Hello,
I'm currently evaluating a SaaS Cloud provider and I would like to get your opinion on a certain topic.
The problem:
The cloud provider which I'm evaluating provides local user management in the application. Our company has certain requirements regarding the use of multifactor authentication.
Unfortunately the only "second factor" which is currently being provided by the provider is the configuration of IP-Address-Whitelisting.
In my opinion this isn't a reliable second factor for authenticating users in the year 2018. Even though the possibility of spoofing public IP-Addresses (in a TCP session) is relatively low, a public IP-Address may be used by multiple companies (e.g. using NAT).
I would like to hear the opinion of other security professionals on this topic.
Best regards from Germany
Marcel
PS: I know, this is not "Industry News", but I didn't find any better category.
If your company has multi-factor authentication, white listing an IP isn't going to cut it.
White listing IPs isn't a second factor.
If I understand the concern, the SaaS provider says that each user with access to the software can be authenticated by password and a specific IP (or range of IPs). That doesn't qualify as multi-factor. At best you're getting close to device authentication - not the user. Practically speaking, an entire organization can share one IP. I suppose if you could map each user to a specific dedicated IP, you get close to a claim of multi-factor (the network card or alias is something you have). Again, however, that's more device authentication and you would really want a full 802.1x solution rather than just IP filtering. What's interesting is, let's say you were to go this route somehow, you essentially defeat the value of having a SaaS solution; you essentially anchor users to a specific IP/device. What's the point of having a cloud service if you can only access the application from a fixed location (i.e. couldn't you just run it on a local server firewalled from the world)?
IP address isn't a standalone second factor in my view.
They can be spoofed, they can be re-used, and not all end users are aware of their current IP address.
It seems really odd that the cloud provider would expect the end-users to have static IPs or a known range of IPs. What happens when a user tries to access the service from a new location, new ISP, or even a new Starbucks?
Hi all,
thanks for your replies.
@JoePete: Yes, the entire company shares the same IP Address. That's the idea behind the cloud provider's offer: They want us (the customer) to name a public IP-range of our network. Our entire traffic is routed through a proxy-server with a static IP-Address. So technically this will work. In my opinion it's not even "something you have", it's rather "somewhere you are". There are a lot of users in our network who will not use the service, but they could theoretically reach it.
@Del: Yes, this is odd. Working from outside of the company will not work in this case. Only if every user opens a VPN connection and comes from the whitelisted network.
Conclusion: IP-Address whitelisting is not a good idea to use as second factor.
@deja wrote:
Conclusion: IP-Address whitelisting is not a good idea to use as second factor.
I don't know the criteria that had you looking at this SaaS provider, but if they genuinely suggested IP whitelisting was equivalent to multi-factor authentication, I would drop them and let them know why (likely the sales folks kept pitching when they should have called in the technical folks). In all cloud services, Identity and Access Management is critical, but with SaaS a consumer is really reliant on just the application layer for security (assuming the provider does its job everywhere else). Multi-factor authentication isn't a big ask; it's a good practice. If a provider can't deliver - never mind gets confused as to just what is multi-factor authentication - it should really make you wonder about the quality of its identity and access management tools.
@JoePete: You nailed it. I think this "Cloud" provider cannot be taken seriously.
Our business representative will not be amused when I tell him to evaluate another vendor...
Best regards
Marcel
Hi,
Just to echo previous points, IP address whitelisting is not fit for purpose as an authentication method. It's useful as an extra step by all means, but not as part of a multi-factor authentication system.
MAC address whitelisting is in a similar category, if not slightly easier to bypass.
The fact that your SaaS provider hasn't offered any alternative is quite concerning. Could they not even go about providing a third party integration for something like an authenticator? Not a whole lot better, granted, but the fact that they didn't even consider something is a worry.
Though it's for that very reason most of our professions exist, I suppose...
Lots of good replies already about the need for better authentication options. Only other thought I have is that you will likely continue to face challenges in this space as more and more services provide varying degrees of user authentication methods. The most consistent and reliable option is likely to be to manage all SaaS authentication in-house using a SAML / multi-factor capable platform. This will also allow for more granular control of authorizations and monitoring. Good luck!
Adam