Drobo

Firewall Hardware Needed for DroboElite as SAN?

All,

I’m new to the forum and we are purchasing a DroboElite (we’ve already received it on a trial basis). Our plan is to setup the unit as an iSCSI SAN so people can access externally via WAN and VPN. We’ve been told that we need a hardware firewall. A few questions.

  1. Do you agree that a hardware firewall device is warranted?
  2. Is OS X Snow Leopard on a MacPro adequate as a firewall?
  3. If you believe a hardware device is warranted, do you have brand/flavor recommendations?

I’ve called tech support and they will absolutely not make any third party hardware recommendations.

Thanks in advance for any help you can give.

kbural

  1. Depends on how you want the WAN access to happen. Unless you want to share your DroboElite with anybody who pings your WAN IP for ISCSI, then yes you do need a firewall or other method to control the incoming connections.

You should have a firewall to avoid this, just like home computers directly-connected to the Internet should have a firewall to prevent intrusion.

  1. I really don’t know what OS X offers in terms of security. A security expert friend of mine says Mac OS is just as vulnerable as Windows - just nobody goes through the effort to attack them because of little reward.

  2. A hardware device would provide great OS-independent security and may or may not allow you to configure what you need.

Exactly how will people be accessing your DroboElite from WAN? If they’re already going to establish a secure tunnel or other VPN type solution, then additional hardware is likely unnecessary.

Thanks so much, bhiga, for responding so quickly!

  1. No, I don’t want to share with anyone other than designated team members.
  2. I anticipate that 20+ team members will hit it but only 4 - 5 of them at any given time.
  3. I don’t know enough about the VPN to responde to your last sentence. I’ve been told that VPN is what I’m after by the Drobo tech guys but know nothing beyond that.

I appreciate your help.

A VPN is definitely what you’re after. There are multiple ways to achieve that, and the best method will really depend on the nature of your remote team members.

Are your remote team members sharing an office, or at home offices?
Do any of the remote team members work mobile (access from multiple or unknown locations)?

Fixed offices could use a hardware VPN device that would essentially bridge your network with the remote office, making the whole thing appear like one giant network.

For individual access they could establish a PPTP or IPSEC tunnel.

My employer used to use Nortel Networks VPN client, but now we’re using SSL VPN from Juniper Networks.

I’m no network expert by any degree, so you’d probably be best-served finding a network guru to get you set up. The worst thing to happen would be to get something set up with a “hole” and have a false sense of security only to find out later when someone intrudes on your network.

As for my own personal situation, I have multiple locations with a router at each that “dials in” (it’s not really dialup) over PPTP connect each location with the main location. The main location’s router handles routing between the different subnets.

When I travel remotely, I use SSH tunnels and port-forwarding to gain access to in-network stuff from the outside world. It’s a manual process but I’m the only one who accesses things, so it’s OK that I’m the only one who knows how to use it. The nice thing is that just about every Internet access method I’ve used (tethered to cell phone, “limited” hotel access, hotspots) allows SSH. :wink:

Cool. Thanks so much for your response. It sounds like I’m headed in the right direction but just need to work on the details. I’m contacting a network guru today to clarify dets. I sincerely appreciate your help.

BTW, yes, the team members are working from their homes and they do mobile work. They are all freelancers with whom we contract frequently. Thoughts about that?

You’re welcome. I’m sure you’ll get lots of info from the network guru or tech sales person. :slight_smile:

As for your team members, since they’re contractors, you probably don’t want to have them permanently connected to the private network (though if they have a dedicated “work” machine you might), so they could use a mobile-oriented connect-on-demand solution.

If you had field offices, then I would’ve recommended looking at a hardware persistent-connection type solution, as that would support multiple users and computers without each having to connect to the private network on-demand.

For example, my employer has multiple offices throughout the country, but we’re all connected to the same central company network. Nothing needs to be done on my office machine to connect to the company network - it’s all handled in the IT room by dedicated boxes and the connection to the company network is persistent.

However, when I’m traveling or need to access from home, I connect to the VPN website, enter my security credentials, then I’m temporarily connected to the company network. I do my work, then I disconnect.

Make sure you mention that you have more users than will be simultaneously connected, as this would allow for purchasing fewer connection licenses (per-connection vs per-user) which will likely be cheaper for solutions that license per user or connection.

No matter what you end up doing though - be sure that all your freelancers have antivirus and follow reasonable data safety procedures. If someone gets a virus on a local computer and connect to the private network, that virus can do damage on the private network as well.
For Windows XP and newer, Microsoft Security Essentials is free - and seems to be pretty decent. I’m running it on two of my slower machines and it seems to do better than the commercial package I was using there before.

Great advice. Thanks so much. Your messages are helping me qualify my deployment approach for this process for which I’m extremely grateful. If you think of anything else, please don’t hesitate to share! :wink:

Will do. All I ask is that you remember me when you become rich and famous - or if I’m ever looking for a job. :smiley:

Hahahah. Will do!

kbural, I’m new to Drobo and new to SAN and iSCSI, so forgive me if my questions seem novice.

  1. Does each of these remote users have their own volume dedicated to them on the SAN?
  2. What do you/they use that space for?
  3. Doesn’t this require each of those users to have iSCSI initiator installed?
  4. What advantage do you gain over a NAS and connecting to that NAS by shared volumes?

I am new to SANs and Drobo, but I have some experience in network security. It seems to me that no additional firewall security is necessary assuming some basic network security steps are in place like the SAN having a private IP inside your private network, not a public IP or DMZ. I might set up a special block on my firewall to block any port 3260 attempts. But VPN should be the only way external users are able to get to the SAN.

jjlatdrobo,

Sorry I’m just now getting back with you. Unfortunately, we have not yet deployed that part of the system. We are only using it internally for now. We hope to roll out with the VPN portion of the implementation sometime in early December. I wish I could be more helpful.