
SOHO firewall with Encrypted Filesharing


  1. Why not Dropbox or Google Drive
  2. Our Solution
  3. Additional advantages over a low end home router/gateway
  4. Cost, performance and hardware

We have been approached on 2 occasions by clients asking about security of client data, particularly in respect of FCA guidelines.

The solution presented here, whilst non-trivial, could still be cost advantageous when all the advantages are viewed together.

Specifically for client data security, this product offers a solution where physical security is of concern, i.e. in a serviced office where a secure comms room isn't possible.

1. Why not Google Drive or Dropbox

Hosted solutions (Dropbox, Google Drive) were considered, but a remote file share with large files is not conducive to a good experience for impatient users. Services that sync files are better at this, but cause concurrency issues and, if devices are stolen (or legitimately removed) and the sync function is disabled, confidential files are still accessible on the device and permanently out of reach.

Dropbox exposes previously deleted files, showing that hosted products have data retention issues.

[ http://www.theregister.co.uk/2017/01/24/dropbox_brings_old_files_back_from_dead/ ]

These options did not meet our clients' interpretation of the FCA guidelines (note: the FCA seems not to prescribe, but suggests the relevant office holders take an informed decision on what is reasonable). 

We're not offering advice, only indicating what our client did.

2. Our solution

Our solution is low cost to acquire and remotely maintainable, using dm-crypt to encrypt an entire partition at block level. Keys are not stored on the device (thus any reboots are monitored and there is a level of support to recover from one).

Sharing is accomplished with Samba with full user/group permissions, accessible from Windows and Mac. Remote (off LAN) access to files is available via encrypted VPN, or direct routed IP assuming a fixed IPv4 or IPv6 address.
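
Added example (not part of the original page and not the vendor's own tooling): an admin-host script that detects a gateway reboot by its changed kernel boot_id and re-opens the dm-crypt volume by piping the key over SSH, so the key only ever lives in the gateway's RAM. The gateway address, device, mapping name, mount point, key path, the LUKS header format and the smbd service name are all assumptions.

```sh
#!/bin/sh
# Added example, run from the operator's admin host; not the vendor's tooling.
# Hypothetical values: gateway address, device, mapping name, mount point, key path.
GATEWAY="${GATEWAY:-root@gateway.example}"
DEVICE="${DEVICE:-/dev/sda3}"
MAPPING="${MAPPING:-share}"
MOUNTPOINT="${MOUNTPOINT:-/srv/share}"
KEYFILE="${KEYFILE:-$HOME/keys/share.key}"
STATE="${STATE:-$HOME/.gateway_boot_id}"

# A changed kernel boot_id means the gateway rebooted and the in-RAM key is gone.
needs_unlock() {  # $1 = last recorded boot_id, $2 = boot_id read just now
    [ -z "$1" ] || [ "$1" != "$2" ]
}

# Command line run on the gateway. "--key-file -" makes cryptsetup read the key
# from stdin, so it is never written to the gateway's storage.
# Assumed: a LUKS header on the partition and a Debian-style "smbd" service.
remote_unlock_cmd() {
    printf 'cryptsetup open --type luks --key-file - %s %s && ' "$DEVICE" "$MAPPING"
    printf 'mount /dev/mapper/%s %s && ' "$MAPPING" "$MOUNTPOINT"
    printf 'systemctl start smbd'
}

# Poll once: unlock and remount only if the gateway has rebooted since last run.
check_and_unlock() {
    current=$(ssh "$GATEWAY" cat /proc/sys/kernel/random/boot_id) || return 2
    last=$(cat "$STATE" 2>/dev/null || true)
    if needs_unlock "$last" "$current"; then
        echo "gateway rebooted (boot_id $current): re-opening $DEVICE" >&2
        ssh "$GATEWAY" "$(remote_unlock_cmd)" < "$KEYFILE" || return 1
        printf '%s\n' "$current" > "$STATE"
    fi
}

# Invoke from cron or a monitoring hook: RUN=1 sh unlock-share.sh
if [ "${RUN:-0}" = 1 ]; then check_and_unlock; fi
```

Until the unlock step runs, a rebooted or stolen device exposes only ciphertext, and Samba has nothing to serve.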

3. Additional advantages over a low end router

QoS

latency and jitter
bandwidth

SIP / VoIP had/has a bad reputation for call quality. QoS, Queue Length, Latency, Jitter and Bandwidth have an effect on VoIP.  There is much to be read on the subject.

Below is a real world example - business contention ADSL 2+ line:

  • Yellow : Upload bandwidth maxed out,
    • 2-5% packet loss
    • latency of 80ms + 30ms jitter buffer = 120ms delay
  • Amber : no more upload, just "normal" use,
    • some packet loss
    • latency of 10-60ms and up to 40ms jitter buffer = 50-100ms delay
  • Green : QoS enabled, still "normal" use, upload traffic is managed
    • no packet loss
    • 10ms latency, no jitter buffer required.
    • this will deliver an acceptable VoIP call

Resource Management

Monitoring / reporting employees' internet access, long term trend graphs

4. Cost, Performance and Hardware

Cost

The acquisition cost of the hardware is £50 - £300, starting at the higher end of a home router, but ending far below a commercial firewall product.

Once the hardware is acquired, the marginal cost to add encrypted filesharing, VPN access, QoS as well as options like traffic monitoring is negligible. We run all this safely on ONE device.

Setup would depend on the precise services required.

Performance

All solutions support 1Gbit ethernet.  Secondary storage speeds range between SSD and SD card depending on the hardware used. 

Hardware

  • Intel Next Unit of Computing devices, both single NIC with a VLAN capable switch and multiple NICs for LAN segmentation. All NUC solutions are 1Gbit NICs with SSDs and will transfer data near to wirespeed.
  • Banana Pi M2, the single NIC requires a managed switch that is VLAN capable, but has the additional advantage of complete remote recovery using a backup SD Card. Although the device has a 1Gbit NIC, throughput doesn't go much beyond 300Mbit. Since the internal SD card only supports up to 32GB, external USB mass storage is used for the block-level encrypted fileshare.

We've not attempted this with a Raspberry Pi due to USB ethernet constraints, but in principle it would work.

 

Service Features

Once the need for border control is accepted, there are only marginal costs for additional services.

  • Physically small (fits on a desk or a shelf)
  • Low power (5W or £0.02/day)
  • Used by Mac and Windows (7 & 10) PCs
  • Stateful packet inspection firewall and IPv6 router
  • In the event of single NIC hardware a VLAN capable switch is required
  • Filesystem encrypted at rest (keys are only stored in RAM so theft of the device renders the data meaningless)
  • File sharing with user and group level control
  • Daily Incremental backups that are monitored
  • Guest VLAN (for guest wireless users)
  • PPPoE (for ADSL or FTTC) or DIA with QoS for VoIP
  • Resource Usage graphs for long term planning and short term fault diagnosis (processor, storage, network and ADSL line stats; the ADSL line stats only work with DSL-320B)

 


© Commercial Internet Solutions Limited (2019-)
Registered in England and Wales, Company No. 07276867
