Maricopa-IT
asked on
Need Suggestion Securing/Authenticating an IntrAnet Site Hosted Outside Network
Experts,
I work in a small organization that is not in a position to support or manage internal web hosting services so I have purchased a dedicated server package from a vendor. Works great for our external website (www.myorganization.com)!
Now I am developing our INTRANET which I would like to keep on the same server which is obviously outside my network (intranet.myorganization.c
My question is (and I'm open to suggestions), how can I keep my intranet sub domain private, accessible to only employees by way of some authentication? I need this to be as hack proof as possible.
Thanks!
I work in a small organization that is not in a position to support or manage internal web hosting services so I have purchased a dedicated server package from a vendor. Works great for our external website (www.myorganization.com)!
Now I am developing our INTRANET which I would like to keep on the same server which is obviously outside my network (intranet.myorganization.c
My question is (and I'm open to suggestions), how can I keep my intranet sub domain private, accessible to only employees by way of some authentication? I need this to be as hack proof as possible.
Thanks!
ASKER
netmunky,
Two questions:
1) How do I specify for 12.34.56.? (wildcard)
2) How secure is this?
Thanks!
Two questions:
1) How do I specify for 12.34.56.? (wildcard)
2) How secure is this?
Thanks!
Allow from 12.34.56.0/255.255.255.0
if you are not in that IP range, you will be giving i believe a 403 error (client denied by server configuration)
if you are not in that IP range, you will be giving i believe a 403 error (client denied by server configuration)
ASKER
I still have some security concerns.
Is it possible for someone to spoof my dedicated IP address and make their way in somehow?
In the options for securing web content, how does this solution compare?
Thanks again!
PS - I have added more points!
Is it possible for someone to spoof my dedicated IP address and make their way in somehow?
In the options for securing web content, how does this solution compare?
Thanks again!
PS - I have added more points!
Short answer here : you can NOT make a dedicated server secure in the sense that an in house "intranet" server would be. No matter what type of controls you put in place your dedicated is still a "public" box. On top of that if you do not have a hardware firewall in front of your dedicated server then you are even more exposed.
Now having said this, you could set up a perfectly adequate in-house server to handle your Intranet - if you are using Apache (even under windows) then you need very little resource to handle a surprisingly large number of users. For instance even an old Pentium 3 running windows 2000 and WAMP (Windows Apache MySQL PHP) will handle a company intranet with up to 50-60 employees - you couldn't do that with IIS by the way.
Your safest route is definately to move your intranet in-house - if not then ensure that absolutely NO sensitive information is maintained on your dedicated server - and try using a SSL (HTTPS) layer for your intranet coupled with login and session control on every part of the intranet.
Now having said this, you could set up a perfectly adequate in-house server to handle your Intranet - if you are using Apache (even under windows) then you need very little resource to handle a surprisingly large number of users. For instance even an old Pentium 3 running windows 2000 and WAMP (Windows Apache MySQL PHP) will handle a company intranet with up to 50-60 employees - you couldn't do that with IIS by the way.
Your safest route is definately to move your intranet in-house - if not then ensure that absolutely NO sensitive information is maintained on your dedicated server - and try using a SSL (HTTPS) layer for your intranet coupled with login and session control on every part of the intranet.
By the way the Apache mod_auth solution suggested earlier will not help you unless your office is connecting to the Internet using a Fixed IP address.
Additionally, it is not a particularly difficult task to circumvent the mod_auth settings so it should only be considered as a deterrent to script kiddies - a hardened hack master will be through it in a matter of seconds.
It does provide some level of control obviously, but is by no means fullproof.
Additionally, it is not a particularly difficult task to circumvent the mod_auth settings so it should only be considered as a deterrent to script kiddies - a hardened hack master will be through it in a matter of seconds.
It does provide some level of control obviously, but is by no means fullproof.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
you can use either .htaccess or modify httpd.conf to only allow your business IP address access to that particular virtualhost
<Directory /path/to/intranet>
Order deny,allow
Deny from all
Allow from your.business.ip
</Directory>