
Our company develops web applications and uses them on the internal network. We need to set up a mechanism to control and monitor internal network traffic so that only approved applications on the network can be used by clients and non-certified applications are forbidden. Also, there is no need to authenticate users or check access: all internal users should be able to access all certified applications. Is there any routine solution to this need? Should I implement a local CA? How do I certify applications in this mechanism?

Edited: Thanks to the replies. In order for readers to better understand the problem: some users have access to deploy or update internal web applications, but we need to make sure they are trusty. For each update, a set of reviews must be performed, and then a license should be published for them. I'm looking for a mechanism to run this process. Also, all internal web applications should be monitored in this mechanism to detect untrusted applications.

Saeed MH
  • What exactly is the *"rest of the applications"*? What do you mean with *"restricted"* - forbidden, allowed for selected users? *"Can be used"* - by whom, users? How do you authenticate users in your network? Too much context and details are missing. – Steffen Ullrich May 21 '21 at 21:05
  • Depending on the sophistication and dedication of the "attackers" (who might just be users trying to run unapproved clients), this is likely impossible. There is no way to tell the difference between a trusted client and an untrusted one that behaves the same with regard to network traffic. You *might* be able to use hardware security features on some locked-down devices to attest to the integrity of the running code using keys that are very hard to extract, but for general-purpose computers this is basically impossible. You can, at best, make it very inconvenient. – CBHacking May 22 '21 at 07:31
  • @CBHacking It isn't a matter of client approval. It is about certification of web applications on the internal network and blocking or finding non-certified apps. – Saeed MH May 22 '21 at 08:39
  • @SteffenUllrich Thanks for the feedback. I edited the post. – Saeed MH May 22 '21 at 08:53
  • Ah, I misunderstood. Still impossible, though, unless you have complete control over all the hardware on the company LAN. I can run a web server, hosting an arbitrary web app, on my phone. I can run a few dozen of them on any PC, or smart TV, that isn't locked down so hard I can't open a listening network socket. Any of these web apps will allow any client (which could also be running on any such device) to connect; you can only prevent that by preventing clients from running at all. You could try setting firewall rules on all your company hardware that limits outbound requests, I guess... – CBHacking May 22 '21 at 11:01
  • @SaeedMH: I still don't get it. If all certified applications are internal and all internal users should be able to access them but nobody else, then just don't make the applications accessible from outside in the first place. Since this sounds too obvious I assume that I still don't understand your problem. Maybe don't make it that abstract, but more concrete, i.e. add detailed examples for what you mean. – Steffen Ullrich May 22 '21 at 11:32
  • @SteffenUllrich The problem is that some users have access to deploy or update internal web applications, but we need to make sure they are trusty. For each update, a set of reviews must be performed, and then a license should be published for them. I'm looking for a mechanism to run this process. Also, all internal web applications should be monitored in this mechanism to detect untrusted applications. – Saeed MH May 23 '21 at 16:49
  • @SaeedMH: The process you need to implement depends on how you work, i.e. existing processes. These are not known. But if everybody can install arbitrary web applications without review (or why do you want to monitor for this case?), you might need to change who is allowed to install web applications in the first place: only trusted developers and only after they have done a review. Whether you need to formalize this again depends on your specific organisation and the requirements. Technical solutions can help, but you likely need to adapt business processes first. – Steffen Ullrich May 23 '21 at 17:29
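As an added illustration of the monitoring half of the question (example code, not from the thread or any of its participants): the review step publishes a "license" record binding each internal host:port to the SHA-256 fingerprint of the TLS certificate the reviewed release serves, and a monitor compares what it actually observes on the network against that registry. The registry format, host names and certificate bytes below are all constructed for the example.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hex)."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for certificates issued by the internal CA.
CERT_TIMESHEET_V3 = b"constructed-cert:timesheet:v3"   # reviewed release
CERT_TIMESHEET_V4 = b"constructed-cert:timesheet:v4"   # deployed, not yet reviewed
CERT_WIKI_V12 = b"constructed-cert:wiki:v12"
CERT_HR_V1 = b"constructed-cert:hr:v1"

# Hypothetical licence registry written by the review process:
# (host, port) -> fingerprint of the certificate the certified release serves.
LICENSES = {
    ("timesheet.corp.example", 443): fingerprint(CERT_TIMESHEET_V3),
    ("wiki.corp.example", 443): fingerprint(CERT_WIKI_V12),
    ("hr.corp.example", 443): fingerprint(CERT_HR_V1),
}

# Constructed inventory as a network scan of the internal LAN might report it:
# (host, port, DER certificate presented, or None for a plain-HTTP listener).
OBSERVED = [
    ("timesheet.corp.example", 443, CERT_TIMESHEET_V4),  # updated without review
    ("wiki.corp.example", 443, CERT_WIKI_V12),           # matches its licence
    ("10.0.5.77", 8080, None),                           # unknown plain-HTTP app
]


def classify(observed, licenses):
    """Sort observed listeners into certified / uncertified (with a reason) and
    list licensed apps that were not seen at all (moved, down, or renamed)."""
    report = {"certified": [], "uncertified": [], "unseen": []}
    seen = set()
    for host, port, cert_der in observed:
        key = (host, port)
        seen.add(key)
        fp = fingerprint(cert_der) if cert_der is not None else None
        if fp is not None and licenses.get(key) == fp:
            report["certified"].append(key)
            continue
        if fp is None:
            reason = "no TLS certificate presented"
        elif key not in licenses:
            reason = "listener not in licence registry"
        else:
            reason = "certificate differs from licensed release"
        report["uncertified"].append((host, port, reason))
    report["unseen"] = sorted(k for k in licenses if k not in seen)
    return report
```

This only recognises what a listener presents, so it is an inventory check rather than proof of the code behind it; it flags a changed deployment or an unregistered listener for follow-up, which is the "detect untrusted application" part of the process, not a control that prevents it.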

0 Answers