Is there a way to programmatically prevent certain MAC addresses from accessing my web application - asp.net

I am using Windows Server 2003 and 2008.
I am about to install a web application on a server that is connected to other computers using a simple wired network, i.e. no Active Directory, no domain controller, etc.
My question is:
Is there a way to prevent MAC addresses outside my specified list from accessing my application? Should it be through IIS or Web.config, or should I put certain code in the page load events?
Another concern: if I use SSL to secure my application, is it enough, along with a reputable antivirus, to prevent a virus from accessing my server through any network computer using my web application?

I don't think this is possible.
If you visualise the route from the client to your server; along this route there are 'hops', i.e., routers and switches which route the client's request down one of multiple paths.
At each hop a different MAC address is inserted into the packet - this is the MAC address of the next hop on the route.
So although the IP address always stays the same throughout the entire route (hence you can use the server variables or such like to determine the client's IP address) the MAC that you receive at the server after the final hop is actually the MAC address of the last networking device that the request was directed through.
The only way you'd be able to accurately use this MAC address for some sort of access control is if you had no routing or switching hardware between you and all the clients.

What if routing is involved - the MAC address you'd like to exclude is on another network? In that case you'll never see the MAC address. Using IIS you CAN filter specific IP addresses.
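To illustrate the IIS option in the answer above, here is an added web.config fragment (not from the original answer) for IIS 7 on Server 2008 that denies every client address except a listed subnet. It assumes the addresses are placeholders, that the "IP and Domain Restrictions" role service is installed, and that the ipSecurity section, which is locked at server level by default, has been unlocked in applicationHost.config so a site's web.config may set it. On Server 2003/IIS 6 the same restriction is configured in the site's Directory Security settings rather than in web.config.

```xml
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": every address not explicitly allowed below gets HTTP 403 -->
      <ipSecurity allowUnlisted="false">
        <!-- Placeholder subnet: replace with the LAN range that may reach the application -->
        <add ipAddress="192.168.10.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- Placeholder single host (no subnetMask means exactly this address) -->
        <add ipAddress="192.168.20.15" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

What IIS sees is the source address of the last hop, so clients behind NAT or a proxy all share one address; address filtering is a network-layer control and not a substitute for authenticating users.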

The simplest way to secure a network (also the minimum requirement, else it is considered a non-secure network):
1. Get Cisco switches and a router (or a multilayer switch).
2. Change the native VLAN, then create and configure VLANs, for example 10, 20, 30, and put ranges of IPs for each VLAN.
3. Enable port security: set the max number of MAC addresses and enable MAC address "sticky".
4. Configure a routing protocol to allow switches to "talk" to each other.
Good luck.

Related

How to connect two devices through Wifi without using mDNS?

I have an embedded webserver running on a device. Now I want a smartphone app to connect to the webserver. They are on the same wifi network but they don't know each others IP addresses.
I understand that this problem is often solved by implementing the mDNS protocol on the server. But are there any alternatives? Can the server maybe ask for specific IP address or similar?
If it has to be entirely automated, such that the embedded webserver is discoverable, perhaps scan the entire netblock looking for the correct response "http://[IP_address]/yes-im-the-one" from your embedded webserver?
Although beware, some network monitors may then consider the IP of your smartphone/device that does that scan "dangerous" and cut it off from the network - this is probably only a "big enterprise" problem.
...after you "find" your server, perhaps the application should cache/remember this, so it doesn't have to scan next time.
Other things you could do: give your embedded webserver a static IP on the LAN, either by setting this on the device itself, or via a DHCP reservation from whatever is the local DHCP server on the LAN.
What a lot of embedded devices do is come delivered with a static LAN IP already set on them; then it's up to the sysadmin to change their computer's IP temporarily to be in the same range, after which they can visit the webserver or telnet into the default IP and change it to what they want (to match their network's IP range).

FTP to external address from server on internal network

I am at a large University, with servers set up on the University network. The network has internal (10...) IP addresses, and external (129...) IP addresses. I have a ColdFusion-based business process which FTPs data from an external server.
The server on which the ColdFusion instance is based has several (about 10) IP addresses associated with it, both internal and external. It has one primary address, which has been, until recently, external.
Using Wireshark, we have been able to see which IP is used, and it is never the primary, but other than that, it does not seem to follow any logic.
We recently changed the primary IP for the server to an internal address, to comply with new University-wide security policies, and the FTP connection from ColdFusion stopped working. Using Wireshark, we've confirmed it is going out on one of the internal (10...*) IP addresses (not the primary).
Is there a way to control which IP ColdFusion uses for an FTP connection, either through system configuration, or programmatically?
Code for the FTP call:
// CFScript: build an SFTP connection from the partner configuration
var ftpService = new ftp(
    username = partnerConfig.sftpLogin,
    connection = "MyConnection",
    password = partnerConfig.sftpPw,
    fingerprint = partnerConfig.sftpFingerprint,
    server = partnerConfig.sftpServer,
    secure = "yes"   // secure="yes" selects SFTP rather than plain FTP
);
var result = ftpService.open();
// List the partner's inbound folder; the listing is stored under the query name "dirlist"
var result2 = ftpService.listdir(directory = partnerConfig.inFolder, name = "dirlist");
var result3 = result2.getResult();
EDIT: My server guy tells me that this University is fairly unique in how it configures the subnets. NO firewall exceptions are allowed from the 10.* subnet. The "Public" IPs are not public by default, simply the ones which are capable of having exceptions.
FURTHER EXPLANATION: It comes down to the rules and IP addresses the main IT org at the university set up. The 10.x.x.x IPs are never allowed access outside the university ("internal"). 129.x.x.x IPs may have firewall exceptions ("external"). If I type ipconfig (it's Windows), I see about 10 static IP addresses, half of which are 10.x.x.x, and half of which are 129.x.x.x. When the "primary" IP for the machine was a 129.x.x.x address, ColdFusion chose one of the OTHER 129.x.x.x addresses for the outgoing IP for the connection. With the "primary" IP switched to a 10.x.x.x IP, ColdFusion is choosing one of the OTHER 10.x.x.x addresses for the outgoing connection. My choices, as far as I can tell, are 1) Switch the primary back to a 129.x.x.x for the server; 2) Move the site to a different server with a primary of 129.x.x.x, and keep other sites on the server in compliance with the new policy; 3) See if I can figure out how to control which IP ColdFusion chooses from the 10 static IPs on the server.
Our admin figured it out. We needed to add a static route to the server, so that whenever ColdFusion (or any application) tries to connect to the specific destination we were FTPing to, it goes through a specific outgoing IP address.
This was not something I was familiar with, but a quick search gives the basics: http://technet.microsoft.com/en-us/library/dd469825.aspx
You have an internal IP address and you are not sure what the external is? This sounds like a network bridge issue. What you are looking for is an FTP proxy or some tool that associates an externally assigned IP to an internally assigned IP for port 22 (or whatever you set your port to). Look at: http://wiki.squid-cache.org/Features/FtpGateway
FTP reverse proxy
It sounds like your IPs (even internally may not be static)...or maybe it just feels that way. Make sure your internal IP is static.
Read about FTP port forwarding: Here are some port forwarding guides.
Other keywords FTP bridge, FTP one-to-one mapping, among others.
Good luck.
I had a similar question regarding the cfmail tag:
Force cfmail tag to send from a specific server IP address
Unfortunately, I didn't get an answer that worked. ColdFusion seems to pick (seemingly at random) which source IP address is used.

Obtaining MAC address

According to Obtain client MAC address in ASP.NET Application, it is not possible. I am not entirely convinced because whenever I connect to Tim Hortons WiFi, my MAC address is known.
Occasionally, the network is slow and I see this URL like this before being redirected to the Connect page:
http://timhortonswifi.com/cp/tdl3/index.asp
?cmd=login
&switchip=172.30.129.73
&mac=60:6c:66:17:1a:83
&ip=10.40.66.229
&essid=Tim%20Hortons%20WiFi
&apname=TDL-ON-NEP-02177-WAP1
&apgroup=02177
&url=http%3A%2F%2Fweather%2Egc%2Eca%2Fcity%2Fpages%2Fon-72_metric_e%2Ehtml
So according to this URL, the site knows the IP address of the router, my MAC address, the IP address assigned to my device by the router, the network SSID, some other pieces of information, and the URL I was trying to access prior to connecting.
There's two options: Tim Hortons WiFi Basic and Tim Hortons WiFi Plus, where the "Plus" option allows me to connect to any Tim Hortons WiFi access point in Canada automatically with this device. Registration requires an email address, so I'm assuming this is possible by checking the MAC address and storing it in a database that routers ping upon connection. More info here.
According to the extension of this page, I can safely assume it is ASP. How are they obtaining this information?
When your client traffic reaches the first router, that router will route the traffic to the appropriate port, replacing the MAC address with its own MAC address so the answer will be routed back to it. And this will happen for each of the routers the packets travel through. So, at the end, the web server will only see the MAC address of the last router, to which the answer will be sent to be routed back to the previous router, and this process is repeated until the answer reaches the client.
No, there is no way to obtain the MAC address of the client from the server side.
But what you are seeing is a client sending its information to a server. So the question can be converted into "how can I obtain my local MAC address and send it to the server?".
Browsers do not allow reading this information. Some properly signed/configured ActiveX or Java applets can do it, but they can be blocked, or you may have some device that will not execute Java or ActiveX, so it is not a reliable way of doing it.
In the case in your post, the easiest way of doing it is configuring the WiFi access point's DHCP or DNS server to serve a proxy configuration file that sets up a redirection to the desired web server, a redirection that has been created inside the access point, which has all the information shown in your post.

How to get the MAC address of the visitors' PC in an ASP.NET webApp?

In an ASP.NET (C#) WebApp, I can get the IP of the visitors' PC easily, But How to get the MAC address of the visitors' PC in an ASP.NET webApp?
And this ASP.NET app is running on the inner intranet of our company, and the visitors are also on the same inner intranet of our company.
The MAC address is not part of the IP header (or any other protocols above that), and thus not available if all you see is the HTTP traffic.
EDIT (after OP's update): Since clients and servers are on the same internal network, wouldn't it be better to get a host name from the IP address instead of the MAC address? You can easily look up the host name based on the IP address.
The answer that immediately comes to mind, is that this is only possible if you write an ActiveX control that runs in the client browser to obtain this information on your behalf. On the other hand it might be possible with JavaScript on the client if the javascript can instantiate a COM object that will get the information. The only other way I can think of is have a windows service that does an ARP request once the IP has been captured.
You can't easily do this. There are protocols such as ARP which allow translation between MAC and IP addresses, but this traffic is typically behind a firewall and so not available to you on a public website.
On an intranet, you might be able to do something, but not via ASP.NET. You would need to use other mechanisms to capture this information - but those kinds of tools (e.g. packet sniffers) are generally not available to developers and may contravene corporate IS policies.
Since you're on the same subnet, you can P/Invoke GetIpNetTable to get the webserver's ARP table. If you do this real-time, no additional work would be necessary - since you're having a conversation with the client, you'll have the ARP info. Otherwise, you'd need to construct an ARP request or some IP traffic (say, a ping) to get it in the cache - and note that due to DHCP and other network vagaries (like a machine being turned off), it is possible that converting IP to MAC later will yield a different answer.
Note also that any external clients (ie., ones across a router) just won't show up in the table - so be prepared to deal with that as well. If you need a MAC for them for some reason, it's technically your router's MAC.
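The GetIpNetTable approach from the answer above, as an added example that is not the answerer's code: a P/Invoke wrapper that scans the web server's own ARP cache for the client's IPv4 address and returns null for anything not on the local subnet (the struct layout follows the Win32 MIB_IPNETROW definition; IPv6 neighbours are not covered).

```csharp
using System;
using System.Net;
using System.Runtime.InteropServices;

static class ArpLookup
{
    [DllImport("iphlpapi.dll", ExactSpelling = true)]
    static extern int GetIpNetTable(IntPtr pIpNetTable, ref int pdwSize, bool bOrder);
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    // MIB_IPNETROW: dwIndex, dwPhysAddrLen, bPhysAddr[8], dwAddr, dwType (24 bytes, no padding)
    [StructLayout(LayoutKind.Sequential)]
    struct MibIpNetRow
    {
        public int Index;
        public int PhysAddrLen;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] public byte[] PhysAddr;
        public uint Addr;  // IPv4 address in network byte order
        public int Type;   // 1 other, 2 invalid, 3 dynamic, 4 static
    }

    // Returns "aa:bb:cc:dd:ee:ff" for a client on the server's own subnet, or null when the
    // address is not in the ARP cache (e.g. a client behind a router, or an entry that aged out).
    public static string MacForIp(IPAddress clientIp)
    {
        if (clientIp.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork) return null;
        int size = 0;
        // First call with no buffer: Windows reports the size it needs
        if (GetIpNetTable(IntPtr.Zero, ref size, true) != ERROR_INSUFFICIENT_BUFFER) return null;
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            if (GetIpNetTable(buf, ref size, true) != 0) return null;
            int count = Marshal.ReadInt32(buf);          // dwNumEntries
            uint target = BitConverter.ToUInt32(clientIp.GetAddressBytes(), 0);
            int rowSize = Marshal.SizeOf(typeof(MibIpNetRow));
            IntPtr rowPtr = IntPtr.Add(buf, 4);          // first MIB_IPNETROW follows the count
            for (int i = 0; i < count; i++, rowPtr = IntPtr.Add(rowPtr, rowSize))
            {
                var row = (MibIpNetRow)Marshal.PtrToStructure(rowPtr, typeof(MibIpNetRow));
                if (row.Addr == target && row.Type != 2 && row.PhysAddrLen == 6)
                    return BitConverter.ToString(row.PhysAddr, 0, 6).Replace('-', ':');
            }
            return null;
        }
        finally { Marshal.FreeHGlobal(buf); }
    }
}
```

In a page or handler, `ArpLookup.MacForIp(IPAddress.Parse(Request.UserHostAddress))` only succeeds while the client's entry is still cached, so treat the result as an inventory hint rather than as an authentication factor.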

Create a Windows (win32) service discoverable across the network

In short: How to reliably discover a server running somewhere on a (presumably multi-segmented) local area network with zero client configuration
My client application has to locate the server application without knowing the server IP address. It has to work on a local LAN that may be split into segments with hubs or other switching devices.
I already have a working solution, but it is a bit cumbersome to get it working on multi-segment networks. It works as follows:
When the client starts up, it sends UDP broadcasts on its own network segment. If the server is running on the same segment, it works without any issues - the server responds with the appropriate messages.
If the server and client are running on networks separated by a hub / switch that won't forward UDP (the most likely case), then I have a server instance running on each segment, and they forward client requests to each other via TCP - but I need to configure this for the server instances (simple, but still a pain for tech support.) This is the main problem that I need to address. There are sites where we have hundreds of clients running on 5 or 6 separate segments.
The problems I'm facing:
1. Although my application installer enables the appropriate ports on the firewall, sometimes I come across situations where this doesn't seem to happen correctly.
2. Having to run multiple server instances (and therefore configure and maintain them) on hub/switched networks that won't forward UDP
Finally I need a solution that will work without maintenance on a minimal Windows network (XP / 2000 / Vista) that probably doesn't have Active Directory or other lookup services configured.
I don't want to tag on any runtime stuff for this - should be able to do it with plain VC++ or Delphi.
What approaches do commercial apps usually take? I know that SQL Server uses a combination of broadcast and NetBEUI calls (I may be wrong about this).
Thanks in advance.
You have a few terminology issues:
Where you say "network segment" you appear to mean "IP subnet". Devices on the same network segment can see the same IP broadcasts.
Where you say "hub/switch" you appear to mean "IP router".
Where you say "won't forward UDP", the problem is actually "won't forward IP broadcasts".
Once we get past that, you have a few options:
Your servers could register themselves under a well-known name in DNS, if you have a DNS server that allows dynamic DNS updates. You should probably use a SRV record as specified in RFC2782. The clients then do a DNS lookup to find the server(s).
You could statically assign your server(s) well-known names in the organisation's DNS, perhaps with a SRV record as with the previous option.
Your servers could join an IP multicast group, if your routers support IP multicast. The clients then send their initial discovery request as a UDP packet to the (pre-ordained) multicast address.
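The multicast option in the answer above, as an added example that is not from the original thread: the server joins a group and answers probes with its TCP port, and the client sends one probe and waits for the first well-formed reply. The group address, port and message format are assumptions, and routers between subnets must have multicast forwarding enabled.

```csharp
using System;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading;

static class MulticastDiscovery
{
    static readonly IPAddress Group = IPAddress.Parse("239.192.0.7"); // assumed organisation-local group
    const int Port = 47001;                                           // assumed discovery port
    const string Probe = "DISCOVER myservice/1";                      // assumed message format
    const string ReplyPrefix = "SERVICE myservice/1 tcp=";

    // Server side: join the group and answer each probe with the TCP port clients should use.
    public static void RunResponder(int servicePort, CancellationToken stop)
    {
        using (var udp = new UdpClient(new IPEndPoint(IPAddress.Any, Port)))
        {
            udp.JoinMulticastGroup(Group);
            udp.Client.ReceiveTimeout = 500; // wake up regularly to honour the stop token
            while (!stop.IsCancellationRequested)
            {
                var from = new IPEndPoint(IPAddress.Any, 0);
                byte[] data;
                try { data = udp.Receive(ref from); } catch (SocketException) { continue; }
                if (Encoding.ASCII.GetString(data) != Probe) continue; // ignore unrelated group traffic
                byte[] reply = Encoding.ASCII.GetBytes(ReplyPrefix + servicePort);
                udp.Send(reply, reply.Length, from);                   // unicast reply to the asker
            }
        }
    }

    // Client side: one probe to the group, then the first valid answer wins (null on timeout).
    public static IPEndPoint Discover(int timeoutMs)
    {
        using (var udp = new UdpClient(0))
        {
            // Multicast TTL above 1 so multicast-enabled routers forward the probe to other subnets
            udp.Client.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.MulticastTimeToLive, 16);
            udp.Client.ReceiveTimeout = timeoutMs;
            byte[] probe = Encoding.ASCII.GetBytes(Probe);
            udp.Send(probe, probe.Length, new IPEndPoint(Group, Port));
            var from = new IPEndPoint(IPAddress.Any, 0);
            byte[] data;
            try { data = udp.Receive(ref from); } catch (SocketException) { return null; } // timed out
            string text = Encoding.ASCII.GetString(data);
            int port;
            if (text.StartsWith(ReplyPrefix) && int.TryParse(text.Substring(ReplyPrefix.Length), out port))
                return new IPEndPoint(from.Address, port);
            return null; // malformed reply: caller falls back to a DNS SRV lookup or a configured address
        }
    }
}
```

Anything on the LAN can send a probe or a reply, so the client should still authenticate the server it connects to (for example over TLS) rather than trusting the discovered endpoint on its own.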
If you have a domain server, I would go with a small service on it. You can connect other services to it and use it as a distribution point.
Why the domain server? It is relatively easy to find its name (DsGetDcName).
Other choices would include the DHCP server, DNS server or something of that kind that needs to be filled in by maintenance staff anyhow.