ASP authentification by ip-number

R

Ralph Wiggum

Guest
How safe is it to use the client's ip-number versus posting a username/password (in cleartext) in an http request? Assuming the client's ip-number is static.

A common use-case would be a web-forum, where only VIP-users should have access to specific topics. Authentification by ip is certainly the most user-friendly, as user don't have register/remember passwords, no?

Is ip-spoofing considered easier than picking up unencrypted usernames/passwords from web-traffic?

 
R

Roger Abell [MVP]

Guest
"Ralph Wiggum" <go.ahead@spam.me> wrote in message

news:TtSdnRagFNDlTI3VRVnzvQA@telenor.com...<span style="color:blue">

> How safe is it to use the client's ip-number versus posting a

> username/password (in cleartext) in an http request? Assuming the client's

> ip-number is static.</span>

It's probably safer than a usr/pwd cred exchange in the clear.

<span style="color:blue">

> A common use-case would be a web-forum, where only VIP-users should have

> access to specific topics. Authentification by ip is certainly the most

> user-friendly, as user don't have register/remember passwords, no?</span>

No. Yes, you are right, but after taking inital IP verified registration

and user being struck to registered IPs into account it seems that the

use-case gets pretty weak.

<span style="color:blue">

> Is ip-spoofing considered easier than picking up unencrypted

> usernames/passwords from web-traffic?</span>

No in general, and certainly not for someone one a different subnet.

 
S

Steve Riley [MSFT]

Guest
Wrong approach. IP addresses identify machines, not humans. They are easily

spoofable, since they are always clear-text and are always unauthenticated.

Plus, with your approach, authorized users will be tied to specific

machines--they won't be able to access their information from other

computers.

User ID/password pairs are specifically designed for the scenario you've

described. Please use them.

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

"Ralph Wiggum" <go.ahead@spam.me> wrote in message

news:TtSdnRagFNDlTI3VRVnzvQA@telenor.com...<span style="color:blue">

> How safe is it to use the client's ip-number versus posting a

> username/password (in cleartext) in an http request? Assuming the client's

> ip-number is static.

> A common use-case would be a web-forum, where only VIP-users should have

> access to specific topics. Authentification by ip is certainly the most

> user-friendly, as user don't have register/remember passwords, no?

>

> Is ip-spoofing considered easier than picking up unencrypted

> usernames/passwords from web-traffic? </span>

 
R

Ralph Wiggum

Guest
Most of my users are behind their company's firewall. If I keep a database of firewall ip-numbers and check incoming requests against the database, wouldn't that be an ok solution?

Steve Riley [MSFT] wrote:<span style="color:blue">

> Wrong approach. IP addresses identify machines, not humans. They are

> easily spoofable, since they are always clear-text and are always

> unauthenticated. Plus, with your approach, authorized users will be tied

> to specific machines--they won't be able to access their information

> from other computers.

>

> User ID/password pairs are specifically designed for the scenario you've

> described. Please use them.

> </span>

 
S

S. Pidgorny

Guest
No - for the same reasons. Why do you need extravagant authentication-like

schemes when many proper ways of authentication are available?

If you just need to allow certain IPs to access the Web site, just configure

restrictions and use anonymous access.

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"Ralph Wiggum" <go.ahead@spam.me> wrote in message

news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...<span style="color:blue">

> Most of my users are behind their company's firewall. If I keep a database

> of firewall ip-numbers and check incoming requests against the database,

> wouldn't that be an ok solution?

> Steve Riley [MSFT] wrote:<span style="color:green">

>> Wrong approach. IP addresses identify machines, not humans. They are

>> easily spoofable, since they are always clear-text and are always

>> unauthenticated. Plus, with your approach, authorized users will be tied

>> to specific machines--they won't be able to access their information from

>> other computers.

>>

>> User ID/password pairs are specifically designed for the scenario you've

>> described. Please use them.

>> </span></span>

 
R

Roger Abell [MVP]

Guest
"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message

news:u2Xr7nXqIHA.1736@TK2MSFTNGP04.phx.gbl...<span style="color:blue">

> No - for the same reasons. Why do you need extravagant authentication-like

> schemes when many proper ways of authentication are available?

>

> If you just need to allow certain IPs to access the Web site, just

> configure restrictions and use anonymous access.

></span>

Hi Slav,

As I read the poster, allowing anonymous access but gating it

based on origin IP, as you suggest, _is_ precisely what poster

was talking about doing.

As far as I can see, that is safer (less likely breached) than using

account based authentication with the creds passing in the clear.

Roger

<span style="color:blue">

>

> "Ralph Wiggum" <go.ahead@spam.me> wrote in message

> news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...<span style="color:green">

>> Most of my users are behind their company's firewall. If I keep a

>> database of firewall ip-numbers and check incoming requests against the

>> database, wouldn't that be an ok solution?

>> Steve Riley [MSFT] wrote:<span style="color:darkred">

>>> Wrong approach. IP addresses identify machines, not humans. They are

>>> easily spoofable, since they are always clear-text and are always

>>> unauthenticated. Plus, with your approach, authorized users will be tied

>>> to specific machines--they won't be able to access their information

>>> from other computers.

>>>

>>> User ID/password pairs are specifically designed for the scenario you've

>>> described. Please use them.

>>></span></span>

>

> </span>

 
S

Steve Riley [MSFT]

Guest
Clear-text account credentials are as risky as using IP addresses for

authentication purposes. IP addresses are _also_ sent in the clear, and can

be intercepted and spoofed _in exactly the same way_ as clear-text

credentials.

Firewalls like ISA Server allow you to write user-aware rules. Credentials

are never passed between the client and ISA Server in clear-text -- it's

standard Winlogon.

--

Steve Riley

steve.riley@microsoft.com

http://blogs.technet.com/steriley

http://www.protectyourwindowsnetwork.com

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message

news:OcW4NnFrIHA.3508@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message

> news:u2Xr7nXqIHA.1736@TK2MSFTNGP04.phx.gbl...<span style="color:green">

>> No - for the same reasons. Why do you need extravagant

>> authentication-like schemes when many proper ways of authentication are

>> available?

>>

>> If you just need to allow certain IPs to access the Web site, just

>> configure restrictions and use anonymous access.

>></span>

>

>

> Hi Slav,

>

> As I read the poster, allowing anonymous access but gating it

> based on origin IP, as you suggest, _is_ precisely what poster

> was talking about doing.

> As far as I can see, that is safer (less likely breached) than using

> account based authentication with the creds passing in the clear.

>

> Roger

><span style="color:green">

>>

>> "Ralph Wiggum" <go.ahead@spam.me> wrote in message

>> news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...<span style="color:darkred">

>>> Most of my users are behind their company's firewall. If I keep a

>>> database of firewall ip-numbers and check incoming requests against the

>>> database, wouldn't that be an ok solution?

>>> Steve Riley [MSFT] wrote:

>>>> Wrong approach. IP addresses identify machines, not humans. They are

>>>> easily spoofable, since they are always clear-text and are always

>>>> unauthenticated. Plus, with your approach, authorized users will be

>>>> tied to specific machines--they won't be able to access their

>>>> information from other computers.

>>>>

>>>> User ID/password pairs are specifically designed for the scenario

>>>> you've described. Please use them.

>>>></span>

>>

>></span>

>

> </span>

 
You must log in or register to reply here.
Top Bottom