
I have two networks, one considered secure, let's call it A, and one considered insecure, B. The software I need to use uses HSMS, a protocol based on TCP with no security built in.
Now the problem is that the software has a server a in the secure network A and needs to connect to clients b1, b2, ... in B. The requirement from the software is that I open one port with full TCP access. But that is too risky, as the whole network B and the clients cannot be trusted.

My question now is: is there a way to use something like an application layer firewall to filter everything based on the protocol, so that the open port is not used for anything else?
Especially, is there a simple (read: not too involved) way to create a protocol filter for HSMS in such a firewall?

Another requirement is that the clients are not allowed to talk to each other through that proxy.
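A minimal HSMS framing check of the kind such a protocol filter would apply, added here as an example (not code from the question or the answer): it parses the SEMI E37 4-byte length prefix and 10-byte header, rejects a non-SECS-II PType, undefined SType values and control messages that carry data, and flags anything else arriving on the port (such as an HTTP request) as a violation the proxy should drop the connection on. The 1 MiB length cap and the sample frames are constructed assumptions.

```python
import struct

# HSMS (SEMI E37) framing: 4-byte big-endian length, then a 10-byte header
# (session id, header byte 2, header byte 3, PType, SType, system bytes), then
# SECS-II data; the length counts header plus data.
HEADER_LEN = 10
VALID_STYPES = {0, 1, 2, 3, 4, 5, 6, 7, 9}  # SType 8 is not defined in E37
MAX_MSG_LEN = 1 << 20                        # assumed filter policy: 1 MiB cap

def parse_frame(buf):
    """Return (header, data, bytes_consumed), None if more bytes are needed, or raise ValueError."""
    if len(buf) < 4:
        return None
    (length,) = struct.unpack(">I", buf[:4])
    if length < HEADER_LEN or length > MAX_MSG_LEN:
        raise ValueError(f"bad HSMS length {length}")
    if len(buf) < 4 + length:
        return None
    sid, hb2, hb3, ptype, stype, sysb = struct.unpack(">HBBBBI", buf[4:4 + HEADER_LEN])
    if ptype != 0:
        raise ValueError(f"unsupported PType {ptype} (only SECS-II = 0 allowed)")
    if stype not in VALID_STYPES:
        raise ValueError(f"undefined SType {stype}")
    data = buf[4 + HEADER_LEN:4 + length]
    if stype != 0 and data:
        raise ValueError("control message must not carry data")
    header = {"session": sid, "w_bit": bool(hb2 & 0x80), "stream": hb2 & 0x7F,
              "function": hb3, "stype": stype, "system_bytes": sysb}
    return header, data, 4 + length

def filter_stream(buf):
    """Split a byte stream into HSMS frames; stop at the first violation and return (frames, reason)."""
    frames, offset = [], 0
    while offset < len(buf):
        try:
            res = parse_frame(buf[offset:])
        except ValueError as e:
            return frames, str(e)
        if res is None:
            return frames, "incomplete frame"
        header, data, used = res
        frames.append((header, data))
        offset += used
    return frames, None

# Constructed samples: a Select.req, a header-only S1F1 data message (W-bit set),
# and a plain HTTP request smuggled onto the HSMS port.
SELECT_REQ = struct.pack(">IHBBBBI", 10, 0xFFFF, 0, 0, 0, 1, 1)
S1F1 = struct.pack(">IHBBBBI", 10, 1, 0x81, 1, 0, 0, 2)
HTTP_SMUGGLED = b"GET / HTTP/1.1\r\n"
```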

1 Answer

What's wrong with making a firewall only allow connections to server a on port p in the firewall? The port can't be used to connect to any other systems in network A; since the server on a is expecting that particular protocol, non-compliant clients won't be able to connect; and if you're really worried you can whitelist clients on the firewall so that only clients b1, b2, ... in B can connect to a.

Other options include VPN setups or SSH tunneling.

Another requirement is that the clients are not allowed to talk to each other through that proxy.

In a sane configuration, that's not going to be the case anyway. Beyond that, how do you intend to prevent clients from connecting to each other?

afrazier
  • That doesn't solve the problem. I can't trust the clients. I need to be able to control what content (read: only HSMS-compliant data) is sent to the server `a`; otherwise other programs on the clients could hijack the TCP connection. So if I only proxy, the clients can still use the complete TCP connection. – dignifiedquire Mar 20 '13 at 18:01
  • Generally speaking servers already don't trust clients when it comes to the internet. What can other programs running on the clients do that a proxy is going to prevent? They can't talk to other servers in `A`, they can't talk to other services on `a`, so the only thing left is if they send non-compliant data -- what can a proxy do that the service already in place can't? – afrazier Mar 20 '13 at 18:39