Login ProductsSalesSupportDownloadsAbout |
Home » Technical Support » ElevateDB Technical Support » Support Forums » ElevateDB General » View Thread |
Messages 1 to 10 of 11 total |
Remote Security - Local Subnet |
Tue, May 7 2013 12:11 PM | Permanent Link |
Norman Clark Clark-Tech Inc. | Not specifically an ElevateDB issue but my client wishes to restrict use of an application I am developing to certain users such that only some can use the application away from "the office". Since the application is self-contained and the users accesses an ElevateDB server in client-server fashion it is somewhat difficult to restrict the use of the application if a user simply copies the app to a USB stick and takes it home. I have already developed a user security system to control the functional access to components of the application so I have a backbone to build on.
The difficulty I'm facing is to somehow detect if the user is running the application from "the office'. Obviously I can determine the IP address of the user's station as well as the external (assigned to the NAT router by the IP provider) behind which the user's station is running. Since most offices operate behind a NAT router, the IP's assigned by the DHCP server are usually a non-routeable address. Since such IP ranges are not unique, I can't rely only on the IP address of the user's station being in a specified range/subnet (i.e. 192.168.1.1-192.168.1.254). Additionally, if the client's LAN is serviced by an internet provider that only issues a dynamic IP then I can't rely on a "static" external IP address of the stations in "the office" since that could change each day or anytime the router is rebooted. I understand that each session of an ElevateDB server knows the IP address of the station that has initiated the session but as above, that in of itself is not sufficient to determine if the session was originated from within "the office" or outside the local LAN. Obviously I could write a messaging service that runs on a server in "the office" LAN that pings the stations on the LAN but obviously wouldn't ping a station outside the router/LAN subnet but that seems like such overkill and needless overhead for such a simple restriction. Do any of my colleagues on these fine forums have any brilliant suggestions to my client's requirement? |
Tue, May 7 2013 1:33 PM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Norman
Never had to do anything of that nature myself. Only one thought occurs to me - have a server side routine that reads the local MAC address and hard driver serial number and merges them together. Hard code that into the app and check on start up. Roy Lambert |
Tue, May 7 2013 2:04 PM | Permanent Link |
Norman Clark Clark-Tech Inc. | Roy Lambert wrote:
Norman Never had to do anything of that nature myself. Only one thought occurs to me - have a server side routine that reads the local MAC address and hard driver serial number and merges them together. Hard code that into the app and check on start up. Roy Lambert -------------------------------- Roy: What you are implying is to maintain a list of stations on the LAN and compare the user's station to that list in order to confirm that it is a station "in the office". On the surface, that approach appears to be a maintenance headache My experience is that stations come and go due to hardware/software failures and users can log in/access the application from any station on the LAN. I think I need an other approach that doesn't require any administrative maintenance. Thanks for the suggestion. |
Tue, May 7 2013 3:07 PM | Permanent Link |
Raul Team Elevate | Norman,
Would need some more info on various scenarios that are allowed (it almost lokos like there might be multiple "offices" here) to better suggest things. How do the users access the EDB server remotely vs "in the office" - just by public IP or is there VPN involved. if they're using a public IP then you can determine that at connect time and just check that username logging in is allowed remote access (since DB connection is going to remote IP which you know). If VPN then see if you can detect that (in our office for example I get a special DHCP IP for VPN connections) or maybe some other way to check for the presence of vpn connection. Other ways to detect if PC is "in the office" - is the DNS domain on the internal LAN something unique or is workstation in a windows domain? If either is yes then you can check for that. - this is most work but i would not ping workstations from yoru service but reverse. Have a service running in the office that your app can ping and if if gets a reponse then it knows it's on the LAN. Can even use some existing services (like ftp or web server that is internal only). Raul On 5/7/2013 12:11 PM, Norman Clark wrote: > Not specifically an ElevateDB issue but my client wishes to restrict use of an application I am developing to certain users such that only some can use the application away from "the office". Since the application is self-contained and the users accesses an ElevateDB server in client-server fashion it is somewhat difficult to restrict the use of the application if a user simply copies the app to a USB stick and takes it home. I have already developed a user security system to control the functional access to components of the application so I have a backbone to build on. > > The difficulty I'm facing is to somehow detect if the user is running the application from "the office'. Obviously I can determine the IP address of the user's station as well as the external (assigned to the NAT router by the IP provider) behind which the user's station is running. Since most offices operate behind a NAT router, the IP's assigned by the DHCP server are usually a non-routeable address. Since such IP ranges are not unique, I can't rely only on the IP address of the user's station being in a specified range/subnet (i.e. 192.168.1.1-192.168.1.254). Additionally, if the client's LAN is serviced by an internet provider that only issues a dynamic IP then I can't rely on a "static" external IP address of the stations in "the office" since that could change each day or anytime the router is rebooted. I understand that each session of an ElevateDB server knows the IP address of the station that has initiated the session but as above, that in of itself is not sufficien t to determine if the session was originated from within "the office" or outside the local LAN. > > Obviously I could write a messaging service that runs on a server in "the office" LAN that pings the stations on the LAN but obviously wouldn't ping a station outside the router/LAN subnet but that seems like such overkill and needless overhead for such a simple restriction. > > Do any of my colleagues on these fine forums have any brilliant suggestions to my client's requirement? > |
Tue, May 7 2013 4:00 PM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Norman,
<< Not specifically an ElevateDB issue but my client wishes to restrict use of an application I am developing to certain users such that only some can use the application away from "the office". Since the application is self-contained and the users accesses an ElevateDB server in client-server fashion it is somewhat difficult to restrict the use of the application if a user simply copies the app to a USB stick and takes it home. I have already developed a user security system to control the functional access to components of the application so I have a backbone to build on. The difficulty I'm facing is to somehow detect if the user is running the application from "the office'. >> Are they using a domain controller and active directory services on their network in the office ? If so, then a simple ADS lookup as part of this event handler in a customized EDB Server (edbsrvr.dpr project) will do what you want: http://www.elevatesoft.com/manual?action=viewtype&id=edb2&product=delphi&version=7&type=TEDBServerSessionLoginEvent You can use the ProcessName that comes through this event to do an ADS computer lookup. The part of the ProcessName up to the colon (is the Windows computer name that can be used for the lookup. If the lookup fails, then you can reject the login of the user to the EDB Server. If you'd like to pursue this, just let me know and I'll post some code. Tim Young Elevate Software www.elevatesoft.com |
Wed, May 8 2013 2:30 AM | Permanent Link |
Roy Lambert NLH Associates Team Elevate | Norman
Sorry I obviously misunderstood what you were asking. Just to clarify - anyone is allowed to access your app if they are on the LAN, but only a selected few if on a WAN. Is that what you're saying? I'd post this over on the Embarcaderoo groups as well. There are some very good people on there as well as a sprinkling of idiots and prats. Roy Lambert |
Wed, May 8 2013 6:02 PM | Permanent Link |
Norman Clark Clark-Tech Inc. | "Tim Young [Elevate Software]" wrote:
Norman, << Not specifically an ElevateDB issue but my client wishes to restrict use of an application I am developing to certain users such that only some can use the application away from "the office". Since the application is self-contained and the users accesses an ElevateDB server in client-server fashion it is somewhat difficult to restrict the use of the application if a user simply copies the app to a USB stick and takes it home. I have already developed a user security system to control the functional access to components of the application so I have a backbone to build on. The difficulty I'm facing is to somehow detect if the user is running the application from "the office'. >> Are they using a domain controller and active directory services on their network in the office ? If so, then a simple ADS lookup as part of this event handler in a customized EDB Server (edbsrvr.dpr project) will do what you want: http://www.elevatesoft.com/manual?action=viewtype&id=edb2&product=delphi&version=7&type=TEDBServerSessionLoginEvent You can use the ProcessName that comes through this event to do an ADS computer lookup. The part of the ProcessName up to the colon (is the Windows computer name that can be used for the lookup. If the lookup fails, then you can reject the login of the user to the EDB Server. If you'd like to pursue this, just let me know and I'll post some code. Tim Young Elevate Software www.elevatesoft.com ------------------------------------------------------------------ Tim: Good approach but unfortunately I can not guarantee that the application will always be run on a LAN governed by an Active Directory server. This application will be used by several different companies and not all of them will have an active domain server. Some could rightly be run on a workgroup LAN. I've pretty much come to the conclusion that I need to have a small service running on the network that can be queried by the application to confirm a local connection. Ideally, I could find a very small telnet server running as a service that would produce a unique "hello there" response to a client socket connection. I've started looking for such a beast but to date I have not found an example. I hate to have to roll my own but will venture into the maze of threads and such unless a simple solution surfaces soon. It would be oh so convenient if the ElevateDB server could somehow know if the session originated from a LAN connection. On the other hand it is a dumb requirement of my client ... on the other hand, the client is always right Thanks again, |
Wed, May 8 2013 7:15 PM | Permanent Link |
Raul Team Elevate | On 5/8/2013 6:02 PM, Norman Clark wrote:
> I've pretty much come to the conclusion that I need to have a small service running on the network that can be queried by the application to confirm a local connection. Ideally, I could find a very small telnet server running as a service that would produce a unique "hello there" response to a client socket connection. I'd suggest use a web server instead of telnet - easier to query and return a unique response (just echo client remote IP back or something like that). Plenty of light http server around or you can write your own (as i recall even EDB source code includes one in the edbutils i think or EWB if you own that) Raul |
Thu, May 9 2013 10:59 AM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com | Norman,
<< I've pretty much come to the conclusion that I need to have a small service running on the network that can be queried by the application to confirm a local connection. Ideally, I could find a very small telnet server running as a service that would produce a unique "hello there" response to a client socket connection. I've started looking for such a beast but to date I have not found an example. I hate to have to roll my own but will venture into the maze of threads and such unless a simple solution surfaces soon. >> Why not just pop a TEDBEngine component in a small application and use this event to handle a custom procedure for responding to such requests: http://www.elevatesoft.com/manual?action=viewevent&id=edb2&product=delphi&version=7&comp=TEDBEngine&event=OnServerProcedure Then you don't need anything extra in your application besides a separate TEDBSession component (SessionType=stRemote) along with a couple of settings that determine the IP address/host/port of your "special server" to connect to and send the "confirmation request". Just throwing out ideas here. Tim Young Elevate Software www.elevatesoft.com |
Mon, May 13 2013 11:54 AM | Permanent Link |
Norman Clark Clark-Tech Inc. | "Tim Young [Elevate Software]" wrote:
Norman, << I've pretty much come to the conclusion that I need to have a small service running on the network that can be queried by the application to confirm a local connection. Ideally, I could find a very small telnet server running as a service that would produce a unique "hello there" response to a client socket connection. I've started looking for such a beast but to date I have not found an example. I hate to have to roll my own but will venture into the maze of threads and such unless a simple solution surfaces soon. >> Why not just pop a TEDBEngine component in a small application and use this event to handle a custom procedure for responding to such requests: http://www.elevatesoft.com/manual?action=viewevent&id=edb2&product=delphi&version=7&comp=TEDBEngine&event=OnServerProcedure Then you don't need anything extra in your application besides a separate TEDBSession component (SessionType=stRemote) along with a couple of settings that determine the IP address/host/port of your "special server" to connect to and send the "confirmation request". Just throwing out ideas here. Tim Young Elevate Software www.elevatesoft.com ---------------------------------------------- Tim: Good suggestion. I wanted a simple, easy-to-maintain/support solution to this problem so I preferred a service application that could be installed as part of the engine deploy. I finally wrote a simple TCP service based on Francois Piette's ICS products (http://www.overbyte.be) that would respond to a socket connection from the client application using an uncommon port. In this way I could be absolutely assured that the application was operating on the LAN hosting the engine. The other suggested approaches could be thwarted by a knowledgeable user who added an entry to their Hosts file that mapped the local server name to the remote engine port. Perhaps I overthink these kind of potential problems but I do like my apps to be rather bullet-proof. Thanks to all for the suggestions. I anyone needs a copy of the sample service /client code then drop me a line. |
Page 1 of 2 | Next Page » | |
Jump to Page: 1 2 |
This web page was last updated on Saturday, May 4, 2024 at 12:54 AM | Privacy PolicySite Map © 2024 Elevate Software, Inc. All Rights Reserved Questions or comments ? E-mail us at info@elevatesoft.com |