I want to set up an internal network with very restricted traffic. Sadly, a service vendor for my wife's office has a web interface that only talks to Internet Exploder with a local app that must run under windoze. Another supplier will only deal with QuickBooks over the web. We have a little windoze box (ASUS B202) running winXP with no network connection. I don't want it connected to the internet. It could get 0wned by the wrong popup ads, and I don't want to spend a lot of time keeping it updated (this is not possible for zero day exploits, anyway).
Possible Solution: Feed it from the Linux firewall over a dedicated LAN, through a firewall set to just pass ports 80 and 443 to a short list of IP addresses, with local DNS for a few addresses from a static table on the firewall. If a service vendor gets 0wned, the local Windows box might too, but it cannot call home to base, spread the infection, or hammer on the Linux LAN. I might also open the IP addresses for M$ updates.

My biggest concern is that I am underestimating the number of IP addresses I will need to talk to and how often they change. Perhaps there is some tool to update the local DNS table without a lot of effort. Updates should happen only when I tell the firewall to do so, and I can review the table, a few times a year.

Any helpful ideas?

Keith

P.S. The Great Windoze Meltdown could happen any day - the fact that 80% of windoze machines do not seem to be 0wned does not guarantee that they will never be. Large scale attacks are probably already seeded out there, and may be launched if some general has a bad day. I prefer to be ready to help my neighbors, instead of being another victim.

P.P.S. xkcd 974, The General Problem, alt text: "I find that when someone's taking time to do something right in the present, they're a perfectionist with no ability to prioritize, whereas when someone took time to do something right in the past, they're a master artisan of great foresight."

-- 
Keith Lofstrom [email protected] Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs

_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
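The allow-list scheme described in the post above, worked through as an added example (this is not Keith's code and not something from the PLUG list). It keeps the "hostname ip" table as the single source of truth: one function resolves the hostnames into a candidate table when you decide to refresh, one shows the diff so nothing is applied unreviewed, one emits dnsmasq host-record lines so the Windows box can only resolve those names to exactly those addresses, and one emits an nftables ruleset that forwards only TCP 80/443 from the dedicated LAN to that same set of addresses. Everything else is an assumption for the sake of the example: the dedicated LAN is 192.168.77.0/24 on interface lan1, the firewall is 192.168.77.1 and runs dnsmasq, and the table lives wherever you point the script.

```shell
#!/bin/bash
# Egress allow-list helper for a Linux firewall feeding an isolated
# Windows box over a dedicated LAN. Assumed layout (not from the post):
# dedicated LAN 192.168.77.0/24 on interface "lan1", firewall address
# 192.168.77.1 running dnsmasq, table file of "hostname ip" lines.
set -eu

LAN_IF="${LAN_IF:-lan1}"
LAN_NET="${LAN_NET:-192.168.77.0/24}"
FW_ADDR="${FW_ADDR:-192.168.77.1}"

# Resolve each hostname in the list into a candidate "hostname ip" table.
# Network-dependent; run by hand only when you decide to refresh.
resolve_table() {
    while read -r host; do
        case "$host" in ''|'#'*) continue ;; esac
        # getent ahostsv4 prints "ip STREAM host" lines; keep unique ips
        getent ahostsv4 "$host" | awk -v h="$host" '$2=="STREAM"{print h, $1}' | sort -u
    done < "$1"
}

# Show what changed between the table in use ($1) and a candidate ($2).
# Returns 1 when they differ so a caller refuses to apply unreviewed changes.
diff_tables() {
    if diff -u "$1" "$2"; then
        echo "# no changes"
        return 0
    fi
    return 1
}

# dnsmasq host-record lines: the box resolves only these names, and only
# to the addresses the firewall allows (drop into /etc/dnsmasq.d/).
gen_dns_records() {
    awk '!/^#/ && NF==2 { printf "host-record=%s,%s\n", $1, $2 }' "$1"
}

# nftables ruleset for the dedicated LAN only; traffic on other interfaces
# is left to whatever ruleset the firewall already has (policy accept).
gen_nft_rules() {
    local ips
    ips=$(awk '!/^#/ && NF==2 {print $2}' "$1" | sort -u | paste -sd, - | sed 's/,/, /g')
    cat <<EOF
table inet egress {
    set allowed_v4 {
        type ipv4_addr
        elements = { $ips }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        iifname "$LAN_IF" ip saddr $LAN_NET ip daddr @allowed_v4 tcp dport { 80, 443 } ct state new accept
        iifname "$LAN_IF" log prefix "egress-drop: " drop
        oifname "$LAN_IF" drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "$LAN_IF" ct state established,related accept
        iifname "$LAN_IF" ip daddr $FW_ADDR udp dport 53 accept
        iifname "$LAN_IF" ip daddr $FW_ADDR tcp dport 53 accept
        iifname "$LAN_IF" drop
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname != "$LAN_IF" ip saddr $LAN_NET masquerade
    }
}
EOF
}

# Usage: egress.sh resolve hosts.txt > candidate
#        egress.sh diff /etc/egress/table candidate   (review, then cp)
#        egress.sh dns /etc/egress/table > /etc/dnsmasq.d/egress.conf
#        egress.sh rules /etc/egress/table | nft -f -
case "${1:-}" in
    resolve) resolve_table "${2:?host list}" ;;
    diff)    diff_tables "${2:?current table}" "${3:?candidate table}" ;;
    dns)     gen_dns_records "${2:?table}" ;;
    rules)   gen_nft_rules "${2:?table}" ;;
esac
```

Two caveats worth knowing before relying on this. First, because the box only gets DNS answers from the firewall's static records, a vendor moving to a new address simply stops working until you rerun the resolve/diff/apply cycle, which is the intended fail-closed behaviour, but vendor sites that sit behind CDNs or pull scripts from third-party hosts will need more names in the list than the login page alone suggests, so expect the first few refreshes to grow the table. Second, the drop rules log every blocked connection; reading that log after a session on the box is the cheapest way to discover which names you missed.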
