
LAN or WAN ?

My Backup Application (using Sockets) has a Server.exe (on one machine) and Client.exe (on each desktop).
Currently all the Client.exe are meant to be within the LAN of the Server.exe.
Now I want to permit users to work across the WAN too.
I want to recognize the users connecting via WAN; how do I check that?
Can I understand it from within the Sockets details, or will I have to use Geolocation?
I use Delphi / Windows OS / TServerSocket+TClientSocket
skullnobrains commented:
you probably should combine techniques among
- filtering by ip if you know your client's addresses. this is available in the socket's meta data
- i assume you already use passwords ?
- SSL authentication with client certificates

or you can take a different approach and setup a vpn or ssh tunnels for your clients. if you have a commercial firewall, it probably comes with a VPN
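The "filtering by ip from the socket's meta data" point is the one that answers the original question directly, so here is an added example of it (not code from the thread, and not Delphi; it is Python standing in for the same Winsock calls). The peer address is read from the accepted socket with getpeername(), the information Delphi's ScktComp exposes as the accepted client socket's RemoteAddress, and classified against the RFC 1918/loopback/link-local ranges and an optional operator-supplied list of known site ranges. The site range and sample addresses are constructed documentation values.

```python
import ipaddress
import socket

# Ranges that never appear as source addresses on the public Internet:
# RFC 1918 private space, loopback, link-local, and their IPv6 equivalents.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def classify_peer(peer_ip: str, site_ranges=()) -> str:
    """Classify the address a client connected from.

    'site' -> inside a range the operator explicitly registered
              (the "filter by ip if you know your client's addresses" case)
    'lan'  -> private/loopback/link-local space: a local machine, or a remote
              one arriving through a VPN or an MPLS circuit; the address alone
              cannot tell those two apart
    'wan'  -> anything else, i.e. a public address
    """
    ip = ipaddress.ip_address(peer_ip)
    if any(ip in ipaddress.ip_network(r, strict=False) for r in site_ranges):
        return "site"
    # Membership tests across IP versions are simply False, so mixing
    # IPv4 and IPv6 entries in the list is safe.
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "wan"


def classify_connection(conn: socket.socket, site_ranges=()) -> str:
    """Take the peer address from the socket itself (Winsock getpeername(),
    i.e. the accepted socket's RemoteAddress in Delphi) and classify it.
    No geolocation lookup is involved."""
    peer_ip = conn.getpeername()[0]
    return classify_peer(peer_ip, site_ranges)


def demo_loopback() -> str:
    """Accept one connection over loopback and classify it (always 'lan')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    client = socket.create_connection(listener.getsockname())
    server_side, _ = listener.accept()
    try:
        return classify_connection(server_side)
    finally:
        server_side.close()
        client.close()
        listener.close()


if __name__ == "__main__":
    # Constructed sample addresses; 203.0.113.0/24 plays the "known site".
    for sample in ("192.168.1.20", "172.31.4.9", "172.32.0.1", "203.0.113.5"):
        print(sample, classify_peer(sample, site_ranges=["203.0.113.0/24"]))
    print("loopback connection ->", demo_loopback())
```

The 'lan' result is only a statement about what the packet looks like on arrival: as the next comment points out, a client coming in over a VPN (or the MPLS circuit mentioned later in the thread) also shows a LAN address, so this check identifies the path, not the person, and does not replace authentication.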
 
Geert Gruwez (Oracle dba) commented:
the most important thing is overcoming connection loss
another issue is the speed

> are meant to be within the LAN of the Server.exe.
how can you be sure there are no WAN connections now ?

with a vpn in between it's possible the ip address looks like it's in the lan
 
Allan_Fernandes (Author) commented:
Hi
Sorry for the delay in responding.
>> filtering by ip if you know your client's addresses
My Application is currently being used on MPLS (LAN as far as I am concerned) and here the IPs across the country do not have any format that I can filter them on.

>> i assume you already use passwords ? / SSL authentication with client certificates
No. I am transferring via Winsock and I use an Identity pattern to avoid any external intrusion.

>> the most important thing is overcoming connection loss / another issue is the speed
Very valid point and I have to check it out practically, but since the backups are incremental (even PST) it should not be much of an issue.

>> how can you be sure there are no WAN connections now ?
Currently I am using a separate Server/Client Socket pair to send files from the Server machine to the Clients. This fails as it is not to the Public IP of the clients.
 
Geert Gruwez (Oracle dba) commented:
backups incremental ? not an issue ?

if you have connection loss, then you need to "redo" the failed part
how the redo is done depends on what the failed part is ...

a really easy way ...
robocopy source dest backupfiles /Z

robocopy has a built-in retry mechanism
even across the wan

why reinvent the wheel ?

but i assume you want more control than that
 
skullnobrains commented:
given this extra information, i'd go the VPN way

if your server has to connect back to the client, you are bound to run into firewall issues on the client side so you'd have many things to change to get it to work over the WAN... or rewrite your app accordingly if for some reason setting up a VPN is not feasible for you
 
Allan_Fernandes (Author) commented:
I think we have moved away from the question I seek. As far as Connectivity etc. is concerned I will check that out and maybe come back to you all later. Now I want to know if there is any pattern of Public addresses allocated as per Geo location ?
 
skullnobrains commented:
> Now I want to know if there is any pattern of Public addresses allocated as per Geo location ?

simple answer, no.

but then if a Greek ISP possesses a number of ips, there are high chances that their owners/users are in Greece.

there is a tool named geoiplookup that can resolve the country. it is about 90-95% reliable which is not great but not too bad. the paid version can resolve with better precision ( cities, states, ... ) and is supposed to be less error-prone regarding countries.

maybe if you provide more information regarding the users' connections, i'll be able to provide a useful tip. it could be sensible to register per user ips and ranges, or possibly get them to authenticate on the firewall in order to open the required network flow, or there may be a whole different way to get proper security without that much hassle both for yourself and the end users.

which country are you in, btw ?
 
Allan_Fernandes (Author) commented:
I am in India.
>> if you provide more information regarding the users' connections
I did not understand what kind of info you seek ?
 
skullnobrains commented:
i gather your app requires the client to access the server and the server to connect back to the client.

> Currently I am using a separate Server/Client Socket pair to send files from the Server machine to the Clients. This fails as it is not to the Public IP of the clients.

the server is behind a router which is a problem you can handle.
the reverse is not unless you know something about the users that makes you sure a home or hotel router does not get in the way. any wifi internet connection won't provide a public ip so it just won't work.

the first thing you need is to modify your app so all connections are initiated by the clients

then you either build the security in your app. you can do client cert authentication with SSL for example, use passwords, more or less complication depending on the criticality in terms of security.

or you can rely on an external tool such as SSH tunnels or VPNs. VPNs should let you work without changes to your existing code because your clients will receive a lan address that will be routed. SSH tunnels can be made to open remote tunnels on demand but i see no point in piloting ssh from your app.

... or you may consider modifying your app so it uses sftp or a similar standard protocol to discuss with the server rather than having a server.exe

from what i understand, the simplest is probably to use ssl as a transport and modify your code so connections are not initiated by the server any more
 
Allan_Fernandes (Author) commented:
All my connections are initiated by the Client machine only. The Client machine is fed with the Server IP, in this case it will be a public IP. The Client connects to the Server and has an active connection. Until now I have been initiating a new connection from the Server to the Client for File copy. Recently I changed my plans and experimented with a VPS I have hired in Atlanta and sent files back on the first connection itself (i.e. Client initiated); this worked perfectly.
 
skullnobrains commented:
so you covered step 1.

all that's left would be to add some kind of security layer.
basic passwords and SSL might be enough, preferably using a challenge-response mechanism for the authentication. you can also authenticate with client certs. i'd assume you don't need retinal scans.

additional reasonable security measures could be
- prevent brute force attacks by disabling ( possibly temporarily ) accounts that try invalid authentications
- possibly blacklist the corresponding ips
- possibly identify weird stuff such as authenticating from 2 distant locations with the same account in a short period of time
- ... a wealth of other stuff depending on how secure you need it to be
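As an added example (not from the thread, and not the Delphi application's own code), the following Python sketch puts the measures in the last two comments together on the server side: a challenge-response step keyed with a per-user shared secret so the secret never crosses the wire, a one-shot nonce so a captured response cannot be replayed, account lockout after repeated bad responses, an ip blacklist, and the "same account from two distant places within a short time" check. GEO_TABLE is a constructed stand-in for a geoiplookup database with documentation-range addresses and rough city coordinates; the thresholds, the user "alice" and her secret are likewise sample values. In production the secret would be a derived key in a store rather than a plain dict, and the whole exchange would run inside the SSL transport discussed above.

```python
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_FAILURES = 5        # lock the account after this many bad responses
IP_BLOCK_AFTER = 10     # blacklist the source ip after this many bad responses
TRAVEL_WINDOW_S = 3600  # two logins closer in time than this ...
TRAVEL_MAX_KM = 500     # ... and farther apart than this get flagged

# Constructed stand-in for a GeoIP lookup (address -> latitude, longitude).
GEO_TABLE = {
    "203.0.113.10": (19.07, 72.88),  # Mumbai (sample)
    "198.51.100.7": (28.61, 77.21),  # New Delhi (sample)
    "192.0.2.33": (19.08, 72.89),    # Mumbai again, other provider (sample)
}


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def client_response(shared_secret: bytes, nonce: bytes) -> bytes:
    """Client side of the challenge-response: prove knowledge of the secret
    by keying an HMAC with it; the secret itself is never sent."""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    last_ok: Optional[Tuple[float, str]] = None  # (timestamp, source ip)


class AuthServer:
    def __init__(self, users: Dict[str, bytes]):
        self.users = users                        # user -> shared secret
        self.accounts = {u: AccountState() for u in users}
        self.pending: Dict[str, bytes] = {}       # outstanding nonces
        self.ip_failures: Dict[str, int] = {}
        self.blocked_ips = set()

    def issue_challenge(self, user: str) -> bytes:
        """Server side, step 1: hand the client a fresh random nonce."""
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def _record_failure(self, acct: Optional[AccountState], ip: str) -> str:
        if acct is not None:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True                # disable the account
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.ip_failures[ip] >= IP_BLOCK_AFTER:
            self.blocked_ips.add(ip)              # blacklist the source
        return "bad-credentials"

    def verify(self, user: str, ip: str, response: bytes,
               now: Optional[float] = None) -> str:
        """Server side, step 2: check the client's answer to the nonce."""
        now = time.time() if now is None else now
        if ip in self.blocked_ips:
            return "ip-blocked"
        acct = self.accounts.get(user)
        nonce = self.pending.pop(user, None)      # a nonce is good for one try
        if acct is None or nonce is None:
            return self._record_failure(acct, ip)
        if acct.locked:
            return "locked"
        expected = client_response(self.users[user], nonce)
        if not hmac.compare_digest(expected, response):
            return self._record_failure(acct, ip)

        acct.failures = 0
        result = "ok"
        prev = acct.last_ok
        if (prev is not None and now - prev[0] < TRAVEL_WINDOW_S
                and prev[1] in GEO_TABLE and ip in GEO_TABLE
                and haversine_km(GEO_TABLE[prev[1]], GEO_TABLE[ip]) > TRAVEL_MAX_KM):
            result = "suspicious-travel"         # same account, two distant places
        acct.last_ok = (now, ip)
        return result


if __name__ == "__main__":
    srv = AuthServer({"alice": b"alice-shared-secret"})
    n = srv.issue_challenge("alice")
    print(srv.verify("alice", "203.0.113.10", client_response(b"alice-shared-secret", n), now=1000.0))
    n = srv.issue_challenge("alice")
    print(srv.verify("alice", "198.51.100.7", client_response(b"alice-shared-secret", n), now=1600.0))
```

The "suspicious-travel" result is deliberately a flag rather than a refusal: with GeoIP accuracy in the 90-95% range quoted earlier, and VPN or MPLS users all appearing from one place, it is a signal to log and review, not a reason to lock the account on its own.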
