then that is wise. All choices that you can make. Regardless, RAID of any type is NOT, nor will it ever be, a BACKUP.

I’m new to TrueNAS and searching for options to enable a local FW led me to this post and your reply is pretty on the mark. I’m a security engineer and in many environments it doesn’t matter what the purpose of the server is. The best practice is to secure it. What if I turn on the Plex plugin and it has a bug or malicious code in it? What if I add some other plugin that opens a session out to the internet somewhere? I don’t want TrueNAS to be a firewall. I want to enable a software firewall on my server to secure it. Those are two different things entirely.