Restricting access to website from public

[wrytat]

Hi! I'm very new to ASP.NET and really need some good advice from experts
here.

I'm creating a web application for my company now. This application has 2
parts. 1 part for the customers to access. The 2nd part is for our staff to
access only. My director hopes to make the 2nd part to be something like an
intranet, such that only our company's computers (maybe only 1 or 2 in the
company) can login to this part of the application.

1. My company's intending to put the application on shared server with a web
host. Windows Authentication is NOT allowed.

2. My company doesn't have a static IP address.

3. My manager suggested using Network Card number (which I don't really
quite understand. Is there a way to get the Network Card number that's on a
client PC?).

How??

Some ISP told us that they can provide a firewall management feature such
that it will restrict access to the website from anyone that is not coming
from my company's network. This requires Static IP.

Another told me that IIS Manager has the security feature that restrict
access based on IP address. This requires Static IP again.

Is it possible to implement the 2nd part (the part that is to be accessed by
my company's PC) as a windows application instead? Then we only put the
windows application on one computer. So, 1st part (for the public) will be a
web application, 2nd part (for my company) is a windows application, both
accessing the same database server from an ISP. Will the ISP allow the
windows application to access its database server? I've no experience in
making a windows application at all, is it the same as making a web
application? Please advise.

Do my company really have to get a Static IP? Any comments or other
suggestions please? Thank you.

 

[Thomas]

one workaround for dynamic ips would be to issue client ssl certificates and
then identify your "intranet" users through their ssl certs... in iis6 you
can map client-certificates to windows accounts. but this of course needs
additional requirements on the hoster's side...

another "easy" way is to set up a vpn. this implies having your own server
tho, but lets you very easily create an intranet and access it securely from
anywhere and even with dynamic ips.

- thomas

 

[wrytat]

Thanks. Does that mean my company has to buy a SSL cert? How to identify
users through SSL certs using ASP.NET codes? Is there any articles online? Or
can you help? Sorry for being annoying.

 

[wrytat]

And also what about the web application + windows application suggestion? Is
it not possible? Or is it bad implementation? Or too complicated? Sorry.

 

[wrytat]

I've read up about SSL, and configuring a web application to require client
certificates. So this is how I understand it. Please correct me if I'm wrong.

1. Firstly, I need to go to a certificate authority's web site to apply for
the certificates. The authority will request a CSR file. So, if I'm putting
my web application on an ISP's web server, my ISP will have to generate the
CSR file for me?

2. I'll receive my server certificate from the authority. My ISP will have
to install the certificate on the web server I'm putting the web application
on.

3. My ISP will also have to configure the IIS Settings of the folder where I
put the 2nd part (the "intranet" part) of my application, so that client
certificate authentication is enabled.

4. I've to install the client certificate on my company's computer's web
browser.

What I don't understand is the last step: Installing the client certificate.
Will I get a client certificate from the certificate authority or what? Where
shall I get it? And also, is this client certificate unique? If not, if
someone else's computer also has this client certifcate installed, won't he
be able to access to my website?

 

[Sean]

It should be very easy to implement if you use a database and code to check
who logs in. You can then redirect the user to either part 1 or part 2 of
your web app. Of course you should put some checking code on top of each
page that only allows for certain users.

Happy coding.
Shen

 

[wrytat]

Yes, I understand what you mean. That was actually what I intended to do
initially. But my director was thinking that it's not secure enough as some
hackers (or whoever) might somehow get access to these pages after hacking
the database to find out the password. So he wants to make it such that only
our computer can access to these pages.

 

[Jeff Cochran]

Hi! I'm very new to ASP.NET and really need some good advice from experts
here.

Then you really want to post in the ASP.NET groups, those with dotnet
in the name. This one is for classic ASP code.

Jeff