1

The IT department of my company refused to host an ASP .Net Web App on our intranet. For security reasons that would be the best solution. Right now I'm considering other options. One of those is to use ipSecurity on the web.config file in order to only allow people inside the organization to access it.

Since every computer in a office branch have the same IP address I'm wondering if the following code is enough to block the access of anyone outside our organization.

<system.webServer>
  <security>
    <ipSecurity enableReverseDns="true" allowUnlisted="false">
      <add ipAddress="123.123.123.123" allowed="true" />
      <add domainName="out1.mycompany.com" allowed="true" />
    </ipSecurity>
  </security>
</system.webServer>

In your opinion what are the security risks involved? Can this not be enough to restrict the audience that can use the web site?

cap7
  • 113
  • 4

1 Answers1

2

From What I understand, this web server will be placed outside the intranet. Have your IT department considered placing this web server in a dedicated VLAN?

the above code will only allow access from one particular IP address(the Public IP of your network)and make sure that the Domain Name matches with the IP address. Typically you are turning your web server into a firewall. IIS(with proper setup) is sturdy, but the risk of a DDoS is still there.

The reverseDNS lookup may slow things down. even Microsoft warns about it.

As long as you have HTTPS enabled along with Client authentication, so that all the traffic gets encrypted - this setup will work. But better yet, Use a VPN(or SSH tunnel).

JOW
  • 2,317
  • 2
  • 17
  • 24
  • 1
    You understood it correctly. I've try it out on Azure (Https is auto enabled if we use azurewebsites.net) and so far so good – cap7 Feb 13 '16 at 16:14