I have a bit of a one-off situation here as I don't normally help someone with a networking issue unless they are a managed client or partner.
My wife has a family member who is a CPA (accountant). They asked me to do the whole "make me secure, I'll pay you" thing. No problem.
It is a small office so I will replace their ASUS Best Buy router with a SG-1100. I’ll set them up with a remote access VPN and a site2site VPN back to my house and I’ll monitor it with my Zabbix.
The challenge I am running into is the accounting server. What I've done in the past for smallish deployments is put Squid in front of it, explicit proxy so I'm using certificates. From there I use access control and whitelist only sites they need such as Microsoft updates, or whitelist an application so it can get updates - in this case, the tax software has domains I can whitelist. I can (and have in the past) do content control by blocking file extensions like .exe. This normally doesn't cause an issue because in a highly controlled environment, I want to know what's being installed. And that's it. Squid is great for that focused solution.
The problem is Squid is going away. I can't use the firewall as my forward proxy anymore. I don't have the time or desire to set up Squid on a Raspberry Pi but I do want to make sure that Internet control for this server is locked down. Any ideas?
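For readers who have not run this pattern before, here is what the allowlist-plus-extension-block policy described in the post above looks like as a Squid configuration fragment. This is an added illustration, not the poster's actual config; the listen port, the server address, the update hostnames and the domain-list file path are all placeholders chosen for the example.

```squid
# Explicit forward proxy (HTTP listener; port is an assumption).
http_port 3128

# Only the accounting server may use this proxy (placeholder address).
acl accounting_srv src 192.168.50.10/32

# Destinations the server is permitted to reach. A leading dot matches the
# host and all of its subdomains. Hostnames here are illustrative; the real
# list comes from Microsoft's and the tax vendor's published update endpoints.
acl allowed_dst dstdomain .windowsupdate.com .update.microsoft.com
# Vendor domains kept in a separate file, one per line (placeholder path).
acl allowed_dst dstdomain "/usr/local/etc/squid/tax_software_domains.txt"

# Executable-style downloads, matched on the URL path, case-insensitive,
# including URLs that append a query string after the extension.
acl exe_download urlpath_regex -i \.(exe|msi|msp|scr|bat|cmd|ps1)(\?.*)?$

# First matching http_access line wins, so order matters:
#   1. refuse executable downloads even from allowed hosts
#   2. allow the accounting server to reach allowed destinations only
#   3. deny everything else (default-deny)
http_access deny exe_download
http_access allow accounting_srv allowed_dst
http_access deny all
```

Two things to check before relying on this. First, `urlpath_regex` only sees the path of a request the proxy can read; for HTTPS that means SSL bump (the certificate deployment the post mentions) must be in place, otherwise only the CONNECT hostname is visible and the extension rule never fires. Second, keep `access.log` under review for a while after deployment: a `TCP_DENIED` line for a vendor host is the fastest way to discover an update endpoint that is missing from the allowlist.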
It depends on your level of lockdown. If it were me I'd set it up on its own VLAN and then lock it down based on rules.
If the accounting server is web based then you can throw Authelia in front of it for added protection with authentication. Just a few suggestions.
Looks like you've been stung!
I’d say the best thing for your family member is to have a laptop for work and another for play, that will do the most to reduce any risk. Must be the case that if the accounting server is running on windows then it needs to dial out to at least check the product key every so often. So a total lockdown might not work without receiving a call in the middle of the night.
Though I agree with @xMAXIMUSx, just stick it on its own VLAN and lock down the VLAN.
Squid is another open source project that was widely used but had no funding model, so it's no longer maintained and using it is not a security risk. We use the commercial software Zorus as part of our stack to lock down clients.
If possible, I would require remote access VPN in order to access it.