Restricting access for users outside of network

I have an application that is being used on-site to monitor and control by an operator. This operator's username has rights to change setpoints and start/stop equipment. I have additional users that can log in through the internet to view data only. What I would like to do is ensure that the operator cannot log in remotely and change/start/stop anything unless they are logged in to a machine on the local network. For example, if he logs into a machine on-site using his proper name and password he will have no issues. If he logs in using the same username/password from say, his house, he can monitor, but not change anything. Can I do this via a script? What would be the best method of implementing this? Thanks.

Paul Gonzales, Jr.

I see two possible options: open read only screens or change the session mode.

On buttons or navigation features:

ip = system.net.getExternalIpAddress()
#check if this matches the site IP address
if ip == "66.102.7.104":
   system.nav.swapTo("Normal Xyz")
else:
   system.nav.swapTo("Read Only Xyz")

On a client scoped timer / login event (timer so if the interface is on a laptop, the operator cannot start the session at the site and then reconnect at another location with the same access level):

ip = system.net.getExternalIpAddress()
#check if this matches the site IP address
if ip == "66.102.7.104":
   system.util.setConnectionMode(3)
else:
   system.util.setConnectionMode(2)

Check with IT on how to best determine inclusion/exclusion by IP range (if you’re going that route). Your VPN clients may use IP addresses that look like they’re within your local scope.

ip = system.net.getExternalIpAddress()
#check if this matches the site IP address
if ip == "66.102.7.104":

How would you script to allow any IP on the local area network? As in 66.102.7.XX? Sorry, I am not great at scripting (yet!).

Take for example the following network diagram

On premises, the call should return the IP of your firewall which would be 68.17.45.36 while the same call should return the IP of the Operator’s home modem which would be 13.5.100.2 if called from the Operator’s home.

Basically you want to find out what your endpoint to the internet is and classify the access type on that. If the call to get the external IP doesn’t return that endpoint, then you’re not on premises.

Like Nathan said you’ll want to ask your IT people if remote users are using VPN clients, and if they do, where they will resolve the external IP address.

Like Greg and Nathan said you’ll want to check with your network guys to see how you can identify people connecting via a VPN. But to answer your question relating to string comparison, “is 66.85.45.23 part of 66.85.45.xx” you can use the find method of strings.

test = "66.85.45.23"
print test.find("66.85.45.")
print test.find("66.96.48.")

The first will print 0 which is the starting index of the substring “66.85.45.” and the second will print -1 meaning that the substring was not found. Hope this helps.

How do I get the result of the print into a variable? I ran your test, and I get a printed result, but everything I have tried doesn’t seem to capture it. Thanks.

You can just use variable assignment such as:

test = "66.85.45.23"
your_variable = test.find("66.85.45.")
if your_variable == 0:
   pass  # do something
else:
   pass  # do something else

You also might try using a client tag bound to a runScript expression, like:

runScript("system.net.getExternalIpAddress().contains('xx.xx.xx')")

Then you’d have a tag whose value corresponded to the subnet of the actual client PC.
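
Added example (not from any of the posts above): a substring test such as contains('66.85.45') also matches addresses like 166.85.45.23, so this code parses the address and compares it against a CIDR range instead, and falls back to read-only when the value cannot be parsed. The names SITE_NETWORKS, in_network and connection_mode_for are hypothetical, the addresses are constructed samples, and the ipaddress module is avoided on the assumption that the script runs under Ignition's Jython 2.x.

```python
# Added example, not code from the thread. Plain Python with no imports so it
# also runs under Jython 2.x (assumed for Ignition client scripts).
READ_ONLY, READ_WRITE = 2, 3          # modes passed to setConnectionMode in the thread
SITE_NETWORKS = ["66.85.45.0/24"]     # constructed sample; use the range IT gives you


def ip_to_int(text):
    """Parse dotted-quad IPv4 text into a 32-bit integer; ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted quad: %r" % (text,))
    value = 0
    for part in parts:
        # Accept only 1-3 ASCII digits with a value of 0-255.
        if not 1 <= len(part) <= 3 or part.strip("0123456789") or int(part) > 255:
            raise ValueError("bad octet in %r" % (text,))
        value = (value << 8) | int(part)
    return value


def in_network(ip_text, cidr):
    """True if ip_text falls inside cidr, e.g. '66.85.45.0/24'."""
    base, prefix = cidr.split("/")
    prefix = int(prefix)
    if not 0 <= prefix <= 32:
        raise ValueError("bad prefix length in %r" % (cidr,))
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (ip_to_int(ip_text) & mask) == (ip_to_int(base) & mask)


def connection_mode_for(ip_text, site_networks):
    """Read/write only for a parseable address inside a site network."""
    try:
        for cidr in site_networks:
            if in_network(ip_text, cidr):
                return READ_WRITE
    except (ValueError, AttributeError, TypeError):
        pass                          # None, junk text or a bad range: fail closed
    return READ_ONLY


# Wiring inside Ignition, using the two calls shown in the posts above:
# system.util.setConnectionMode(
#     connection_mode_for(system.net.getExternalIpAddress(), SITE_NETWORKS))
```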