I would like to restrict access to a cloud service based on the network where the requests are coming from. I have control over both the network and the cloud service receiving requests from within the network. The network is behind a router, i.e. all users have the same outgoing (dynamic) IP address.

I'll provide an example: company A buys a service from company B. The service by B is hosted in the cloud. Now, A wants users to be able to use this service if and only if users are in the corporate network of A. Thus, B needs to make sure the requests from A's users originate from A's corporate network.

So what I want to do is: let company A restrict access to company B's services by requiring that all users accessing the services are within company A's network.

This would be easy if it were one network only, and I wanted to prevent outside access.

HopelessN00b
Carl
  • `based on where the request originates from` Meaning... what? You want to filter access based on... country of origin? User? Device? Whether they're in the break room or not? This needs clarification and more precise language to be a useful question. – HopelessN00b Apr 07 '14 at 15:02
  • @HopelessN00b I am sorry for being unclear. I'll provide an example: company A buys a service from company B. The service by B is hosted in the cloud. Now, A wants users to be able to use this service if and only if users are in the corporate network of A. Thus, B needs to make sure the requests from A's users originate from A's corporate network. Does this aid in understanding the situation? – Carl Apr 07 '14 at 16:01
  • Yeah, that helps. You should edit it into your question. – HopelessN00b Apr 07 '14 at 16:30
  • What does this have to do with "WiFi hubs"? – Michael Hampton Apr 07 '14 at 18:52
  • In my specific case, it would be WiFi hubs. But it doesn't matter, I have taken it out of the question. – Carl Apr 07 '14 at 18:55

2 Answers

The two possible solutions I can think of are:

  1. Split the network into segments. You can use VLAN tagging to run two different segments on one physical network. Then you hand out two different ranges of IP addresses with DHCP, and use one or more routers to route traffic between the segments.
  2. Put a DHCP relay on each AP and have the AP block the DHCP request from being forwarded - except through its own relay. Then arrange for the relayed DHCP requests to get IP addresses that are distinguishable from those handed out to wired equipment. Notice that this is not a strong access control mechanism. Users can easily bypass this version by assigning a static IP address.
kasperd
  • The problem is, access happens to a service on the internet. Users connect to the WiFi, and then are allowed to use only a particular set of online services. Would your suggestions still work in that case? – Carl Apr 07 '14 at 15:59
  • My suggestions would give WiFi users IP addresses from a distinct IP range. You could have firewall rules treat those differently. If you want to allow wired users to access certain services, but not WiFi users, then a packet filter applied on each AP would probably be the easiest solution. But it sounds like you want to do it the other way around. – kasperd Apr 07 '14 at 18:30
  • Thanks for your help! Please see my edited question. In this case, the receiving service in the cloud still wouldn't know if the requests came from company A's users or not. Or am I missing something? – Carl Apr 07 '14 at 18:50
  • If NAT is involved, you'd have to filter the traffic before it gets NATted, possibly by applying a filter on the NAT. Alternatively you could force all traffic through a "transparent" proxy, which inserts the client IP from the LAN in an X-Forwarded-For header. Or you could upgrade to IPv6 and get rid of the NAT. – kasperd Apr 07 '14 at 19:02
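Worked example (added here by the editor; it is not part of kasperd's answer or anything company B ships): the last comment above suggests a transparent proxy on A's side that records the LAN client address in `X-Forwarded-For`, so that B's service can check it against A's wired range. The catch is that any client can send its own `X-Forwarded-For`, so the service must believe the header only when the request demonstrably came through A's proxy. The code below shows that check in two forms. The first trusts the header only when the TCP peer is a fixed proxy address and reads the rightmost entry (the one the proxy itself appended, after any value the client forged). Because the question says A's egress address is dynamic, the second form instead has the proxy sign the client address with a shared secret and a timestamp, which works from any peer address. The addresses, subnet, header names (`X-Client-IP`, `X-Client-TS`, `X-Client-Sig`), secret and 300-second skew window are all constructed assumptions for the example.

```python
"""Origin check for a cloud service behind a trusted forwarding proxy.

Added example, not code from the thread. All addresses, header names and
the secret below are constructed for illustration.
"""
import hashlib
import hmac
import ipaddress
import time

# Company A's wired VLAN (the range the "allowed" users receive via DHCP).
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Company A's proxy as seen by B, if its public address is static.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}
# Secret shared between A's proxy and B's service for the signed variant.
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 300


def is_allowed_client(ip_str):
    """True if ip_str parses and lies inside one of A's allowed ranges."""
    try:
        ip = ipaddress.ip_address(ip_str.strip())
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_CLIENT_NETS)


def client_from_xff(peer_ip, xff):
    """Variant 1: believe X-Forwarded-For only when the TCP peer is our proxy.

    Proxies append the address of the hop they received the request from,
    so the rightmost entry is the one our proxy wrote; anything further left
    may have been supplied by the client and is ignored.
    """
    if xff is None:
        return None
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if peer not in TRUSTED_PROXIES:
        return None
    return xff.split(",")[-1].strip()


def sign_client(client_ip, ts, secret=SHARED_SECRET):
    """What A's proxy would put in X-Client-Sig for a given client and time."""
    msg = f"{client_ip}|{int(ts)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_from_signed(headers, now=None, secret=SHARED_SECRET):
    """Variant 2: accept a client address vouched for by an HMAC from the proxy.

    Independent of the peer address, so it survives A's dynamic egress IP.
    The timestamp bounds replay of a captured header.
    """
    ip = headers.get("X-Client-IP")
    ts = headers.get("X-Client-TS")
    sig = headers.get("X-Client-Sig")
    if not (ip and ts and sig):
        return None
    try:
        ts_int = int(ts)
    except ValueError:
        return None
    now = time.time() if now is None else now
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return None
    if not hmac.compare_digest(sign_client(ip, ts_int, secret), sig):
        return None
    return ip


def authorize(peer_ip, headers, now=None):
    """Decision for one request: signed header first, else XFF from a trusted peer."""
    client = client_from_signed(headers, now)
    if client is None:
        client = client_from_xff(peer_ip, headers.get("X-Forwarded-For"))
    return bool(client is not None and is_allowed_client(client))


if __name__ == "__main__":
    # A wired user behind the proxy is accepted; a WiFi user who forged the
    # header is rejected because the proxy appended the real address last.
    print(authorize("203.0.113.10", {"X-Forwarded-For": "10.10.5.7"}))
    print(authorize("203.0.113.10", {"X-Forwarded-For": "10.10.5.7, 192.168.1.5"}))
```

Either variant still only tells B which of A's internal ranges a request came from; whether that range really contains only wired users depends on the VLAN and DHCP controls from the answer above, and as kasperd notes a user who sets a static address can defeat the DHCP-only version.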

This is a classic use case for RADIUS authentication. You haven't provided a platform, so we can't give specific implementation details, but this generally is the solution of choice for corporate networks precisely because it allows you to define allowed user groups for network access, including Wifi. Coupled with PKI, it can even do so completely transparently to the end user - users or devices with the requisite certificates are allowed to connect, others are not.

HopelessN00b
  • I will look into that. Do you think there is an easier solution? E.g. tagging IP packets? – Carl Apr 07 '14 at 18:56
  • @user3504092 I can't imagine any situation where tagging packets would be easier than having a RADIUS server or two, no. And for whatever it's worth, RADIUS is not particularly difficult to implement, either. Like most things (and any scheme you use to achieve this goal), it's just a matter of having a solid plan up front, and getting the details right when you execute that plan. – HopelessN00b Apr 07 '14 at 19:00