<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Use IP-Address Whitelisting as a second factor? in Industry News</title>
    <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5373#M576</link>
    <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just to echo previous points, IP address whitelisting is not fit for purpose as an authentication method. It's useful as an extra step by all means, but not as part of a multi-factor authentication system.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;MAC address whitelisting is in a similar category, if not slightly easier to bypass.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The fact that your SaaS provider hasn't offered any alternative is quite concerning. Could they not even go about providing a third party integration for something like an authenticator? Not a whole lot better, granted, but the fact that they didn't even consider something is a worry.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Though it's for that very reason most of our professions exist, I suppose.....&lt;/P&gt;</description>
    <pubDate>Thu, 18 Jan 2018 16:21:09 GMT</pubDate>
    <dc:creator>HTCPCP-TEA</dc:creator>
    <dc:date>2018-01-18T16:21:09Z</dc:date>
    <item>
      <title>Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5325#M569</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm currently evaluating a SaaS Cloud provider and I would like to get your opinion on a certain topic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The problem:&lt;/P&gt;&lt;P&gt;The cloud provider which I'm evaluating provides local user management in the application. Our company has certain requirements regarding the use of multifactor authentication.&lt;/P&gt;&lt;P&gt;Unfortunately the only "second factor" which is currently being provided by the provider is the configuration of IP-Address-Whitelisting.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;In my opinion this isn't a reliable second factor for authenticating users in the year 2018. Even though the possibility of spoofing public IP-Addresses (in a TCP session) is relatively low, a public IP-Address may be used by multiple companies (e.g. using NAT).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would like to hear the opinion of other security professionals on this topic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards from Germany&lt;/P&gt;&lt;P&gt;Marcel&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;PS: I know, this is not "Industry News", but I didn't find any better category.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jan 2018 15:26:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5325#M569</guid>
      <dc:creator>deja</dc:creator>
      <dc:date>2018-01-17T15:26:52Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5327#M570</link>
      <description>&lt;P&gt;If your company has multi-factor authentication, white listing an IP isn't going to cut it.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jan 2018 16:02:09 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5327#M570</guid>
      <dc:creator>Ackis</dc:creator>
      <dc:date>2018-01-17T16:02:09Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5338#M571</link>
      <description>&lt;P&gt;White listing IPs isn't a second factor.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I understand the concern, the SaaS provider says that each user with access to the software can be authenticated by password and a specific IP or (range of IP). That doesn't qualify as multi-factor. At best you're getting close to device authentication - not the user. Practically speaking, an entire organization can share one IP. I suppose if you could map each user to a specific dedicated IP, you get close to a claim of multi-factor (the network card or alias is something you have).&amp;nbsp;Again, however, that's more device authentication and you would really want a full 802.1x solution rather than just IP filtering. What's interesting is let's say you were to go this route somehow, you essentially defeat the value of having a SaaS solution; you essentially anchor users to a specific IP/device. What's the point of having a cloud service if you can only access the application from a fixed location (i.e. couldn't you just run it on a local server firewalled from the world)?&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jan 2018 21:14:50 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5338#M571</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2018-01-17T21:14:50Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5360#M572</link>
      <description>&lt;P&gt;IP address isn't a standalone second factor in my view.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;They can be spoofed, they can be re-used, and not all end users are aware of their current IP address.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It seems really odd that the cloud provider would expect the end-users to have static IPs or a known range of IPs. What happens when a user tries to access the service from a new location, new ISP, or even a new Starbucks?&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jan 2018 13:36:13 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5360#M572</guid>
      <dc:creator>Del</dc:creator>
      <dc:date>2018-01-18T13:36:13Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5363#M573</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;thanks for your replies.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1005241419"&gt;@JoePete&lt;/a&gt;: Yes, the entire company shares the same IP Address. That's the idea behind the cloud provider's offer: They want us (the customer) to name a public IP-range of our network. Our entire traffic is routed through a proxy-server with a static IP-Address. So technically this will work. In my opinion it's not even “something you have”, it’s rather “somewhere you are”. There are a lot of users in our network who will not use the service, but they could theoretically reach it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/324409681"&gt;@Del&lt;/a&gt;: Yes, this is odd. Working from outside of the company will not work in this case. Only if every user opens a VPN connection and comes from the whitelisted network.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Conclusion: IP-Address whitelisting is not a good idea to use as second factor.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jan 2018 14:06:19 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5363#M573</guid>
      <dc:creator>deja</dc:creator>
      <dc:date>2018-01-18T14:06:19Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5365#M574</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/411208937"&gt;@deja&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Conclusion: IP-Address whitelisting is not a good idea to use as second factor.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;I don't know the criteria that had you looking at this SaaS provider, but if they genuinely suggested IP whitelisting was an equivalent of multi-factor authentication, I would drop them and let them know why (likely the sales folks kept pitching when they should have called in the technical folks). In all cloud services, Identity and Access Management is critical, but with SaaS a consumer is really reliant on just the application layer for security (assuming the provider does its job everywhere else). Multi-factor authentication isn't a big ask; it's a good practice. If a provider can't deliver - never mind gets confused as to just what is multi-factor authentication - it should really make you wonder about the quality of its identity and access management tools.&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jan 2018 14:17:55 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5365#M574</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2018-01-18T14:17:55Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5366#M575</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1005241419"&gt;@JoePete&lt;/a&gt;: You nailed it. I think this "Cloud" provider cannot be taken seriously.&lt;/P&gt;&lt;P&gt;Our business representative will not be amused when I'm telling him to evaluate another vendor...&lt;img id="robotmad" class="emoticon emoticon-robotmad" src="https://community.isc2.org/i/smilies/16x16_robot-mad.png" alt="Robot Mad" title="Robot Mad" /&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;&lt;P&gt;Marcel&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jan 2018 14:28:17 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5366#M575</guid>
      <dc:creator>deja</dc:creator>
      <dc:date>2018-01-18T14:28:17Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5373#M576</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just to echo previous points, IP address whitelisting is not fit for purpose as an authentication method. It's useful as an extra step by all means, but not as part of a multi-factor authentication system.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;MAC address whitelisting is in a similar category, if not slightly easier to bypass.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The fact that your SaaS provider hasn't offered any alternative is quite concerning. Could they not even go about providing a third party integration for something like an authenticator? Not a whole lot better, granted, but the fact that they didn't even consider something is a worry.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Though it's for that very reason most of our professions exist, I suppose.....&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jan 2018 16:21:09 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5373#M576</guid>
      <dc:creator>HTCPCP-TEA</dc:creator>
      <dc:date>2018-01-18T16:21:09Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5376#M577</link>
      <description>&lt;P&gt;Lots of good replies already about the need for better authentication options. Only other thought I have is that you will likely continue to face challenges in this space as more and more services provide varying degrees of user authentication methods. The most consistent and reliable option is likely to be to manage all SaaS authentication in-house using a SAML / multi-factor capable platform. This will also allow for more granular control of authorizations and monitoring. Good luck!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Adam&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jan 2018 16:36:30 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5376#M577</guid>
      <dc:creator>EIAKPKP452</dc:creator>
      <dc:date>2018-01-18T16:36:30Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5401#M583</link>
      <description>Could you *ahem* share the vendor? It might be a good idea to reach out to them and let someone a bit higher up know.</description>
      <pubDate>Fri, 19 Jan 2018 16:28:17 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5401#M583</guid>
      <dc:creator>Early_Adopter</dc:creator>
      <dc:date>2018-01-19T16:28:17Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5437#M589</link>
      <description>&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/656237217"&gt;@EIAKPKP452&lt;/a&gt;: SAML is another provided option. The problem is, that not all connected affiliates have an ADFS in place. Local accounts with MFA is our fallback scenario.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/797288093"&gt;@Early_Adopter&lt;/a&gt;: I'm sorry, but I signed an NDA with the vendor.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I now think the vendor uses the word "cloud" only for&amp;nbsp;marketing purposes. In fact it is classical hosting and has nothing to do with the cloud principles (scalability, pay-as-you-go, ...). So it isn't surprising anymore that there is no valid MFA solution in place.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jan 2018 07:48:16 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5437#M589</guid>
      <dc:creator>deja</dc:creator>
      <dc:date>2018-01-22T07:48:16Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5440#M590</link>
      <description>&lt;P&gt;As many people have already commented; whilst IP white-listing can be useful, from a security perspective, it is insufficient as an authentication factor.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;This sounds like a scenario that I have experienced many times.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The vendor is attempting to proposition their product based upon current industry trends rather than legitimate technical capabilities.&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;It is very important to study RFP responses, and the technical validity of Sales pitches, to be sure you are getting a good product and working with a technically capable vendor.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You can also mitigate risk by seeking references from the vendor's other customers.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Technology research organisations can provide good independent insight.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jan 2018 11:24:11 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5440#M590</guid>
      <dc:creator>sdurbin</dc:creator>
      <dc:date>2018-01-22T11:24:11Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5454#M591</link>
      <description>&lt;BLOCKQUOTE&gt;&lt;HR /&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/411208937"&gt;@deja&lt;/a&gt; wrote:&lt;BR /&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I now think the vendor uses the word "cloud" only for&amp;nbsp;marketing purposes. In fact it is classical hosting and has nothing to do with the cloud principles (scalability, pay-as-you-go, ...).&lt;/P&gt;&lt;HR /&gt;&lt;/BLOCKQUOTE&gt;&lt;P&gt;Yes, a good point to make organizationally - "cloud" is a marketing term, not a standard. What is interesting to note, multi-factor authentication is not one of the requisite five attributes that (ISC)2 and Cloud Security Alliance designate (self-service, broad access, resource pooling, elasticity, pay as you go). A lot of this points toward that these services are still pretty cloudy (pun intended) in terms of what they offer and what they are. This can also greatly skew the metrics for measuring cost, benefit and risk.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jan 2018 17:01:42 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5454#M591</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2018-01-22T17:01:42Z</dc:date>
    </item>
    <item>
      <title>Re: Use IP-Address Whitelisting as a second factor?</title>
      <link>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5465#M595</link>
      <description>&lt;P&gt;Pedant's corner... &lt;span class="lia-unicode-emoji" title=":face_with_tongue:"&gt;😛&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I would&amp;nbsp;term MFA a control to secure access as opposed to an attribute, I wouldn't&amp;nbsp;expect it to be called out by CSA as such.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On those attributes, I think 'measured service' is preferred&amp;nbsp;to 'pay-as-you-go' and addition of the ISO/IEC 17788 contribution of 'multi-tenancy'.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/411208937"&gt;@deja&lt;/a&gt;&amp;nbsp;On the NDA bit, why not refer the vendor to this thread? They can then have a&amp;nbsp;look and a think and then perhaps consider how to enhance the security of their service.&lt;/P&gt;</description>
      <pubDate>Tue, 23 Jan 2018 05:42:51 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Industry-News/Use-IP-Address-Whitelisting-as-a-second-factor/m-p/5465#M595</guid>
      <dc:creator>Early_Adopter</dc:creator>
      <dc:date>2018-01-23T05:42:51Z</dc:date>
    </item>
  </channel>
</rss>

