
Let's say there is an application that has IP whitelisting; all other IPs are denied. This check takes place in three different locations:

  1. iptables,
  2. .htaccess,
  3. PHP script.

Now, in what OSI layers do those three locations fit? I guess something like:

  1. iptables layer 3 or 4,
  2. .htaccess layer 5,
  3. PHP script layer 7.

I recently saw a case wherein this was applied. Why would someone do this, and what are the advantages and disadvantages of doing so? And can one or all of these methods be bypassed with some kind of IP spoofing?

Bob Ortiz
  • It seems like your understanding of the OSI layers and what they contain is a little off. I'd suggest rereading about it, as really IP whitelisting should only happen on layer 3, and the final check for client source is on layer 7 for the application to check. Layer 3 actually contains the source IP and destination IP, while layer 7 contains any forward headers and such for a client IP. Layer 5 just contains commands about the connection, and layer 4 contains the protocol. .htaccess should check level 3 or 7, since the web server (layer 6) is decrypting the data before sending it to the app (layer 7). – Robert Mennell Jul 07 '16 at 18:14
  • Is your question about the correct OSI levels or the use case? Your question is a little fragmented (not sure why OSI applies). – schroeder Jul 07 '16 at 19:26

3 Answers

OSI layers do not care where the check happens, but at which layer the information used in the check resides. If the check is doing whitelisting by IP address only, it does not matter where the check is configured, because the decision is always purely based on the IP address, i.e. OSI layer 3.

But, depending on the setup and the validation code, the check might actually not test against the real source IP of the client but against a claimed source IP. This would be the case if the check was done against the IP address from the X-Forwarded-For or similar HTTP header in the request. Such checks could be done in PHP and probably .htaccess, and this would be a check based on information at the application level, i.e. OSI layer 7.

And can one or all of these methods be bypassed with some kind of IP spoofing?

Bypassing checks based on layer 3 information (IP address) can obviously only be done if you can spoof the layer 3 information. While using a spoofed IP with UDP is easily doable, using a spoofed IP address with TCP is nearly impossible because of the 3-way handshake, sequence numbers, etc. See also: Is it possible to pass TCP handshake with spoofed IP address?

Spoofing layer 7 information (X-Forwarded-For) is easily doable with a custom client.

Steffen Ullrich

It depends on what you want to protect, and when.

If your server hosts a number of services, or a number of websites, then you would want the control closest to the target so as to not deny the IP from the other services/sites.

If your server hosts a website and an email server, and someone pentesting you rightly triggers a block, you don't want them blocked from sending you an email.

Or, if you are hosting multiple websites, and one site is getting hammered from a single IP, the owners of the other sites might not like it if that IP was blocked from their site, too.

Also, different targets might want different levels of protection. One site might want to be permissive while another might want to err on the side of caution.

If you dump all the filtering at the firewall level, you lose fine-grained control.

schroeder

Depending on what kind of service you are running you might want to do it in different places.

The advantage of iptables is that it runs in the Linux kernel and prevents data from ever reaching your processes. This means that if something like Heartbleed or Shellshock ever happens again, an attacker will never be able to reach the vulnerable application. It is very hard to customize and requires root access.

Using .htaccess is convenient when setting conditional permissions on IP addresses, and when you don't have the root access that is required for iptables. The downside is that it has to do the handshake and do some checking.

Using a PHP script is not efficient computation-time-wise, because before any data can reach your application a connection must be established, which takes some time and can enable DoS attacks if your script is CPU intensive. Use it only if you are doing additional checks like "If the user is admin and has ignore-IP set in the database, let him through; otherwise block all stuff from those IPs".

Dimi
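The two application-level points raised in the answers above, that a layer 7 check which trusts X-Forwarded-For is decided by client-supplied data while a check on the TCP peer address is decided by layer 3 information, and that the only check worth putting in PHP is one needing application state such as an admin's ignore-IP flag, as an added worked example. This is illustrative code written for this page, not code from the question, the answers, or any project; the allowlist, the trusted-proxy range, the addresses and the user record are all constructed sample values.

```python
"""Added example (not from the question or answers above): how a layer 7
allowlist should derive the client address, and why blindly trusting
X-Forwarded-For is bypassable while the TCP peer address is not.
Every address, network and user record here is a constructed sample."""

import ipaddress
from typing import Mapping, Optional

# Constructed allowlist, the same set a .htaccess "Require ip" line or an
# iptables rule would express at their own layer.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed: reverse proxies in front of the app whose X-Forwarded-For we
# trust. Leave empty when clients connect to the application directly.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def naive_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Weak pattern: prefer X-Forwarded-For whenever it is present.
    The header is plain layer 7 input a custom client can set to anything,
    so the returned value is attacker-controlled, not the layer 3 source."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def effective_client_ip(remote_addr: str, headers: Mapping[str, str],
                        trusted_proxies=TRUSTED_PROXIES) -> str:
    """Hardened pattern: consult X-Forwarded-For only when the TCP peer is
    one of our proxies, then walk the chain from the right and stop at the
    first hop that is not a trusted proxy. Hops further left were supplied
    by the client (or an upstream we do not control) and are ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies):
        return remote_addr          # direct client: header is untrusted input
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    for hop in reversed(hops):      # rightmost hop was appended by our proxy
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr      # malformed header: fall back to the peer
        if not _in_any(addr, trusted_proxies):
            return str(addr)
    return remote_addr              # chain held only our proxies


def naive_is_allowed(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Allowlist decided on the spoofable header (the bypass Steffen describes)."""
    return _in_any(ipaddress.ip_address(naive_client_ip(remote_addr, headers)),
                   ALLOWED_NETWORKS)


def is_allowed(remote_addr: str, headers: Mapping[str, str],
               user: Optional[Mapping[str, bool]] = None,
               trusted_proxies=TRUSTED_PROXIES) -> bool:
    """Allowlist decided on the effective source address, plus the one check
    that genuinely belongs in application code: a per-user exception that
    needs state (an admin's ignore-IP flag) iptables and .htaccess cannot see."""
    ip = ipaddress.ip_address(effective_client_ip(remote_addr, headers,
                                                  trusted_proxies))
    if _in_any(ip, ALLOWED_NETWORKS):
        return True
    return bool(user and user.get("is_admin") and user.get("ignore_ip"))


if __name__ == "__main__":
    forged = {"X-Forwarded-For": "203.0.113.9"}   # constructed forged header
    print("naive, forged header from 192.0.2.50:", naive_is_allowed("192.0.2.50", forged))
    print("hardened, same request:               ", is_allowed("192.0.2.50", forged))
    print("hardened, via trusted proxy 10.1.2.3: ",
          is_allowed("10.1.2.3", {"X-Forwarded-For": "203.0.113.9, 192.0.2.50"}))
```

Run directly, the script shows the forged header passing the naive check and failing the hardened one. The third case is the interesting edge: a client behind a real proxy who forges `203.0.113.9` still gets its true address appended by the proxy, and walking the chain from the right lands on that true address, so the forgery buys nothing. Whether this check is equivalent to the iptables rule depends entirely on whether it ends up comparing the layer 3 peer address or a header, which is Steffen's point about which layer the information resides at.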