I have an idea I'd like to float to the smart people of Server Fault to pick holes in it.
I'm looking for a way to lock down a 3rd party application in IIS. It's a web service, so there's no login page or anything; it's meant for use in a VPN environment. I'm trying to put it online without a VPN and am thinking of ways to add some sort of security to it. I need to restrict it to certain networks. It's a business product, so I can probably get away with saying that you need to be on a private network (i.e. not public Wi-Fi) to use it. My idea is to use IP Address Restriction in IIS, and write an app that the users install and have it update the server with their current IP every few minutes; the server then blocks all except the ones recently updated.
How secure would this be? Is there a major flaw in this idea? Or is there perhaps a better way to do this in IIS?
I can see one major flaw with this - all an attacker has to do is hijack one communication and the app will then only talk to their computer. Realistically, it wouldn't be too hard to watch the traffic to see what would be required.
Of course you could use encryption using a public/private key pair to avoid this issue; then you are authenticating, which seems like a much better idea.
We used client certificates. They're required at the IIS level, not in the app, so no mods there. Then anyone that wants in has to have a client cert issued by us, so it doesn't matter where they run it from. Of course that doesn't restrict it to a certain network, just certain machines that have the cert.
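The IIS-level requirement described in the answer above, as an added example that is not part of the original post: a PowerShell function that makes IIS demand a client certificate for one site or application without touching the application itself. The function name, site name and application path are placeholders assumed for illustration.

```powershell
# Added example, not from the original thread. Run in an elevated session on the IIS host.
Import-Module WebAdministration

function Set-RequireClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $SiteName,  # placeholder, e.g. 'Default Web Site'
        [string] $AppPath = ''                      # placeholder, e.g. 'ThirdPartyService'
    )

    $location = if ($AppPath) { "$SiteName/$AppPath" } else { $SiteName }

    # Client certificates are exchanged in the TLS handshake, so the site
    # must already have an https binding with a server certificate.
    if (-not (Get-WebBinding -Name $SiteName -Protocol 'https')) {
        throw "Site '$SiteName' has no https binding; add one first."
    }

    # The <access> section is locked at server level by default, so write it
    # into applicationHost.config under a <location> tag, not into web.config.
    $section = @{
        PSPath   = 'MACHINE/WEBROOT/APPHOST'
        Location = $location
        Filter   = 'system.webServer/security/access'
        Name     = 'sslFlags'
    }

    # Ssl              = refuse plain HTTP
    # SslNegotiateCert = ask the client for a certificate
    # SslRequireCert   = reject the request (HTTP 403) if none is presented
    Set-WebConfigurationProperty @section -Value 'Ssl,SslNegotiateCert,SslRequireCert'

    # Return the stored value so the change can be confirmed.
    Get-WebConfigurationProperty @section
}

# Example call with placeholder names:
# Set-RequireClientCertificate -SiteName 'Default Web Site' -AppPath 'ThirdPartyService'
```

With only these flags IIS accepts any client certificate that chains to a root the server trusts, so limiting access to certificates from one issuing CA needs a further step such as IIS client certificate mapping or restricting the trusted issuers on the binding.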