Isolate high risk terminals from the rest of a subnet

You should mirror your application server from the secure network to a DMZ. Only there should your insecure clients have access, with NO possibility of breaching the DMZ server and getting further access into the secure area.

Connection security is important: never connect from an insecure network to a secure network.


I'd install a reverse proxy on the edge, keeping the secure subnet and the application server inaccessible.

nginx and Varnish are good options for a reverse proxy. You can even create rules allowing only a few HTTP methods and target endpoints.

You can also add a firewall that restricts external traffic to the secure subnet so that it is only accepted from the reverse proxy.
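The following nginx configuration is an added illustration of the setup described in both answers (a proxy in the DMZ in front of an application server on the secure subnet, forwarding only a few HTTP methods to a few endpoints); it is not configuration from either answer's author. The backend address 10.10.0.5:8080, the hostname app.example.test, the certificate paths and the /api/status and /api/orders endpoints are placeholders.

```nginx
# Added example: nginx reverse proxy running in the DMZ.
# Every address, hostname and path below is a hypothetical placeholder.

upstream app_backend {
    # Application server on the secure subnet (placeholder address).
    # The secure-subnet firewall should accept TCP/8080 only from this
    # proxy's DMZ address, so clients can never reach the backend directly.
    server 10.10.0.5:8080;
}

server {
    listen 443 ssl;
    server_name app.example.test;                 # placeholder name

    ssl_certificate     /etc/nginx/tls/app.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/app.key;

    # Default deny: any path not explicitly allowed below is refused,
    # so new backend routes are not exposed by accident.
    location / {
        return 404;
    }

    # Read-only endpoint: only GET (and, implicitly, HEAD) is forwarded.
    location = /api/status {
        limit_except GET {
            deny all;
        }
        proxy_pass http://app_backend;
    }

    # Order submission: GET and POST only; PUT, DELETE, etc. receive 403.
    location ^~ /api/orders {
        limit_except GET POST {
            deny all;
        }
        proxy_pass http://app_backend;
    }

    # Pass the original client address and scheme so the backend can log them.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

The method and endpoint allowlist lives on the proxy, but it only holds if the secure subnet's firewall independently drops all DMZ traffic except connections from the proxy's own address to the backend port; otherwise a compromised client could simply bypass the proxy. Check the policy from the client side (for example, a DELETE to /api/orders should return 403 and a request to an unlisted path should return 404, while the backend address itself should be unreachable).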