
We have a web application behind a firewall that requires no user authentication.

If we open up access to this application via the firewall to a small list of IP addresses, what is the risk of unauthorized access from other hosts?

Is there a risk to the web server and other hosts behind the firewall?

If there is a risk what else can be done to minimize the risk?

  • Attempting to filter by an IP address, unless you're talking about your own local network, is sort of difficult to do. There are not enough IPv4 addresses to give to everyone; besides, even if you do create an accurate filter, there are ways around it. My suggestion would be to only allow access outside of your network if the user is connected to a VPN, which, to your network, will treat the user as being within your network. Be sure to make sure the VPN encrypts the connection. – Ramhound Nov 10 '11 at 17:21

1 Answer

2

If you're using IP-only authentication, an attacker can still use the web application through pivot attacks against a host that is allowed by the firewall to access your application.

For example, let's assume your application is inside the intranet (http://192.168.0.5) and one of the clients (192.168.0.100) is browsing the internet and visits a malicious web page that does intranet fingerprinting, requesting http://192.168.0.x/ (x=0..255) URLs through the victim's (192.168.0.100) browser, effectively finding IPs with port 80 open and reporting them to the attacker. The attacker can do it e.g. with the BeEF framework. Later on, using the victim's browser like a proxy, the attacker can issue requests to the target application (http://192.168.0.5). There is even a framework for detecting what types of software you have installed in the intranet, e.g. Yokoso. Using these will make further attacks easier.

Of course, the attacker can also attack the OS on one of the clients (e.g. with spear phishing or a drive-by-download attack), so that he has more possibilities to attack the intranet application and is not restricted by the Same Origin Policy.

If you're allowing access to the application only for some hosts in the same subnet (and other hosts are denied access), an internal attacker has more possibilities because he has more knowledge (e.g. he might know the exact URLs for the application, its version number) and is within the same network, so he can try e.g. an ARP spoofing attack to hijack traffic between the application and one of the allowed clients.

I would recommend hosting the application only over SSL (to protect from man-in-the-middle) and adding login/password authentication (either cookie-based or simple HTTP authentication).

Krzysztof Kotowicz
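As an added example (not code from the answer above), this is the defence-in-depth the answer recommends: an IP allow-list checked against the TCP peer address, combined with HTTP Basic authentication, so that a request pivoted through an allowed host still needs valid credentials. The networks, user, password and salt are constructed for the example; TLS termination is assumed to happen in front of this check.

```python
import base64
import hmac
import ipaddress
from hashlib import sha256
from typing import Optional

# Constructed allow-list: the intranet subnet plus one remote management host.
ALLOWED_NETWORKS = [ipaddress.ip_network("192.168.0.0/24"),
                    ipaddress.ip_network("203.0.113.10/32")]

# Store a salted hash of each password, never the password itself.
def _hash_password(salt: bytes, password: str) -> bytes:
    return sha256(salt + password.encode()).digest()

_SALT = b"constructed-static-salt"   # use a random per-user salt in a real deployment
USERS = {"alice": _hash_password(_SALT, "correct horse battery staple")}

def basic_header(user: str, password: str) -> str:
    """Build the 'Authorization: Basic ...' value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def ip_allowed(peer_ip: str) -> bool:
    """Check the socket peer address, never X-Forwarded-For (client-controlled)."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def credentials_valid(authorization: Optional[str]) -> bool:
    """Validate an HTTP Basic Authorization header against USERS."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
        user, password = decoded.split(":", 1)
    except ValueError:           # bad base64, bad UTF-8, or no ':' separator
        return False
    expected = USERS.get(user)
    if expected is None:
        _hash_password(_SALT, password)   # same work for unknown users
        return False
    return hmac.compare_digest(expected, _hash_password(_SALT, password))

def authorize(peer_ip: str, authorization: Optional[str]) -> int:
    """HTTP status to send: 403 for a disallowed source, 401 for missing or wrong
    credentials, 200 only when both layers pass."""
    if not ip_allowed(peer_ip):
        return 403
    if not credentials_valid(authorization):
        return 401
    return 200
```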