Firewall Distribution at a Mouse Click
In addition to the numerous Linux distributions to choose from, we now also offer OPNsense, a professional firewall distribution. Using OPNsense you can easily and effectively reduce the potential attack surface of your servers by placing critical systems in a private network behind your OPNsense firewall and protecting them from direct access from the Internet.
What distinguishes OPNsense
OPNsense is a popular distribution for operating e.g. routers, firewalls, NAT or VPN gateways. User-friendliness is a top priority: the firewall is set up with the help of a wizard and thereafter configured completely via a graphical web frontend. There is no need to deal with configuration files. However, if you do not want to restrict yourself to the web frontend, you can still enjoy full SSH access to your firewall.
The feature set covers all your needs: in addition to its functionality as a NAT gateway for your private network, the firewall also acts, for example, as a VPN endpoint or as a load balancer for redundant web workers. Plug-ins for virtually every use case complete the package. OPNsense is based on FreeBSD and is an open-source project supported by a strong community. It is very economical in its use of RAM and CPU power, thus enabling cost-efficient operation.
What a simple firewall setup can look like
Private networks have been available at cloudscale.ch for quite some time and are ideal for servers that need to run in a professional data center but must not be directly accessible from the Internet. Instead of connecting servers to the LAN in your office, you can set them up at cloudscale.ch and connect them to your "private network", which is completely invisible to the Internet and other customers. Create a virtual server with OPNsense to serve as a firewall between the private network and the Internet. This gives you full control over which data should flow where – and where it should not flow.
Accessing your data remains really easy as you can use the OPNsense web frontend to configure a VPN and create a user account for each authorized person. As soon as they connect to this VPN, they can access your servers as usual – irrespective their own location. It goes without saying that data traffic in the VPN is encrypted to protect your data from being spied upon. This way, you also provide employees working from home or on the road with optimal access to your internal IT tools.
An OPNsense firewall also provides additional protection for publicly accessible systems such as your website. You can set up another barrier against attackers and prevent many attacks altogether by making services such as database backends unreachable from the Internet. A reverse proxy on your OPNsense firewall (e.g. with the HAProxy plugin) forwards the HTTP(S) requests of your visitors to the web server in your private network and delivers the corresponding web pages via the Internet. A further advantage is that HAProxy also supports setups with multiple web servers, thus allowing you to distribute the load and even keep your website available in the event of a web server failure or during maintenance.
Further tips for you
For optimal security, we recommend the use of strong passwords and the timely installation of any security updates available for your firewall. If you prefer to use keys for SSH access, you can specify them in OPNsense's user management. Like our cloud control panel, OPNsense also supports two-factor authentication via TOTP.
A VPN and a reverse proxy, as described above, are just two of many useful applications. It is also possible to route Floating IPs directly to internal servers and at the same time benefit from the advantages of a dedicated firewall system.
In addition to OPNsense, we also offer you to choose the pfSense CE distribution for your virtual servers. Based on the same roots, the two distributions are fine-tuned to the needs of the respective community. In most scenarios, however, choosing one of the two solutions is primarily a matter of taste.
The OPNsense and pfSense CE distributions offer a great deal more than can be discussed here. Explore the numerous features in the user-friendly web frontends and learn more about the available functions in the extensive documentation of the OPNsense and pfSense CE distribution.
Batten down the hatches!
Your cloudscale.ch team