
I have a secure subnet 172.20.40.0/24, but I have terminals where security can't be guaranteed and I have no control over protocol (exam rooms, external user access). I'd like to set these up on a separate subnet to minimize the attack vector; however, they will need access to one or two IPs on the secure subnet. I've set up a virtual pfSense firewall in between and at first was playing with using a LAN and a WAN with NATting or VPN, but I am a bit out of my depth. What is the proper way to do this, where I can secure this to the minimal amount of network access?

[image: Example]

EDIT

This is the list of the ports the application is hitting, consisting of two servers, ASDB (172.20.40.9) and ASDCFS (172.20.40.11). If the high-risk terminal is, say, 172.20.40.100, what is the most elegant way to limit it so it can only access those IPs and ports?

[image: portlist]

bumble_bee_tuna

Comments:
  • What kind of service is being accessed on the secure subnet? – pmdba Feb 19 '21 at 23:46
  • NATing is only for outbound traffic, to anonymize the client; it will not help with server access. VPN is most likely overkill, and would potentially open up your entire secure subnet and not just the one server and (likely) port that you need people to access. – pmdba Feb 20 '21 at 03:40
  • @pmdba SQL, FILES, various other ports. It's an ISV healthcare app – bumble_bee_tuna Feb 20 '21 at 03:56
  • I would look at setting up separate VLANs for your server, your secure network subnet, and your high risk terminals, in addition to whatever firewall rules you put in place to limit access to specific ports from the WAN side of your firewall. – pmdba Feb 20 '21 at 04:15
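As an added example that is not part of the question or its comments, here is the policy pmdba describes (separate high-risk subnet, firewall rules passing only the two servers on their ports) written as a raw pf ruleset, since pf is what pfSense runs underneath; in the pfSense GUI the same thing is three rules on the high-risk interface, evaluated top to bottom with quick matching. Assumed, not from the page: em1 faces the high-risk terminals on a constructed subnet 172.20.41.0/24, em0 faces 172.20.40.0/24, and the port numbers are placeholders for the "portlist" image, which is not reproduced here.

```pf
# Interfaces and networks (constructed for this example)
ext_if   = "em1"                 # high-risk terminal interface
sec_if   = "em0"                 # secure subnet interface
risk_net = "172.20.41.0/24"      # constructed: high-risk terminals live here
sec_net  = "172.20.40.0/24"

# The only secure-side hosts the terminals may reach (from the question)
asdb   = "172.20.40.9"
asdcfs = "172.20.40.11"

# Placeholder port lists; substitute the real ones from the application's portlist
asdb_ports   = "{ 1433 }"        # e.g. SQL Server
asdcfs_ports = "{ 445 }"         # e.g. SMB file share

# Default deny everywhere, logged so stray access attempts are visible
block log all

# Let the firewall itself serve DHCP and DNS to the terminals, if it does
pass in quick on $ext_if inet proto udp from $risk_net to ($ext_if) port { 53 67 }

# Allow exactly the required flows; pf keeps state by default, so reply
# packets are admitted without a matching rule in the other direction
pass in quick on $ext_if inet proto tcp from $risk_net to $asdb   port $asdb_ports
pass in quick on $ext_if inet proto tcp from $risk_net to $asdcfs port $asdcfs_ports

# Everything else from the terminals toward the secure subnet is dropped and logged
block in log quick on $ext_if from $risk_net to $sec_net

# Nothing on the secure side may open a connection toward the terminals
block in log quick on $sec_if from $sec_net to $risk_net
```

Check the syntax with `pfctl -nf <file>` before loading; on pfSense, enter the equivalent pass and block rules under Firewall > Rules on the high-risk interface rather than editing the generated ruleset by hand.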

2 Answers


You should mirror your application server from the secure network to a DMZ. Only there should your insecure clients have access, with NO possibility to breach the DMZ server and get further access into the secure area.

Connection security is important: never connect from an insecure network to a secure network.

Nils

I'd install a reverse proxy on the edge, keeping the secure subnet and the application server inaccessible.

nginx and Varnish are good options for a reverse proxy. You can even create some rules allowing only a few HTTP methods and endpoint targets.

You can also add a firewall rule restricting external traffic targeting the secure subnet so that it is allowed only from the reverse proxy.

surfingonthenet