25

A number of questions on this site mention relying on source IP address as a control and in most of them it is dismissed as being unreliable.

In what circumstances might using source IP address as a control be a potentially useful idea or a bad idea, and why?

The idea of "spoofing" the source IP address gets brought up but people rarely go into detail about how challenging that might be in practice (e.g., accurately guessing TCP sequence numbers), particularly in relation to commonly used application protocols such as HTTP.

Rory McCune
  • 2
    Simply relying on IP address is probably not a good thing, but it may very well be used as part of a security scheme (possibly together with port knocking for otherwise secured admin access or such). It makes sense to only allow certain IPs if you have a static server (pool) talking to your server. Protecting the network itself may also make sense. But there are too many ifs to rely on it on its own, as the other posters pointed out. – Maarten Bodewes Jun 13 '11 at 02:14

2 Answers

13

One thing I've noticed is that the idea of "spoofing" the source IP address gets brought up but people rarely go into detail about how challenging that might be in practice (e.g., accurately guessing TCP sequence numbers), so I'd be interested in any opinions about the practicality of spoofing IP addresses with common application protocols such as HTTP.

A fair point which earns my +1.

Hijacking an existing connection, given you know for argument's sake that 256.0.0.1 (deliberately not real) is on the whitelist, is fairly tough, as you state.

I think we reach for IP spoofing as the most obvious threat, like with the idea that all hackers are "leet", use tiling window managers and have transparent terminals. However, there are some more obvious problems:

  1. What happens if another computer acquires that IP address? If you use IP address based restrictions alone, then it becomes a problem.
  2. What happens if that computer becomes compromised? Again, a problem if you use IP address filtering alone.
  3. What happens when you have NAT and no access to the source IP address?

In other words, the problem is that whilst this might restrict access, it does nothing to check authorisation. Like a stateless firewall, which assumes everyone on this private subnet is good. That's all very well, but did you authorise their access? If they can acquire, by any means, an IP address in the right range, you're going to hand them trust.

By contrast, if you use some form of authentication layer, you make it harder for the would-be attacker to gain access where they are not authorised.

A better solution in my mind is to use the likes of IPtables to mark certain interfaces as having access to more or fewer services. This is then tied to the physical network, which is much harder for an external (or even internal) attacker to manipulate. You still, however, need authentication on top of that.

  • 3
    I think you didn't actually state how a leet hacker with a transparent terminal could spoof an IP address.. – Pacerier Oct 01 '11 at 23:05
9

Using IP-based authentication may be reasonable if security doesn't matter much. Otherwise, it is a pretty dubious practice. It provides weak security, at best.

In some settings, IP hijacking is quite easy. For instance, the typical case where people use IP-based authentication is to allow access from some other machine or machines from the same corporate local network. But if you have any open wireless network (or WEP wireless network) within that IP address space, then it's trivial to gain access, to hijack connections by other machines, etc.

For web-based systems protected by IP hijacking, open proxies are also a threat.

Another threat is the risk of compromised machines being connected to the internal network.

Bottom line: I would not recommend use of IP-based authentication, unless the consequences of unauthorized access are quite modest (and perhaps not even then).

D.W.
  • Could you explain how *that* is supposed to be trivial *at all*? Open proxies don't simply let me spoof any address... but only their own, right? – Pacerier Oct 01 '11 at 23:06
  • @Pacerier, yes, open proxies only let you use their address -- but that may be enough to compromise security. – D.W. Oct 02 '11 at 02:46
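
Both answers above come down to the same design: the source address can narrow who reaches a service, but a credential has to decide who is authorised. The following is an added example, not code from either answer; the address ranges, client id, key and function names are constructed for illustration, and replay protection is assumed to be handled elsewhere.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values: documentation address ranges and a demo key.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/28"),
                ipaddress.ip_network("2001:db8:10::/64")]
API_KEYS = {"batch-01": b"constructed-demo-secret"}  # hypothetical client id -> key


def ip_allowed(peer_ip: str) -> bool:
    """Coarse filter: is the TCP peer address inside an allowlisted range?"""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # not a valid address at all, e.g. "256.0.0.1"
    return any(addr.version == net.version and addr in net for net in ALLOWED_NETS)


def sign(client_id: str, body: bytes) -> str:
    """HMAC-SHA256 tag that a legitimate client attaches to its request."""
    return hmac.new(API_KEYS[client_id], body, hashlib.sha256).hexdigest()


def authorize(peer_ip: str, client_id: str, body: bytes, tag: str) -> str:
    """Allow only when the network filter AND the credential check both pass."""
    if not ip_allowed(peer_ip):
        return "deny: address not allowlisted"
    key = API_KEYS.get(client_id)
    if key is None:
        return "deny: unknown client"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes on both sides so non-ASCII input is accepted.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return "deny: bad credential"
    return "allow"


if __name__ == "__main__":
    body = b"GET /admin/report"
    cases = [
        ("legitimate client", "192.0.2.5", sign("batch-01", body)),
        ("host that merely holds an allowlisted address", "192.0.2.5", ""),
        ("valid key, outside the range", "198.51.100.7", sign("batch-01", body)),
    ]
    for label, ip, tag in cases:
        print(f"{label:46} {ip:13} -> {authorize(ip, 'batch-01', body, tag)}")
```

A machine that acquires an allowlisted address, or sits behind the same NAT or proxy, passes `ip_allowed` but is still refused by `authorize` unless it also holds the key.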