How can I improve the security of an ASP.NET site?

Date: 2022-06-01 17:59:56

I have an ASP.NET site and some clients want a better layer of security for accessing it. The site today asks for a username and password, but a lot of clients want to restrict the access to some machines and I need to do this on my server side. So, I'm asking for some advice.


  1. Use a VPN to restrict the access? (This will not work with mobile devices.)

  2. Is it possible to check the MAC address?

  3. Is it possible to use a client certificate?

3 answers

#1 (score 3)

Easiest for the User

I would examine multi-factor authentication (to which Andrew Walters' comment alludes) with all content delivered over SSL and extra care taken around things like page timeout, session fixation, password policies, etc.


A PIN delivered to a cell phone is a commonly used second factor.


I assert that this is "easiest for the user" because so many large sites (e.g. Google and Facebook, their bank) operate in this fashion. There's nothing to install and nothing new to learn.


This may not be desirable from a business perspective.


VPN

Use a VPN to restrict the access? (This will not work with mobile devices.)


This is a common option in corporate environments and is typically considered secure (although not an excuse for abandoning other good practices like password policies). However, you do have options for mobile devices.


See F5's SSL VPNs, specifically their whitepaper on mobile access for iOS and Android which states, "The BIG-IP Edge Portal app for iOS and Android devices streamlines secure mobile access to corporate web applications [...] users can access internal web pages and web applications securely."


You can increase security by adding another factor into the authentication process: a token with a continually changing PIN.


Certificates

Is it possible to use a client certificate?


Yes, it is possible; whether or not it meets your business needs is a different matter (e.g. there is skill/time required in managing such a solution).


If you aren't familiar with the subject, I suggest reading this KB article (a quick read).


For implementation, here's an old but highly detailed walkthrough and a newer walkthrough for IIS 7.

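The "Certificates" section above says client certificates are possible but leaves the server-side decision to the linked walkthroughs. The following is an added example (not code from the answer's author or from the linked articles) of the check an ASP.NET handler would run on the certificate that IIS has already negotiated at the TLS layer (Request.ClientCertificate in classic ASP.NET, HttpContext.Connection.ClientCertificate in ASP.NET Core). It assumes .NET 6 or later; the function name IsTrustedClientCertificate, the private CA, the subject names and the thumbprint allowlist are all constructed for the demo. The point it makes beyond the answer: a certificate that merely chains to your CA is not enough, because issuing a certificate is not the same as granting a machine access, so each enrolled machine is also matched by thumbprint.

```csharp
// Added example, not code from the original answer. Assumes .NET 6 or later.
// The CA, subject names and thumbprint allowlist below are constructed for the demo.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class ClientCertificateCheck
{
    // Accept only if: the cert is inside its validity window, it chains to OUR
    // private CA (not whatever happens to be in the machine's root store), and
    // its SHA-256 thumbprint is on the list of explicitly enrolled machines.
    public static bool IsTrustedClientCertificate(
        X509Certificate2 presented, X509Certificate2 trustedCa,
        ISet<string> allowedThumbprints, DateTime nowUtc)
    {
        if (presented == null) return false;

        // NotBefore/NotAfter are returned in local time; compare in UTC.
        if (nowUtc < presented.NotBefore.ToUniversalTime() ||
            nowUtc > presented.NotAfter.ToUniversalTime()) return false;

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedCa);
        // Offline demo, so no CRL/OCSP. A real deployment should use Online or
        // Offline revocation checking so a lost laptop's cert can be revoked.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationTime = nowUtc;
        if (!chain.Build(presented)) return false;

        // Chaining to the CA is necessary but not sufficient: every machine is
        // enrolled by thumbprint, so "we issued it" != "it may log in".
        string thumb = presented.GetCertHashString(HashAlgorithmName.SHA256);
        return allowedThumbprints.Contains(thumb);
    }

    // --- Demo scaffolding (constructed): a throwaway CA and a few leaf certs ---

    static X509Certificate2 MakeCa(string subject)
    {
        var key = ECDsa.Create(ECCurve.NamedCurves.nistP256); // not disposed: the CA signs with it below
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.KeyCertSign | X509KeyUsageFlags.CrlSign, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(5));
    }

    static X509Certificate2 IssueClientCert(X509Certificate2 ca, string subject,
                                            DateTimeOffset notBefore, DateTimeOffset notAfter)
    {
        var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, true));
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, true));
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.2") }, false)); // id-kp-clientAuth
        byte[] serial = RandomNumberGenerator.GetBytes(8);
        serial[0] &= 0x7F; // keep the serial number positive
        return req.Create(ca, notBefore, notAfter, serial);
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        var ourCa   = MakeCa("CN=Example Client CA");
        var rogueCa = MakeCa("CN=Example Client CA"); // same name, different key

        var enrolled    = IssueClientCert(ourCa,   "CN=workstation-01", now.AddDays(-1),  now.AddYears(1));
        var notEnrolled = IssueClientCert(ourCa,   "CN=workstation-02", now.AddDays(-1),  now.AddYears(1));
        var expired     = IssueClientCert(ourCa,   "CN=workstation-03", now.AddYears(-2), now.AddYears(-1));
        var lookAlike   = IssueClientCert(rogueCa, "CN=workstation-01", now.AddDays(-1),  now.AddYears(1));

        var allowlist = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            enrolled.GetCertHashString(HashAlgorithmName.SHA256)
        };

        Console.WriteLine("enrolled machine:        " + IsTrustedClientCertificate(enrolled,    ourCa, allowlist, now));
        Console.WriteLine("valid but not enrolled:  " + IsTrustedClientCertificate(notEnrolled, ourCa, allowlist, now));
        Console.WriteLine("expired:                 " + IsTrustedClientCertificate(expired,     ourCa, allowlist, now));
        Console.WriteLine("issued by look-alike CA: " + IsTrustedClientCertificate(lookAlike,   ourCa, allowlist, now));
    }
}
```

Only the first line prints True. Requiring the certificate in the first place is IIS configuration (the SSL settings the walkthroughs above describe); this code is the second gate, in the application, that decides which of the certificates IIS accepted actually belong to enrolled machines. The two operational costs the answer alludes to are visible here: someone has to run the CA and the enrollment list, and revocation only works if RevocationMode is not NoCheck and a CRL or OCSP responder is reachable.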

#2 (score 2)

If you want to lock down access to certain machines, use IIS's http://www.iis.net/downloads/microsoft/dynamic-ip-restrictions. Specify which IPs have access > make sure you set them to static in DHCP. This is the "access on a need be basis" approach used by payroll vendors and credit card companies in IIS.

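The answer above relies on IIS's IP restriction module, which is the right place to enforce an address allowlist because the request is rejected before any application code runs. The following is an added example (not from the answer's author and not the IIS module's code) of the same decision expressed in application code, for sites where the check must live in the app or where the module is not available; it assumes .NET 6 or later, and the class names IpAllowlist and ClientAddress, the CIDR ranges and the addresses are constructed. It goes beyond the answer in one respect a practitioner needs: when the site sits behind a load balancer or reverse proxy, the server sees the proxy's address, and a forwarded-address header may only be believed when the connection actually comes from that proxy.

```csharp
// Added example, not code from the original answer. Assumes .NET 6 or later.
// The CIDR ranges, proxy address and client addresses below are constructed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

public sealed class IpAllowlist
{
    private readonly List<(byte[] Network, int PrefixBits)> _rules = new();

    // Accepts "203.0.113.0/24", "198.51.100.7" (a /32) or "2001:db8::/32".
    public static IpAllowlist Parse(IEnumerable<string> cidrs)
    {
        var list = new IpAllowlist();
        foreach (var cidr in cidrs)
        {
            var parts = cidr.Split('/');
            var addr = Normalize(IPAddress.Parse(parts[0]));
            int bits = addr.GetAddressBytes().Length * 8;
            int prefix = parts.Length == 2 ? int.Parse(parts[1]) : bits;
            if (prefix < 0 || prefix > bits) throw new FormatException("Bad prefix in " + cidr);
            list._rules.Add((addr.GetAddressBytes(), prefix));
        }
        return list;
    }

    public bool Contains(IPAddress address)
    {
        var bytes = Normalize(address).GetAddressBytes();
        foreach (var (network, prefix) in _rules)
        {
            if (network.Length != bytes.Length) continue; // v4 rule vs v6 address, or vice versa
            if (MatchesPrefix(bytes, network, prefix)) return true;
        }
        return false;
    }

    // IPv4-mapped IPv6 (::ffff:10.0.0.5), which dual-stack servers report, is
    // compared as plain IPv4 so a v4 rule still matches it.
    private static IPAddress Normalize(IPAddress a) => a.IsIPv4MappedToIPv6 ? a.MapToIPv4() : a;

    private static bool MatchesPrefix(byte[] candidate, byte[] network, int prefix)
    {
        int fullBytes = prefix / 8, remainingBits = prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (candidate[i] != network[i]) return false;
        if (remainingBits == 0) return true;
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (candidate[fullBytes] & mask) == (network[fullBytes] & mask);
    }
}

public static class ClientAddress
{
    // Returns the address to authorise. The X-Forwarded-For value is believed
    // only when the TCP peer is one of our own proxies; otherwise the header is
    // client-controlled and the allowlist would be meaningless.
    public static IPAddress Resolve(IPAddress tcpPeer, string forwardedFor, IpAllowlist trustedProxies)
    {
        if (string.IsNullOrWhiteSpace(forwardedFor) || !trustedProxies.Contains(tcpPeer))
            return tcpPeer;
        // Proxies append to the header; the last entry is the one our proxy wrote.
        // (With several proxy hops, walk back one entry per trusted hop instead.)
        var last = forwardedFor.Split(',').Last().Trim();
        return IPAddress.TryParse(last, out var parsed) ? parsed : tcpPeer;
    }
}

public static class Demo
{
    public static void Main()
    {
        var allowed = IpAllowlist.Parse(new[] { "203.0.113.0/24", "198.51.100.7", "2001:db8::/32" });
        var proxies = IpAllowlist.Parse(new[] { "10.0.0.2" }); // our load balancer

        // Direct connections: Request.UserHostAddress in classic ASP.NET,
        // HttpContext.Connection.RemoteIpAddress in ASP.NET Core.
        Console.WriteLine("in /24:          " + allowed.Contains(IPAddress.Parse("203.0.113.40")));
        Console.WriteLine("neighbour /24:   " + allowed.Contains(IPAddress.Parse("203.0.114.1")));
        Console.WriteLine("v4-mapped host:  " + allowed.Contains(IPAddress.Parse("::ffff:198.51.100.7")));
        Console.WriteLine("in v6 /32:       " + allowed.Contains(IPAddress.Parse("2001:db8:1::9")));

        // An unlisted peer carrying a forged header: header ignored, peer address used.
        var direct = ClientAddress.Resolve(IPAddress.Parse("192.0.2.9"), "203.0.113.40", proxies);
        Console.WriteLine("forged header:   " + allowed.Contains(direct));

        // The same header arriving from our load balancer: header honoured.
        var viaProxy = ClientAddress.Resolve(IPAddress.Parse("10.0.0.2"), "203.0.113.40", proxies);
        Console.WriteLine("via our proxy:   " + allowed.Contains(viaProxy));
    }
}
```

Two caveats follow from this even if you use the IIS module rather than code: the allowlist is only as stable as the addresses behind it, which is why the answer says to make them static in DHCP, and it does nothing for the mobile devices the question mentions, whose addresses change with every network they join.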

#3 (score 0)

1) Use a VPN to restrict the access?


Would definitely work. It does limit the machines you can work with.


2) Is it possible to check the MAC address?


It is, but it's not a secure method as MAC addresses can be spoofed.


3) Is it possible to use a client certificate?


That might be your best bet actually.

