Limit access to web system

I am going to use a web-based ERP system in my company. The problem is I don't want my staff to log in anywhere besides at their shop. Since the shop only uses a regular DSL with no static IP and it is too far away to set up a VPN, it will be hard to restrict access based only on IP. Can I install some kind of special cookie or certificate on their browser and use that to recognize access? Or is there a better way to do this?

Use dynamic DNS. Then block with domain name at your side.
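
One way to apply the dynamic DNS suggestion on the server side, as an added example that is not part of the original thread: resolve the shop's dynamic DNS name, cache the result, and allow a request only when its source address matches. The hostname `shop1.ddns.example`, the `DdnsAllowlist` class and the 300/30-second intervals are assumptions made for illustration.

```python
import ipaddress
import socket
import time

# Hypothetical dynamic-DNS name kept up to date by the shop's router.
SHOP_HOSTNAMES = ["shop1.ddns.example"]


def system_resolver(hostname):
    """Return the IP strings the name currently resolves to."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


class DdnsAllowlist:
    def __init__(self, hostnames, resolver=system_resolver, ttl=300, retry=30,
                 clock=time.monotonic):
        self.hostnames, self.resolver = list(hostnames), resolver
        self.ttl, self.retry, self.clock = ttl, retry, clock
        self._allowed = set()
        self._resolved_at = float("-inf")  # forces a lookup on first use

    def _refresh(self):
        allowed = set()
        for name in self.hostnames:
            try:
                allowed.update(ipaddress.ip_address(ip) for ip in self.resolver(name))
            except (OSError, ValueError):
                continue  # unresolvable name adds nothing, so the check fails closed
        self._allowed = allowed
        self._resolved_at = self.clock()

    def is_allowed(self, client_ip):
        """client_ip must be the TCP peer address, not a client-supplied header."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # malformed address is never allowed
        age = self.clock() - self._resolved_at
        # Re-resolve when the cache is stale, or on a miss (the DSL address may
        # have just changed), but at most once per retry interval so rejected
        # requests cannot trigger a DNS lookup each time.
        if age >= self.ttl or (addr not in self._allowed and age >= self.retry):
            self._refresh()
        return addr in self._allowed
```

Everyone behind the shop's public address passes this check, so it narrows where the ERP login can be reached from rather than replacing the login itself.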

Dave Baldwin (Fixer of Problems) commented:
Put up a web server on a machine on the shop local network so it can't be accessed from anywhere else.
Alexandre Simões (Manager / Technology Specialist) commented:
Certificates will have to be integrated with the ERP. If it supports certificate authentication then you're safe.

Otherwise, and if VPN is not on the table, I think your only option left is filtering by MAC Address directly on the router config.
But basically this means that your router must support MAC address filters and you have to add each single MAC address of all computers you want to grant access. This might give you some problems because basically you'll be filtering all requests to port 80 on your server.

You can also specify another port, and expose your ERP only on that port and filter only those requests, but this really depends on your router capabilities.

Frankly; yes, there is a better way: I would get a site-to-site VPN between your shop and the location of the remote server.

You seriously think the round trip latency is too poor for a VPN, but somehow at the same time good enough to provide access to a critical business application such as ERP?

You could contemplate browser certificates as well. Keep in mind; this ties authentication to the computer, not (per se) to your location.

As long as you have control over the web server the ERP is running on; it is possible for you to generate a private CA; generate client-side SSL certificates from that private CA.

Then configure the web server, to require that the connecting browser use SSL with a client-side certificate validated by your CA.

With some web servers; you can get a client-side certificate from any source, and set more complicated rules such as "OU is X" or "Certificate was issued to company named Xyz" as conditions before the web server will accept the certificate.

I do not recommend this.

The use of a VPN or IP-based checks are much more so within your reach; without hiring a consultant to help you with the setup of a PKI; generation and installation of certificates, and server configurations to require them.
johnyu1997 (Author) commented:
I think this is the easiest and best solution for me to implement.
johnyu1997 (Author) commented:
Plus using VPN is hell if the shop is in China. They run all sorts of stuff at the back to break up VPN.