IP address access control lists are not as great as you think they are

There ain’t no party like a TCP retry party


Clarity in life is important.

External IP addresses

This post talks about IP addresses on the public Internet (or perhaps large scale multi-party WAN like the Public Services Network)


The purpose of IP addresses in this context are to help determine origin therefore confer trust and offer privileges as a result.

The problem (what we are currently doing)

We try and identify the IP address ranges

In order to ‘lock down’ a thing (commonly this will be Intranet pages, non-production systems, administrative interfaces like SSH/RDP/VNC and so on) we have to know ‘who’ to let in.

We never truly understand what are behind these ranges because we can’t see behind them

On face value the wider/narrower the CIDR the more or less possible hosts there are — has in theory 131,068 devices/hosts, has 254, has 6 and has one.

We assume what is behind them is ‘good’

In an ideal world an organisation you’re working with would tell you they use a /29 (or so) and can define the scope of that use — exclusive, just corporate devices, not BYOD/Guest etc.

Thus, we incorrectly attribute trust

One or more of the combined problems leads us to confer an inappropriate amount of trust onto the traffic coming from that network.

IP addresses as one indicator in defensive depth (how we should use/trust external IP address in ACLs)

Try and identify the IP address ranges

Unfortunately this problem will persist when you’re talking about different organisations talking to each other.

Understand IP addresses are just a mild indicator for potential trust

The complexities and probabilities of IP range hi-jacking and all that aside: operate on the basis that external IP address ranges are maybe who you think they are most of the time but you will never be sure.

Consider the use-cases

A problem with IP address access control methods is that they are a binary gate — open or closed — and if availability is important (the thing behind the access control is used all of the time) then you must consider the consequence of the deviation or outliner scenarios.

Implement defensive depth

With less trust in IP addresses as a filtration method, we remember we should always do a good bunch of other things:

  • log access/activity
  • monitor access/activity
  • actual authentication (client certificates, magic links, usernames/passwords, single/same sign-on, multi-factor authentication etc)
  • actual authorisation
  • build in defences against denial of service attacks, brute force attempts and credential stuffing

Filter out the noise if it still makes sense to do so

IP addresses used as this kind of sensible and well-considered filtration method still provide a handy filter of “not the public Internet”

So, what are you saying?

External IP address access control lists are useful as part of a wider set of controls.

Can we have some real-world examples?

Since you asked so nicely :-)



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store