Make internet application available only for intranet


I have an application running on an external server, accessible to anyone who has the URL. However, I need access to be limited to certain groups that are on the intranet.

Example: "Employee A" from "Company A" needs to access the application. He will only get access if "Employee A" is connected to the internet of "Company A".

  • Restrict IP access. If the IP of the company you need to access is dynamic, you will need to use a DDNS service.

  • @rodorgas IP can be easily defrauded. A more mature solution from the security point of view should be adopted.

  • @utluiz Defraud the IP?? IPs are controlled by the ISP, how could there be fraud? Maybe we’re talking about different things, I mean setting up on the external server a firewall rule that only allows access to connections made from the IP of company A (external IP). In that case, the possibility of fraud is totally absurd.

  • @rodorgas IPs are controlled by ISPs just as phone numbers are controlled by operators. Anyone can clone a chip or fake the IP of a request, which arrives at the target server after going through a series of routers that you do not control and have no way to verify the source safely. Unless you are inside a VPN, an IP number means nothing, otherwise we wouldn’t need certificate authorities to certify the origin of the data.

  • @utluiz I am interested in any reference that supports the statement "anyone can falsify the IP of a request [at internet level]". Between that and cloning a chip is an argumentative leap, remembering that the OP probably does not use mobile internet. I consider the restriction by IP a sufficient measure in this case, even more so because in corporate plans the IP is in the contract. The VPN is safer for other reasons, but it seems overkill in this situation. Anyway, I usually also restrict by IP the connection requests in the VPN.

  • @rodorgas It’s not overkill, it’s basic. Falsifying IP is the oldest thing on the Internet. https://en.m.wikipedia.org/wiki/Spoofing_attack

  • @rodorgas It’s not just IP. Some routers usually come with a MAC address filter. In the same way as an IP, this is a number that can be easily forged by changing fan board extras. You can add a minimum of security against nosy nephews, but it’s nothing against a real attack. In any discussion about security you will hear that the minimum security required for secure communication is to use asymmetric encryption. An acceptable answer could involve using HTTPS plus a filter by IP, but never only IP.

  • @utluiz Through MITM. You need to have control of the network to compromise it, and this does not happen at the internet level.

  • @rodorgas The Internet is composed of thousands of routers. Routers when checking who is sending the packets. You can assemble a network packet as if it were from an acceptable source and send it by any router.

  • @rodorgas MITM is one of the possible attacks that can be combined with IP Spoofing. Some more details here: http://stackoverflow.com/q/437146/1683070

  • @rodorgas I found your argument about having an ISP contract particularly interesting. If someone circumvents the contract’s IP address, you think they’ll be held accountable?

No answers
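
The combination suggested in the comments (HTTPS plus an IP filter, never the IP alone), sketched as an added example that is not code from the thread: the source address only narrows who may try, and the decision rests on a cryptographically verified identity. The network range, the certificate name and the `Connection` fields are constructed for illustration, and the TLS layer is assumed to have already validated the client certificate.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample values (documentation address range, hypothetical certificate name).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]
ALLOWED_CLIENT_CNS = {"employee-a.company-a.example"}

@dataclass(frozen=True)
class Connection:
    peer_ip: str                  # address of the TCP peer, as seen by the server
    tls: bool                     # True if the request arrived over HTTPS
    client_cert_verified: bool    # True if the TLS layer validated a client certificate
    client_cert_cn: Optional[str] # subject common name of that certificate

def ip_allowed(peer_ip: str) -> bool:
    """Coarse filter: is the peer inside one of the company's external ranges?"""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in ALLOWED_NETWORKS)

def authorize(conn: Connection) -> Tuple[bool, str]:
    """The IP check alone never grants access; identity must also be proven."""
    if not ip_allowed(conn.peer_ip):
        return False, "source address outside allowed networks"
    if not conn.tls:
        return False, "plain HTTP refused"
    if not conn.client_cert_verified or conn.client_cert_cn is None:
        return False, "no verified client certificate"
    if conn.client_cert_cn not in ALLOWED_CLIENT_CNS:
        return False, "certificate not authorized for this application"
    return True, "ok"

if __name__ == "__main__":
    samples = [
        Connection("203.0.113.5", True, True, "employee-a.company-a.example"),
        Connection("203.0.113.5", True, False, None),   # right IP, no identity
        Connection("198.51.100.7", True, True, "employee-a.company-a.example"),
    ]
    for c in samples:
        print(c.peer_ip, authorize(c))
```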
