Security

The Intricacies of IP Whitelisting

Whitelist

What is an IP Whitelist?

An IP whitelist restricts incoming traffic so that it may only arrive from an IP address or list of IP addresses. Traffic from any other address is ignored before any further processing.

This is useful because you can immediately and simply restrict incoming traffic so that it only comes from the sources that you expect it to come from.

Where are IP Whitelists Used?

This is often used in business to business communication where one business’s API is private and only expects to be called from servers owned by other specified businesses.

How does it work?

The earlier traffic can be filtered out the better as the further unwanted traffic can get into your network, the more resources it could potentially interfere with. This can be implemented close to the entry point of your network, like a firewall.

IP whitelisting can also be implemented at application level, where the application has code and configuration to apply the whitelist. An example of this would be a web based API. The down side of whitelisting at the application is that traffic that isn’t from whitelisted IP addresses is crossing your network and reaching the application. At the least this could cause some extra resource use, like logging and possibly database access in the API, at worst this means that traffic from a non-whitelisted IP could be gathering information on your network and API and attempting to perform malicious actions.

The whitelist itself can consist of a list of addresses or address ranges.

What is an IP blacklist?

A blacklist is the opposite of a whitelist (surprise!). If you use a blacklist then only the addresses on the list will be denied access to your servers.

Blacklists tend not to be of much use as someone with a blacklisted IP address would find it relatively easy to change their IP address.

Whitelist limitations?

Only static IP addresses should be used, this generally isn’t a problem for business to business services.

Some networking protocols don’t guarantee the IP address hasn’t been spoofed.

UDP packets can easily have their IP address spoofed and so they could easily get past an IP whitelist. The reason for this is that UDP doesn’t have a handshaking process, UDP packets are just sent and received.

TCP on the other hand requires a handshake before communication commences. Handshaking starts with a synchronise (SYN) message, that gets a response which is a synchronise-acknowledgement (SYN-ACK) and that responds with an acknowledgement (ACK). If the SYN has a spoofed IP address then the SYN-ACK message will never get back to it and so the handshake cannot complete. IP whitelisting therefore works for TCP communications in most cases.

If your whitelist is set up in your firewall then you need to ensure there isn’t a route in your network that allows access bypassing the firewall. This should go without saying.

IP Whitelisting is part of an overlapping defence

IP whitelisting is a good addition to the security of an application, but shouldn’t be your only defence!

Maintenance

Whitelist maintenance is important to maintain its usefulness. If someone using your service is going to change their IP address then you may need their new and old addresses whitelisted for a while but it’s important to remove the old ones when they are no longer used. This means regular auditing of the whitelist – easy if there aren’t many addresses on there.

Conclusion

IP whitelists have their place in software, typically for private TCP/IP based API’s where there are a limited number of users. They restrict access to the service in a simple yet powerful way


Got a comment or correction (I’m not perfect) for this post? Please leave a comment below.




My Pluralsight Courses: (Get a free Pluaralsight trial)

API Security with the OWASP API Security Top 10

OWASP Top 10: What's New

API Security with the OWASP API Security Top 10

Secure Coding in ASP.NET Core

Secure Coding: Broken Access Control

Python Secure Coding Playbook

You've successfully subscribed to Gavin Johnson-Lynn!