Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Need Suggestion Securing/Authenticating an IntrAnet Site Hosted Outside Network

Posted on 2007-11-29
7
Medium Priority
?
319 Views
Last Modified: 2008-06-02
Experts,

I work in a small organization that is not in a position to support or manage internal web hosting services so I have purchased a dedicated server package from a vendor. Works great for our external website (www.myorganization.com)!

Now I am developing our INTRANET which I would like to keep on the same server which is obviously outside my network (intranet.myorganization.com).

My question is (and I'm open to suggestions), how can I keep my intranet sub domain private, accessible to only employees by way of some authentication? I need this to be as hack proof as possible.

Thanks!
0
Comment
Question by:Maricopa-IT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 8

Expert Comment

by:netmunky
ID: 20377400
i'm assuming apache

you can use either .htaccess or modify httpd.conf to only allow your business IP address access to that particular virtualhost

<Directory /path/to/intranet>
    Order deny,allow
    Deny from all
    Allow from your.business.ip
</Directory>
0
 

Author Comment

by:Maricopa-IT
ID: 20377727
netmunky,

Two questions:

1) How do I specify for 12.34.56.? (wildcard)
2) How secure is this?

Thanks!
0
 
LVL 8

Expert Comment

by:netmunky
ID: 20377748
Allow from 12.34.56.0/255.255.255.0

if you are not in that IP range, you will be giving i believe a 403 error (client denied by server configuration)
0
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

 

Author Comment

by:Maricopa-IT
ID: 20377970
I still have some security concerns.

Is it possible for someone to spoof my dedicated IP address and make their way in somehow?

In the options for securing web content, how does this solution compare?

Thanks again!

PS - I have added more points!
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20378206
Short answer here : you can NOT make a dedicated server secure in the sense that an in house "intranet" server would be. No matter what type of controls you put in place your dedicated is still a "public" box. On top of that if you do not have a hardware firewall in front of your dedicated server then you are even more exposed.

Now having said this, you could set up a perfectly adequate in-house server to handle your Intranet - if you are using Apache (even under windows) then you need very little resource to handle a surprisingly large number of users. For instance even an old Pentium 3 running windows 2000 and WAMP (Windows Apache MySQL PHP) will handle a company intranet with up to 50-60 employees - you couldn't do that with IIS by the way.

Your safest route is definately to move your intranet in-house - if not then ensure that absolutely NO sensitive information is maintained on your dedicated server - and try using a SSL (HTTPS) layer for your intranet coupled with login and session control on every part of the intranet.
0
 
LVL 16

Expert Comment

by:grahamnonweiler
ID: 20378237
By the way the Apache mod_auth solution suggested earlier will not help you unless your office is connecting to the Internet using a Fixed IP address.

Additionally, it is not a particularly difficult task to circumvent the mod_auth settings so it should only be considered as a deterrent to script kiddies - a hardened hack master will be through it in a matter of seconds.

It does provide some level of control obviously, but is by no means fullproof.
0
 
LVL 8

Accepted Solution

by:
netmunky earned 1200 total points
ID: 20378501
i absolutely agree that the best intranet sites are kept internal, but it is still reasonable that a good sysadmin to keep an intranet site on a public server and keep it secure. any point of entry, regardless of where it is being hosted, can be considered a security risk (ie - dialin or vpn access to the business intranet).

using ip restrictions via mod_access and/or iptables (or ipfw if using freebsd), and having some form of password authentication should provide resonable security for most intranet sites. if you are storing sensitive information that is subject to specific security requirements (ie - HIPPA), you will probably need more security measures than what has been mentioned.
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question