Protect legacy hardware dmz corporate systems



  • Good evening-

    Hopefully an easy question for someone much more experienced than me in regards to firewalling.

    I have some legacy equipment (and by legacy, I mean ISA bus type) that would require a complete replacement of the hardware (to the tune of several hundred K$).  There is hope that we can find compatible mobos that will accept the custom fpga hardware cards and still allow us to run.

    It becomes complicated when we start discussing IT requirements to run application monitoring software.  I've seen i5s slowed to a crawl with this new image, and I can't possibly accept a CAD system driving a CNC machine to go through that.

    That said, can (and please feel free to correct) pfSense route all traffic on a network directed at a particular port to a specific machine, say, one on the DMZ?  Said machine could be IT compliant, whereas the CNC computer could sit behind pfSense and have NAT/firewall done to protect it.  All requests would look like the corporate machine, but instead would be served by the CNC machine- and all legit corporate traffic would only be on the corporate machine.

    Am I making sense?

    The other possibility was KVMing each machine with a corporate/local on two different LANs that meet at some NAS somewhere to transport files.  Not ideal, but still doable.

    Suggestions very much welcome.  Most of the support I've received is "Not doable, buy new hardware, we're busy, get a dell" which has not met any of the simple requirements.



  • Can you elaborate a bit on where the traffic is sourced and destined that you want to redirect? In general, yeah you have a lot of options for traffic redirection. You can force all traffic to a given port to be redirected to a specific machine. That's doable via port forwards. There may be a need for outbound NAT too to translate the source IP depending on specifics.



  • Indeed.

    In theory (and it is a moving target) we're on a protected network already. We want to attach all the standalone computers, but in order to do so they have to run the compliance software.

    There are hundreds of ports used to monitor the machine, whereas our poor CNC machine might use 2.

    My thoughts were to put the corporate machine in the DMZ and have all incoming traffic sent to it. Behind the firewall/NAT I would put the CNC machine, it could send files out but still be protected - all incoming attacks go to the corporate machine.


  • Netgate Administrator

    So you want to have a separate machine that is running in another subnet (though I suppose it doesn't have to be) just to run the compliance software so that some central infrastructure can talk to it and it will report 'everything is fine'?

    The biggest problem I see with this is that in reality your CNC control machine will not be compliant and it would be obvious to anyone who actually came down to look at it.

    Are you doing this purely so you can transfer files more easily? It sounds like a machine that should not be internet connected!  ;)

    Do you mind if I ask what this monitoring software is that can eat all the resources on an i5?

    Steve



  • Hm. I am still not getting the "big picture".

    But maybe I don't want to. Perhaps that's another of these scenarios where management insists that every packet gets virus-scanned, especially the ASCII files which go to the CNC machines. Yup, what would happen if your lathe gets infected by a virus?

    Actually, I do remember manually checking all the files which went to the big lathe - not because of a virus threat, but to check if the CAD software didn't do something stupid. You don't want to take any chances with a few tons of spinning metal.

    Whatever: what about putting pfSense on a VM on the "compliant machine"? The machine could get a second NIC which connects to the "CNC hardware" only. If the "compliant machine" runs Windows, the second NIC could be installed without protocols, so it's unusable from Windows applications, but can be used from VMWare. The other virtual VMWare NIC should be set to NAT, with the needed port forwarding configured in VMWare (vmnetcfg).



  • A port forward on WAN (assuming the traffic comes in via WAN), destination "any" and the port in question, with a target of the host you want to send the traffic to would accomplish redirecting all that traffic to a different host.
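    As an added illustration of that port forward (not from this thread and not pfSense's own generated rules), the equivalent rules in raw pf syntax, which pfSense builds on; interface names, addresses and the TCP port are constructed placeholders, and the forward is narrowed to one allowed source rather than the "any" in the post above.

    ```pf
    # Constructed example: interface names, addresses and port are placeholders.
    ext_if   = "em0"             # WAN side, facing the corporate network
    lan_if   = "em1"             # protected side, where the CNC controller lives
    cnc_host = "192.168.10.20"   # the CNC machine behind the firewall
    cnc_port = "5000"            # the one service the CNC machine actually exposes
    cad_host = "10.0.0.50"       # the compliant machine allowed to send files to it

    # Translation rules must precede filter rules in pf.conf.
    # Port forward: traffic arriving on WAN for the CNC port is redirected to the CNC host.
    # Use "from any" here to match the "destination any" forward described above.
    rdr on $ext_if proto tcp from $cad_host to any port $cnc_port -> $cnc_host port $cnc_port

    # Optional outbound NAT so the CNC host only ever sees the firewall as the source;
    # this is the source-IP translation mentioned earlier in the thread.
    nat on $lan_if proto tcp from any to $cnc_host port $cnc_port -> ($lan_if)

    # Default deny inbound: nothing reaches the protected segment unless forwarded.
    block in all

    # Filter rules are evaluated after translation, so match the translated destination.
    pass in on $ext_if proto tcp from $cad_host to $cnc_host port $cnc_port flags S/SA keep state
    pass out on $lan_if proto tcp from any to $cnc_host port $cnc_port keep state

    # Let the CNC machine initiate its own file transfers out; replies ride the state.
    pass in on $lan_if proto tcp from $cnc_host to any keep state
    ```

    Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it, and any port other than `$cnc_port` arriving on WAN is dropped by the `block in all` line.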



  • @stephenw10:

    So you want to have a separate machine that is running in another subnet (though I suppose it doesn't have to be) just to run the compliance software so that some central infrastructure can talk to it and it will report 'everything is fine'?

    The biggest problem I see with this is that in reality your CNC control machine will not be compliant and it would be obvious to anyone who actually came down to look at it.

    Are you doing this purely so you can transfer files more easily? It sounds like a machine that should not be internet connected!  ;)

    Do you mind if I ask what this monitoring software is that can eat all the resources on an i5?

    Steve

    Altiris.

    Every 2 hours we lose focus on all the system windows, and a few other problems.  McAfee virus scan, and a few other auditing tools- all of them slam the computers at random times- including forced reboots- which, as you could imagine, would be a particularly stupid thing to have happen to a CNC machine in the middle of a job.

    But yes, it's also to move files back and forth, securely, and safely.  The users do all their work on the compliant machine, but then move the released drawings to the CNC machine for use.  At least that's the theory.

    The next post about VMWare and a second NIC is going to need more research on my part; I didn't think it could be bound in that manner, but since it can be that might be an even easier method- if I'm allowed to run VMware…


  • Netgate Administrator

    Hmm, well your situation seems to be slightly bizarre.
    Presumably the monitoring software wants to see an 'everything is fine' report coming back from every IP it can see otherwise it starts sounding alerts. By inserting an additional NATing router between you and the central server it will only see one IP lease so you can have several machines (or VMs) reporting back. However I would have thought any half decent monitoring agent would be able to detect it's behind NAT and report that.

    It looks like you are fighting your IT department on this which is generally not a good thing!  ;)
    What exactly are they asking you to do?
    Presumably there are plenty of other bits of equipment on the network that cannot run the monitoring agent, printers, wifi access points, etc.

    This is above my pay grade to be honest.  :)

    Steve



  • @stephenw10:

    Hmm, well your situation seems to be slightly bizarre.
    Presumably the monitoring software wants to see an 'everything is fine' report coming back from every IP it can see otherwise it starts sounding alerts. By inserting an additional NATing router between you and the central server it will only see one IP lease so you can have several machines (or VMs) reporting back. However I would have thought any half decent monitoring agent would be able to detect it's behind NAT and report that.

    It looks like you are fighting your IT department on this which is generally not a good thing!  ;)
    What exactly are they asking you to do?
    Presumably there are plenty of other bits of equipment on the network that cannot run the monitoring agent, printers, wifi access points, etc.

    This is above my pay grade to be honest.  :)

    Steve

    *snicker* You think it's bizarre :)

    The goal is to protect the legacy hardware yet still provide networking capability.  In some sense, how we get there doesn't matter- but upgrading the machines it is attached to (by say, going modern) isn't an option.

    It's not so much as a fight as disagreement in what is needed.

