appear to come from an IP
-
@pete-s said in appear to come from an IP:
@dashrender Where does the IP whitelisting happen and how do the users connect?
Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?
Are we talking about one IP or a subnet or just that it has to one or several static IP ranges?
This is a SaaS solution. They are the ones who manage the whitelist.
The level one techs are claiming that their system will only accept IP addresses, not hosts in the whitelist. Of course we've all seen systems like that - 20 years ago. And as I just got done telling Scott - RX vendors rarely update their solutions - and unrelated vendor is actively deploying a version of xming from 2006, even though there is active development in 2022.I now believe that they lock down to IP because the rest of their security is so bad.
-
@dashrender said in appear to come from an IP:
And there aren't as many options for pharmacy software
Which Pharmacy software are you using currently? We have Liberty - not the best and even worse is how it's 'built'.
We have two pharmacies,.. ... and that means with Liberty we have two servers. It wasn't built to really handle more than one office. But somehow - they have managed to cross link them ... Not my monkey so I can't same much on it the matter.
-
@gjacobse said in appear to come from an IP:
@dashrender said in appear to come from an IP:
And there aren't as many options for pharmacy software
Which Pharmacy software are you using currently? We have Liberty - not the best and even worse is how it's 'built'.
We have two pharmacies,.. ... and that means with Liberty we have two servers. It wasn't built to really handle more than one office. But somehow - they have managed to cross link them ... Not my monkey so I can't same much on it the matter.
This company also has 2 RX software for two different companies - perhaps they'll be merging soon.
RX30 - designed to be locally hosted on CentOS
RXDispense - SaaSThen someone else I support uses
QS/1All three of these solutions mandate locking down access to IP. I'm fairly certain that RX30 will support host names though.
-
@dashrender said in appear to come from an IP:
Then someone else I support uses
QS/1I was told that QS1 is an absolute joke and the support is worse.
-
@gjacobse said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Then someone else I support uses
QS/1I was told that QS1 is an absolute joke and the support is worse.
It's one or two notches above worse... I've definitely dealt with worse.
I know this client simply bought what their GPO sold them, no other research was ever allowed.
-
@dashrender said in appear to come from an IP:
All three of these solutions mandate locking down access to IP. I'm fairly certain that RX30 will support host names though.
How does someone lock to a hostname? Doesn't that 100% defeat the purpose of the lock since you can arbitrarily change the hostname at will anytime?
-
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
All three of these solutions mandate locking down access to IP. I'm fairly certain that RX30 will support host names though.
How does someone lock to a hostname? Doesn't that 100% defeat the purpose of the lock since you can arbitrarily change the hostname at will anytime?
Well, it's not a lock - obviously - but a trusting of the DNS system to not be compromised.
Pretty sure I didn't say 'lock to a hostname' either
-
@dashrender said in appear to come from an IP:
relies on IP lockdown
Literally used the word lock for the IP. What would the hostname be for other than defeating the lock?
-
@dashrender said in appear to come from an IP:
Well, it's not a lock - obviously - but a trusting of the DNS system to not be compromised.
THe point started as a lock. So I'm not following. Don't you want DNS specifically to avoid the lock?
-
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Well, it's not a lock - obviously - but a trusting of the DNS system to not be compromised.
THe point started as a lock. So I'm not following. Don't you want DNS specifically to avoid the lock?
Of course "I" do. This is a vendor imposed restriction which makes our use challenging to say the least. The vendor hasn't supplied a reason they IP lock - but I can really only imagine it's more about security than anything else - and I say this because they will add additional IPs at a whim (well, at least one vendor will).
Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.
-
@dashrender said in appear to come from an IP:
The vendor hasn't supplied a reason they IP lock - but I can really only imagine it's more about security than anything else
No, IT does that for security. Dev does that for licensing. They are Devs, you are IT. Any IP lock from the app is always for licensing reasons.
-
@dashrender said in appear to come from an IP:
and I say this because they will add additional IPs at a whim (well, at least one vendor will).
Sure, that's normal. FOrces you to talk to them and expose that your IPs are changing.
-
@dashrender said in appear to come from an IP:
Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.
Yup, gives them a chance to enforce your knowledge of a potential violation.
-
@scottalanmiller said in appear to come from an IP:
@dashrender said in appear to come from an IP:
Once when we asked to add an additional IP the vendor did say - now you know, you can't use this software to dispense at another location under this license? Which we knew - we wanted remote access for reports.
Yup, gives them a chance to enforce your knowledge of a potential violation.
I also think it's a licensing thing, with a bit of security sprinkled on top.
Each client location would normally have a different static IP so it's easy to keep track of them. And with IP whitelisting you get some DDOS protection.
IP whitelisting is normally on IP, not FQDNs, to avoid a DNS lookup for every access and to avoid DNS spoofing. When you do use FQDN in a firewall, it's actually still static IPs but the IP list is usually updated when the DNS entry expires or on a fixed schedule, like every 5 minutes or something.
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
-
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
@dashrender Where does the IP whitelisting happen and how do the users connect?
Is it a SaaS provider or a hosted solution of some kind that is doing the whitelisting?
Are we talking about one IP or a subnet or just that it has to one or several static IP ranges?
This is a SaaS solution. They are the ones who manage the whitelist.
The level one techs are claiming that their system will only accept IP addresses, not hosts in the whitelist. Of course we've all seen systems like that - 20 years ago. And as I just got done telling Scott - RX vendors rarely update their solutions - and unrelated vendor is actively deploying a version of xming from 2006, even though there is active development in 2022.I now believe that they lock down to IP because the rest of their security is so bad.
If it's web based I'd look at using an outgoing http proxy. This is a forward proxy, not a reverse proxy as you commonly see in front of websites.
Mobile users traffic that is going to the SaaS solution goes through the proxy first, everything else goes the directly as normal. You just need to change proxy settings on the mobile users to get this up and running, nothing to install.
You can host the proxy yourself or use a service. IMHO it would be better if it's located outside your LAN to avoid using up valuable bandwidth.
You'll whitelist the IP of the proxy since all your mobile users will appear to have that IP.
-
@pete-s said in appear to come from an IP:
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
I know I need DDNS - I've already got it in place.
Why do you think wildcard support would be needed? -
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
I know I need DDNS - I've already got it in place.
Why do you think wildcard support would be needed?Don't know how many clients you have but if you want to enter FQDN for each client it could be a lot. With wildcard you would just do *.example.com which cover client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.
-
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
I know I need DDNS - I've already got it in place.
Why do you think wildcard support would be needed?Don't know how many clients you have but if you want to enter FQDN for each client it could be a lot. With wildcard you would just do *.example.com which cover client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.
OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.
-
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
I know I need DDNS - I've already got it in place.
Why do you think wildcard support would be needed?Don't know how many clients you have but if you want to enter FQDN for each client it could be a lot. With wildcard you would just do *.example.com which cover client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.
OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.
Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.
-
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
@dashrender said in appear to come from an IP:
@pete-s said in appear to come from an IP:
Either way for mobile users FQDNs is also a little problematic because you need DDNS service on each client. And you probably need FQDN wildcard support as well in the IP whitelisting.
I know I need DDNS - I've already got it in place.
Why do you think wildcard support would be needed?Don't know how many clients you have but if you want to enter FQDN for each client it could be a lot. With wildcard you would just do *.example.com which cover client1.example.com, client2.example.com etc. Then you could add and remove clients without having to change the wildcard FQDN at the SaaS provider.
OK, that makes sense. In my case it's around 10. With as ancient as most of these RX systems are - I'd be very surprised if they'd support a wildcard entry.
Probably not. Most likely you're going to have to stick to IPs. That's why I think a forward proxy might be the best solution.
I've only ever setup a proxy for the same network that I'm on.
In this case I'd need a solution that allows a remote user to be anywhere, proxy through a known source to the destination.
I know VPNs can be setup to do this, VPN to office network - all traffic, including internet traffic goes through VPN and out office ISP. (I'm sure one could also setup some type of rule that only this particular website's traffic is what goes through the VPN)
Though I assume there are other ways to do this as well.
Thoughts - recommendations?
