
I am not a network expert, but a recent conversation has come up with a client asking to whitelist a range of IPs (let's say 250 odd for now) to transfer their data to us for processing. I should add here that we would provide an IP address to the client and we would whitelist their IP. It's not a 'here's our domain name to search for' deal.

Networks are uncomfortable with doing this as (I quote) it shreds the firewall. A member of security has justified saying no by saying DNS attacks might occur.

Can someone help enlighten me why whitelisting a large range, or even just a range, of IPs is bad and what the technical rationale is?

The DNS explanation seems irrelevant to what's actually occurring and IP whitelisting is a valid defence. What's the real issue or threat?

Is it just that we need to couple additional defences on an NGFW to offset this?

Anyone who's enlightened, please help me!

2 Answers


Can someone help enlighten me why whitelisting a large range, or even just a range, of IPs is bad and what the technical rationale is?

Whitelisting 250 IPs is work so light the firewall will barely notice. Blacklisting or whitelisting is something firewalls do all the time. I have a 256MB VPS with around 50,000 rules (blocking entire countries, and blocking any attacker for a day via fail2ban and portsentry) and the load on it is almost the same whether the firewall is up or down.

Whitelisting those addresses will not shred the firewall, nor incur any extra load, except maintenance load: someone has to add the rules, document them, and maintain them. Besides that, it isn't making any difference.

Just make sure to get the rules correct. Specify on the whitelist the origin IP (or network) and respective destination IP and port. Don't just add a rule allowing the customer to connect to every IP and port, that would be a lazy and dangerous rule.

The DNS explanation seems irrelevant to what's actually occurring and IP whitelisting is a valid defence. What's the real issue or threat?

DNS has nothing to do with it at all. You are whitelisting an IP address, not a domain. So no matter what the domain resolves to for that IP, your firewall doesn't care. DNS rebinding, DNS takeover, no matter the DNS attack, it will occur on a layer above the firewall, so it does not matter.

Is it just that we need to couple additional defences on a ngfw to offset this?

No, your firewall will do it just fine. It's the job of the most rudimentary of firewalls; you don't need an extra, more modern firewall.

Conor Mancone
ThoriumBR

Firewall rules are defined by the following:

Protocol (usually TCP)
Source IP
Source port (usually any)
Destination IP
Destination port

In addition, most networks have a border zone (or DMZ) and an internal zone.

It’s not clear what you mean by “whitelisting”. Hopefully you mean that you want to permit a specific /24 on the internet to be able to reach a specific /32 inside your company on a specific tcp destination port. Like this:

Firewall request:
Protocol: tcp
Source IP: 192.0.2.0/24 (partner company)
Source port: any
Destination IP: 198.51.100.3/32 (internal server)
Destination port: 443
Justification: needed to allow partner company to upload shipping data

If you were requesting that 192.0.2.0/24 be “whitelisted” to the extent that it could access your whole network, I would reject your request (with both my network engineer hat and my Infosec hat). Why make your whole network vulnerable to attack from a partner when only 1 IP/port need be opened?

The specific request above might still be problematic for some organizations if the destination is in an internal zone (as opposed to DMZ). That’s an Infosec judgement call.

In general it's safer to make outbound network requests to pull data than to allow an outsider to initiate them inbound. But outbound to you is inbound to the partner.

Darrell Root
  • Also really helpful. The key to me here is that I don't yet know where the traffic is landing, so I can't answer whether it's directly going to an internal network, but I have a strong suspicion it's not. – John Halstead Feb 26 '20 at 06:59
  • Are you also saying that an insider from the partner is the main problem with a large IP range? – John Halstead Feb 26 '20 at 07:01
  • @JohnHalstead if the partner is going to transfer data to you, someone should know the hostname of the destination. That will give you the destination IP address. If you don't know the destination, you cannot make a reasonable firewall hole request to networking. – Darrell Root Feb 26 '20 at 07:04
  • @JohnHalstead Re insider: The partner company could be hacked. Don't make your company's security dependent on a partner's security. So only allow the partner to access the server and port they need. – Darrell Root Feb 26 '20 at 07:09
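Both answers make the same point from different angles: the whitelist itself is cheap, but the rule must be the full 5-tuple (protocol, source network, source port, destination host, destination port) rather than "partner range to anywhere". The following is an added example, not code from either answer, that models such a request, rejects the "lazy" any/any form before it reaches the firewall, renders the accepted rule in nftables syntax, and evaluates connections against it with a default-deny check. The addresses are the documentation ranges used in the second answer (192.0.2.0/24 partner, 198.51.100.3 internal server); the /24 source-width threshold and the `Rule`, `review`, `to_nft` and `permitted` names are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall whitelist entry: the 5-tuple both answers describe."""
    proto: str                  # "tcp" or "udp"
    src: IPv4Network            # partner network, e.g. 192.0.2.0/24
    src_port: Optional[int]     # None means "any" (client ephemeral ports)
    dst: IPv4Network            # internal server, expected to be a /32
    dst_port: Optional[int]     # None means "any" (rejected at review)
    justification: str


# Widest source block accepted without pushing back. A /24 is 256 addresses,
# roughly the size the question asks about. Constructed threshold for this
# example, not a policy stated on the page.
MAX_SRC_PREFIX = 24


def review(rule: Rule) -> Tuple[bool, str]:
    """Return (accepted, reason), encoding the objections from both answers:
    a single destination host and port, a bounded source block, and a
    written justification. A 'lazy' any/any destination is refused."""
    if rule.proto not in ("tcp", "udp"):
        return False, "protocol must be tcp or udp"
    if rule.dst.prefixlen != 32:
        return False, "destination must be a single host (/32), not a network"
    if rule.dst_port is None:
        return False, "destination port must be explicit, not 'any'"
    if rule.src.prefixlen < MAX_SRC_PREFIX:
        return False, f"source block /{rule.src.prefixlen} is wider than /{MAX_SRC_PREFIX}"
    if not rule.justification.strip():
        return False, "justification is required"
    return True, "ok"


def to_nft(rule: Rule) -> str:
    """Render the rule as one nftables input-chain line."""
    sport = "" if rule.src_port is None else f" {rule.proto} sport {rule.src_port}"
    return (f"ip saddr {rule.src}{sport} ip daddr {rule.dst.network_address} "
            f"{rule.proto} dport {rule.dst_port} accept")


def permitted(rules: List[Rule], proto: str, src_ip: str, src_port: int,
              dst_ip: str, dst_port: int) -> bool:
    """Default-deny check: a connection passes only if some reviewed rule
    matches every field. Partner traffic to any other host or port is dropped."""
    for r in rules:
        if not review(r)[0]:
            continue                     # rejected rules never take effect
        if (r.proto == proto
                and ip_address(src_ip) in r.src
                and (r.src_port is None or r.src_port == src_port)
                and ip_address(dst_ip) in r.dst
                and r.dst_port == dst_port):
            return True
    return False


# Constructed sample requests: the specific one from the answer, and the
# over-broad one the answer says it would reject.
PARTNER_UPLOAD = Rule("tcp", ip_network("192.0.2.0/24"), None,
                      ip_network("198.51.100.3/32"), 443,
                      "partner uploads shipping data over HTTPS")

LAZY_RULE = Rule("tcp", ip_network("192.0.2.0/24"), None,
                 ip_network("0.0.0.0/0"), None,
                 "let the partner in")

if __name__ == "__main__":
    for r in (PARTNER_UPLOAD, LAZY_RULE):
        ok, why = review(r)
        print(("ACCEPT " if ok else "REJECT ") + why)
        if ok:
            print("  nft: " + to_nft(r))
    print(permitted([PARTNER_UPLOAD], "tcp", "192.0.2.77", 51000, "198.51.100.3", 443))
    print(permitted([PARTNER_UPLOAD], "tcp", "192.0.2.77", 51000, "198.51.100.4", 443))
```

The review step is where the "shreds the firewall" concern is actually addressed: the cost is in maintaining and justifying rules, so each entry is tied to one destination host and port and refused otherwise, while the packet check shows that a compromised partner host still reaches nothing but that one service.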