Part 1 of this saga can be found here.
As mentioned before, this was a SaaS-focused business. Most of the vital business functions, including ordering, shipping and receiving, pricing, accounting and customer service, were SaaS. That meant that a rock-solid Internet connection was required. But again, a small business runs on a small budget. Combined with the fact that the business was in a strip mall, and we were lucky to get Internet at all.
Fortunately, we were able to get Fios for a reasonable cost and installed reasonably quickly. Previously the business had been running IPCop on a tiny fanless Jetway PC, but I felt we had outgrown IPCop, and the Jetway box, though still working, was a bit underpowered for what I needed. I settled on pfSense as my firewall of choice, but I didn’t want to run it on desktop hardware.
Fortunately, Lenovo had a nearly perfect solution for my budget: the RS140 server. It was a 1U rackmount server with a four-core Xeon E3 processor with AES-NI for fast crypto, and it came with 4GB of RAM for a hair over $400. The price was so good I bought two. Each I fitted out with an additional 4GB of RAM and two SSDs, a 240GB from SanDisk and a 240GB from Intel. There was a bit of consternation when I found that the server came with no drive trays, but I found that I could mount the SSDs in 3.5″ adapters and mount them directly into the chassis with no drilling.
The SanDisk and Intel SSDs in each server were configured in software RAID-1 using the onboard motherboard RAID, and the integrated IPMI was finicky but good enough that I could remotely KVM into the boxes if need be. The servers were then configured into an active/passive pair using the pfSense software, and I used a new HPe 8-port switch to connect them to the Fios modem.
The firewalls worked so well I bought a matching pair for the other location and connected them with an IPSec tunnel so they could share files more securely.
You may ask why I used hardware for the firewalls instead of virtualizing them. The answer is, I initially did virtualize them in Hyper-V. However, I just wasn’t comfortable with the idea of running my firewalls on the same hardware as my workloads. There have been rumors of ways to escape a VM and compromise the host, and indeed recent revelations about hypervisor compromise through bad floppy drivers and side channel data leakage a la Spectre and Meltdown have confirmed my suspicions about virtualized firewalls.
Coming soon: Backup, environmental, monitoring and security.