Isolate high risk terminals from the rest of a subnet

networking pfsense

You should mirror your application server from the secure network to a DMZ. Only there your insecure clients should have access with NO possibility to breach the DMZ-server and get further access into the secure area.

Important is connection security: Never connect from an insecure network to a secure network.


I'd install a reverse-proxy on the edge, keeping the secure subnet and the application server, inaccessible.

ngnix and varnish are good options for reverse-proxy. You can even create some rules allowing only a few HTTP methods and endpoints targets.

You can also add a firewall restrict external traffic target to secure subnet only from the reverse-proxy.

Related

Forward Kerberos Authentication on Ansible
Can't port forward with iptables KVM NAT
ContextInitializer in logback-classic version 1.2.9 does not support Groovy config file
JS new Date() jump to next year [duplicate]
Convert RenderTargetBitmap to BitmapImage
Navbar to Stay Still
Facing issue using QAF common step og click and clear methods
Proof of the conjecture that the kernel is of dimension 2
Show that $\arctan(n)$ is irrational for all $n \in \mathbb{N}$
Cubic root of a polynomial to modulo of another polynomial
How do I calculate $\lim_{x\to+\infty}\sqrt{x+a}-\sqrt{x}$?
Trigonometric rule on a spherical square