My IP Is Not My Password
In the last several years, I’ve seen an alarming number of requests to implement a system where we allow access based on the user’s IP address. In my experience this creates a false sense of security and causes a significant amount of pain, specifically in cloud environments. But before I go on, a brief history of the internet and security to give context.
A Brief History of the Internet¹
- 1983 — Vint and Bob create TCP/IP V4 and it is implemented in ARPANET
- 1985 — People start hoarding IPv4 CIDR blocks
- 1999 — Cloud computing becomes a thing
- 2002 — Static IPs are limited and start changing frequently
A Brief History of Security¹
- 1988 — People realize that static IPv4 addresses are a thing
- 1990 — Companies use whitelists to allow traffic according to these IPv4 addresses
- 1991 — Companies think this is a good idea
I may have missed some stuff here. You get the point. IP whitelisting became the first security implementation that every network admin deployed for years. More frequently (and more terrifyingly), they just stopped right there.
What’s wrong with that?
Let’s talk about the implications of using IPs as your only security measure. First, IP spoofing is a thing. Of course this will not allow bi-directional attacks, but it can be used in DOS attacks. Secondly, BGP hijacking can be used to attack these types of defenses.
These are fairly sophisticated attacks that would require a serious attacker, however they make a good case for why this should not be your only security mechanism.
An even bigger issue with IP filtering is that the modern use of cloud computing makes this type of security measure entirely untenable. Most cloud instances don’t use static IP addresses by default. Cloud providers only have a limited amount of IP space, and they aren’t going to just hand it out to everyone. The much more common use case is that every time a resource is created, it gets a random new IP, or even better, it gets an internal address and is hidden behind some form of gateway. With good reason, cloud providers are urging people to use models that consume fewer IP addresses.²
This means that we need to stop relying on static IP addresses as a security mechanism. </rant>
Isn’t it better than nothing?
In the world of tech, we frequently talk about security by saying, “Anything is better than nothing.” You can’t really argue with this statement because of how vague and obvious it is. I want to encourage everyone that works in technology to stop saying this and instead start asking “How do we implement security that is good enough?” This question encourages us to reconsider our entire strategy and decide if it’s enough to protect the value of our business. A strategy might include IP blacklisting on a large scale to avoid traffic from known dangerous actors, or it might include any number of other measures that by themselves are inadequate but put together provide good security. Let’s get rid of the defeatist attitude of “better than nothing” and focus on security that’s “good enough”.
¹Please note that the dates in the article are almost entirely fictional and should not be taken as fact
²AWS documentation specifically states that IPv4 addresses are scarce. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit