IP whitelisting is a common security measure used to reduce the attack surface of sensitive resources. More than 30% of Secure Access Cloud customers use IP address restrictions to restrict access to corporate resources to a specific set of IP addresses while still performing strong user authentication.
In this post, we will discuss the benefits and drawbacks of three different IP whitelisting scenarios, as well as potential alternative approaches to increasing security while improving user experience.
Scenario #1: Restricting ‘Office-Only’ Access To Cloud Resources
Restricting access to a particular IP address (or range) can significantly reduce the exposure of corporate resources, platforms, and environments. This scenario uses the public IP addresses of the corporate office locations.
Unless the connection was initiated from the office network, any attempt to connect to your environment will be blocked at Layer 3 without even the opportunity to present a username/password.
Your users will be unable to connect remotely if you use this method.
Remote connectivity, on the other hand, may be a business requirement (especially for a business relying on remote workers, or when employees are working from home and need to access the environment).
To address this issue, organizations typically provide remote access to their office network via VPN before allowing connectivity to the cloud environment using ‘office-only’ IP whitelist rules.
In this case, the security gained from IP whitelisting is overshadowed by the end user’s exposure to the entire corporate and cloud networks once connected to the office over VPN, and by the VPN service itself, which accepts connections from anywhere on the internet.
A better approach to IP whitelisting is to limit access to resources through a solution that provides strong user and device authentication.
Scenario #2: Ensuring That Traffic Is Inspected
The IP whitelist rule in this approach contains the IP address or IP range of your cloud or on-premise inspection points.
By blocking any traffic that did not pass through the inspection point, the possibility of malicious or unauthorized access is reduced. Furthermore, it ensures that organizational policies are followed.
As in the first scenario, if remote access to the office network is provided via a VPN solution, the level of security provided by IP whitelisting is overshadowed by the end user’s exposure to the entire corporate and cloud networks once connected to the office over VPN.
Furthermore, because today’s cloud infrastructure is dynamic and scales up and down automatically, the IP addresses of cloud solutions may change or increase over time.
Prefer cloud or hybrid inspection point deployments. To address the remote user scenario without requiring a VPN connection to the corporate network, look for a cloud-based secure web gateway solution.
Scenario #3: Using Known IP Addresses To Grant Access To ‘Trusted Users’
An IP address is NOT a unique identifier! IP addresses change (for better or for worse), causing IP whitelisting rules to go out of date.
When attempting to build ‘per-user’ authorization on IP addresses, reviewing, purging, and maintaining the IP lists and rules is difficult, and as the environment grows along with the number of users and rules, it becomes impractical to stay ahead of the changes.
Rather than machines or dynamically assigned IP addresses, rely on authenticating users, preferably through your existing authentication provider.
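As an added example (not code from the original post or from Secure Access Cloud), here is a Python access check in the shape the post recommends: the source address only gates the attempt, and access is granted solely to an authenticated identity, never to an IP address on its own. The CIDR ranges, user names and request values are constructed sample data.

```python
"""Layered allowlist check: source-IP restriction plus user authentication.
All networks, users and requests here are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample allowlist (documentation ranges, not real infrastructure).
OFFICE_CIDRS = ["203.0.113.0/24", "2001:db8:10::/48"]   # scenario 1: office egress
INSPECTION_CIDRS = ["198.51.100.8/29"]                  # scenario 2: inspection point


@dataclass
class Request:
    src_ip: str                  # address as seen by the enforcement point
    user: Optional[str] = None   # identity asserted by the authentication provider
    mfa_passed: bool = False     # strong authentication completed for this session


def ip_allowed(src_ip: str, cidrs) -> bool:
    """True if src_ip (IPv4 or IPv6) falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed value (e.g. a bad forwarded header): fail closed
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def decide(req: Request) -> Tuple[bool, str]:
    """Return (granted, reason). The reason string is meant for access logs so
    that denials at the network layer and at the identity layer can be told apart."""
    if not (ip_allowed(req.src_ip, OFFICE_CIDRS)
            or ip_allowed(req.src_ip, INSPECTION_CIDRS)):
        return False, "source not in allowlist"
    if req.user is None:
        return False, "unauthenticated"
    if not req.mfa_passed:
        return False, "mfa required"
    # Only here is the IP allowlist combined with a verified identity.
    return True, f"granted to {req.user}"


if __name__ == "__main__":
    for r in (Request("203.0.113.45", "alice", True),
              Request("203.0.113.45"),
              Request("192.0.2.7", "alice", True)):
        print(r.src_ip, r.user, decide(r))
```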