18

I have an https website that is protected by a login form (username + password). Does it add anything, protection wise, if I put this website behind a firewall that only allow certain IP address?

Gudradain
  • 6,921
  • 2
  • 26
  • 43

6 Answers6

27

Yes, locking your service down by IP will prevent your service being found by the general internet population and will dramatically reduce the attack surface if managed correctly. This will make your site safer from not just brute force attacks - your whole application will be "invisible".

Despite this fact, locking down IPs should not be done in lieu of other measures such as ensuring your web application and server is secure from other vulnerabilities - if one of your "good IPs" is compromised, an attacker could use this as a pivot in order to attack your site. Also be aware that any malware running by any of your trusted users could be used by an attacker to bypass the IP restriction.

So use it as an extra layer of security, but do not let this trick you into a false sense of security where you let your guard down. Treat your web application and platform as if it was fully internet visible - regularly scan and test it for vulnerabilities, and make sure that the management of allowed IP addresses is done properly by deleting and updating and verifying on a regular basis.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
5

An IP address whitelist at the firewall would certainly be very effective in preventing brute-force attacks against your login form, assuming that the following (fairly obvious) conditions are met:

  • You are the only person who needs to access this login form.
  • You have a static (not dynamic) IP address from your ISP - in other words, your ISP does not change your IP address regularly.
  • You don't expect to ever have to access the login form from an unfamiliar location, or if you do, you have a way to add an IP address to the "allow" list. (Of course, having a way to add an IP address to the allow list from an address not on the allow list significantly reduces the security of the system.)

If these conditions are met, then I'd say go ahead and add an IP whitelist. If not, you risk locking yourself (or others) out of the login form.

As far as implementation goes, the easiest way to do it would probably be from the web server itself (for example, using apache .htaccess files). If you decide to do it from the firewall, you will have to find a way for the firewall to know that someone is requesting the login form and not some other page on the website, assuming that there are other pages besides the login form on this server. Since you are using HTTPS, you'd probably have to terminate SSL at the firewall.

tlng05
  • 10,244
  • 1
  • 33
  • 36
  • It's the entire website that will be behind the firewall. – Gudradain Jan 19 '15 at 19:13
  • 1
    Also ranges can be added incase the IP is dynamic. For example if a ISP assigns IP-adresses out of 123.123.0.0 through 123.123.255.255, you can tell your site to allow 123.123.0.0/16, thus allowing in all customers from that particular ISP - but thats much more secure than allowing the whole world. you can also use country blocks to whitelist only certain countries. That will shrink the attack Surface very much. – sebastian nielsen Jan 19 '15 at 19:41
4

One other benefit of IP restrictions is that it can help mitigate malicious insiders.

Consider a cloud service that hosts business critical data for its clients. Each client has a number of employees with accounts, and the intention is that the employees can only access this critical data from company workstations. In the most basic arrangement, there is no technical control to prevent an employee logging in from their home computer. Adding client-configurable IP restrictions allows the administrator of a particular client to force all their users to login from IP ranges belonging to the organisation - stopping people logging in from home.

There are more advanced techniques, in the fairly new field of "federated identity" - but IP restrictions are a simple and effective way to control this.

paj28
  • 32,736
  • 8
  • 92
  • 130
3

That depends on what you are trying to protect yourself against.

If you are just trying to prevent random attackers from browsing your site and attempting to brute-force your login your approach will reduce the visibility of your site and deter some attackers in some scenarios.

But if the attacker knows your setup and a particular vulnerability he and or she might not need to read the server responce and might be able to send crafted packages with spoofed sender IP in order to compromise your service. Without testing I suppose a shellshock attact structured like this would work. I admit this is a rather unlikely scenario and requires an attacker to have a lot of knowledge about the system, the setup and vulnerabilities. But if what you are protecting is valueable you might need to consider it.

vidar
  • 124
  • 3
  • Does spoof IP attack really work on TCP with the handshake required to initiate the TCP connection? – Gudradain Jan 19 '15 at 18:54
  • I kinda checked that - http://security.stackexchange.com/questions/37481/is-it-possible-to-pass-tcp-handshake-with-spoofed-ip-address short answer no, long answer yes.. Should have included it in my answer though. Sorry. – vidar Jan 19 '15 at 19:31
  • 5
    spoofing an IP address for TCP is non-trivial. The point being if you can force an attacker to use a far more sophisticated attack to even know if you can attack the site, you've increased the security. – Steve Sether Jan 19 '15 at 19:44
2

It depends on what you mean by "restrict".

  • If you mean maintain a blacklist of every "bad" IP out there, then no, it does nothing for you.
  • If you mean maintaining a whitelist of the only client IPs that should be allowed to access a network service, then yes, this helps somewhat (but does not represent a genuine security measure by itself).

For some bizarre reason the former is by far the most common form of IP restriction. It follows the exact same fallacy as most "check by profile match" anti-virus software, of trying to enumerate everything bad in the world (the number of "bad" is unknowable; it is generally much easier to enumerate the "good" instead).

Note that a whitelist can be dynamic in nature. This idea makes whitelisting a much more interesting tool than it gets credit for. I expect exactly zero exploration of what this can really mean in the general security market.

Roughly half the sudden, mysterious, perplexing WAN connectivity issues I've dealt with in operations at large data centers originate from the ridiculous application of "blacklisting" -- and yet never have I encountered a situation where blacklisting actually did much good (botnets have pools of tens or hundreds of thousands of available IPs, and they shift every few minutes). Note that this is not quite the same thing as temporarily banning or throttling over a span of hours or minutes. Considering the stateless nature of many protocols that sort of throttling can be viewed more as an attempt at connection throttling (the connection attempts are all a related series of interactions) than an IP, MAC or block blacklist.

zxq9
  • 340
  • 2
  • 8
  • 1
    A blacklist has it advantages! I use blocklist.de on all servers I manage! While it is no replacement for other security measures, there is also no advantage of letting bots trying to bruteforce logins/try to find bugs! While I am confident that they won't be able to bruteforce crack anything, it still uses resources and fills the logs with meaningless information! – Josef Jan 20 '15 at 16:38
  • 2
    @Josef Letting a blacklist cancel wide blocks of dynamic IPs which may have a few members participating in a botnet is a random counter, at best. Those dynamic IP block are also usually your customers. If you know what IPs should be accessing then you should use a whitelist; if not, then dynamically ban or throttle (pushback) for a short time based on behavior. External blacklists always have unknown impact -- which is insidious because you can never know what the effect really was (you don't know how much legit traffic you're missing). Enumerating badness is never going to make any sense. – zxq9 Jan 20 '15 at 23:15
  • A caveat to dynamic bans based on behavior -- you have to actually keep on top of changing behaviors, and this requires effort (though this is the only actually effective solution). Just like people want a "fix my broken arm pill" and a "fix my marriage pill" we really wish we could just pay for a blacklist service and that everything will just work out OK. Which is hilarious, because even with a blacklist service you will *still* get tons of bad hits. – zxq9 Jan 20 '15 at 23:16
  • This list is not blocking IP blocks! Only single IPs that have been abusive in the last 24 hours, as reported by the members of the service! – Josef Jan 21 '15 at 11:32
-3

100% useless. Hackers can just spoof their IP address and get right through your white-list anyway.

VERY simple to do.

Patty Pauls
  • 11
  • 1
    This is not correct. Perhaps you're thinking of MAC filtering? – Xander Dec 22 '15 at 15:30
  • 1
    The question is " does it __ADD__ anything." the answer is Yes it add something (another layer to defeat). it is not presented as a Full solution. in which it fails utterly. Next time you answer a question add motivation and reasoning, like why is it useless, examples of how to simply defeat it (you would find out than that it is not that simple to actually do, over the internet.) and Read Questions thourougly! – LvB Dec 22 '15 at 15:39
  • 1
    IP spoofing will not work. This answer is wrong on the technical facts. – schroeder Dec 22 '15 at 16:28