2

As my knowledge about information security is not THAT good and Google did not give me a satisfactory answer I would like to ask the community here:

I am working for a company offering online services (as an ASP) where high-value target information of customers is stored (e.g. confidential documents of different companies). Access to the backend (source, database, and so on) of the application (root) server should be protected as well as possible. Now our host suggested only allowing certain static IP addresses as part of the authentication process, to make it more secure.

So my first question is: Is there a REAL security benefit in this measure OR not? (Besides the fact that it may be a bit harder for attackers to get into the backend, as they must know of the measure itself and the required static IP addresses; also think of IP spoofing and high-anonymity proxies.) If not, please give me a reasonable explanation, as the stakeholders of my company want to force every programmer in the company to get a static IP address for their home internet connections ;-)

Second question: If there is a REAL security benefit in this, is there a real difference regarding security between getting a static IP address from my Internet Provider directly and renting a static IP from a service like http://dyndns.com/ or http://www.noip.com/ [as this is cheaper ;-)]?

@Edit: You cannot rent a static IP for this purpose from dyndns/noip, but you can from VPN service providers such as strongvpn (http://strongvpn.name/static_ip.shtml).

Blackbam
  • I don't think dyndns or noip will give you a static _IP_ -- what they do is give you a known static DNS _hostname_ that updates itself to point to whatever dynamic IP your home server happens to have. So it's a static hostname, but that's different from a static IP. There are some VPN providers that can offer you a static IP, but that's really what your company should be doing -- set up a VPN server with two factor authentication to give you access to their servers. A static IP provides only a small amount of additional security, they should be able to trust in their VPN server's security. – Johnny Mar 27 '14 at 22:27
  • [There was a similar question a couple of years ago](http://security.stackexchange.com/questions/12701/can-ip-address-be-a-component-of-2-factor-authentication) where I came to a very similar conclusion to Rory. It is a measurable improvement in security depending on how many systems can use the IP address but it is not adequate on its own. – Ladadadada Mar 27 '14 at 22:31

2 Answers

8

I'd say that there can be a benefit from using static IP addresses. Essentially if at the firewall you can say "only allow traffic to this port from these specific IP addresses" then there are a number of effects.

  • An attacker scanning the Internet for vulnerable hosts is unlikely to detect the service and therefore be able to attack it
  • An attacker who is more determined will have to compromise a host which has one of the allowed IP addresses to get access to the service. Depending on how the list is configured this would be more or less difficult. For example, if one of the IPs is a proxy server which allows anyone in a large company to get to the service, then the benefit is reduced, as there are more systems for the attacker to try and compromise. However, if it's server-to-server then the attacker likely has a harder job.

As to IP address spoofing, on the Internet this is an overplayed risk (IMO). Spoofing TCP-based services (e.g. HTTP) is impractical on modern operating systems. UDP services can be spoofed, but you need to know information about the receiving service, so it's still likely to be an impractical attack for most attackers.

As to rented versus ISP-assigned, I'd say there's not a major difference, although there is a risk with rented that after the rental expires someone might forget to update the ACL, so you end up with more systems than necessary having access...

So overall I'd say it's a reasonable part of service security, although I wouldn't rely on it on its own.

Rory McCune
  • Blind TCP spoofing is again feasible due to SYN cookies. It is "easier" to guess the initial SEQ; you can skip the 1st SYN packet due to SYN cookies. This means you only send the third packet in a handshake. This can also contain a payload. Details here: http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/ - Does not apply in all environments (stateful firewalls which do not understand SYN cookies will enforce the complete handshake). – Dog eat cat world Mar 31 '14 at 10:43
  • 1
    interesting paper but unless I'm missing something to get a single spoofed connection he's sending out 300,000 packets per second for 8 minutes and that give 1 packet to ACK and do a blind request. Not the most practical for application level attacks like HTTP unless the attacker knows how to attack the system with a single request. all the same a good illustration of my last point which is "don't rely on it on its own" – Rory McCune Mar 31 '14 at 12:41
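As an added example (not part of the original answer or the thread), the following Python models the firewall rule Rory describes: a source-IP allow-list consulted before any authentication happens. It also encodes his two caveats, that an entry covering a whole office or proxy range gives an attacker many more hosts to compromise than a single server address, and that a rented or leased IP needs an expiry so the ACL does not silently keep granting access after the rental ends. The ACL entries, labels, dates and the `check_source`, `stale_entries` and `widest_entries` helpers are all assumptions made for this illustration; the addresses come from the RFC 5737/3849 documentation ranges.

```python
"""Source-IP allow-list as a first-layer filter (added example, not from the thread).

Assumptions: the ACL is a list of (cidr, label, expiry-or-None) rows, the check
runs at the edge before authentication, and passing it only means "allowed to
reach the login", never "logged in".
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AclEntry:
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    label: str
    expires: date | None = None  # rented/leased IPs should carry the lease end


def parse_acl(rows):
    """Turn (cidr, label, expires) rows into AclEntry objects.

    strict=True makes a row such as "198.51.100.7/24" raise instead of being
    silently widened to the whole /24.
    """
    return [AclEntry(ipaddress.ip_network(cidr, strict=True), label, expires)
            for cidr, label, expires in rows]


def check_source(ip: str, acl: list[AclEntry], today: date) -> tuple[bool, str]:
    """Return (allowed, reason) for a connecting address on a given day.

    An entry past its expiry is treated as absent, so a forgotten lease fails
    closed rather than staying open.
    """
    addr = ipaddress.ip_address(ip)
    for entry in acl:
        if addr in entry.network:  # IPv4/IPv6 mismatch simply does not match
            if entry.expires is not None and today > entry.expires:
                return False, f"{entry.label}: expired {entry.expires.isoformat()}"
            return True, entry.label
    return False, "no matching entry"


def stale_entries(acl: list[AclEntry], today: date, grace_days: int = 0) -> list[AclEntry]:
    """Entries whose lease ended more than grace_days ago (candidates for removal)."""
    return [e for e in acl
            if e.expires is not None and today > e.expires + timedelta(days=grace_days)]


def widest_entries(acl: list[AclEntry], max_hosts: int = 1) -> list[AclEntry]:
    """Entries covering more than max_hosts addresses.

    A shared proxy or office range means every host behind it is a way in, which
    is the case Rory flags as reducing the benefit of the allow-list.
    """
    return [e for e in acl if e.network.num_addresses > max_hosts]


# Constructed sample ACL (documentation address ranges, hypothetical labels/dates).
EXAMPLE_ACL = parse_acl([
    ("203.0.113.10/32", "backup server, server-to-server", None),
    ("198.51.100.0/24", "head-office proxy range", None),
    ("192.0.2.77/32", "rented VPN static IP, developer A", date(2014, 6, 30)),
    ("2001:db8:1::5/128", "monitoring host, IPv6", None),
])


if __name__ == "__main__":
    for day in (date(2014, 4, 1), date(2014, 7, 15)):
        print(f"--- as of {day} ---")
        for ip in ("203.0.113.10", "198.51.100.200", "192.0.2.77", "192.0.2.78", "2001:db8:1::5"):
            print(f"{ip:>16}: {check_source(ip, EXAMPLE_ACL, day)}")
        print("stale:", [e.label for e in stale_entries(EXAMPLE_ACL, day)])
    print("wide :", [e.label for e in widest_entries(EXAMPLE_ACL)])
```

Running the script shows the developer's rented address being accepted in April and rejected in July, with `stale_entries` listing it for cleanup, while `widest_entries` singles out the proxy /24 as the entry that most dilutes the control. In a real deployment this logic sits in the firewall or reverse proxy, and the authentication that follows it (ideally a VPN with a second factor, as the comments suggest) is what actually decides who gets in.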
1

It certainly would reduce the exposure and increase the obscurity of the connection to narrow the possible connections to a small subgroup of specific IP addresses. What would be a safer approach is to have your users connect to a VPN endpoint and then connect to that system from there. This obfuscates the traffic with encryption and makes it unviewable to anyone not possessing the key. The VPN endpoint can also ensure that users who do not possess an authorized cert are not able to connect - this effectively pushes the connection from somewhere inside the DMZ to a connection that fully resides on the interior of your network firewall appliance, without exposure on a DMZ.

MattMetal