[rescue] Putting an insecure machine on a network

[Devin L. Ganger]

At Saturday, March 18, 2006 9:20 AM, Sheldon T. Hall wrote:

> I need to connect to my network a completely insecure machine that
> cannot be secured.  I want to isolate it in a way that prevents it
> from connecting to anything but one address over the Internet, and do
> so in a way that cannot be subverted without physical access to the
> machine.
>
> I'm on DSL, and have one fixed IP address.  Behind that, a typical
> DSL modem with NAT and various port forwarding to my servers.

If you have a spare NAT-enabled router, you can (temporarily) put it on
the network to protect your network.

NAT A --> insecure machine
      --> NAT B -- > servers

As long as you're not doing any hosting, this will isolate the insecure
machine from the rest of your network.

As for filtering *outbound* access, that's more tough. It's been too
long since I've worked with ipfilter or any of the other readily
available free solutions to know if you can set up access rules by
interface -- if they can do that, then you should be able to use your
SPARC as you're talking about.

Can you make no modifications to the insecure machine? If you can,
setting up rules on that machine to prevent outbound access to any other
IP address is a good second line of defense.

If you're got spare x86 hardware around, there are several Linux-based
firewall distros that should easily be able to handle this --
downloading one and installing it might be a better use of your time
than trying to assemble, compile, and configure a solution for Solaris
7.

Give me a call if you've got a few minutes and want some other ideas --
ping me directly if you need my phone number again.

--
Devin L. Ganger <devin at thecabal.org>
Homepage: http://www.thecabal.org/~devin/
Devin on Earth: http://blogs.thecabal.org/blogs/devin/