Solved

How to check if a user is connecting through a VPN

Posted on 2006-06-23
Last Modified: 2010-03-18
It's very important for me to learn a way of checking if a user is using a VPN.

In my software, different users get access to the same database through Microsoft Network (a shared folder).
Currently this software can detect if the database is located on a hard drive or on the network.
For (local) network use I release a FREE license of my software, so some users have begun to use VPNs to simulate a LAN and get free UNAUTHORIZED access to my software.
It has become important for me to be able to detect such circumstances in some way.

Thank you so much in advance, and please excuse my bad English.

Question by: Iguanoide

20 Comments

Expert Comment by Rob Williams (LVL 77):
How are they establishing the VPN? Through a hardware device or to a server? If so both of those have the ability to monitor connected VPN users. On the other hand if using a 3rd party VPN tool such as Hamachi, it may be much harder to detect.
Could you provide some more details?

Expert Comment by Steve Knight (LVL 43):
How are you checking at the moment if it is on a LAN? If you are just checking what the drive type is, there is nothing stopping someone putting it on c:\myfolder and sharing myfolder, then mapping a drive on the same machine to \\pcname\myfolder. Bingo, it's now on a network.

Are you saying it is free for network use but not local hard drive, or that it is free for LAN but not for use by multiple sites over WAN / VPN etc.?

Author Comment by Iguanoide:
Some small details...

Now, I detect the drive type (local/remote) through an API call, not from the path.
[I will not explain the reasons for this type of license organization to you... my English makes this work hard for me. But there are good commercial reasons based on the kind of software, the DB contents etc... VPN represents an exception that was not contemplated when the software was ported from DOS to Windows, years ago (by other developers, not me)]

I can't give you details about the users' VPNs... I don't know.
What I can tell you is that I think (99%) they are using the simplest and cheapest solution (Windows VPN?)...
In any case, if I could detect only software VPNs (or only Windows VPNs)... it would not be a small thing, for now, but a great help.

So any help will be very useful... thank you!

Expert Comment by Steve Knight (LVL 43):
So what I am getting at is: are you detecting the drive type of the connection? In which case VPN or LAN will not be any different, I'm afraid.

So are you saying the software should only work on a local C: drive, or should only work on a LAN drive, or that it must not work over a WAN / multiple office link?
Steve

Expert Comment by Rob Williams (LVL 77):
You would need to know more about the VPN connection, as different solutions use different ports. For example, the Windows VPN uses port 1723. However, I am doubtful they are connecting in that way unless they have access to the firewall, as almost all VPNs require some firewall configuration. They could, as suggested, be using Hamachi, or even tools such as http://www.logmein.com. If you do not know the actual connection method you would need to set up a system to "listen" to the traffic, a hub (not switch) and a computer with something like http://www.ethereal.com/, and you can analyze the traffic and look for problematic services. Without knowing what you are looking for, it may take a while to locate.

Author Comment by Iguanoide:
Hi.
I think that it is impossible for me to "listen" to their network traffic in any way...
Some of the users are in other cities up to hundreds of km away from here (the various nodes of the VPN are situated quite far apart too).
The only way I can act is through my software that is running on the various machines in the VPN.

Really, I'm not very sure that they are using a VPN or another kind of remote connection.
I don't know, for example, if it is possible to connect to a remote Access database using a "virtual folder" on an FTP server... or any other kind of remote connection that is seen as a Network Drive from the Windows API.

(The software is written in VB6 using ADO - Jet 4.0; the database is an Access DB)

Thank you.

Expert Comment by Rob Williams (LVL 77):
I think that it would be virtually impossible to diagnose if you do not have access to monitor the network.

Expert Comment by Steve Knight (LVL 43):
Again, what is it that you don't want people to be able to do: connect as a local drive, VPN, WAN, LAN or any network drive?

If it's differentiating between a network drive over WAN and VPN, or LAN and VPN, then I agree it's impossible. After all, do you count an individual with a VPN client, an individual with a VPN connection with the router doing the work, or even a company's WAN connection which happens to be a VPN?

Steve

Author Comment by Iguanoide:
Now I will try to explain the situation to you in more detail (with the limitation of my English, which is bad), along with some ideas I have had in the past and the difficulties I encountered in implementation. After this, if I don't succeed in getting some help to solve this problem that seems to be hard and bothersome, I will withdraw this post and stop boring you. So...

The software is a fusion of three different programs: two are policy estimation programs and the other one is bookkeeping software. All are sold to agencies of a big Italian insurance company. They are located all around Italy.
In the past, the marketing division chose to give a free license to all PCs of a single agency that share the same database with a "server" PC. In other words, they chose to make a single license valid for a whole agency (physically located in a single place). As I said, the software detects if the database is located on a local hard drive or on a network drive, and according to that, it enables a "server serial number" or a "client serial number" (relative to a specific "server serial number"). Paying for a licence, a user gets a single "server serial number" that is valid ONLY for a specific machine that MUST have the database on a local hard drive, and the user gets a "client serial number" that is valid for an undefined number of computers, given that these computers are using the same database used by the server computer relative to this serial number (I wrote that in an awful way... I know). So, serial numbers are given in client/server pairs; 1 licence -> 1 pair.
The choice of this kind of licensing strategy was not very happy... I know. And it was not studied enough.

The problem was born when a "master agency" decided to buy the software, and as often happens, they decided to buy it for all the sub-agencies too. They made an order for dozens of licenses... but after a few days, when they had used the software with a temporary server/client serial number, they changed the order into a single license order. From various clues we understood that they are using the software in all their sub-agencies even though they bought a single license. The sub-agencies being located all around a certain Italian city, we know without doubt that they are not on a LAN. The hypothesis of a WAN of any type was not taken into account when the licensing strategy was chosen, because it was the time of the porting of the software from DOS to Windows and some kinds of technology were very uncommon and expensive in those years (fast internet connections and so WANs of any sort... you have to know that the hardware of the sub-agencies is bought at their own expense, not by the company... for example it has often happened that they refuse to buy a CD-burner [20€] to do backups of their database, as we suggest for the safety of their data... so I'm sure enough they have no expensive hardware for a VPN or WAN of any other sort).

After some time this kind of problem was found in other cities where the "master agency" cancelled all their licences except a single one. This problem is getting bigger and bigger.

Here are some ideas I had in the past to try to solve it... (I'll try to be concise...)
- Check IP number: if the PCs are located in a single office, they are using the same internet connection from the same ISP, so they must have "similar" "internet IP addresses" if they are not using a router, or the same one (seen from outside their network) if they are using one... "LAN IP addresses" (192.168...) are well known too...
- Check ping time between the "server computer" and the "client" ones... typically < 5ms if residing in the same LAN (less chic solution ;)

I failed miserably both times... Really, I don't know if there were implementation errors... but the main problem was that "this" user (the incriminated one) said (and not without arrogance) that "the proxy window pops up when the software runs"... so we were forced to temporarily disable the checking code... and postpone the solution of this problem. I thought about a solution not involving requests destined for outside the LAN, to bypass the "proxy window" problem... but I found none.
So here I am asking for help.
I hope the problem is clearer now... and I hope for your help.
Thank you very much in any case...
Bye.

Valerio

Expert Comment by Steve Knight (LVL 43):
Thank you, that is much clearer now, your English is good actually!

Could it not be that they are simply running a copy of the software on each server? I presume this is a shared file database system, not a client-server system with a component that runs on a server; that would be easier to deal with of course, as you could license it for servername xxxxx and encrypt that in your software configuration files, then if they move it elsewhere too it would not work.

You could also implement a mapped drive name check against a copy of the server name you install in the software, i.e. if you run on S: which maps to \\server\share then record \\server\share in your database, and if someone is found using it from a different share, log it, send an email, whatever is open to you to use.

What may be needed is a combination of things. As you say, a PING check <5ms to the server which it is running from would be the best idea -- get the server name from the drive letter using the API or even just a net use redirected into a file, then PING it.

It could be the 'proxy' window is popping up because the server you are trying to ping is in fact on another site...

Steve

Author Comment by Iguanoide:
Some small additional details to make things clearer and knock misinterpretations out...

*) Yes, it's a shared database system. I tend to say client machine or server machine to differentiate between the machine that holds the database locally (paying machine) and the others that connect to it over the LAN (non-paying ones).

*) The database location is user-defined, and the shared folder name too. These paths are not taken into account in any configuration file, not even in the software code (it would be impossible with hundreds of users around Italy). The user chooses the folder (local or not) that contains the DB and it is saved in a registry key. For this reason I use an API to detect network folders... One could use a network folder and map it to a "virtual drive" or even use a local folder and share it on the network, resulting in an alternative network path for a local folder. The API I use gives me the real "nature" of the folder regardless of the path syntax.

*) A single "server licence password" (let me call it "password" to avoid ambiguity) works ONLY for a specified machine. The first time the user runs the software on a machine, a "serial number" (ambiguity avoided ;) for this machine is randomly generated and saved into the registry (well hidden). This "serial number" is notified to us (via email or phone) and the relative password is released to the user (if he paid ;). The "client licence password" relative to a certain "server licence password", instead, is valid for an undefined number of machines, assuming these machines are using the database located on the "right server". (The client-server password pair)

*) The PING check I wanted to do was between the "clients" running the software and the "server" (running it too) where the database is located. Taking into account that users could use a "network mapped drive" (X:\) instead of a usual shared folder (//server/share)... I don't know the server name on the Windows network... so the idea was that the server should save its IP into the DB and all the clients, at software start, should ping this IP. In a "normal" (legal) situation this IP should be in the same LAN, so a really fast ping should happen (<5ms). In an illegal situation the client machine is situated far away from the server and it's sharing the DB with the server using a VPN or another networking method... so the ping should be longer.

Indeed it's the "proxy window" that is the problem that makes (for now) the ping strategy inapplicable... :(

Bye..

Accepted Solution by Rob Williams (LVL 77, earned 250 total points):
Interesting problem. Can you obtain the IP of the "server", the computer hosting the data? For example, if the data were always on the domain controller, you could obtain the server name from %logonserver% and then, by pinging it, retrieve its IP. If so, you could compare it to the local computer's IP. This would allow you to determine if they were located at different sites, as VPNs require that different sites use different subnets. For example site#1 192.168.1.x, site#2 192.168.2.x and so on. If the subnets were different, they must be on different sites or a large sub-netted LAN.
Just a thought, and it may be difficult to obtain the IP if the data could be on any PC.

Assisted Solution by Steve Knight (LVL 43, earned 250 total points):
That was what I was trying to work out -- do the clients talk to the file system with an Access database, i.e. a shared file database, or over a TCP port etc. to the remote server?

If it is a shared file, the only knowledge they can have of where the data resides is by working out where the drive maps to and resolving the IP address of the name returned from the drive mapping.

If it is client / server and there is an actual server program, not just the same shared file database running on another node that happens to be the 'server', then the server program could do what you want and also perhaps deny access to anyone not on the same subnet -- the problem then is maybe one customer uses L3 switches with multiple VLANs for wireless, servers, DHCP clients, static clients etc. and therefore users will always be on a different subnet to other users.
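Rob's subnet comparison and Steve's drive-mapping resolution, combined into one client-side check, as an added example that is not part of the original thread (the software discussed is VB6; this is Python, chosen to show the logic). It assumes the drive letter has already been resolved to a UNC path by the OS (WNetGetConnection on Windows), that `resolve` is a hypothetical name-to-IP function supplied by the caller, and that all addresses and paths are constructed samples.

```python
import ipaddress
from typing import Callable, Optional

# Added example, not code from the thread. All sample addresses are constructed.


def parse_unc_host(path: str) -> Optional[str]:
    """Return the host of a UNC path such as \\\\server\\share\\db.mdb.

    Returns None for a local or drive-letter path. A mapped drive (X:\\)
    must first be resolved to its UNC target by the OS (WNetGetConnection
    on Windows); that Windows-specific step is not done here.
    """
    p = path.replace("/", "\\")
    if not p.startswith("\\\\"):
        return None
    host = p[2:].split("\\", 1)[0]
    return host or None


def same_subnet(local_iface: str, server_ip: str) -> bool:
    """Rob's heuristic: client and server are on one site if the server's
    address lies inside the client's own subnet (e.g. 192.168.1.0/24)."""
    network = ipaddress.ip_interface(local_iface).network
    return ipaddress.ip_address(server_ip) in network


def classify_db_location(local_iface: str, db_path: str,
                         resolve: Optional[Callable[[str], str]] = None) -> str:
    """Classify where the shared Access file lives relative to this client.

    "local"            : not a UNC path (file on this machine)
    "unresolved"       : UNC host is a name and no resolver was supplied
    "same-subnet"      : server address inside the client's subnet
    "different-subnet" : server address outside it (possible VPN/WAN, or
                         just another VLAN on a larger LAN, as Steve notes)
    """
    host = parse_unc_host(db_path)
    if host is None:
        return "local"
    try:
        server_ip = str(ipaddress.ip_address(host))  # literal, e.g. \\10.0.0.5\share
    except ValueError:
        if resolve is None:
            return "unresolved"
        server_ip = resolve(host)  # hypothetical name-to-IP resolver supplied by caller
    return "same-subnet" if same_subnet(local_iface, server_ip) else "different-subnet"


if __name__ == "__main__":
    # Constructed sample: client at 192.168.1.20/24, DB host resolving to 192.168.2.5
    print(classify_db_location("192.168.1.20/24", r"\\fileserver\data\db.mdb",
                               resolve=lambda name: "192.168.2.5"))
```

The result is a heuristic, not proof: a multi-VLAN LAN yields "different-subnet" for legitimate users, so it belongs in a log for follow-up rather than a hard block.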


Expert Comment by Steve Knight (LVL 43):
Well, a split between robwill and dragon-it would go down just as well with me.

Steve

Expert Comment by Jay_Jay70 (LVL 48):
I really wasn't sure on this one Steve, so I checked with some powers above and they recommended a delete; however, if you think it's definitely worth keeping then I will recommend a split of the points. If Rob could comment too it would make my life a little easier. You know there's nothing personal going on here!

Expert Comment by Steve Knight (LVL 43):
Not that bothered really :-)

Expert Comment by Rob Williams (LVL 77):
Tough one. Some good ideas presented, which may work, but all theoretical. Only Iguanoide could say whether a viable solution was found. Then again, based on the efforts, the fact that they are plausible, and that they may help someone in the future, perhaps a 'B' split. But I have no problem with closing out the question without an acceptance, as I am not convinced there is a completely workable solution presented.
I leave it in the hands of the clean-up gods and bow to their wisdom. <G>
--Rob

Expert Comment by Rob Williams (LVL 77):
Thanks Iguanoide. Appreciate that.
--Rob