Implementing a transparent IPchains box

#1 Stueyb (Thread Starter), 23 August 2005, 08:46 PM

Hi Guys n Gals,

Hopefully someone can help me here. I have a system at work that runs on IIS but our remote sales force need access to it. This machine sits in the core of our network on the internal LAN, not the DMZ.

To try and secure it a bit (putting it on the DMZ is not feasible) I want to put a box in between the FW1 box and server box to drop all traffic that is not from a certain series of MAC addresses. I know this isn't 100% but it will stop most of the crap and nastiness from getting to the box. Any guides on how to implement this transparently? I was thinking a FreeBSD box running a highly custom configuration of ipchains.

Cheers

Stu

#2 dsmith, 23 August 2005, 10:20 PM

If your "filter" box is somewhere between your "FW1" box (Firewall-1, i.e. your main internet firewall?) and the server elsewhere on the corporate LAN, it will *only* see the MAC address of the routers either side. MAC addresses don't propagate beyond the immediate LAN segment.

Would have thought you'd be better off with a proxy server on the DMZ that very carefully controls which URLs it will forward to the real server.

#3 stevencotton, 24 August 2005, 02:16 AM

You wouldn't use ipchains anyway, iptables perhaps, which has superseded it, but if you want to use FreeBSD then ipchains isn't what you want; use a native FreeBSD option instead.

Saying that, dsmith is right. It's not the right way in that situation. If it has to be minus DMZ, I'd go for an SSL-enabled proxy with basic HTTP auth and forward requests to the server you want to give them access to. If the sales people only come on from certain IPs I'd also lock it down to that; MAC filtering isn't an option in that scenario.
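
An added example, not part of the original posts: a Python sketch of the admission checks the two replies above describe for a proxy in front of the IIS server (TLS only, source-IP allowlist, Basic auth, and an allowlist of published URLs). The network range, user, password and `/sales/` prefix are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hmac
import ipaddress
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed placeholder values, not taken from the thread.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # sales-force source IPs
ALLOWED_PREFIXES = ("/sales/",)                          # URLs the proxy forwards
USERS = {"stu": "correct horse battery staple"}          # store hashes in practice


def normalise(target):
    """Decode the path once and collapse '..' so it cannot escape a prefix."""
    path = unquote(urlsplit(target).path)
    if any(c in path for c in "\\\x00%"):  # backslash, NUL, double encoding
        return None
    clean = posixpath.normpath("/" + path.lstrip("/"))
    return clean + "/" if path.endswith("/") and clean != "/" else clean


def check_basic_auth(header):
    """Validate an 'Authorization: Basic ...' header against USERS."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # compare_digest keeps the comparison time independent of the match position
    return expected is not None and hmac.compare_digest(
        password.encode(), expected.encode())


def decide(client_ip, tls, target, auth_header):
    """Return (status, reason) for a request before anything reaches the server."""
    if not tls:
        return 400, "plain HTTP refused: Basic credentials need TLS"
    # The TCP peer IP survives routing; the client's MAC address does not.
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        return 403, "source IP not allowlisted"
    if not check_basic_auth(auth_header):
        return 401, "missing or bad credentials"
    path = normalise(target)
    if path is None or not path.startswith(ALLOWED_PREFIXES):
        return 404, "URL not published"
    return 200, "forward " + path
```

The path is normalised before the prefix check so that an encoded `..` segment is judged by where it actually resolves, not by how the request line begins.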

#4 stevem2k, 24 August 2005, 09:56 AM

They're in sales ffs ... should be kept off the network completely .....