On 10/24/2011 08:40, Ryan Wong wrote:
> and the addon could talk to server with standard HTTP protocol
> so before any further, suggest to get back to the solution, try in other
> way.

There is a deeper problem here, and that is the fact that you have to
trust the client to be honest about its MAC address. As was pointed out
earlier, the MAC address of a machine is pretty trivial to change, but
if you rely on the client itself to report its MAC address to the
server, the client may report anything at all without even touching the
system.

In a real security situation, you can’t trust the client to be honest
about anything (it could always be hacked and likely will be if the
information it accesses is important enough), so the only thing the
server can count on is information it can confirm for itself.

Rajesh, your requirement to limit the client machines which are able to
access your server is possible but can only be used to help harden
your server. Any method you attempt will be portable to other machines
by someone with the knowledge and access to do so, so you’ll also need
user authentication.

There are a couple options I can think of available to you:

- Use SSL client authentication as mentioned previously.
- Use VPNs between the clients and the server.

SSL client authentication isn’t frequently used in web applications as
far as I know, so its use is likely to be difficult. You’ll need to
check browser support and find a secure way to generate and distribute
the client keys. Your application stack will also need to somehow be
configured to reject unauthenticated connections.

A VPN may be a better solution. OpenVPN supports client authentication
with SSL, so you still have the client key problem to manage with that.
Other VPN solutions will be fundamentally similar. However, the web
browser can be used as usual once the VPN is up, and your application
can be configured to only listen on the subnet of the VPN, thereby being
completely unavailable to external clients.

There is a third, simpler option. Trust the user and ignore the
machine. Set up authentication in your application and train the
users to only operate from trusted systems. If you want to steer the
users away from untrusted systems, have your application check their IP
addresses against a white list of trusted addresses and refuse them
access as necessary, but don’t count on this as anything more than a
courteous reminder to the legitimate users to use trusted systems.

The advantage of this solution is that it should be much easier to set
up and maintain. Depending on what your application is protecting, it
may be sufficient for your needs.

-Jeremy
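
The third option in the message above, sketched as an added example that is not code from this thread: the server checks the peer address its own socket reports against an allowlist, never consults anything the client says about itself (such as a reported MAC address), and still requires user authentication. The networks, the user record, the shared salt and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: allowlisted networks and one user record.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.8.0.0/24"),    # assumed VPN subnet
    ipaddress.ip_network("192.0.2.16/28"),  # assumed office range
]
_SALT = b"constructed-salt"  # simplification: real systems use a random per-user salt
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def password_ok(user, password):
    """Verify a password against the stored PBKDF2 hash in constant time."""
    stored = USERS.get(user)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Compare even for unknown users so timing does not reveal which names exist.
    same = hmac.compare_digest(candidate, stored or bytes(len(candidate)))
    return same and stored is not None


def peer_is_trusted(peer_ip):
    """Check the address of the TCP peer, as seen by the server's own socket."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def decide(peer_ip, client_claims, user, password):
    """Return (allowed, reason).

    client_claims holds whatever the client reported about itself (a MAC
    address, a machine name). It is deliberately never consulted, because
    the client can send any value it likes.
    """
    if not peer_is_trusted(peer_ip):
        # Steering only: this reminds legitimate users to use trusted systems.
        return False, "untrusted network: please connect from a trusted system"
    if not password_ok(user, password):
        return False, "authentication failed"
    return True, "ok"
```
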