I’ve got a good friend that runs a small business.  He has one application that is critical to the business, and if it were compromised he fears it could end the company.  Having spoken with several computer consulting firms in the area they’ve assured him that modern A/V software is all he needs.  I’m fairly confident in modern anti-virus software, and I also doubt he would have anyone come after him specifically.  That being said, how could he protect that one application?  Oh – and before you say “air wall”, it has to have Internet access.

There are lots of firewall options out there, but they are more complex than I like.  They are also more expensive than I’d like to see him spend based on the risk level.  And he also needs a solution that he can understand and work around if it prevents his office manager from keeping things working.

What I’ve decided on is a small PC running Linux and IP Tables.  Have 3 network ports on it:

1. One facing the Internet.
2. One facing his main office.  Not quite a “DMZ”, but the typical “anything initiated from in here can get out.”  I might add an IDS too, just to help him feeling safe that none of the other systems have been compromised.
3. One that is purely for his critical application.  It will only allow that system to connect to the one system it needs.  Might even have a few entries hard coded in /etc/hosts and do away with DNS all together.  Of course there also is Hyas to think about!

This article will grow as I add notes about different GUIs for controlling IP tables as well as how we’ll solve locking down network #3.  Watch this space!