1

When securing a web server/web application/website, you often have the choice between choosing something like using a password for authentication/securing a service and creating an IP whitelist or whitelisting a whole subnet. Or e.g. using/hosting the service in a subdirectory (may be faked/configured by the web server) that is not guessable, like /my_private_service_CiMMQf4aTU6sTdmkFFRuDyv5f.

So I have three common mechanisms.

Things that should be clear

Obviously, some first thoughts:

  • IP blacklists are obviously not that secure – you can't just blacklist all "bad attackers".
  • The password/passphrase/string authentication of course is only secure, if it is chosen properly, e.g. totally randomly string for the URL. (like shown in the example above)
  • Of course, you may be tempted to say "just combine them all", but let's say that for usability/convenience reasons, this is not what I want (at least not combine them all), so as I'd need to create a "best-of" trade-off I would be in the need of a ranking of what is the best?

(This is a hypothetical/general question. I deliberately did not choose a specific web service/example, to make this useful for the general public.)

rugk
  • 1,237
  • 1
  • 13
  • 25
  • IP Whitelists might be considered anonymous authorization. It is not authentication. The robustness of the security will depend on information class, system criticality, regulatory, availability and other requirements. If you need individual accountability, IP whitelist will likely not be adequate. – Sean E. M. May 06 '20 at 16:05
  • Is an randomly chosen string for the URL secure even if chosen "properly"? This feels like security through obscurity if the service is still publicly accessible. – JustAnotherDev May 06 '20 at 16:25
  • More than a few existing questions that are similar: https://security.stackexchange.com/questions/54312/is-it-a-real-security-benefit-if-a-host-uses-static-ip-addresses-for-authenticat and https://security.stackexchange.com/questions/193763/can-a-static-ip-address-be-a-trusted-user-identifier-in-a-secure-environment and https://security.stackexchange.com/questions/8803/ip-address-filtering-vs-web-application-security; search https://security.stackexchange.com/search?q=ip+address+authentication – multithr3at3d May 06 '20 at 16:50
  • Huh, searched for "ip address whitelist" and other things, but did not found those. Thanks for referencing. – rugk May 06 '20 at 17:05

2 Answers2

1

Within a network segment (e.g. an Ethernet network in an office) IP spoofing is fairly easy with tools like Ettercap, so a passphrase is much more secure.

On the wider Internet, IP spoofing a TCP connection is definitely not trivial. It's possible with BGP poisoning and maybe some other techniques, but not something your average pen tester can do. Still, I'd say a passphrase is more secure.

IP whitelisting is difficult to deploy, as a typical user will use different IP addresses - home, work, mobile - and most of these are dynamic IPs. You can often use it to whitelist whole organisations, as a company will typically have a single or a small number of outgoing IP addresses, and this can cover mobile users who connect to the office with a VPN. The main limitation with this is that you normally want to control access to individual users, not whole organisations.

Where IP whitelisting can be really useful is as an additional control mechanism to a passphrase. Quite a lot of business SaaS platforms offer this as an option. If you configure it, it means employees can only log in from work (or via VPN), not from home. This keeps business data on business workstations. And when someone leaves the company, they lose access to cloud services, even if the admin forgets to disable their account on that service.

paj28
  • 32,736
  • 8
  • 92
  • 130
0

Of course, you may be tempted to say "just combine them all"

I'd say that's the simple and simplicistic answer. Just don't exaggerate on the measures.

Security is matter of applying multiple layers of protection to reduce your site's appeal to attackers, not finding the magic potion to get your site invulnerable.

By applying multiple security layers, you get attacker's life harder. And attackers will be interested to services weaker than yours.

Here are a few cheap measures that I recommend for a website. By using best practices you get lower maintenance costs, less hassle (e.g. never to change the white list) and a very decent level of security.

Strong password

Should be the #0 rule. And a password manager. And HTTPS when authenticating. Most people stop here

Intrusion blacklisting

Tools like fail2ban detect multiple failed logins and ban the IP address. An attacker can always try for the first few attempts to hack into your service

Admin obfuscation

This is not really a security measure, because obscurity is not real security. Maybe some crawler will index your Admin path and it will be available on search engines.

But, if you run for example a popular WordPress you can simply chaff most of the attacking traffic.

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
  • fail2ban essentially creates a dynamic blacklist, what I'd meant in the question is a whitelist approach though, i.e. whitelisting some IPs to do some action, e.g. – rugk May 06 '20 at 17:06
  • Initially, in my answer, I wrote about subnet whitelisting. But I believe dynamic blacklisting is easier and effective a lot. It depends on how often you need to switch IPs. My office has a single permanent IP address, so we whitelist it (and use SSH certificate authentication) – usr-local-ΕΨΗΕΛΩΝ May 06 '20 at 17:10