ASP authentication by ip-number

Ralph Wiggum

How safe is it to use the client's ip-number versus posting a username/password (in cleartext) in an http request? Assuming the client's ip-number is static.

A common use-case would be a web-forum, where only VIP-users should have access to specific topics. Authentication by ip is certainly the most user-friendly, as users don't have to register/remember passwords, no?

Is ip-spoofing considered easier than picking up unencrypted usernames/passwords from web-traffic?

Roger Abell [MVP]

"Ralph Wiggum" <go.ahead@spam.me> wrote in message
news:TtSdnRagFNDlTI3VRVnzvQA@telenor.com...
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.


It's probably safer than a usr/pwd cred exchange in the clear.

> A common use-case would be a web-forum, where only VIP-users should have
> access to specific topics. Authentification by ip is certainly the most
> user-friendly, as user don't have register/remember passwords, no?


No. Yes, you are right, but after taking initial IP-verified registration
and the user being stuck to registered IPs into account, it seems that the
use-case gets pretty weak.

> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?


No in general, and certainly not for someone on a different subnet.

Steve Riley [MSFT]

Wrong approach. IP addresses identify machines, not humans. They are easily
spoofable, since they are always clear-text and are always unauthenticated.
Plus, with your approach, authorized users will be tied to specific
machines--they won't be able to access their information from other
computers.

User ID/password pairs are specifically designed for the scenario you've
described. Please use them.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Ralph Wiggum" <go.ahead@spam.me> wrote in message
news:TtSdnRagFNDlTI3VRVnzvQA@telenor.com...
> How safe is it to use the client's ip-number versus posting a
> username/password (in cleartext) in an http request? Assuming the client's
> ip-number is static.
> A common use-case would be a web-forum, where only VIP-users should have
> access to specific topics. Authentification by ip is certainly the most
> user-friendly, as user don't have register/remember passwords, no?
>
> Is ip-spoofing considered easier than picking up unencrypted
> usernames/passwords from web-traffic?

Ralph Wiggum

Most of my users are behind their company's firewall. If I keep a database of firewall ip-numbers and check incoming requests against the database, wouldn't that be an OK solution?

Steve Riley [MSFT] wrote:
> Wrong approach. IP addresses identify machines, not humans. They are
> easily spoofable, since they are always clear-text and are always
> unauthenticated. Plus, with your approach, authorized users will be tied
> to specific machines--they won't be able to access their information
> from other computers.
>
> User ID/password pairs are specifically designed for the scenario you've
> described. Please use them.
>
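The gate proposed in this post, written out as an added Python example (not code from the thread, and not ASP) with constructed documentation-range addresses standing in for the "database of firewall ip-numbers", so that the objection raised above is visible in the output: everyone behind the same firewall is one and the same principal to the gate, and a VIP connecting from anywhere else is nobody.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the poster's "database of firewall ip-numbers":
# each VIP company is keyed by the block its firewall/NAT egresses from.
# All addresses are RFC 5737 documentation ranges, not real customers.
VIP_NETWORKS = {
    "acme-corp": ipaddress.ip_network("203.0.113.0/28"),
    "globex":    ipaddress.ip_network("198.51.100.7/32"),
}

def principal_for(remote_addr: str) -> Optional[str]:
    """Map the TCP peer address of a request to a VIP entry, or None.

    remote_addr must be the connection's peer address (REMOTE_ADDR in ASP),
    never a value copied out of a header the client fills in itself.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # malformed address: treat as unknown
        return None
    for name, net in VIP_NETWORKS.items():
        if addr in net:
            return name
    return None

def may_read_vip_topic(remote_addr: str) -> bool:
    """The gate the poster describes: VIP topics open to allowlisted egress IPs."""
    return principal_for(remote_addr) is not None

def access_report(requests):
    """Evaluate (actual person, peer address) pairs and show what the gate sees.

    The 'person' field exists only for the report; the gate never sees it.
    That is the whole objection: the decision is about a network, not a human.
    """
    return [(person, principal_for(addr), may_read_vip_topic(addr))
            for person, addr in requests]

# Constructed requests: two different people behind Acme's firewall, an Acme
# VIP working from a home connection, and an unrelated Internet host.
SAMPLE_REQUESTS = [
    ("acme VIP (office)",    "203.0.113.5"),
    ("acme intern (office)", "203.0.113.9"),
    ("acme VIP (home DSL)",  "192.0.2.44"),
    ("random internet host", "198.51.100.8"),
]

if __name__ == "__main__":
    for person, seen_as, allowed in access_report(SAMPLE_REQUESTS):
        print(f"{person:22} -> gate sees {str(seen_as):10} allowed={allowed}")
```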

S. Pidgorny

No - for the same reasons. Why do you need extravagant authentication-like
schemes when many proper ways of authentication are available?

If you just need to allow certain IPs to access the Web site, just configure
restrictions and use anonymous access.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Ralph Wiggum" <go.ahead@spam.me> wrote in message
news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...
> Most of my users are behind their company's firewall. If I keep a database
> of firewall ip-numbers and check incoming requests against the database,
> wouldn't that be an ok solution?
> Steve Riley [MSFT] wrote:
>> Wrong approach. IP addresses identify machines, not humans. They are
>> easily spoofable, since they are always clear-text and are always
>> unauthenticated. Plus, with your approach, authorized users will be tied
>> to specific machines--they won't be able to access their information from
>> other computers.
>>
>> User ID/password pairs are specifically designed for the scenario you've
>> described. Please use them.
>>

Roger Abell [MVP]

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:u2Xr7nXqIHA.1736@TK2MSFTNGP04.phx.gbl...
> No - for the same reasons. Why do you need extravagant authentication-like
> schemes when many proper ways of authentication are available?
>
> If you just need to allow certain IPs to access the Web site, just
> configure restrictions and use anonymous access.
>



Hi Slav,

As I read the poster, allowing anonymous access but gating it
based on origin IP, as you suggest, _is_ precisely what the poster
was talking about doing.
As far as I can see, that is safer (less likely breached) than using
account-based authentication with the creds passing in the clear.

Roger

>
> "Ralph Wiggum" <go.ahead@spam.me> wrote in message
> news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...
>> Most of my users are behind their company's firewall. If I keep a
>> database of firewall ip-numbers and check incoming requests against the
>> database, wouldn't that be an ok solution?
>> Steve Riley [MSFT] wrote:
>>> Wrong approach. IP addresses identify machines, not humans. They are
>>> easily spoofable, since they are always clear-text and are always
>>> unauthenticated. Plus, with your approach, authorized users will be tied
>>> to specific machines--they won't be able to access their information
>>> from other computers.
>>>
>>> User ID/password pairs are specifically designed for the scenario you've
>>> described. Please use them.
>>>

>
>

Steve Riley [MSFT]

Clear-text account credentials are as risky as using IP addresses for
authentication purposes. IP addresses are _also_ sent in the clear, and can
be intercepted and spoofed _in exactly the same way_ as clear-text
credentials.

Firewalls like ISA Server allow you to write user-aware rules. Credentials
are never passed between the client and ISA Server in clear-text -- it's
standard Winlogon.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OcW4NnFrIHA.3508@TK2MSFTNGP03.phx.gbl...
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:u2Xr7nXqIHA.1736@TK2MSFTNGP04.phx.gbl...
>> No - for the same reasons. Why do you need extravagant
>> authentication-like schemes when many proper ways of authentication are
>> available?
>>
>> If you just need to allow certain IPs to access the Web site, just
>> configure restrictions and use anonymous access.
>>

>
>
> Hi Slav,
>
> As I read the poster, allowing anonymous access but gating it
> based on origin IP, as you suggest, _is_ precisely what poster
> was talking about doing.
> As far as I can see, that is safer (less likely breached) than using
> account based authentication with the creds passing in the clear.
>
> Roger
>
>>
>> "Ralph Wiggum" <go.ahead@spam.me> wrote in message
>> news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...
>>> Most of my users are behind their company's firewall. If I keep a
>>> database of firewall ip-numbers and check incoming requests against the
>>> database, wouldn't that be an ok solution?
>>> Steve Riley [MSFT] wrote:
>>>> Wrong approach. IP addresses identify machines, not humans. They are
>>>> easily spoofable, since they are always clear-text and are always
>>>> unauthenticated. Plus, with your approach, authorized users will be
>>>> tied to specific machines--they won't be able to access their
>>>> information from other computers.
>>>>
>>>> User ID/password pairs are specifically designed for the scenario
>>>> you've described. Please use them.
>>>>

>>
>>

>
>