Last post Oct 07, 2017 04:44 AM by Corrado.Guy
Oct 06, 2017 04:51 AM|Corrado.Guy|LINK
I have an appliance on our corporate network that does not have security built in but we need to lock it down. I created an ASP.NET with VS 2017 and C# web page that uses AD authentication and AD groups to control the security but there is no way to lock
down the appliance. We moved the appliance to a sub-net that is restricted but the problem I am seeing is when I access it with a standard machine it is not able to access the appliance because it is on a restricted sub-net. If I run it from the server with
IIS installed (Server 2012) it works because they are both on the same sub-net. What I need to do is have user authenticate through my web app and then have the appliance web page open through the server so it can actually access the appliance. I looked at
the code from the appliance but it is using Jscript and the actual scripts are on this device so it is harder to configure. It also means each time the code on the appliance is updated I would have to update my application. I was thinking about using the authentication
page as it sits and then create another page that uses something such as an Iframe which would point to the appliance.
Does this make sense or is there another way to do this? Basically whatever I make has to run on the server and not the local machine so it is on the correct part of the network. The appliance uses a simple web interface so I need to embed this into
a web page.
Thanks for any help with this.
Oct 06, 2017 12:55 PM|march11|LINK
That will not secure the device. There will always be a back way to access it if it only sits on a separate subnet. Spoofing sounds like one threat you will not be able to stop.
I think if you could share more about the appliance there may be a way to offer better suggestions. You may wish to talk to the manufacturer to find out some recommendations.
Perhaps your best bet would be to have the JScript call out to an authenticating device when the appliance page first loads to determine if the user accessing it is allowed. If so, complete the page load, if not, drop or redirect. At best less than 2 or
three lines of code, should be easy to maintain. Even after updates.
Oct 06, 2017 01:05 PM|mgebhard|LINK
It could be as simple as configuring IIS to proxy the requests and locking down the appliance so only the proxy can get to it.
Anyway, I would use a proxy. How to configure it is unknown at this point because there is simply not enough information in your original.
Oct 06, 2017 09:29 PM|Corrado.Guy|LINK
Thanks for the feedback. The appliance is a light controller for coloured lights outside of our building so we are not really worried about someone hacking it. The manufacturers of this device have no security in it and no plans to add it so it basically
is what it is. The device has a web interface and that is what we are connecting to right now but we would like to have some controls to limit access into it. The sub-net we put it on is the same as the server so while the users can access IIS they are not
able to access other machines on this sub-net. The idea is to control which users have access to the interface simply to ensure the colour schemes it is running are the ones that department wants.
We did create a reverse proxy which works but it takes away the authentication method I had set up with ASP.NET. If the user is connecting to this device from a computer, AD authentication would work but if they are connecting from their mobile device I am
not sure what would happen at that time. Because the reverse proxy works maybe I will look more into this and see if I can integrate it.
Oct 07, 2017 04:44 AM|Corrado.Guy|LINK
I think the hardest part with this is I do not know the terminology for what I need so it is hard to search for examples to work with. I thought it may be easier if I just wrote out the basic requirements in point form which is probably easier to follow
than what I wrote above.
Those are the basic requirements. I can use whatever method to pull this off but because I can program I decided to use ASP.NET. I work with systems and do not program for a living but this seemed pretty simple and there are a lot of examples so I started
here. We are not trying to secure the site as such but only control which users can access the appliance web page. Our users only have 'user' rights on their machines and there would be little to no point trying to hack into it.
Maybe I am just going about this the hard way. When I looked at the requirements I thought of ASP.NET but maybe there is a better way to do this.
Thanks for any guidance.
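The thread's two pieces, the AD group check and the server-side proxy to the appliance, can live in one ASP.NET handler, shown here as an added example that is not code from any poster. The class name, appliance address and group name are placeholders, and it assumes Windows authentication is enabled in IIS and the handler is mapped to all paths of an application at the site root.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web;

// Added example, not from the thread. Class name, address and group are assumptions.
public class ApplianceProxyHandler : HttpTaskAsyncHandler
{
    private static readonly Uri Appliance = new Uri("http://appliance.example.internal/"); // placeholder
    private const string AllowedGroup = @"EXAMPLE\LightingControl"; // placeholder AD group
    private static readonly HttpClient Client = new HttpClient();
    public override async Task ProcessRequestAsync(HttpContext context)
    {
        // Check on every request, so a deep link cannot skip a landing-page check.
        var user = context.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401; // fallback; IIS normally challenges first
            return;
        }
        if (!user.IsInRole(AllowedGroup))
        {
            context.Response.StatusCode = 403;
            return;
        }
        // Only path and query come from the caller; scheme, host and port stay fixed.
        var target = new UriBuilder(Appliance)
        {
            Path = context.Request.Path,
            Query = context.Request.Url.Query.TrimStart('?')
        }.Uri;

        var outbound = new HttpRequestMessage(new HttpMethod(context.Request.HttpMethod), target);
        if (context.Request.ContentLength > 0)
        {
            outbound.Content = new StreamContent(context.Request.InputStream);
            outbound.Content.Headers.TryAddWithoutValidation("Content-Type", context.Request.ContentType);
        }
        // The caller's Authorization header and cookies are deliberately not forwarded.
        using (var reply = await Client.SendAsync(outbound))
        {
            context.Response.StatusCode = (int)reply.StatusCode;
            if (reply.Content.Headers.ContentType != null)
                context.Response.ContentType = reply.Content.Headers.ContentType.ToString();
            await reply.Content.CopyToAsync(context.Response.OutputStream);
        }
    }
}
```

The group check only controls access if the appliance accepts connections from the IIS server alone, as suggested earlier in the thread; otherwise anyone who can reach the appliance directly bypasses it.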