I have an ASP.NET Core 6 MVC Web application. I am building a DMZ website on my company's servers. We have AD but I'm trying to avoid exposing AD to a DMZ site.
For all external users (not on the intranet, basically anyone else in the world), the users will need to fill out a form first in order to see data.
For all internal users (on the intranet), this form needs to be bypassed and the information needs to be displayed automatically.
I would like to avoid any type of login/authentication system.
I need the website to immediately detect if the user is already on the company network and immediately bypass the form, but I'm having a hard time figuring this out.
Referencing HttpContext.User.Identity only works if the user is already authenticated.
It isn't detrimental if the outside user somehow bypasses the form, so I've thought about pulling the IP address and comparing it to our company's range of private IPs (I know IPs can be spoofed, but if they went as far as to spoof it, sure, you can bypass a form).
Is this a good option or are there others?
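The IP-range approach from the question, as an added example for ASP.NET Core 6 (not code from the original post): a middleware decides server-side from the connection's remote address, and forwarded headers are only honoured for a proxy you operate. The private ranges and the proxy address are constructed sample values.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using IPNetwork = Microsoft.AspNetCore.HttpOverrides.IPNetwork; // avoids a clash with System.Net.IPNetwork on .NET 8+

// Company intranet ranges (constructed sample values; replace with your own allocations).
var intranetRanges = new[]
{
    new IPNetwork(IPAddress.Parse("10.0.0.0"), 8),
    new IPNetwork(IPAddress.Parse("172.16.0.0"), 12),
    new IPNetwork(IPAddress.Parse("192.168.0.0"), 16),
};

static bool IsIntranet(IPAddress? remote, IPNetwork[] ranges)
{
    if (remote is null) return false;
    // Kestrel may report IPv4 clients as IPv4-mapped IPv6 (::ffff:10.1.2.3); normalise first.
    if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
    foreach (var net in ranges)
        if (net.Contains(remote)) return true;
    return false;
}

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Behind a reverse proxy, RemoteIpAddress is the proxy, not the client. Only then enable
// X-Forwarded-For, and only from the proxy you run (hypothetical address below); otherwise
// any external client could claim an intranet address simply by sending the header.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
    ForwardedHeaders = ForwardedHeaders.XForwardedFor,
    KnownProxies = { IPAddress.Parse("203.0.113.10") }
});

app.Use(async (context, next) =>
{
    // The decision is made from the transport address, never from a client-controlled header.
    context.Items["IsIntranet"] = IsIntranet(context.Connection.RemoteIpAddress, intranetRanges);
    await next();
});

// Intranet clients go straight to the data; everyone else is sent to the form first.
app.MapGet("/", (HttpContext ctx) =>
    (bool)ctx.Items["IsIntranet"]! ? Results.Content("data") : Results.Redirect("/form"));

app.Run();
```

If the DMZ host is reached directly (no proxy), drop the UseForwardedHeaders call entirely so the remote address is always the TCP peer.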
My point is that we can implement security access based on MAC address.
We can create a self-hosted Web API application and register it as a service on intranet users' PCs to get the MAC address.
In your DMZ website application, at the login page we can get the MAC address by invoking the API, e.g.
http://127.0.0.1:8000/GetMacAddress, then send it to the server side; we can save it in the DB and set it in a header. At this time, I feel much safer. When the request comes in, even a hacker may not be able to guess that we added the MAC address in the header for identification. The MAC addresses of intranet users are all in the DB, and we can identify them very well.
Even if the MAC address is imitated, we then use IP address identification again for filtering. Multiple detection mechanisms will make our application more secure.