
ASP authentication by ip-number



Guest Ralph Wiggum
Posted

How safe is it to use the client's ip-number versus posting a username/password (in cleartext) in an http request? Assuming the client's ip-number is static.

A common use-case would be a web-forum, where only VIP-users should have access to specific topics. Authentication by ip is certainly the most user-friendly, as users don't have to register/remember passwords, no?

Is ip-spoofing considered easier than picking up unencrypted usernames/passwords from web-traffic?

Guest Roger Abell [MVP]
Posted

"Ralph Wiggum" <go.ahead@spam.me> wrote in message news:TtSdnRagFNDlTI3VRVnzvQA@telenor.com...

> How safe is it to use the client's ip-number versus posting a username/password (in cleartext) in an http request? Assuming the client's ip-number is static.

It's probably safer than a usr/pwd cred exchange in the clear.

> A common use-case would be a web-forum, where only VIP-users should have access to specific topics. Authentication by ip is certainly the most user-friendly, as users don't have to register/remember passwords, no?

No. Yes, you are right, but after taking initial IP-verified registration and users being stuck to registered IPs into account, it seems that the use-case gets pretty weak.

> Is ip-spoofing considered easier than picking up unencrypted usernames/passwords from web-traffic?

No in general, and certainly not for someone on a different subnet.

Guest Steve Riley [MSFT]
Posted

Wrong approach. IP addresses identify machines, not humans. They are easily spoofable, since they are always clear-text and are always unauthenticated. Plus, with your approach, authorized users will be tied to specific machines--they won't be able to access their information from other computers.

User ID/password pairs are specifically designed for the scenario you've described. Please use them.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Ralph Wiggum" <go.ahead@spam.me> wrote in message news:TtSdnRagFNDlTI3VRVnzvQA@telenor.com...

> How safe is it to use the client's ip-number versus posting a username/password (in cleartext) in an http request? Assuming the client's ip-number is static.
> A common use-case would be a web-forum, where only VIP-users should have access to specific topics. Authentication by ip is certainly the most user-friendly, as users don't have to register/remember passwords, no?
>
> Is ip-spoofing considered easier than picking up unencrypted usernames/passwords from web-traffic?

Guest Ralph Wiggum
Posted

Most of my users are behind their company's firewall. If I keep a database of firewall ip-numbers and check incoming requests against the database, wouldn't that be an ok solution?

Steve Riley [MSFT] wrote:

> Wrong approach. IP addresses identify machines, not humans. They are easily spoofable, since they are always clear-text and are always unauthenticated. Plus, with your approach, authorized users will be tied to specific machines--they won't be able to access their information from other computers.
>
> User ID/password pairs are specifically designed for the scenario you've described. Please use them.
>

Guest S. Pidgorny
Posted

No - for the same reasons. Why do you need extravagant authentication-like schemes when many proper ways of authentication are available?

If you just need to allow certain IPs to access the Web site, just configure restrictions and use anonymous access.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

"Ralph Wiggum" <go.ahead@spam.me> wrote in message news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...

> Most of my users are behind their company's firewall. If I keep a database of firewall ip-numbers and check incoming requests against the database, wouldn't that be an ok solution?
> Steve Riley [MSFT] wrote:
>> Wrong approach. IP addresses identify machines, not humans. They are easily spoofable, since they are always clear-text and are always unauthenticated. Plus, with your approach, authorized users will be tied to specific machines--they won't be able to access their information from other computers.
>>
>> User ID/password pairs are specifically designed for the scenario you've described. Please use them.
>>

Guest Roger Abell [MVP]
Posted

"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message news:u2Xr7nXqIHA.1736@TK2MSFTNGP04.phx.gbl...

> No - for the same reasons. Why do you need extravagant authentication-like schemes when many proper ways of authentication are available?
>
> If you just need to allow certain IPs to access the Web site, just configure restrictions and use anonymous access.
>

Hi Slav,

As I read the poster, allowing anonymous access but gating it based on origin IP, as you suggest, _is_ precisely what the poster was talking about doing. As far as I can see, that is safer (less likely breached) than using account-based authentication with the creds passing in the clear.

Roger

>
> "Ralph Wiggum" <go.ahead@spam.me> wrote in message news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...
>> Most of my users are behind their company's firewall. If I keep a database of firewall ip-numbers and check incoming requests against the database, wouldn't that be an ok solution?
>> Steve Riley [MSFT] wrote:
>>> Wrong approach. IP addresses identify machines, not humans. They are easily spoofable, since they are always clear-text and are always unauthenticated. Plus, with your approach, authorized users will be tied to specific machines--they won't be able to access their information from other computers.
>>>
>>> User ID/password pairs are specifically designed for the scenario you've described. Please use them.
>>>
>
>

Guest Steve Riley [MSFT]
Posted

Clear-text account credentials are as risky as using IP addresses for authentication purposes. IP addresses are _also_ sent in the clear, and can be intercepted and spoofed _in exactly the same way_ as clear-text credentials.

Firewalls like ISA Server allow you to write user-aware rules. Credentials are never passed between the client and ISA Server in clear-text -- it's standard Winlogon.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message news:OcW4NnFrIHA.3508@TK2MSFTNGP03.phx.gbl...

> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message news:u2Xr7nXqIHA.1736@TK2MSFTNGP04.phx.gbl...
>> No - for the same reasons. Why do you need extravagant authentication-like schemes when many proper ways of authentication are available?
>>
>> If you just need to allow certain IPs to access the Web site, just configure restrictions and use anonymous access.
>>
>
>
> Hi Slav,
>
> As I read the poster, allowing anonymous access but gating it based on origin IP, as you suggest, _is_ precisely what the poster was talking about doing. As far as I can see, that is safer (less likely breached) than using account-based authentication with the creds passing in the clear.
>
> Roger
>
>>
>> "Ralph Wiggum" <go.ahead@spam.me> wrote in message news:HdKdnRIIFsLHo4vVRVnzvQA@telenor.com...
>>> Most of my users are behind their company's firewall. If I keep a database of firewall ip-numbers and check incoming requests against the database, wouldn't that be an ok solution?
>>> Steve Riley [MSFT] wrote:
>>>> Wrong approach. IP addresses identify machines, not humans. They are easily spoofable, since they are always clear-text and are always unauthenticated. Plus, with your approach, authorized users will be tied to specific machines--they won't be able to access their information from other computers.
>>>>
>>>> User ID/password pairs are specifically designed for the scenario you've described. Please use them.
>>>>
>>
>>
>
>
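As an added example that is not part of this thread and not any poster's code: this is what Pidgorny's "configure restrictions and use anonymous access" and Ralph's "database of firewall ip-numbers" amount to when written out, from the defensive side. It assumes a Python web back end (the thread's ASP server would do the equivalent with the request's REMOTE_ADDR); the network ranges, the proxy address, the `check_access` / `effective_client_ip` names and the sample requests are all constructed for the example. The two points the thread makes survive in the code: the decision is about a network, not a person, since everyone behind the same corporate firewall shares its address; and the check is only as good as the peer address the server itself observed, so a client-supplied `X-Forwarded-For` header is ignored unless the connection came from a proxy the site operates.

```python
"""Coarse network-level gating of an otherwise anonymous site.

Added example, not code from the thread. All addresses are constructed:
the allow-listed ranges use RFC 5737 documentation networks and the
"trusted proxy" is a placeholder private address.
"""
import ipaddress
from typing import Optional, Tuple

# Constructed: CIDR blocks of two customers' firewalls, i.e. the "database
# of firewall ip-numbers" from the thread. Matching a block says "some host
# behind that firewall", nothing about which person is at the keyboard.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3 (placeholder)
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2 (placeholder)
]

# Constructed: reverse proxies the site operates itself. Only a connection
# from one of these may carry a believable X-Forwarded-For header.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _in_any(addr, networks) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in networks)


def effective_client_ip(remote_addr: str, forwarded_for: Optional[str] = None):
    """Return the address an access decision may be based on.

    remote_addr is the TCP peer the server saw (REMOTE_ADDR). The
    X-Forwarded-For header is client-controlled data; it is honoured only
    when the peer is one of our own proxies, and then only its rightmost
    entry, which is the hop that proxy itself appended. Anything further
    left was written by whoever sent the request and is not trusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    if forwarded_for and _in_any(peer, TRUSTED_PROXIES):
        claimed = forwarded_for.split(",")[-1].strip()
        return ipaddress.ip_address(claimed)
    return peer


def check_access(remote_addr: str, forwarded_for: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a request may reach the restricted area.

    Returns (allowed, reason); the reason is meant for the access log, so a
    denied request from an unexpected network is visible to the operator.
    """
    try:
        client = effective_client_ip(remote_addr, forwarded_for)
    except ValueError:
        return False, "unparseable client address"
    if _in_any(client, ALLOWED_NETWORKS):
        return True, f"{client} is within an allow-listed network"
    return False, f"{client} is not within an allow-listed network"


if __name__ == "__main__":
    # Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For or None).
    samples = [
        ("203.0.113.7", None),                      # host behind customer firewall
        ("192.0.2.9", None),                        # unknown network
        ("192.0.2.9", "203.0.113.7"),               # header claims an allowed IP; ignored
        ("10.0.0.5", "203.0.113.7"),                # same claim, via our own proxy
        ("10.0.0.5", "203.0.113.7, 192.0.2.9"),     # proxy's peer was 192.0.2.9
    ]
    for remote, xff in samples:
        allowed, reason = check_access(remote, xff)
        print(f"{'ALLOW' if allowed else 'DENY ':5} peer={remote:<12} xff={xff!s:<24} {reason}")
```

The third sample is the case Steve's replies are about: the request arrives from an unknown peer but carries a header naming an allow-listed address, and the check still denies it because the header is never consulted for a peer outside `TRUSTED_PROXIES`. The first sample shows the other half of his objection: the allow succeeds for the firewall's address, which every machine behind that firewall shares, so it grants access to a network, not to a named user.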
