[geeks] Putting an insecure machine on a network

Phil Stracchino phil.stracchino at speakeasy.net
Sat Mar 18 13:00:29 CST 2006


Sheldon T. Hall wrote:
> I need to connect to my network a completely insecure machine that cannot be
> secured.  I want to isolate it in a way that prevents it from connecting to
> anything but one address over the Internet, and do so in a way that cannot be
> subverted without physical access to the machine.
> 
> I'm on DSL, and have one fixed IP address.  Behind that, a typical DSL modem
> with NAT and various port forwarding to my servers.
> 
> I have a Sun SPARCclassic running Solaris 7 that has two NICs. One is on my
> internal network, the other is unused. Is there a way I can activate the
> second NIC and "lock" it in a way that any machine connected to it only has
> access to one IP address on the Internet, and no access to the Sun itself or
> to any machine on my network?

Given that hardware, surely it's more or less trivial.  Install a
firewall on the SparcClassic, connect the machine to the unused
interface (I'm assuming it's le0), then configure the firewall to allow
only packets to and from your one specified address, and drop
everything else.

I'm doing something similar on my network:  my DSL "modem" is configured
to act solely as a bridge and pass everything, untouched, to my
firewall/router, a U5 running OpenBSD and pf.  The U5 has four
interfaces: the onboard hme (hme0), a 3C905D (xl0), and a dual EEPro100
(fxp0 and fxp1).  hme0 is unused, because my experience is that OpenBSD
doesn't get along well with hme interfaces; xl0 is the uplink to the DSL
bridge; fxp0 is my internal wired subnet; and fxp1 connects to my
wireless router.  Both fxp0 and fxp1 have unrestricted access *to* the
Internet, but controlled access *from* it; fxp1 likewise has only
controlled access to fxp0.  Basically, my wireless subnet is treated as
a DMZ.


-- 
 Phil Stracchino       phil.stracchino at speakeasy.net
    Renaissance Man, Unix generalist, Perl hacker
 Mobile: 603-216-7037         Landline: 603-886-3518
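An added example, not part of Phil's or Sheldon's posts: a pf.conf ruleset of the kind Phil describes, written for OpenBSD pf (the firewall he runs on his U5) rather than for Solaris 7. The interface names, subnets and the allowed address are assumptions; le0 is the quarantine interface from Phil's guess, fxp0 stands in for the trusted internal side, and 192.0.2.10 is a placeholder for the one permitted Internet host. It also assumes the firewall host NATs the quarantine subnet behind its own internal address (OpenBSD 4.7+ `match ... nat-to` syntax, newer than the 2006 post), so the DSL modem needs no extra route.

```pf
# Added example, not from the original post. Interface names, subnets and
# the allowed host are assumptions; 192.0.2.10 is a documentation placeholder.
int_if   = "fxp0"            # trusted internal subnet (assumed)
quar_if  = "le0"             # the interface the insecure machine plugs into (assumed)
int_net  = "192.168.1.0/24"  # assumed internal subnet
quar_net = "192.168.2.0/24"  # assumed quarantine subnet on le0
allowed  = "192.0.2.10"      # placeholder: the single Internet host the box may reach

set skip on lo0
set block-policy drop

# Hide the quarantine subnet behind the firewall's internal address, so the
# rest of the network (and the NAT modem) never has to route to it.
match out on $int_if from $quar_net nat-to ($int_if)

# Default deny, logged: anything else the quarantined box tries shows up in pflog.
block log all

# Drop packets claiming a source address that does not belong on le0.
antispoof log quick for $quar_if

# Quarantine side: nothing to the firewall itself or to the internal subnet,
# and only the one permitted destination past that.
block in log quick on $quar_if from $quar_net to { ($quar_if), ($int_if), $int_net }
pass in quick on $quar_if proto { tcp udp icmp } from $quar_net to $allowed keep state

# Trusted side: unrestricted out, nothing unsolicited in.
pass in on $int_if from $int_net keep state

# Stateful replies for the sessions permitted above.
pass out on $int_if keep state
```

The "cannot be subverted without physical access" requirement is met by where the filtering lives: the rules sit on the firewall host, not on the insecure machine, so nothing the quarantined box does to its own configuration changes what the Sun will forward. Note the `block ... to ($quar_if)` rule also stops the box from reaching services on the firewall via the quarantine interface address; if it needs DNS, add a `pass in quick on $quar_if proto udp from $quar_net to <resolver> port 53 keep state` ahead of it. Load with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f`, and watch `tcpdump -n -e -ttt -i pflog0` while the box is first connected to confirm only the allowed host appears.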


