0

I'm working on implementing an IP-filter which blocks all requests by machines outside our IP-range. This is for an ASP.NET project (written in C#).

I've read on multiple forums that the safest way to put your IP-filter code is in an HTTP Module which picks up the request early in the aspx-pipeline.

However, I've implemented my IP-filter code directly in the page-load method of the ASPX-pages code behind.

Are there any commonly known security benefits of using a module instead or other reasons why it's considered best practice? I don't know much about ASPX but I'm using IIS 7 if it's any help.

user1531921

1 Answer

0

From a security perspective, it's desirable to discard the unwanted traffic further up the chain and typically at the lowest level of the OSI model you can.

This is beneficial because it reduces unwanted noise, can save processing cycles on the equipment downstream, and makes the control less likely to be bypassed.

In regards to IIS specifically, the request filtering module (where IP address restrictions are specified) is processed before all other modules.

[Image: IIS Request Filtering Pipeline. Source: http://www.iis.net/learn/extensions/url-rewrite-module/iis-request-filtering-and-url-rewriting]

So the answer would be the above falls under best practice.

Is there a reason that you aren't taking advantage of the native IIS IP address filtering capabilities?

Please reference: Configure IPv4 Address and Domain Name Deny Rules (IIS7)

k1DBLITZ
  • Yes, I would like to apply the IP-filter to one page specifically. I figured that getting that done with the IIS would be cumbersome. Also, I like programming things on my own! – user1531921 May 13 '15 at 14:10
  • FWIW, IP address restrictions can be placed on one page specifically. – k1DBLITZ May 13 '15 at 14:38
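As an added example (not part of the original answer or comments), this is how the native IIS 7 IP restriction mentioned above can be scoped to a single page with a `<location>` element. The site name, page path and address range are constructed placeholders; `192.0.2.0/24` is a documentation range standing in for the internal network.

```xml
<!-- Fragment for applicationHost.config. The site name and page path are
     placeholders; substitute the real site and the one page to protect. -->
<configuration>
  <location path="Default Web Site/Admin/Report.aspx">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false" turns the list into an allow list:
             any client not matched by an entry below is rejected by IIS
             before the ASP.NET page code (Page_Load) ever runs. -->
        <ipSecurity allowUnlisted="false">
          <!-- Constructed internal range: 192.0.2.0 - 192.0.2.255 -->
          <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
          <!-- Keep local access from the server itself working -->
          <add ipAddress="127.0.0.1" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

The `ipSecurity` section is locked at server level by default, so it either lives in applicationHost.config as shown or must be unlocked before it can be used in a site's web.config, and it only takes effect when the "IP and Domain Restrictions" role service is installed. If the site sits behind a reverse proxy or load balancer, IIS evaluates the proxy's address rather than the original client's.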