Solved

LAN or WAN?

Posted on 2016-10-12
81 Views
Last Modified: 2016-11-08
My Backup Application (using Sockets) has a Server.exe (on one machine) and Client.exe (on each desktop).
Currently all the Client.exe are meant to be within the LAN of the Server.exe.
Now I want to permit users to work across the WAN too.
I want to recognize the users connecting via WAN how do I check that ?
Can I understand from within the Sockets details or will I have to use Geolocation ?
I use Delphi / Windows OS/ TServerSocket+TClientSocket
Question by:Allan_Fernandes
11 Comments

Expert Comment

by:skullnobrains
ID: 41840117
you should probably combine several techniques from among:
- filtering by IP if you know your clients' addresses. this is available in the socket's metadata
- i assume you already use passwords?
- SSL authentication with client certificates

or you can take a different approach and set up a VPN or SSH tunnels for your clients. if you have a commercial firewall, it probably comes with a VPN

Expert Comment

by:Geert Gruwez
ID: 41840672
the most important thing is overcoming connection loss
another issue is the speed

> are meant to be within the LAN of the Server.exe.
how can you be sure there are no WAN connections now?

with a VPN in between it's possible the IP address looks like it's in the LAN

Author Comment

by:Allan_Fernandes
ID: 41846591
Hi
Sorry for the delay in responding.
>> filtering by ip if you know your client's addresses
My application is currently being used on MPLS (LAN as far as I am concerned) and here the IPs across the country do not have any format that I can filter them on.

>> - i assume you already use passwords? - SSL authentication with client certificates
No. I am transferring via WinSock and I use an identity pattern to avoid any external intrusion.

>> the most important thing is overcoming connection loss; another issue is the speed
Very valid point and I have to check it out practically, but since the backups are incremental (even PST) it should not be much of an issue.

>> how can you be sure there are no WAN connections now?
Currently I am using a separate Server/Client Socket pair to send files from the Server machine to the Clients. This fails as it is not to the public IP of the clients.

Expert Comment

by:Geert Gruwez
ID: 41846627
backups incremental ? not an issue ?

if you have connection loss, then you need to "redo" the failed part
how the redo is done depends on what the failed part is ...

a really easy way ...
robocopy source dest backupfiles /Z

robocopy has a built-in retry mechanism
even across the wan

why reinvent the wheel ?

but i assume you want more control than that

Expert Comment

by:skullnobrains
ID: 41846842
given this extra information, i'd go the VPN way

if your server has to connect back to the client, you are bound to run into firewall issues on the client side so you'd have many things to change to get it to work over the WAN... or rewrite your app accordingly if for some reason setting up a VPN is not feasible for you

Author Comment

by:Allan_Fernandes
ID: 41857315
I think we have moved away from the question I asked. As far as connectivity etc. is concerned I will check that out and maybe come back to you all later. Now I want to know if there is any pattern of public addresses allocated as per geolocation?

Expert Comment

by:skullnobrains
ID: 41857346
> Now I want to know if there is any pattern of public addresses allocated as per geolocation?

simple answer, no.

but then if a Greek ISP possesses a number of IPs, there is a high chance that their owners/users are in Greece.

there is a tool named geoiplookup that can resolve the country. it is about 90-95% reliable, which is not great but not too bad. the paid version can resolve with better precision (cities, states, ...) and is supposed to be less error-prone regarding countries.

maybe if you provide more information regarding the users' connections, i'll be able to provide a useful tip. it could be sensible to register per-user IPs and ranges, or possibly get them to authenticate on the firewall in order to open the required network flow, or there may be a whole different way to get proper security without that much hassle both for yourself and the end users.

which country are you in, btw?

Author Comment

by:Allan_Fernandes
ID: 41858364
I am in India.
>> if you provide more information regarding the users' connections
I did not understand what kind of info you seek?

Expert Comment

by:skullnobrains
ID: 41859202
i gather your app requires the client to access the server and the server to connect back to the client.

> Currently I am using a separate Server/Client Socket pair to send files from the Server machine to the Clients. This fails as it is not to the public IP of the clients.

the server is behind a router, which is a problem you can handle.
the reverse is not, unless you know something about the users that makes you sure a home or hotel router does not get in the way. any wifi internet connection won't provide a public IP so it just won't work.

the first thing you need is to modify your app so all connections are initiated by the clients.

then you either build the security into your app. you can do client cert authentication with SSL for example, use passwords, more or less complication depending on the criticality in terms of security.

or you can rely on an external tool such as SSH tunnels or VPNs. VPNs should let you work without changes to your existing code because your clients will receive a LAN address that will be routed. SSH tunnels can be made to open remote tunnels on demand but i see no point in piloting ssh from your app.

... or you may consider modifying your app so it uses sftp or a similar standard protocol to talk to the server rather than having a server.exe

from what i understand, the simplest is probably to use SSL as a transport and modify your code so connections are not initiated by the server any more

Author Comment

by:Allan_Fernandes
ID: 41860925
All my connections are initiated by the Client machine only. The Client machine is fed with the Server IP; in this case it will be a public IP. The Client connects to the Server and has an active connection. Until now I have been initiating a new connection from the Server to the Client for file copy. Recently I changed my plans and experimented with a VPS I have hired in Atlanta and sent files back on the first connection itself (i.e. Client initiated); this worked perfectly.

Accepted Solution

by: skullnobrains (earned 500 total points)
ID: 41861915
so you covered step 1.

all that's left would be to add some kind of security layer.
basic passwords and SSL might be enough, preferably using a challenge-response mechanism for the authentication. you can also authenticate with client certs. i'd assume you don't need retinal scans.

additional reasonable security measures could be
- prevent brute-force attacks by disabling (possibly temporarily) accounts that try invalid authentications
- possibly blacklist the corresponding ips
- possibly identify weird stuff such as authenticating from 2 distant locations with the same account in a short period of time
- ... a wealth of other stuff depending on how secure you need it to be

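The security layer sketched in the accepted solution, and the geolocation caveat from the earlier geoiplookup comment, as an added example that is not part of the thread or of the Delphi application it discusses. It is written in Python rather than Delphi so it can be run anywhere: a server-side gate that does HMAC challenge-response authentication, temporarily locks an account after repeated invalid attempts, blacklists a source IP that keeps failing, and flags the same account succeeding from two distant locations within a short time. Everything below is assumed rather than stated in the thread: the socket is already wrapped in TLS, the server stores PBKDF2-derived keys instead of passwords, the `AuthGate`, `challenge`, `authenticate` and `client_response` names are invented for this example, and the `GEO` table is constructed sample data (RFC 5737 documentation addresses with illustrative coordinates) standing in for a real GeoIP lookup.

```python
"""Added example, not code from the thread or from the Delphi application it
discusses. Assumed rather than stated in the thread: HMAC challenge-response
over TLS, PBKDF2-derived keys stored instead of passwords, and a constructed
GEO table standing in for a GeoIP database."""
import hashlib, hmac, math, secrets

MAX_FAILURES = 5            # invalid attempts before the account is locked
LOCK_SECONDS = 15 * 60      # temporary lockout, as the thread suggests
IP_BLACKLIST_FAILURES = 10  # invalid attempts from one source IP before it is refused
MAX_PLAUSIBLE_KMH = 900     # implied travel speed above this between two logins is flagged
PBKDF2_ROUNDS = 100_000     # raise in production; kept modest so the demo runs quickly

GEO = {  # constructed sample data: RFC 5737 documentation addresses, illustrative coordinates
    "203.0.113.10": (19.0760, 72.8777),   # treated as Mumbai
    "192.0.2.55": (28.6139, 77.2090),     # treated as Delhi
    "198.51.100.7": (33.7490, -84.3880),  # treated as Atlanta
}

def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def derive_key(password, salt):  # both sides derive this; the server stores only the result
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def client_response(password, salt, nonce):
    """What Client.exe sends back: HMAC of the server's nonce under the derived key."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()

class AuthGate:
    """Challenge-response authentication plus the abuse controls suggested in the thread."""
    def __init__(self, clock):
        self.clock, self.users = clock, {}            # injectable clock; user -> (salt, key)
        self.failures, self.ip_failures = {}, {}      # per-user and per-source-IP failure counters
        self.locked_until, self.last_login = {}, {}   # user -> lock expiry; user -> (time, ip)
        self.ip_blacklist, self.alerts, self.pending = set(), [], {}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user):
        """Step 1: send the salt and a fresh nonce; the server remembers what it issued."""
        salt = self.users[user][0] if user in self.users else secrets.token_bytes(16)  # no enumeration
        self.pending[user] = secrets.token_bytes(32)
        return salt, self.pending[user]

    def _fail(self, user, ip):
        self.failures[user] = self.failures.get(user, 0) + 1
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        if self.failures[user] >= MAX_FAILURES:        # temporarily disable the account
            self.locked_until[user] = self.clock() + LOCK_SECONDS
        if self.ip_failures[ip] >= IP_BLACKLIST_FAILURES:
            self.ip_blacklist.add(ip)

    def authenticate(self, user, ip, response):
        """Step 2: verify the response against the issued nonce; returns (accepted, reason)."""
        now = self.clock()
        if ip in self.ip_blacklist:
            return False, "ip blacklisted"
        if now < self.locked_until.get(user, 0):
            return False, "account locked"
        nonce, record = self.pending.pop(user, None), self.users.get(user)  # nonce is single-use
        expected = hmac.new(record[1], nonce, hashlib.sha256).digest() if record and nonce else b""
        if not expected or not hmac.compare_digest(expected, response):
            self._fail(user, ip)
            return False, "bad credentials"   # unknown user and wrong password look alike
        self._check_travel(user, ip, now)
        self.failures[user] = 0
        self.last_login[user] = (now, ip)
        return True, "ok"

    def _check_travel(self, user, ip, now):
        """Flag one account succeeding from two places faster than anyone could travel."""
        prev = self.last_login.get(user)
        if not prev or ip not in GEO or prev[1] not in GEO:
            return
        hours = max((now - prev[0]) / 3600.0, 1e-6)
        km = haversine_km(GEO[ip], GEO[prev[1]])
        if km / hours > MAX_PLAUSIBLE_KMH:
            self.alerts.append((user, prev[1], ip, round(km), round(hours, 2)))

def demo():
    """One good login, a brute-force lockout, then an impossible-travel alert."""
    clock = [1_700_000_000.0]
    gate = AuthGate(clock=lambda: clock[0])
    gate.register("backup-svc", "correct horse battery staple")
    def login(ip, password):
        salt, nonce = gate.challenge("backup-svc")
        return gate.authenticate("backup-svc", ip, client_response(password, salt, nonce))
    first = login("203.0.113.10", "correct horse battery staple")
    for _ in range(MAX_FAILURES):            # wrong guesses from Delhi lock the account
        login("192.0.2.55", "guess")
    locked = login("203.0.113.10", "correct horse battery staple")
    clock[0] += LOCK_SECONDS + 60            # lock expired; login from Atlanta 16 minutes later
    later = login("198.51.100.7", "correct horse battery staple")
    return {"first": first, "locked": locked, "later": later, "alerts": list(gate.alerts)}
```

Calling `demo()` returns the first login accepted, the attempt during the lockout refused with "account locked", the later login accepted, and one alert recording a Mumbai-to-Atlanta jump in about a quarter of an hour. Two caveats the thread does not spell out: the derived key the server stores is password-equivalent for this protocol (anyone who reads the server's user table can answer a challenge), so challenge-response adds replay protection on top of TLS but does not remove the need to guard that table; and because GeoIP country resolution is only roughly 90-95% reliable, as noted earlier in the thread, the travel check raises an alert for a human rather than refusing the login. Locking accounts is also a denial-of-service lever, which is why the lock is temporary and the source IP is counted separately from the account.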