appear to come from an IP
-
Love legacy stuff.
Clients primary software relies on IP lockdown for one layer of their security (*EDIT: I'm making this assumption to the motives). There is the likely situation where they will not support a hostname for my mobile users. So DDNS is likely out (waiting for that confirmation - though level one support didn't think it likely).
I really don't want to, but might have little choice in setting up a VPN host at one of the client sites for them to send traffic through to get past the IP lockout.
Any other suggestions from anyone?
-
@dashrender Where does the IP whitelisting happen and how do the users connect?
Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?
Are we talking about one IP or a subnet or just that it has to one or several static IP ranges?
-
@dashrender said in appear to come from an IP:
Any other suggestions from anyone?
Actually ask them how they can both say that they need this software AND continue using it knowing that at any moment access to it could evaporate and they'll be stuck.
-
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Any other suggestions from anyone?
Actually ask them how they can both say that they need this software AND continue using it knowing that at any moment access to it could evaporate and they'll be stuck.
Sadly - so many just don't understand this. And there aren't as many options for pharmacy software as you might think.
-
@pete-s said in appear to come from an IP:
@dashrender Where does the IP whitelisting happen and how do the users connect?
Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?
Are we talking about one IP or a subnet or just that it has to one or several static IP ranges?
This is a SaaS solution. They are the ones who manage the whitelist.
The level one techs are claiming that their system will only accept IP addresses, not hosts in the whitelist. Of course we've all seen systems like that - 20 years ago. And as I just got done telling Scott - RX vendors rarely update their solutions - and unrelated vendor is actively deploying a version of xming from 2006, even though there is active development in 2022.I now believe that they lock down to IP because the rest of their security is so bad.
-
@dashrender said in appear to come from an IP:
And there aren't as many options for pharmacy software
Which Pharmacy software are you using currently? We have Liberty - not the best and even worse is how it's 'built'.
We have two pharmacies,.. ... and that means with Liberty we have two servers. It wasn't built to really handle more than one office. But somehow - they have managed to cross link them ... Not my monkey so I can't same much on it the matter.
-
@gjacobse said in appear to come from an IP:
@dashrender said in appear to come from an IP:
And there aren't as many options for pharmacy software
Which Pharmacy software are you using currently? We have Liberty - not the best and even worse is how it's 'built'.
We have two pharmacies,.. ... and that means with Liberty we have two servers. It wasn't built to really handle more than one office. But somehow - they have managed to cross link them ... Not my monkey so I can't same much on it the matter.
This company also has 2 RX software for two different companies - perhaps they'll be merging soon.
RX30 - designed to be locally hosted on CentOS
RXDispense - SaaSThen someone else I support uses
QS/1All three of these solutions mandate locking down access to IP. I'm fairly certain that RX30 will support host names though.
-
@dashrender said in appear to come from an IP:
Then someone else I support uses
QS/1I was told that QS1 is an absolute joke and the support is worse.
-
@gjacobse said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Then someone else I support uses
QS/1I was told that QS1 is an absolute joke and the support is worse.
It's one or two notches above worse... I've definitely dealt with worse.
I know this client simply bought what their GPO sold them, no other research was ever allowed.
-
@dashrender said in appear to come from an IP:
All three of these solutions mandate locking down access to IP. I'm fairly certain that RX30 will support host names though.
How does someone lock to a hostname? Doesn't that 100% defeat the purpose of the lock since you can arbitrarily change the hostname at will anytime?
-
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
All three of these solutions mandate locking down access to IP. I'm fairly certain that RX30 will support host names though.
How does someone lock to a hostname? Doesn't that 100% defeat the purpose of the lock since you can arbitrarily change the hostname at will anytime?
Well, it's not a lock - obviously - but a trusting of the DNS system to not be compromised.
Pretty sure I didn't say 'lock to a hostname' either
-
@dashrender said in appear to come from an IP:
relies on IP lockdown
Literally used the word lock for the IP. What would the hostname be for other than defeating the lock?
-
@dashrender said in appear to come from an IP:
Well, it's not a lock - obviously - but a trusting of the DNS system to not be compromised.
THe point started as a lock. So I'm not following. Don't you want DNS specifically to avoid the lock?
-
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Well, it's not a lock - obviously - but a trusting of the DNS system to not be compromised.
THe point started as a lock. So I'm not following. Don't you want DNS specifically to avoid the lock?
Of course "I" do. This is a vendor imposed restriction which makes our use challenging to say the least. The vendor hasn't supplied a reason they IP lock - but I can really only imagine it's more about security than anything else - and I say this because they will add additional IPs at a whim (well, at least one vendor will).
Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.
-
@dashrender said in appear to come from an IP:
The vendor hasn't supplied a reason they IP lock - but I can really only imagine it's more about security than anything else
No, IT does that for security. Dev does that for licensing. They are Devs, you are IT. Any IP lock from the app is always for licensing reasons.
-
@dashrender said in appear to come from an IP:
and I say this because they will add additional IPs at a whim (well, at least one vendor will).
Sure, that's normal. FOrces you to talk to them and expose that your IPs are changing.
-
@dashrender said in appear to come from an IP:
Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.
Yup, gives them a chance to enforce your knowledge of a potential violation.
-
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.
Yup, gives them a chance to enforce your knowledge of a potential violation.
I also think it's a licensing thing, with a bit of security sprinkled on top.
Each client location would normally have a different static IP so it's easy to keep track of them. And with IP whitelisting you get some DDOS protection.
IP whitelisting is normally on IP, not FQDNs, to avoid a DNS lookup for every access and to avoid DNS spoofing. When you do use FQDN in a firewall, it's actually still static IPs but the IP list is usually updated when the DNS entry expires or on a fixed schedule, like every 5 minutes or something.
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
-
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
@dashrender Where does the IP whitelisting happen and how do the users connect?
Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?
Are we talking about one IP or a subnet or just that it has to one or several static IP ranges?
This is a SaaS solution. They are the ones who manage the whitelist.
The level one techs are claiming that their system will only accept IP addresses, not hosts in the whitelist. Of course we've all seen systems like that - 20 years ago. And as I just got done telling Scott - RX vendors rarely update their solutions - and unrelated vendor is actively deploying a version of xming from 2006, even though there is active development in 2022.I now believe that they lock down to IP because the rest of their security is so bad.
If it's web based I'd look at using an outgoing http proxy. This is a forward proxy, not a reverse proxy as you commonly see in front of websites.
Mobile users traffic that is going to the SaaS solution goes through the proxy first, everything else goes the directly as normal. You just need to change proxy settings on the mobile users to get this up and running, nothing to install.
You can host the proxy yourself or use a service. IMHO it would be better if it's located outside your LAN to avoid using up valuable bandwidth.
You'll whitelist the IP of the proxy since all your mobile users will appear to have that IP.
-
@pete-s said in appear to come from an IP:
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
I know I need DDNS - I've already got it in place.
Why do you think wildcard support would be needed?
