Identifying computers that log on to a site
thepreacher

« on: March 16, 2008, 02:51:07 PM »

I'll describe my problem:
I have an online site that clients login to. Each client is a company with staff and branches. Staff for each client can switch branches. I need to have control over staff movement and validating login. I want to be able to restrict login to only PCs that belong to the various clients and not from any cafe.

How do I solve this problem?
« Last Edit: March 16, 2008, 07:18:29 PM by thepreacher »
GrandSchtroumpf
Mentor

« Reply #1 on: March 18, 2008, 12:15:01 PM »

You can accept login based on the IP address.
That should work if your client's internet connection does not use a dynamic IP address.
VGR
Mentor
« Reply #2 on: March 18, 2008, 03:29:54 PM »

IMHO if you manage to have the (authorized) clients get their IP@ via DHCP, then you know the (internal) IP@ range and can restrict access to it.

Personally, I would install a small service (or cron task) on each authorized computer, so that even if connected from outside, access is granted. The program would send the NIC MAC address to the web server in such a way that only authorized hardware can connect; coupled with the user login, I think this ensures a safe access, unless someone steals both the hardware (in the PC) and password (in the user's mind) at the same time.

techie overlord, answers all kind of questions on http://www.europeanexperts.org
GrandSchtroumpf
Mentor

« Reply #3 on: March 18, 2008, 05:03:31 PM »

> then you know the (internal) IP@ range and can restrict access to it.
How would you know the range? You'll need to ask the ISP for that, no?
DHCP means that other computers use the same range, so it's not 100% bulletproof, but it should be safe enough.

I don't see how sending the MAC address would improve security... The only advantage is that the mechanism is hidden from the end-user. If it's to protect the system against social hacking or evil end-users, then it might be a fair solution. Instead of sending the MAC address, you could send any arbitrary key/id, as long as you keep that hidden from the end-user. Anyway, it's possible to change the MAC address on most NICs. If you are really paranoid, you can use a time-based key....

I would go for the IP restriction alone... Simple, efficient, easy to implement, does not waste bandwidth or CPU.
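The time-based key suggested in the reply above, as an added example that is not part of the original thread: each authorized PC holds a per-machine secret and sends an HMAC of the current time window, so a captured value stops working shortly afterwards, unlike a static MAC address or ID. The device ID, the secret and the 30-second window are assumptions.

```python
import hashlib
import hmac

STEP = 30  # seconds per time window (assumed value)

# Constructed sample: per-machine secrets provisioned on authorized PCs and
# stored server-side. The device ID and secret are made up.
DEVICE_SECRETS = {"pc-017": b"constructed-secret-for-pc-017"}


def device_token(secret, now):
    """Client side: HMAC-SHA256 over the current time window number."""
    window = int(now) // STEP
    return hmac.new(secret, str(window).encode(), hashlib.sha256).hexdigest()


def verify_token(device_id, token, now, skew=1):
    """Server side: accept a token for the current window +/- `skew` windows."""
    secret = DEVICE_SECRETS.get(device_id)
    if secret is None:
        return False  # unknown machine
    for drift in range(-skew, skew + 1):
        expected = device_token(secret, now + drift * STEP)
        # Constant-time comparison so timing does not leak the expected token.
        if hmac.compare_digest(expected, token):
            return True
    return False
```

The token proves possession of the secret stored on the PC, so it is only as strong as the protection of that secret on the machine.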
VGR
Mentor

« Reply #4 on: March 19, 2008, 05:16:13 PM »

Well, you can't set the NIC to a MAC address if it's already present in the network (IMHO). It's more robust than the IP@ alone.

For the range, I meant if your LAN is on DHCP then you know the range it's been assigned to.

Perhaps I misunderstood the issue.

If the question is "how to allow safe remote access from the internet address space to my extranet" then identifying user (login+password) is usually enough; add the hardware identification (MAC address is the best; the volume ID of the hard drive is another option - and you can't change it ;-) - but it's probably for paranoid sysadmins ;-)

techie overlord, answers all kind of questions on http://www.europeanexperts.org
rdivilbiss
Moderator
« Reply #5 on: March 21, 2008, 07:46:37 PM »

If the branches have dedicated connections, as well they should, then this is safe as you are on a private net, not necessarily connected to the Internet, nor necessarily connected to the Internet.

If your client locations cannot afford private data connections and must connect to the home office via the Internet you must use some sort of secure tunnelling protocol to ensure security. Even MAC alone will not suffice to keep the hackers away.

AKA a virtual private network.

For example: http://www.cisco.com/en/US/products/sw/secursw/ps2308/


Rod
thepreacher

« Reply #6 on: March 22, 2008, 04:32:41 AM »

Thanks for your help guys, all the ideas are great; however, there is one thing that needs to be addressed: we need to be able to restrict access to a staff with an authentic username and password who is trying to log in from a branch he is not authorised in. Is there any way we can identify via router MAC address, if it is going through the internet?
GrandSchtroumpf
Mentor

« Reply #7 on: March 22, 2008, 06:09:46 AM »


> well you can't set the NIC to a mac address if it's already present in the network (IMHO).

I'm not sure that is correct... I think it depends on the "network".  By "network" we understand all the computers that use the same internet connection (same public IP visible from the internet).

Anyway, the server is on the internet which means that there is no way it can access the MAC address directly.  Any computer could mimic the conversation that sends the MAC address to the server.

IPv6 should allow identifying a specific computer, but we'll need to wait a little bit for that.


> For the range, I meant if your LAN is on DHCP then you know the range it's been assigned to.

We are talking about the public IP of the internet connection which has nothing to do with the LAN.
You'll need to ask for the ISP's DHCP range(s).


> we need to be able to restrict access to a staff with an authentic username and password who is trying to login from a branch he is not authorised in

That's what we said. If the branches have different public IPs (or IP ranges) then you can restrict the login based on the IP address. Visit a page that echoes your public IP, like http://whatsmyip.org/ or http://whatismyipaddress.com/ from each branch to see what their public IP is. If the IPs are different, then you have a way to identify each branch.

If the public IP's are dynamically allocated (they might change), most routers support dynamic DNS with services like No-IP (http://www.no-ip.com/).  If the branches use that, your server can do a DNS lookup to identify which branch uses which IP address.  For instance "branch1.no-ip.com" would resolve to branch 1's IP address,  "branch2.no-ip.com" would resolve to branch 2's IP address.


> is there any way we can identify via router mac address, if it is going through the internet

No, there is no way using IPv4...  IPv6 might make it possible.  IPv6 adds some routing information as well as the MAC address.


Cheers.
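One way to implement the per-branch IP restriction described in the reply above, including the dynamic-DNS lookup (added example, not code from the thread). The branch names, hostnames, address ranges and staff table are constructed, and `remote_ip` is assumed to be the peer address of the connection as seen by the web server.

```python
import ipaddress
import socket

# Constructed sample policy: each branch has static CIDR ranges and/or a
# dynamic-DNS hostname kept up to date by the branch router. All values are
# made up (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).
BRANCHES = {
    "branch1": {"cidrs": ["192.0.2.0/28"], "ddns": None},
    "branch2": {"cidrs": [], "ddns": "branch2.example.net"},
}
# Constructed sample: branches each staff login may be used from.
STAFF_BRANCHES = {"alice": {"branch1"}, "bob": {"branch1", "branch2"}}


def system_resolver(hostname):
    """Return the set of IPv4 addresses a hostname currently resolves to."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    except socket.gaierror:
        return set()  # fail closed: an unresolved name matches nothing
    return {info[4][0] for info in infos}


def branch_for_ip(remote_ip, resolver=system_resolver):
    """Map the connection's source IP to a branch name, or None."""
    ip = ipaddress.ip_address(remote_ip)
    for name, cfg in BRANCHES.items():
        if any(ip in ipaddress.ip_network(c) for c in cfg["cidrs"]):
            return name
        if cfg["ddns"] and remote_ip in resolver(cfg["ddns"]):
            return name
    return None


def login_allowed(username, password_ok, remote_ip, resolver=system_resolver):
    """Valid credentials AND a source IP that maps to an allowed branch."""
    if not password_ok:
        return False
    branch = branch_for_ip(remote_ip, resolver)
    return branch is not None and branch in STAFF_BRANCHES.get(username, set())
```

Pass the socket peer address, not a value taken from a client-supplied header, and note that every PC behind a branch's router shares that branch's public IP.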
VGR
Mentor

« Reply #8 on: March 22, 2008, 02:10:41 PM »

You can know if a connection is going via a router without any MAC address. The server should try to traceroute (tracert) the remote IP@ and thus get the complete route; if the first device out of the company's network is some internet router, then it's an external connection.

You may do that.

You should perhaps simply drop a small executable or service on the valid nomad PCs, like I wrote earlier. You would know which machine it is and if it's genuine.

techie overlord, answers all kind of questions on http://www.europeanexperts.org
thepreacher

« Reply #9 on: March 30, 2008, 02:50:58 PM »

Thanks guys for all your help, much appreciated.
rdivilbiss
Moderator
« Reply #10 on: March 30, 2008, 06:39:12 PM »

MAC addresses can be cloned and spoofed.

Rod