IP whitelisting is for those that have no other choice, but even then – it’s a testament to the lack of security control. It’s reminiscent of how we did security when I was in high school 10 years ago, but we’re better now – right? Or at least, we should try to be.

Recently I’ve had to think about and discuss IP whitelisting and its place as a security measure. In trying to order and distil what it means to use IP whitelisting as a security measure, I decided to write this blog post to share my thoughts.

My primary observation in security thus far is that we rely too much on IP whitelisting and too easily think of it as a genuine security measure within our defence. Let’s get a few things straight first:

  • IP whitelisting is not a form of authentication

No, and not even a small part of authentication either. It says nothing about who you are, only where you route your traffic from. If anything, it makes it easier for attackers to infiltrate your network, as people who believe and trust in measures like this also trust in their security. It wouldn’t be the first time that hackers only need to attack the VPN gateway and instantly have access to all sensitive systems and data.

  • IP whitelisting is terrible and hard to manage

Okay, so even if you go this route: how do you know which IP whitelist is present where? How do you know if the IP is still in use for its intended purpose? What if an IP changes, will you even know? Even if you do know, how many communications and procedural steps are required to make such trivial changes in your organisation? What if you somehow lose your outbound IP? Now you need to contact all those external parties that rely on this symbolic measure of “security”. You’re lucky for now, as IPv4 is still dominant; just wait until IPv6 starts becoming the standard. Good luck verifying the IPs visually and typing them over with all those odd and similar-looking characters. Oh whoops, /32 is not the same for IPv6 as for IPv4…
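To make the management problem concrete, here is a small added example (my own illustration, not code from the post) that audits an allowlist the way a reviewer would: it catches unparseable entries, entries whose review date has passed, overly broad ranges, and the IPv6 “/32” mistake described above, and then shows which source addresses such an allowlist actually admits. The allowlist entries, owners and review dates are constructed sample data.

```python
import ipaddress
from datetime import date

# Constructed sample allowlist for illustration (not from the post):
# (CIDR entry, owner/purpose, date by which the entry should be reviewed).
SAMPLE_ALLOWLIST = [
    ("203.0.113.10/32", "partner-a sftp", date(2024, 1, 15)),
    ("198.51.100.0/24", "office egress", date(2025, 6, 1)),
    ("2001:db8:1234::/32", "partner-b api", date(2025, 6, 1)),   # /32 copied from IPv4 habit
    ("2001:db8:ffff::1/128", "monitoring probe", date(2025, 6, 1)),
    ("not-an-ip", "legacy entry", date(2020, 1, 1)),
]

# An entry wider than this many addresses is flagged as overly broad (assumed threshold).
MAX_ADDRESSES = 256


def audit_allowlist(entries, today):
    """Return a list of (entry, issue) pairs for entries that need attention."""
    findings = []
    for entry, _owner, review_by in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((entry, "unparseable"))
            continue
        # In IPv4 a /32 is one host; in IPv6 a /32 is 2^96 addresses.
        if net.version == 6 and net.prefixlen == 32:
            findings.append((entry, "ipv6 /32 covers 2^96 addresses, not one host"))
        elif net.num_addresses > MAX_ADDRESSES:
            findings.append((entry, f"broad: {net.num_addresses} addresses"))
        if review_by < today:
            findings.append((entry, "review overdue"))
    return findings


def match_allowlist(source_ip, entries):
    """Return the owner of the first entry containing source_ip, or None."""
    addr = ipaddress.ip_address(source_ip)
    for entry, owner, _review_by in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # unparseable entries never match anything
        if addr.version == net.version and addr in net:
            return owner
    return None


def run_sample_audit():
    """Audit the constructed sample as of 2025-01-01 (a fixed date for the demo)."""
    return audit_allowlist(SAMPLE_ALLOWLIST, date(2025, 1, 1))


if __name__ == "__main__":
    for entry, issue in run_sample_audit():
        print(f"{entry}: {issue}")
    # A host nobody intended to admit matches the over-broad IPv6 entry.
    print(match_allowlist("2001:db8:1234:abcd::9", SAMPLE_ALLOWLIST))
```

The point of `match_allowlist` is the last line of the demo: an address in a completely different /64 still matches the partner entry, because the person who typed “/32” was thinking in IPv4. Running an audit like this on a schedule, with an owner and review date attached to every entry, is the minimum it takes to keep a whitelist honest.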

  • You shouldn’t even need IP whitelisting if you did security properly

What are you really trying to solve? What is the reason you resort to things like IP whitelisting? Why not embrace the zero-trust philosophy and assume all systems and networks are dangerous? That’s where this originates from and why it’s still used: it’s an artifact of symptomatic boomer security, a required measure in security infrastructure that is fundamentally weak and flawed. A legacy of organisations that have not been touched in years, where nobody knows how it works or what it does.

Is IP whitelisting not good for anything?

Well, it can be good to use it in some cases. It’s understandable that if certain systems do not support proper security standards and you lack the alternatives, you’d go this route. I understand it takes time and effort to improve. The thing it does manage to do quite well is reduce your attack surface for systems that would otherwise be exposed to the internet. For protecting against cookie hijacking/stealing, an IP whitelist could even prove to be one of the best security measures? Just know that it stimulates and incentivises the broken security infrastructure that requires you to do these things in the first place. That’s my issue with it: you become part of the problem and prolong it, whilst you should revolt against it and pioneer a way to a better, more robust future for your security operations.

What could security look like without IP whitelisting, you say?

In an era of remote working, the zero-trust model is more relevant than ever. The zero-trust model assumes everything is hostile, even your internal infrastructure. Ditch the idea of VPNs, IP whitelisting, and IP/port/protocol-based firewall configuration. Let go of the era of boomer security, and embrace identity as your leading security measure: identity-based proxies, firewalls and SSH access. Just-In-Time (JIT) access, so you only have the access you need, when you need it, whilst carefully logging everything. Behaviour-based detection to catch anomalies and potential attackers. Even the concept of passwords should be abolished, where possible. Make mTLS in combination with SSO your core authentication methods. Every system in your organisation is managed remotely using various agents that allow for security, network monitoring and policy enforcement. You support all the common operating systems, because security is not restrictive but rather agnostic, so that everyone can do their absolute best using the tools that suit them. All so you can move away from the outdated security model that relies on your “secure VPN gateway”, which you are required to connect to before you can do anything.
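As an added illustration of the identity-first, Just-In-Time model sketched above (my own example, not code from the post or from any particular product), here is a minimal policy engine: access decisions are made on a verified identity and a time-boxed grant, every decision is written to a structured audit log, and the caller’s source IP is deliberately not an input. It assumes the identity string has already been established upstream by mTLS or SSO; the principals, resource names and timestamps are constructed sample data.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    principal: str        # verified identity (SSO subject or mTLS certificate identity), assumed verified upstream
    resource: str         # constructed resource name, e.g. "ssh:prod-db-01"
    expires_at: datetime  # grants are always time-boxed; there is no standing access


@dataclass
class PolicyEngine:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # JSON lines, one per grant or decision

    def _log(self, event, principal, resource, now, **extra):
        record = {"ts": now.isoformat(), "event": event,
                  "principal": principal, "resource": resource, **extra}
        self.audit_log.append(json.dumps(record, sort_keys=True))

    def grant_jit(self, principal, resource, minutes, now):
        """Issue a grant that expires after `minutes`, and log that it was issued."""
        grant = Grant(principal, resource, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        self._log("grant", principal, resource, now, expires_at=grant.expires_at.isoformat())
        return grant

    def authorize(self, principal, resource, now):
        """Allow only if an unexpired grant exists for exactly this identity and resource.
        Network location is not consulted: where the request comes from says nothing about who sent it."""
        self.grants = [g for g in self.grants if g.expires_at > now]  # drop expired grants
        allowed = any(g.principal == principal and g.resource == resource for g in self.grants)
        self._log("allow" if allowed else "deny", principal, resource, now)
        return allowed


def demo():
    """Constructed walk-through: one 15-minute grant, checked at three points in time."""
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    engine = PolicyEngine()
    engine.grant_jit("alice@example.com", "ssh:prod-db-01", minutes=15, now=t0)
    results = (
        engine.authorize("alice@example.com", "ssh:prod-db-01", t0 + timedelta(minutes=5)),   # inside window
        engine.authorize("bob@example.com", "ssh:prod-db-01", t0 + timedelta(minutes=5)),     # wrong identity
        engine.authorize("alice@example.com", "ssh:prod-db-01", t0 + timedelta(minutes=20)),  # grant expired
    )
    return results, len(engine.audit_log), engine.audit_log


if __name__ == "__main__":
    results, _count, log = demo()
    print(results)
    for line in log:
        print(line)
```

Two design choices carry the zero-trust point: the grant is the only thing that confers access, so it expires on its own without anyone remembering to revoke it, and the audit log records denials as well as allows, which is what behaviour-based detection later feeds on.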